Authentication system for mobile entities

US 20020197979A1
Filed: 05/21/2002
Published: 12/26/2002
Est. Priority Date: 05/22/2001
Status: Abandoned Application

First Claim

Patent Images

1. A security method for use in a communication system including at least one mobile node that includes a secret value and a plurality of nodes that are coupled to a security server that also stores said secret value, the method comprising:

operating the security server to generate a token from said stored secret and to communicate said token to a first one of said plurality of nodes;

operating the first one of said plurality of nodes to communicate with said mobile node;

transferring the generated token from said first one of said plurality of nodes to a second one of said plurality of nodes;

operating the second one of said plurality of nodes to generate a new encryption key from said token; and

operating the second one of said plurality of nodes to communicate with said mobile node using said new encryption key to encrypt at least some data transmitted to said mobile node.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Verification and authentication methods for use in mobile communications systems where base stations do not have direct access to a shared secret common to a security server and mobile node are described. Unilateral authentication of a mobile node by a base station is augmented through the use of a mutual authentication token (MAT) generated by the security server and the mobile node as a function of the shared secret. With each handoff the MAT generated by the security server is passed from base station to base station via a secure communications channel. After each handoff the mobile node and new base station perform a unilateral authentication operation and establish a new encryption key that is a function of the MAT. Existence of a trust relationship between a new base station and the last base station is verified by the new base station'"'"'s ability to properly encrypt data.

313 Citations

38 Claims

1. A security method for use in a communication system including at least one mobile node that includes a secret value and a plurality of nodes that are coupled to a security server that also stores said secret value, the method comprising:
- operating the security server to generate a token from said stored secret and to communicate said token to a first one of said plurality of nodes;
  
  operating the first one of said plurality of nodes to communicate with said mobile node;
  
  transferring the generated token from said first one of said plurality of nodes to a second one of said plurality of nodes;
  
  operating the second one of said plurality of nodes to generate a new encryption key from said token; and
  
  operating the second one of said plurality of nodes to communicate with said mobile node using said new encryption key to encrypt at least some data transmitted to said mobile node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 28, 29, 30, 31, 32, 33, 34, 36, 37, 38)
- - 2. The method of claim 1, wherein said new encryption key is generated as a function of both said token and a key generated from at least some information transmitted to the mobile node.
  - 3. The method of claim 2, further comprising:
    - operating the mobile node to generate said token from said shared secret value.
  - 4. The method of claim 3, wherein the step of operating the mobile node to generate said token further includes:
    - operating the mobile node to use information, received from at least one of the first one of said plurality of nodes and said security server, in addition to said shared secret to generate said token.
  - 5. The method of claim 4, wherein the first one of the plurality of nodes is a base station.
  - 6. The method of claim 5, further comprising:
    - operating a subsequent one of said plurality of nodes to perform unilateral authentication of said mobile node prior to operating the second one of said plurality of nodes to communicate with said mobile node using said new encryption key.
  - 7. The method of claim 6, wherein said at least some information from which said key is generated is a mobile node challenge transmitted as part of said unilateral authentication of said mobile node.
  - 8. The method of claim 1, wherein the step of operating the security server to generate a token from said stored secret includes:
    - using said stored secret and at least some information communicated between the first one of said plurality of nodes and said mobile node as input to a security function which generates said token.
  - 9. The method of claim 8, wherein said security function is one of a Message Authentication Code, a hash function and a HMAC.
  - 10. The method of claim 8, wherein said input to the security function includes a challenge transmitted to said mobile node.
  - 11. The method of claim 10, wherein said challenge is generated by the security server.
  - 12. The method of claim 10, wherein said challenge is generated by the first of said plurality of nodes.
  - 13. The method of claim 10, wherein said input to the security function includes a challenge received by said first of said plurality of nodes from said mobile node.
  - 14. The method of claim 1, further comprising:
    - operating said security server to generate, using said shared secret, a set of security information including a plurality of mobile node challenges and expected mobile node responses, each expected mobile node response corresponding one of said mobile node challenges and being a function of said shared secret; and
      
      supplying said generated set of security information to said first one of plurality of nodes.
  - 15. The method of claim 8, wherein said step transferring the generated token from said first one of said plurality of nodes to a second one of said plurality of nodes is performed as part of a mobile node handoff operation, said mobile node handoff operation further comprising:
    - transferring at least a portion of said set of security information generated by said security server from said first one of the plurality of nodes to the second one of said plurality of nodes.
  - 16. The method of claim 15, further comprising:
    - operating the subsequent one of said plurality of nodes to perform unilateral authentication of said mobile node prior to operating the subsequent one of said plurality of nodes to communicate with said mobile node using said new encryption key.
  - 17. The method of claim 16, wherein the step of operating the second one of said plurality of nodes to perform unilateral authentication of said mobile node includes:
    - transmitting a mobile node challenge included in the transferred portion of said set of security information to said mobile node; and
      
      comparing a mobile node response received from the mobile node to an expected mobile node response included in the transferred portion of said set of security information.
  - 18. The method of claim 17, further comprising:
    - operating the security server to generate a new token from said shared secret after a preselected period of time; and
      
      operating one of said plurality of base stations to;
      
