Key conversion method for communication session encryption and authentication system

US 20050050322A1
Filed: 09/02/2003
Published: 03/03/2005
Est. Priority Date: 09/02/2003
Status: Active Grant

First Claim

Patent Images

1. The method for mutual authentication of a first station and a second station, comprising:

encrypting a particular data random key at the first station by first veiling the particular data random key using a first conversion array seeded by a shared secret and then encrypting the veiled particular data random key to produce a first encrypted key, where access to the shared secret indicates authenticity of the first station;

sending a first message to the second station including the first encrypted key, where the second station decrypts and unveils said particular data random key using the shared secret, and where the second station encrypts the particular data random key by first veiling a version of the particular data random key using a second conversion array seeded by the shared secret and then encrypting the veiled version of the particular data random key to produce a second encrypted key, and sends a second message to the first station carrying the second encrypted key, nowhere access to the shared secret indicates authenticity of the second station; and

receiving the second message, and decrypting and unveiling the version of the particular data random key at the first station.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An interactive mutual authentication protocol, which does not allow shared secrets to pass through untrusted communication media, integrates an encryption key management system into the authentication protocol. The server encrypts a particular data random key by first veiling the particular data random key using a first conversion array seeded by a shared secret, and then encrypting the veiled particular data random key. The client decrypts and unveils the particular data random key using the shared secret, and returns a similarly veiled version of the particular data random key using a second conversion array seeded by a shared secret. Access to the shared secret indicates authenticity of the stations. The procedure may be repeated for a second shared secret for strong authentication, without allowing shared secrets to pass via untrusted media.

73 Citations

View as Search Results

27 Claims

1. The method for mutual authentication of a first station and a second station, comprising:
- encrypting a particular data random key at the first station by first veiling the particular data random key using a first conversion array seeded by a shared secret and then encrypting the veiled particular data random key to produce a first encrypted key, where access to the shared secret indicates authenticity of the first station;
  
  sending a first message to the second station including the first encrypted key, where the second station decrypts and unveils said particular data random key using the shared secret, and where the second station encrypts the particular data random key by first veiling a version of the particular data random key using a second conversion array seeded by the shared secret and then encrypting the veiled version of the particular data random key to produce a second encrypted key, and sends a second message to the first station carrying the second encrypted key, nowhere access to the shared secret indicates authenticity of the second station; and
  
  receiving the second message, and decrypting and unveiling the version of the particular data random key at the first station.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 12)
- - 2. The method of claim 1, including encrypting an additional particular data random key at the first station by first veiling the additional particular data random key using a first conversion array seeded by an additional shared secret and then encrypting the veiled particular data random key to produce a first additional encrypted key, where access to the additional shared secret indicates authenticity of the first station;
    - sending a third message to the second station including the additional encrypted key, where the second station decrypts and unveils said additional particular data random key using the additional shared secret, and where the second station encrypts the additional particular data random key by first veiling a version of the additional particular data random key using a second conversion array seeded by the additional shared secret and then encrypting the veiled version of the additional particular data random key to produce a second additional encrypted key, and sends a second message to the first station carrying the second additional encrypted key, where access to the additional shared secret indicates authenticity of the second station; and
      
