Use of static Diffie-Hellman key with IPSec for authentication

US 20050149732A1
Filed: 03/23/2004
Published: 07/07/2005
Est. Priority Date: 01/07/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for establishing a secure communications channel and authenticating a party, for use by an initiator in an Internet Security Protocol (IPSec) negotiation, comprising:

initiating an Internet Key Exchange (IKE) negotiation with a responder;

transmitting, to the responder, a public Diffie-Hellman (DH) key of the initiator;

receiving, from the responder, a public DH key of the responder;

transmitting, to the responder, a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder;

receiving, from the responder, a payload encrypted with the shared secret; and

decrypting the payload;

wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention authenticate devices and establish secure connections between devices using static Diffie-Hellman key pairs. A first device obtains in a trusted manner a static DH public key of a second device prior to negotiation. The second device negotiates a secure connection to the first device using a shared secret created from the static DH public key, which serves as both a claim on the second device'"'"'s identity and an encryption key. The static DH public key can be used to establish subsequent secure, authenticated communications sessions.

Citations

23 Claims

1. A method for establishing a secure communications channel and authenticating a party, for use by an initiator in an Internet Security Protocol (IPSec) negotiation, comprising:
- initiating an Internet Key Exchange (IKE) negotiation with a responder;
  
  transmitting, to the responder, a public Diffie-Hellman (DH) key of the initiator;
  
  receiving, from the responder, a public DH key of the responder;
  
  transmitting, to the responder, a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder;
  
  receiving, from the responder, a payload encrypted with the shared secret; and
  
  decrypting the payload;
  
  wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the public DH key of the responder is previously known to the initiator and is a claim on the identity of the responder.
  - 3. The method of claim 2 wherein the responder has previously obtained the public DH key of the initiator from a portable media device.
  - 4. The method of claim 1 wherein the public DH key of the initiator is previously known to the responder and is a claim on the identity of the initiator.
  - 5. The method of claim 4 wherein the initiator has previously obtained the public DH key of the responder from a portable media device.
  - 6. The method of claim 1 wherein the secure communications channel is a channel in a virtual private network (VPN).
  - 7. The method of claim 6 wherein the VPN comprises a client and a server, and a public DH key of the VPN client is transmitted as a hint to the identity of the client.

8. A method for establishing a secure communications channel and authenticating a party, for use by a responder in an Internet Security Protocol (IPSec) negotiation, comprising:
- receiving an Internet Key Exchange (IKE) negotiation request from an initiator;
  
  transmitting, to the initiator, a public Diffie-Hellman (DH) key of the responder;
  
  receiving, from the initiator, a public DH key of the initiator;
  
  transmitting, to the initiator, a payload encrypted with a shared secret created from the public DH key of the initiator and the private DH key corresponding to the public DH key of the responder transmitted to the initiator;
  
  receiving, from the initiator, a payload encrypted with the shared secret; and
  
  decrypting the payload;
  
  wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 wherein the public DH key of the responder is previously known to the initiator and is a claim on the identity of the responder.
  - 10. The method of claim 9 wherein the responder has previously obtained the public DH key of the initiator from a portable media device.
  - 11. The method of claim 8 wherein the public DH key of the initiator is previously known to the responder and is a claim on the identity of the initiator.
  - 12. The method of claim 11 wherein the initiator has previously obtained the public DH key of the responder from a portable media device.
  - 13. The method of claim 8 wherein the secure communications channel is a channel in a virtual private network (VPN).
  - 14. The method of claim 13 wherein VPN comprises a client and a server, and a public DH key of the VPN client is received as a hint to the identity of the client.

15. A method of establishing, between an initiator and a responder, a secure communications channel following the Internet Security Protocol (IPSec), comprising using the Internet Key Exchange (IKE) protocol, wherein a static Diffie-Hellman (DH) key-pair is used by at least one of the initiator or the responder to establish confidentiality and authentication.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 wherein the private DH key of the DH key-pair is used to create a claim of identity for the initiator or the responder.
  - 17. The method of claim 15 wherein the secure communications channel is a channel in a virtual private network.

18. A system for establishing a secure communications channel between networked devices comprising:
- a first networked device generating a Diffie-Hellman (DH) key pair;
  
  a portable media device storing the DH key pair generated by the first networked device;
  
  a second networked device reading the DH key pair from the portable media device; and
  
  the second networked device using the DH key pair to ensure confidentiality and authenticity in securing a communications channel with another networked device, following the Internet Key Exchange (IKE) and Internet Security (IPSec) protocols.
- View Dependent Claims (19)
- - 19. The system of claim 18 wherein the secure communications channel is a channel in a virtual private network.

20. A computer-readable medium including computer-executable instructions facilitating establishing a secure communications channel and authenticating a party, for execution by an initiator in an Internet Security Protocol (IPSec) negotiation, said computer-executable instructions executing the steps of:
- initiating an Internet Key Exchange (IKE) negotiation with a responder;
  
  transmitting, to the responder, a public Diffie-Hellman (DH) key of the initiator;
  
  receiving, from the responder, a public DH key of the responder;
  
  transmitting, to the responder, a payload encrypted with a shared secret created from the public DH key of the responder and the private DH key corresponding to the public DH key of the initiator transmitted to the responder;
  
  receiving, from the responder, a payload encrypted with the shared secret; and
  
  decrypting the payload;
  
  wherein the public DH key of the responder is a claim on the identity of the responder and the shared secret is used to authenticate the identity of the responder, or the public DH key of the initiator is a claim on the identity of the initiator and the shared secret is used to authenticate the identity of the initiator.
- View Dependent Claims (21, 22, 23)
- - 21. The computer-readable medium of claim 20 wherein the public DH key of the responder is previously known to the initiator and is as a claim on the identity of the responder.
  - 22. The computer-readable medium of claim 20 wherein the public DH key of the initiator is previously known to the responder and is a claim on the identity of the initiator.
  - 23. The computer-readable medium of claim 20 wherein the secure communications channel is a channel in a virtual private network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rovi Technologies Corporation (Adeia Inc.)
Original Assignee
Microsoft Corporation
Inventors
Swander, Brian D., Manchester, Scott, Freeman, Trevor W., Mayfield, Paul G.

Application Number

US10/806,772
Publication Number

US 20050149732A1
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 41/0806   for initial configuration o...

H04L 41/0843   based on generic templates

H04L 41/0879   Manual configuration throug...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/303   Terminal profiles

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04W 12/041   Key generation or derivation

H04W 12/065   Continuous authentication

H04W 28/18   Negotiating wireless commun...

H04W 48/08   Access restriction or acces...

H04W 48/16   Discovering, processing acc...

H04W 76/10 : Connection setup

View All

Use of static Diffie-Hellman key with IPSec for authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Use of static Diffie-Hellman key with IPSec for authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links