      i) use said new token to generate another new encryption key; and
      
      ii) use said generated another new encryption key to encrypt data transmitted to the mobile node.
  - 19. The method of claim 15, further comprising:
    - operating the security server to perform a mutual authentication operation and to generate a new token from said shared secret using information received by said security server from one of said plurality of nodes.
  - 20. The method of claim 19, wherein said information received by said security server is information transmitted from said mobile node to said one of said plurality of nodes.
  - 21. The method of claim 15, wherein the transferred portion of said set of security information includes the encryption key used by said first one of said plurality of nodes to encrypts information transmitted to said mobile node, the method further comprising:
    - operating the second one of said plurality of nodes to use the transferred encryption key previously used by said first one of said plurality of nodes to encrypt information sent by said second one of said plurality of nodes to said mobile node.
  - 22. The method of claim 21, further comprising the step of:
    - determining when a timer associated with the encryption key used by said first one of said plurality of nodes expires; and
      
      wherein said step of operating the second one of said plurality of nodes to generate a new encryption key occurs in response to determining that said timer has expired.
  - 23. The method of claim 1, further comprising:
    - operating the first one of said plurality of nodes to transfer an encryption key and an associated timer to said second one of said plurality of nodes; and
      
      wherein said new encryption key generated by said second one of the plurality of nodes is used to encrypt said at least some data after said associated timer expires.
  - 24. The method of claim 23, further comprising the step of:
    - determining when a timer associated with the encryption key used by said first one of said plurality of nodes expires; and
      
      wherein said step of operating the second one of said plurality of nodes to generate a new encryption key occurs in response to determining that said timer has expired.
  - 26. The communication system of claim 25, wherein said token and said first encryption key are stored in said memory of said second base station, the base station further including:
    - means for detecting when a timer associated with said first encryption key expires.
  - 28. The method of claim 27, further comprising:
    - providing unilateral authentication information to said second one of said plurality of nodes prior to performing said step of encrypting information.
  - 29. The method of claim 28, wherein said step of generating an encryption key includes:
    - performing an operation using said token and a value obtained from information passed between said second node and said mobile node to generate said encryption key.
  - 30. The method of claim 28, further comprising:
    - storing a first timer associated with said token.
  - 31. The method of claim 30, further comprising:
    - performing a mutual authentication operation with one of said plurality of nodes in response to expiration of said timer.
  - 32. The method of claim 31, further comprising:
    - storing a second timer associated with said generated encryption key, said second timer having a shorter length than said first timer.
  - 33. The method of claim 32, further comprising the step of:
    - using a new encryption key to encrypt information transmitted by said mobile node in response to expiration of said second timer.
  - 34. The method of claim 33, further comprising the step of:
    - generating a new token as a function of said shared secret in response to expiration of said first timer.
  - 36. The mobile node of claim 35, further comprising:
    - means for providing unilateral authentication information to said second one of said plurality of nodes.
  - 37. The mobile node of claim 36, wherein said means for generating an encryption key includes an encryption module for performing an operation using said token and a value obtained from information passed between said second node and said mobile node to generate said encryption key.
  - 38. The mobile node of claim 37, further comprising:
    - a first timer associated with said token; and
      
      a second timer associated with said encryption key, said second timer being a shorter timer than said first timer.

25. A communication system including:
- a security server including;
  
  a secret value corresponding to a mobile node;
  
  means for generating a token from said secret value; and
  
  means for communicating said token to a base station;
  
  a first base station coupled to said security server, the first base station including;
  
  means for communicating with a mobile node;
  
  a memory for storing said token generated by said security server and a first encryption key used to encrypt information transmitted to said mobile node; and
  
  means for transmitting said token to another base station as part of a mobile node handoff operation; and
  
  a second base station coupled to said first base station, the second base station including;
  
  means for generating as second encryption key as a function of said token following a handoff operation involving the transfer of said token from said first base station to said second base station.

27. A method of operating a mobile node in a communication system including a plurality of nodes that are coupled by a communications channel to a security server that stores a secret value corresponding to said mobile node, the method comprising:
- storing said secret value in said mobile node;
  
  performing a mutual authentication operation with a first one of said base stations using said shared secret to generate at least one value transmitted to said first one of said base stations as part of the mutual authentication operation;
  
  generating a token as a function of said stored secret value;
  
  generating an encryption key as a function of said generated token; and
  
  encrypting information sent to a second one of said plurality of nodes using said generated encryption key.

35. A mobile node for use in a communication system including a plurality of nodes that are coupled by a communications channel to a security server, the security server storing a secret value corresponding to said mobile node, the mobile mode comprising:
- a memory including said secret value;
  
  means for performing a mutual authentication operation with a first one of said base stations;
  
  means for performing a mutual authentication operation with a first one of said base stations using said shared secret to generate at least one value transmitted to said first one of said base stations as part of the mutual authentication operation;
  
  means for generating a token as a function of said stored secret value;
  
  means for generating an encryption key as a function of said generated token; and
  
  means for encrypting information sent to a second one of said plurality of nodes using said generated encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Vanderveen, Michaela Catalina

Application Number

US10/152,655
Publication Number

US 20020197979A1
Time in Patent Office

Days
Field of Search
US Class Current

455/410
CPC Class Codes

H04L 63/0869   for achieving mutual authen...

H04W 12/033   of the user plane, e.g. use...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 36/0038   of security context informa...

H04W 88/08   Access point devices

Authentication system for mobile entities

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

313 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Authentication system for mobile entities

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

313 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others