      receiving the second message, and decrypting and unveiling the version of the additional particular data random key at the first station.
  - 3. The method of claim 2, wherein said additional particular data random key is the same as the particular data random key.
  - 4. The method of claim 1, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, and including instructions generating one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, and placing a byte of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values.
  - 5. The method of claim 1, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Z bit positions in an order, and including generating one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Z and identifying one of said Z bit positions, and placing a bit of said random key in each of said X sections at the one of said Z bit positions identified by the corresponding one of said X values.
  - 6. The method of claim 1, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, each of said Y byte positions including B bit positions in an order, and including generating one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a first pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, using a random number generator seeded by said shared secret to produce a second pseudorandom number having B values corresponding with respective bits in a byte of said random key, the B values each being between 1 and B and identifying one of said B bit positions, placing a byte, including B bits, of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values, and mapping the B bits of said byte of said random key to said B bit positions identified by the corresponding one of said B values.
  - 7. The method of claim 1, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, each of said Y byte positions including B bit positions in an order, and including generating one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a first pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, using a random number generator to produce a second pseudorandom number having B values corresponding with respective bits in a byte of said random key, the B values each being between 1 and B and identifying one of said B bit positions, placing a byte, including B bits, of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values, and mapping the B bits of said byte of said random key to said B bit positions identified by the corresponding one of said B values.
  - 8. The method of claim 1, including presenting a use interface to the second station from the first station carrying parameters of said first and second conversion arrays.
  - 9. The method of claim 1, including executing an interactive exchange of messages to deliver the particular data random key from the first station to the second station.
  - 12. The apparatus of claim 11, wherein said additional particular data random key is the same as the particular data random key.

10. A data processing apparatus, comprising:
- a processor, a communication interface adapted for connection to a communication medium, and memory storing instructions for execution by the data processor, the instructions including logic to encrypt a particular data random key at the first station by first veiling the particular data random key using a first conversion array seeded by a shared secret and then encrypting the veiled particular data random key to produce a first encrypted key, where access to the shared secret indicates authenticity of the first station;
  
  logic to send a first message to the second station including the first encrypted key, where the second station decrypts and unveils said particular data random key using the shared secret, and where the second station encrypts the particular data random key by first veiling a version of the particular data random key using a second conversion array seeded by the shared secret and then encrypting the veiled version of the particular data random key to produce a second encrypted key, and sends a second message to the first station carrying the second encrypted key, where access to the shared secret indicates authenticity of the second station; and
  
  logic to receive the second message, and to decrypt and unveil the version of the particular data random key at the first station.
- View Dependent Claims (11, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, including logic to encrypt an additional particular data random key at the first station by first veiling the additional particular data random key using a first conversion array seeded by an additional shared secret and then encrypting the veiled particular data random key to produce a first additional encrypted key, where access to the additional shared secret indicates authenticity of the first station;
    - logic to send a third message to the second station including the additional encrypted key, where the second station decrypts and unveils said additional particular data random key using the additional shared secret, and where the second station encrypts the additional particular data random key by first veiling a version of the additional particular data random key using a second conversion array seeded by the additional shared secret and then encrypting the veiled version of the additional particular data random key to produce a second additional encrypted key, and sends a second message to the first station carrying the second additional encrypted key, where access to the additional shared secret indicates authenticity of the second station; and
      
      logic to receive the second message, and to decrypt and unveil the version of the additional particular data random key at the first station.
  - 13. The apparatus of claim 10, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, and including logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, and to place a byte of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values.
  - 14. The apparatus of claim 10, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Z bit positions in an order, and including logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Z and identifying one of said Z bit positions, and to place a bit of said random key in each of said X sections at the one of said Z bit positions identified by the corresponding one of said X values.
  - 15. The apparatus of claim 10, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, each of said Y byte positions including B bit positions in an order, and including logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a first pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, use a random number generator seeded by said shared secret to produce a second pseudorandom number having B values corresponding with respective bits in a byte of said random key, the B values each being between 1 and B and identifying one of said B bit positions, place a byte, including B bits, of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values, and map the B bits of said byte of said random key to said B bit positions identified by the corresponding one of said B values.
  - 16. The apparatus of claim 10, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, each of said Y byte positions including B bit positions in an order, and including logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a first pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, use a random number generator to produce a second pseudorandom number having B values corresponding with respective bits in a byte of said random key, the B values each being between 1 and B and identifying one of said B bit positions, place a byte, including B bits, of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values, and map the B bits of said byte of said random key to said B bit positions identified by the corresponding one of said B values.
  - 17. The apparatus of claim 10, including logic to present a user interface to the second station from the first station carrying parameters of said first and second conversion arrays.
  - 18. The apparatus of claim 10, including logic to execute an interactive exchange of messages to deliver the particular data random key from the first station to the second station.

