Methods and apparatus for secure data communication links

US 20040117623A1
Filed: 08/29/2003
Published: 06/17/2004
Est. Priority Date: 08/30/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method of initializing a secure communications link between a first data processing system and a second data processing system using a first token comprising a first key and associated first request data, the method of initializing a secure communication link comprising:

generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system;

encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and

sending said encrypted first message from said first system to said second system to initialize said secure communications link.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention generally relates to methods, apparatus and computer program code for secure communication links, in particular where accountability is required.

A method of initialising a secure communications link between a first data processing system and a second data processing system using a first token comprising a first key and associated first request data is described. The method comprises: generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system; encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and sending said encrypted first message from said first system to said second system to initialize said secure communications link.

The method is particularly useful for establishing chains of accountability in systems where trust is delegated.

130 Citations

32 Claims

1. A method of initializing a secure communications link between a first data processing system and a second data processing system using a first token comprising a first key and associated first request data, the method of initializing a secure communication link comprising:
- generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system;
  
  encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and
  
  sending said encrypted first message from said first system to said second system to initialize said secure communications link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 20, 21, 27, 28, 29, 30, 31)
- - 2. A method as claimed in claim 1, further comprising:
    - receiving at said first data processing system from a previous data processing system a previous encrypted message comprising a previous token and previous authentication data, said previous token comprising a previous key and associated previous request data, said previous authentication data comprising data generated by operating on at least one of said previous key and said previous request data with a secret key of said previous system;
      
      decrypting said previous encrypted message using a key known to both said first and said previous data processing systems; and
      
      including said previous token and said previous authentication data in said first message.
  - 3. A method as claimed in claim 2 further comprising:
    - verifying said previous authentication data; and
      
      wherein said sending of said first encrypted message is dependent upon a result of said verifying.
  - 4. A method as claimed in claim 1, further comprising:
    - establishing a secure communications link between said first and second data processing systems using said first key.
  - 5. A method as claimed in claim 1, wherein said encrypting comprises encrypting using an asymmetric cryptographic algorithm.
  - 6. A method as claimed in claims 1, wherein said encrypting comprises using a symmetric cryptographic algorithm.
  - 7. A method as claimed in claim 1, wherein said first token has associated lifetime data.
  - 8. A method as claimed in claim 1 wherein said sending further comprises sending an unencrypted identifier for the recipient.
  - 9. A method as claimed in claim 1, wherein said sending her comprises sending timestamp and/or or nonce data.
  - 20. A method as claimed in claim 1, comprising operating on both said first key and said first request data with a secret key of said first system.
  - 21. A method as claimed in claim 1, comprising encrypting said first message using a public key of said second data processing system.
  - 27. A method as claimed in any one of claims 1, 10, 16 or 22, wherein a said data processing system or machine comprises a mobile terminal of a wireless mobile communications system.
  - 28. Processor control code to, when running, perform the method of claim 1 or the method steps of claim 22.
  - 29. A carrier carrying processor control code to, when running, perform the method of claim 1 or the method steps of claim 22.
  - 30. A data processing system or machine configured to perform the method of claim 1 or the method steps of claim 22.
  - 31. A plurality of data processors configured to operate in accordance with the method of any one of claims 1, 10 and 22.

10. A method of initializing a secure communications chain between first, second and third data processing systems, the method comprising initializing a secure communications link between first and second data processing systems, using a first token comprising a first key and associated first request data, and comprising:
- generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system;
  
  encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and
  
  sending said encrypted first message from said first system to said second system to initialize said secure communications link, the method of initializing a secure communications chain between first, second and third data processing systems further comprising;
  
  decrypting, at said second system, said encrypted first message;
  
  generating at said second system, a second message comprising said first token and said first authentication data, and a second token and second authentication data, said second token comprising a second key and associated second request data, said second authentication data comprising data generated by operating on at least one of said second key and said second request data with a secret key of said second system;
  
  encrypting said second message using a key known at least to both said second and third data processing systems; and
  
  sending said encrypted second message from said second system to said third system.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. A method as claimed in claim 10, wherein said encrypting comprises encrypting using an asymmetric cryptographic algorithm.
  - 12. A method as claimed in claims 10, wherein said encrypting comprises using a symmetric cryptographic algorithm.
  - 13. A method as claimed in claim 10, wherein said first token and said second token, has associated lifetime data.
  - 14. A method as claimed in claim 10 wherein said sending further comprises sending an unencrypted identifier for the recipient.
  - 15. A method as claimed in claim 10, wherein said sending filcher comprises sending timestamp and/or or nonce data.

