Key conversion method for communication session encryption and authentication system
Abstract
An interactive mutual authentication protocol, which does not allow shared secrets to pass through untrusted communication media, integrates an encryption key management system into the authentication protocol. The server encrypts a particular data random key by first veiling the particular data random key using a first conversion array seeded by a shared secret, and then encrypting the veiled particular data random key. The client decrypts and unveils the particular data random key using the shared secret, and returns a similarly veiled version of the particular data random key using a second conversion array seeded by a shared secret. Access to the shared secret indicates authenticity of the stations. The procedure may be repeated for a second shared secret for strong authentication, without allowing shared secrets to pass via untrusted media.
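The exchange described in the abstract, as an added sketch that is not code from the patent or its assignee. The page does not define the conversion array or the encryption step, so the secret-keyed byte permutation, the HMAC-SHA256 keystream standing in for encryption, the pre-established session key and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def conversion_array(shared_secret: bytes, label: bytes, n: int) -> list[int]:
    # Assumption: the array is a permutation of byte positions keyed by the secret.
    return sorted(range(n), key=lambda i: hmac.new(
        shared_secret, label + bytes([i]), hashlib.sha256).digest())

def veil(key: bytes, arr: list[int]) -> bytes:
    out = bytearray(len(key))
    for i, pos in enumerate(arr):
        out[pos] = key[i]  # byte i moves to position arr[i]
    return bytes(out)

def unveil(veiled: bytes, arr: list[int]) -> bytes:
    return bytes(veiled[pos] for pos in arr)

def stand_in_cipher(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the unspecified encryption step (XOR keystream, max 32 bytes).
    # Unauthenticated and illustrative only; the same call decrypts.
    stream = hmac.new(session_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def run_exchange(first_secret: bytes, second_secret: bytes) -> bool:
    session_key = secrets.token_bytes(32)  # assumed to be established earlier
    data_key = secrets.token_bytes(32)     # the "particular data random key"
    n = len(data_key)
    # First station: veil with the first array, then encrypt.
    first_arr = conversion_array(first_secret, b"first", n)
    msg1 = stand_in_cipher(session_key, b"msg1", veil(data_key, first_arr))
    # Second station: decrypt and unveil, then re-veil with the second array.
    veiled = stand_in_cipher(session_key, b"msg1", msg1)
    recovered = unveil(veiled, conversion_array(second_secret, b"first", n))
    second_arr = conversion_array(second_secret, b"second", n)
    msg2 = stand_in_cipher(session_key, b"msg2", veil(recovered, second_arr))
    # First station: decrypt, unveil, compare in constant time.
    veiled = stand_in_cipher(session_key, b"msg2", msg2)
    returned = unveil(veiled, conversion_array(first_secret, b"second", n))
    return hmac.compare_digest(returned, data_key)

if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"s3cret", b"s3cret"))
    print("mismatched secrets:", run_exchange(b"s3cret", b"guess"))
```

The shared secret never appears in either message; a station holding a different secret derives different arrays, so the key it returns fails the comparison.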
27 Claims
1. The method for mutual authentication of a first station and a second station, comprising:
encrypting a particular data random key at the first station by first veiling the particular data random key using a first conversion array seeded by a shared secret and then encrypting the veiled particular data random key to produce a first encrypted key, where access to the shared secret indicates authenticity of the first station;
sending a first message to the second station including the first encrypted key, where the second station decrypts and unveils said particular data random key using the shared secret, and where the second station encrypts the particular data random key by first veiling a version of the particular data random key using a second conversion array seeded by the shared secret and then encrypting the veiled version of the particular data random key to produce a second encrypted key, and sends a second message to the first station carrying the second encrypted key, where access to the shared secret indicates authenticity of the second station; and
receiving the second message, and decrypting and unveiling the version of the particular data random key at the first station.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 12
10. A data processing apparatus, comprising:
a processor, a communication interface adapted for connection to a communication medium, and memory storing instructions for execution by the data processor, the instructions including logic to encrypt a particular data random key at the first station by first veiling the particular data random key using a first conversion array seeded by a shared secret and then encrypting the veiled particular data random key to produce a first encrypted key, where access to the shared secret indicates authenticity of the first station;
logic to send a first message to the second station including the first encrypted key, where the second station decrypts and unveils said particular data random key using the shared secret, and where the second station encrypts the particular data random key by first veiling a version of the particular data random key using a second conversion array seeded by the shared secret and then encrypting the veiled version of the particular data random key to produce a second encrypted key, and sends a second message to the first station carrying the second encrypted key, where access to the shared secret indicates authenticity of the second station; and
logic to receive the second message, and to decrypt and unveil the version of the particular data random key at the first station.
Dependent claims: 11, 13, 14, 15, 16, 17, 18
19. An article, comprising:
machine readable data storage medium having computer program instructions stored therein for establishing a communication session on a communication medium between a first data processing station and a second data processing station having access to the communication medium, said instructions comprising logic to encrypt a particular data random key at the first station by first veiling the particular data random key using a first conversion array seeded by a shared secret and then encrypting the veiled particular data random key to produce a first encrypted key, where access to the shared secret indicates authenticity of the first station;
logic to send a first message to the second station including the first encrypted key, where the second station decrypts and unveils said particular data random key using the shared secret, and where the second station encrypts the particular data random key by first veiling a version of the particular data random key using a second conversion array seeded by the shared secret and then encrypting the veiled version of the particular data random key to produce a second encrypted key, and sends a second message to the first station carrying the second encrypted key, where access to the shared secret indicates authenticity of the second station; and
logic to receive the second message, and to decrypt and unveil the version of the particular data random key at the first station.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27
Specification