19. An article, comprising:
- machine readable data storage medium having computer program instructions stored therein for establishing a communication session on a communication medium between a first data processing station and a second data processing station having access to the communication medium, said instructions comprising logic to encrypt a particular data random key at the first station by first veiling the particular data random key using a first conversion array seeded by a shared secret and then encrypting the veiled particular data random key to produce a first encrypted key, where access to the shared secret indicates authenticity of the first station;
  
  logic to send a first message to the second station including the first encrypted key, where the second station decrypts and unveils said particular data random key using the shared secret, and where the second station encrypts the particular data random key by first veiling a version of the particular data random key using a second conversion array seeded by the shared secret and then encrypting the veiled version of the particular data random key to produce a second encrypted key, and sends a second message to the first station carrying the second encrypted key, where access to the shared secret indicates authenticity of the second station; and
  
  logic to receive the second message, and to decrypt and unveil the version of the particular data random key at the first station.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The article of claim 19, the instructions including logic to encrypt an additional particular data random key at the first station by first veiling the additional particular data random key using a first conversion array seeded by an additional shared secret and then encrypting the veiled particular data random key to produce a first additional encrypted key, where access to the additional shared secret indicates authenticity of the first station;
    - logic to send a third message to the second station including the additional encrypted key, where the second station decrypts and unveils said additional particular data random key using the additional shared secret, and where the second station encrypts the additional particular data random key by first veiling a version of the additional particular data random key using a second conversion array seeded by the additional shared secret and then encrypting the veiled version of the additional particular data random key to produce a second additional encrypted key, and sends a second message to the first station carrying the second additional encrypted key, where access to the additional shared secret indicates authenticity of the second station; and
      
      logic to receive the second message, and to decrypt and unveil the version of the additional particular data random key at the first station.
  - 21. The article of claim 19, wherein said additional particular data random key is the same as the particular data random key.
  - 22. The article of claim 19, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, and the instructions include logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, and to place a byte of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values.
  - 23. The article of claim 19, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Z bit positions in an order, and the instructions include logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Z and identifying one of said Z bit positions, and to place a bit of said random key in each of said X sections at the one of said Z bit positions identified by the corresponding one of said X values.
  - 24. The article of claim 19, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, each of said Y byte positions including B bit positions in an order, and the instructions include logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a first pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, use a random number generator seeded by said shared secret to produce a second pseudorandom number having B values corresponding with respective bits in a byte of said random key, the B values each being between 1 and B and identifying one of said B bit positions, place a byte, including B bits, of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values, and map the B bits of said byte of said random key to said B bit positions identified by the corresponding one of said B values.
  - 25. The article of claim 19, where the one of the first and second conversion arrays comprises X sections, each of said X sections including Y byte positions in an order, each of said Y byte positions including B bit positions in an order, and the instructions include logic to generate one of the first and second conversion arrays using a random number generator seeded by said shared secret to produce a first pseudorandom number having X values corresponding with respective sections of said X sections, the X values each being between 1 and Y and identifying one of said Y byte positions, use a random number generator to produce a second pseudorandom number having B values corresponding with respective bits in a byte of said random key, the B values each being between 1 and B and identifying one of said B bit positions, place a byte, including B bits, of said random key in each of said X sections at the one of said Y byte positions identified by the corresponding one of said X values, and map the B bits of said byte of said random key to said B bit positions identified by the corresponding one of said B values.
  - 26. The article of claim 19, wherein the instructions include logic to present a user interface to the second station from the first station carrying parameters of said first and second conversion arrays.
  - 27. The article of claim 19, wherein the instructions include logic to execute an interactive exchange of messages to deliver the particular data random key from the first station to the second station.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Authernative
Original Assignee
Authernative, Inc.
Inventors
Mizrah, Len L.

Granted Patent

US 7,299,356 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 9/0822   using key encryption key

H04L 9/0844   with user authentication or...

Key conversion method for communication session encryption and authentication system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Key conversion method for communication session encryption and authentication system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links