16. A method of initializing a secure chain of communication for a chain of data processing systems, the chain comprising a start data processing system and an end data processing system linked via one or more intermediate data processing systems, the method comprising:
- initializing successive links of the chain by successive applications of a method of initializing a secure communications link between a first data processing system and a second data processing system using a first token comprising a first key and associated first request data, the method of initialising a secure communication link comprising;
  
  generating at said first system a first message comprising said first token and first authentication data generated by operating on at least one of said first key and said first request data with a secret key of said first system;
  
  encrypting said first message using a key known to both said first and said second data processing systems to form an encrypted first message; and
  
  sending said encrypted first message from said first system to said second system to initialize said secure communications link.
- View Dependent Claims (17, 18, 19)
- - 17. A method as claimed in claim 16, wherein the encrypted message sent in each successive application of the method of initializing a secure communication link to a secure communication to a link includes tokens and authentication data for all previous data processing systems in the chain up to the link.
  - 18. A method as claimed in claim 16, wherein said encrypting comprises encrypting using an asymmetric cryptographic algorithm.
  - 19. A method as claimed in claims 16, wherein said encrypting comprises using a symmetric cryptographic algorithm.

22. A method of establishing a chain of secure communication links between a plurality of data processing machines such that the identify of each successive data processing machine making up the chain is confirmable, the method comprising performing, at each successive data processing machine in the chain after a first machine, the steps of:
- receiving from a previous data processing machine in the chain an encrypted message comprising authentication data and a delegation token including a delegation key;
  
  decrypting said encrypted message;
  
  adding to the decrypted message a delegation token and authentication data for said successive data processing machine to form an extended message;
  
  encrypting said extended message; and
  
  forwarding said encrypted extended message to the next machine in the chain;
  
  until an end machine of the chain is reached, whereby said chain of secure communication links is established.
- View Dependent Claims (23, 24, 25)
- - 23. A method as claimed in claim 22, wherein each said delegation token includes a delegation key, the method further comprising sending data back from said end machine to a first machine of the chain, said data being encrypted using the delegation key of said first machine.
  - 24. A method as claimed in claim 23, wherein said sending sends said data over the chain from said end machine to said first machine.
  - 25. A method as claimed in claim 22, wherein each said delegation token includes request data for a request associated with the delegation key of the said token.

26. A method as claimed in 22, further comprising generating said authentication data at each successive machine by performing a cryptographic operation on said delegation token.

32. Data processing apparatus comprising:
- a data memory operable to store data to be processed;
  
  an instruction memory storing processor implementable instructions; and
  
  a processor coupled to the data memory and to the instruction memory and operable to process data in accordance with the instructions, the instructions comprising instructions for controlling the processor to;
  
  generate a message comprising a token and authentication data, the token comprising a key and associated request data, the authentication data being generated by operating on at least one of said key and said request data with a secret key of the data processing apparatus;
  
  encrypt said message using a key known to a second data processor to form an encrypted message; and
  
  send said encrypted message to said second data processor to initialize a secure communications link between said data processing apparatus and said second data processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Inventors
Kalogridis, Georgios, Clemo, Gary, Yeun, Chan Yeob

Application Number

US10/650,755
Publication Number

US 20040117623A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

H04L 9/3297   involving time stamps, e.g....

H04L 9/50   using hash chains, e.g. blo...

Methods and apparatus for secure data communication links

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

130 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for secure data communication links

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links