Key generation method for communication session encryption and authentication system

US 20050050328A1
Filed: 09/02/2003
Published: 03/03/2005
Est. Priority Date: 09/02/2003
Status: Active Grant

First Claim

Patent Images

1. A method for producing ephemeral encryption keys at a first station for use in a communication session with a second station, comprising:

assigning an ephemeral session key in said first station, in response to a request received by said first station during a session random key initiation interval for use in a first exchange of said plurality of exchanges;

associating, in said first station, a set of ephemeral intermediate data random keys with said request for use in said plurality of exchanges;

sending at least one message carrying said session key to the second station, and receiving a response from the second station including a shared parameter, which is shared between the first station and the second station, or between the first station and a user at the second station, encrypted using said session random key verifying receipt of the session random key; and

sending, after verifying receipt of the session random key at the second station, at least one message carrying an encrypted version of one of said set of ephemeral intermediate data random keys encrypted to be accepted as an encryption key for the session.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An interactive mutual authentication protocol, which does not allow shared secrets to pass through untrusted communication media, integrates an encryption key management system into the authentication protocol. The server provides ephemeral encryption keys in response to a request during a Session Random Key (SRK) initiation interval. SRK is provided for all sessions initiated in the SRK initiation interval. A set of ephemeral intermediate Data Random Keys (DRK) is associated with each request. A message carrying the SRK is sent to the requestor. A response from the requester includes a shared parameter encrypted using the SRK verifying receipt of the SRK. After verifying receipt of the SRK at the requester, at least one message is sent by the server carrying an encrypted version of one of said set of ephemeral intermediate DRK to be accepted as an encryption key for the session.

Citations

21 Claims

1. A method for producing ephemeral encryption keys at a first station for use in a communication session with a second station, comprising:
- assigning an ephemeral session key in said first station, in response to a request received by said first station during a session random key initiation interval for use in a first exchange of said plurality of exchanges;
  
  associating, in said first station, a set of ephemeral intermediate data random keys with said request for use in said plurality of exchanges;
  
  sending at least one message carrying said session key to the second station, and receiving a response from the second station including a shared parameter, which is shared between the first station and the second station, or between the first station and a user at the second station, encrypted using said session random key verifying receipt of the session random key; and
  
  sending, after verifying receipt of the session random key at the second station, at least one message carrying an encrypted version of one of said set of ephemeral intermediate data random keys encrypted to be accepted as an encryption key for the session.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, including assigning said session random key to all communication sessions initiated with the first station, during said session random key initiation interval.
  - 3. The method of claim 1, including assigning said session random key to all communication sessions initiated with the first station during said session random key initiation interval, and associating a different set of ephemeral intermediate data random keys with each communication session.
  - 4. The method of claim 1, including providing a buffer at the first station;
    - storing said ephemeral session random keys in the buffer;
      
      associating respective session random key initiation intervals with said ephemeral session random keys stored in said buffer;
      
      using ephemeral session random keys from said buffer as session random keys in response to requests received by said first station during said respective session random key initiation intervals;
      
      removing ephemeral session random keys from said buffer after expiry of the respective session random key lifetime in the buffer.
  - 5. The method of claim 4, wherein said buffer is managed as a circular buffer.
  - 6. The method of claim 4, wherein a session random key lifetime in the buffer for said plurality of exchanges has a value within which the plurality of exchanges can be completed in expected circumstances, and said ephemeral session random keys are removed from said buffer after a multiple M times said value of session random key lifetime to engage into establishing a communication session, where M is less than or equal to 10.
  - 7. The method of claim 4, wherein a session random key lifetime in the buffer for said plurality of exchanges has a value within which the plurality of exchanges can be completed in expected circumstances, and said ephemeral session random keys are removed from said buffer after a multiple M times said value, and the session random key lifetime to engage into establishing a communication session is less than about 90 seconds.

