System and method for provisioning and authenticating via a network

US 20050120213A1
Filed: 12/01/2003
Published: 06/02/2005
Est. Priority Date: 12/01/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of authenticating communication between a first and a second party, the method comprising:

provisioning a first secure credential between the first party and the second party;

establishing a secure tunnel between the first party and the second party using the first secure credential;

authenticating a relationship between the first party and the second party within the secure tunnel using a second secure credential to establish an authorization policy; and

distributing an update to one of the first secure credential and the second secure credential within the secure tunnel to update the authorization policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System architecture and corresponding method for securing communication via a network (e.g. IEEE 802.11) is provided. In accordance with one embodiment, the present system and method protocol, may be suitably configured to achieve mutual authentication by using a shared secret to establish a tunnel used to protect weaker authentication methods (e.g. user names and passwords). The shared secret, referred to in this embodiment as the protected access credential may be advantageously used to mutually authenticate a server and a peer upon securing a tunnel for communication via a network. The present system and method disclosed and claimed herein, in one aspect thereof, comprises the steps of 1) providing a communication implementation between a first and a second party; 2) provisioning a secure credential between the first and the second party; and 3) establishing a secure tunnel between the first and the second party using the secure credential.

Citations

23 Claims

1. A method of authenticating communication between a first and a second party, the method comprising:
- provisioning a first secure credential between the first party and the second party;
  
  establishing a secure tunnel between the first party and the second party using the first secure credential;
  
  authenticating a relationship between the first party and the second party within the secure tunnel using a second secure credential to establish an authorization policy; and
  
  distributing an update to one of the first secure credential and the second secure credential within the secure tunnel to update the authorization policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method set forth in claim 1 further comprising the step of protecting the termination of the authenticated conversation by use of a tunnel encryption and authentication to protect against a denial of service by an unauthorized user.
  - 3. The method set forth in claim 1 wherein the step of provisioning occurs within a wired implementation.
  - 4. The method set forth in claim 1 wherein the step of provisioning occurs within a wireless implementation.
  - 5. The method set forth in claim 1 wherein the first secure credential is a protected access credential (PAC).
  - 6. The method set forth in claim 5 wherein the protected access credential includes a protected access credential key.
  - 7. The method set forth in claim 6 wherein the protected access credential key is a strong entropy key.
  - 8. The method set forth in claim 7 wherein the entropy key is a 32-octet key.
  - 9. The method set forth in claim 6 wherein the protected access credential includes a protected access credential opaque element.
  - 10. The method set forth in claim 6 wherein the protected access credential includes a protected access credential information element.
  - 11. The method set forth in claim 1 wherein the step of provisioning occurs through out-of-band mechanisms.
  - 12. The method set forth in claim 1 wherein the step of provisioning occurs through in-band mechanisms.
  - 13. The method set forth in claim 1 wherein the step of establishing the secure tunnel includes the step of establishing a tunnel key using a symmetric cryptographic technique.
  - 14. The method set forth in claim 13 wherein the step of establishing a tunnel key further includes the step of establishing a session_key_seed to be used in protecting the secure tunnel integrity and establishing a master session key.
  - 15. The method set forth in claim 1 wherein the step of authenticating is performed using EAP-GTC.
  - 16. The method set forth in claim 1 wherein the step of authenticating is performed using Microsoft MS-CHAP v2.

17. A system for communicating via a network, the system comprising:
- means for providing a communication link between a first party and a second party;
  
  means for provisioning a first secure credential between the first and the second party;
  
  means for establishing a secure tunnel utilizing the first secure credential;
  
  means for authenticating a relationship between the first party and the second party within the secure tunnel using a second secure credential to establish an authorization policy; and
  
  means for delivering an update to one of the first secure credential and the second secure credential to update the authorization policy.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system for communicating set forth in claim 17 wherein the communication link is a wireless network.
  - 19. The system for communicating set forth in claim 17 wherein the communication link is a wired network.
  - 20. The system for communicating set forth in claim 17 wherein the first secure credential is a protected access credential (PAC).
  - 21. The system for communicating set forth in claim 18 wherein the wireless network is an 802.11 wireless network.

22. An article of manufacture embodied in a computer-readable medium for use in a processing system for communicating via a network, the article comprising:
- a provisioning logic for causing the processing system to establish a shared secret between a first and a second party;
  
  a tunnel establishment logic for causing the processing system to establish a secure tunnel based upon the shared secret;
  
  an authentication logic for causing the processing system to authenticate a communication link between the first and the second party within the secure tunnel based upon a secure credential; and
  
  a second provisioning logic for causing the processing system to provision an access; and
  
  a delivery logic for causing the processing system to deliver an update to one of the shared secret and the secure credential via the network.
- View Dependent Claims (23)
- - 23. The article set forth in claim 22 wherein the tunnel establishment logic further includes a key generation logic for causing the processing system to generate a secure key for encrypting and signing a communication between the first party and the second party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gillai, Saar, Jakkahalli, Padmanabha Cheluvaraju, Stieglitz, Jeremy, Krischer, Mark, Zhou, Hao, Salowey, Joseph A., Winget, Nancy Cam

Application Number

US10/724,995
Publication Number

US 20050120213A1
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 63/1458   Denial of Service

H04L 9/0838   Key agreement, i.e. key est...

H04W 12/02   Protecting privacy or anony...

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/35   Protecting application or s...

System and method for provisioning and authenticating via a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for provisioning and authenticating via a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links