Use of static Diffie-Hellman key with IPSec for authentication
Abstract
Embodiments of the invention authenticate devices and establish secure connections between devices using static Diffie-Hellman key pairs. A first device obtains in a trusted manner a static DH public key of a second device prior to negotiation. The second device negotiates a secure connection to the first device using a shared secret created from the static DH public key, which serves as both a claim on the second device's identity and an encryption key. The static DH public key can be used to establish subsequent secure, authenticated communications sessions.
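The scheme in the abstract, as an added Python sketch that is not taken from the patent: the initiator pins the responder's static DH public key in advance, and the responder's ability to produce a payload under the resulting shared secret is what authenticates it. Assumptions: the toy group (p = 2^255 - 19, g = 2), SHA-256 key derivation, the HMAC-based stand-in cipher and all function names are hypothetical choices for the demo; real IKE negotiates its groups and ciphers.

```python
import hashlib, hmac, secrets

# Assumption: toy group for the demo only; real IKE negotiates a standard MODP/ECP group.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    if not 1 < peer_pub < P - 1:                 # reject degenerate public values
        raise ValueError("bad DH public value")
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not IKE's negotiated cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("payload not produced with the shared secret")
    return _xor_stream(key, nonce, ct)

def initiator_accepts(pinned_pub, offered_pub, responder_priv):
    """Initiator view: True only if the peer proves possession of the pinned static key."""
    if offered_pub != pinned_pub:                # identity claim does not match the pin
        return False
    i_priv, i_pub = keypair()                    # initiator's own DH key for this exchange
    # Responder side: derives the secret from its private key and the initiator's public key.
    reply = seal(session_key(responder_priv, i_pub), b"responder-ok")
    try:                                         # initiator side: secret from the pinned key
        return unseal(session_key(i_priv, pinned_pub), reply) == b"responder-ok"
    except ValueError:
        return False
```

Because the responder's key pair is static, anyone who obtains its private key can recompute every session secret derived from it, so that key and the initiator's pin store need correspondingly strong protection.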
23 Claims
1. A method for establishing a secure communications channel and authenticating a party, for use by an initiator in an Internet Security Protocol (IPSec) negotiation, comprising:
initiating an Internet Key Exchange (IKE) negotiation with a responder;
transmitting, to the responder, a public Diffie-Hellman (DH) key of the initiator;
receiving, from the responder, a public DH key of the responder;
transmitting, to the responder, a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder;
receiving, from the responder, a payload encrypted with the shared secret; and
decrypting the payload;
wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A method for establishing a secure communications channel and authenticating a party, for use by a responder in an Internet Security Protocol (IPSec) negotiation, comprising:
receiving an Internet Key Exchange (IKE) negotiation request from an initiator;
transmitting, to the initiator, a public Diffie-Hellman (DH) key of the responder;
receiving, from the initiator, a public DH key of the initiator;
transmitting, to the initiator, a payload encrypted with a shared secret created from the public DH key of the initiator and the private DH key corresponding to the public DH key of the responder transmitted to the initiator;
receiving, from the initiator, a payload encrypted with the shared secret; and
decrypting the payload;
wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A method of establishing, between an initiator and a responder, a secure communications channel following the Internet Security Protocol (IPSec), comprising using the Internet Key Exchange (IKE) protocol, wherein a static Diffie-Hellman (DH) key-pair is used by at least one of the initiator or the responder to establish confidentiality and authentication.

18. A system for establishing a secure communications channel between networked devices comprising:
a first networked device generating a Diffie-Hellman (DH) key pair;
a portable media device storing the DH key pair generated by the first networked device;
a second networked device reading the DH key pair from the portable media device; and
the second networked device using the DH key pair to ensure confidentiality and authenticity in securing a communications channel with another networked device, following the Internet Key Exchange (IKE) and Internet Security (IPSec) protocols.
Dependent claims: 19

20. A computer-readable medium including computer-executable instructions facilitating establishing a secure communications channel and authenticating a party, for execution by an initiator in an Internet Security Protocol (IPSec) negotiation, said computer-executable instructions executing the steps of:
initiating an Internet Key Exchange (IKE) negotiation with a responder;
transmitting, to the responder, a public Diffie-Hellman (DH) key of the initiator;
receiving, from the responder, a public DH key of the responder;
transmitting, to the responder, a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder;
receiving, from the responder, a payload encrypted with the shared secret; and
decrypting the payload;
wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
Dependent claims: 21, 22, 23

Specification