8. A data processing apparatus, comprising:
- a processor, a communication interface adapted for connection to a communication medium, and memory storing instructions for execution by the data processor, the instructions including logic to receive a request via the communication interface for initiation of a communication session between a first station and a second station;
  
  logic to provide ephemeral encryption keys at the first station, in response to a request received by said first station during a session random key initiation interval for use in a first exchange of said plurality of exchanges, to associate, in said first station, a set of ephemeral intermediate data random keys with said request for use in said plurality of exchanges, and logic to send at least one message carrying said session random key to the second station, and to receive a response from the second station including a shared parameter encrypted using said session random key verifying receipt of the session random key; and
  
  logic to send, after verifying receipt of the session random key at the second station, at least one message carrying an encrypted version of one of said set of ephemeral intermediate data random keys encrypted to be accepted as an encryption key for the session.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, including logic to assign said session random key to all communication sessions initiated with the first station, during said session random key initiation interval.
  - 10. The apparatus of claim 8, including logic to assign said session random key to all communication sessions initiated with the first station during said session random key initiation interval, and to associate a different set of ephemeral intermediate data random keys with each communication session.
  - 11. The apparatus of claim 8, including a buffer at the first station;
    - logic to store said ephemeral session random keys in the buffer, to associate respective session random key initiation intervals with said ephemeral session random keys stored in said buffer, to use ephemeral session random keys from said buffer as session random keys in response to requests received by said first station during said respective session random key initiation intervals, and to remove ephemeral session random keys from said buffer after expiry of the respective session random key lifetime in the buffer.
  - 12. The apparatus of claim 11, wherein said buffer comprises a circular buffer.
  - 13. The apparatus of claim 11, wherein a session random key lifetime in the buffer for said plurality of exchanges has a value within which the plurality of exchanges can be completed in expected circumstances, and logic to remove said ephemeral session random keys from said buffer after a multiple M times said value of session random key lifetime to engage into establishing a communication session, where M is less than or equal to 10.
  - 14. The apparatus of claim 11, wherein a predicted lifetime for said plurality of exchanges has a value within which the plurality of exchanges can be completed in expected circumstances, and logic to remove said ephemeral session random keys from said buffer after a multiple M times said value, and the session random key lifetime to engage into establishing a communication session is less than about 90 seconds.

15. An article, comprising:
- machine readable data storage medium having computer program instructions stored therein for establishing a communication session on a communication medium between a first data processing station and a second data processing station having access to the communication medium, said instructions comprising logic to receive a request via the communication interface for initiation of a communication session between a first station and a second station;
  
  logic to provide ephemeral encryption keys at the first station, in response to a request received by said first station during a session random key initiation interval for use in a first exchange of said plurality of exchanges, to associate, in said first station, a set of ephemeral intermediate data random keys with said request for use in said plurality of exchanges, and logic to send at least one message carrying said session random key to the second station, and to receive a response from the second station including a shared parameter encrypted using said session random key verifying receipt of the session random key; and
  
  logic to send, after verifying receipt of the session random key at the second station, at least one message carrying an encrypted version of one of said set of ephemeral intermediate data random keys encrypted to be accepted as an encryption key for the session.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The article of claim 15, wherein the instructions include logic to assign said session random key to all communication sessions initiated with the first station, during said session random key initiation interval.
  - 17. The article of claim 15, wherein the instructions include logic to assign said session random key to all communication sessions initiated with the first station during said session random key initiation interval, and to associate a different set of ephemeral intermediate data random keys with each communication session.
  - 18. The article of claim 15, including a buffer at the first station;
    - and the instructions include logic to store said ephemeral session random keys in the buffer, to associate respective session random key initiation intervals with said ephemeral session random keys stored in said buffer, to use ephemeral session random keys from said buffer as session random keys in response to requests received by said first station during said respective session random key initiation intervals, and to remove ephemeral session random keys from said buffer after expiry of the respective session random key lifetime in the buffer.
  - 19. The article of claim 18, wherein said buffer comprises a circular buffer.
  - 20. The article of claim 18, wherein a session random key lifetime in the buffer for said plurality of exchanges has a value within which the plurality of exchanges can be completed in expected circumstances, and the instructions include logic to remove said ephemeral session random keys from said buffer after a multiple M times said value of session random key lifetime to engage into establishing a communication session, where M is less than or equal to 10.
  - 21. The article of claim 18, wherein a session random key lifetime in the buffer for said plurality of exchanges has a value within which the plurality of exchanges can be completed in expected circumstances, and the instructions include logic to remove said ephemeral session random keys from said buffer after a multiple M times said value, and the session random key lifetime to engage into establishing a communication session is less than about 90 seconds.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Authernative
Original Assignee
Authernative, Inc.
Inventors
Mizrah, Len L.

Granted Patent

US 7,581,100 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 9/0844   with user authentication or...

H04L 9/3273   for mutual authentication n...

Key generation method for communication session encryption and authentication system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Key generation method for communication session encryption and authentication system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links