Secure spontaneous associations between networkable devices

US 20060209843A1
Filed: 02/25/2005
Published: 09/21/2006
Est. Priority Date: 02/25/2005
Status: Active Grant

First Claim

Patent Images

1. A method for communicating a public key of a sender device to a receiver device, the method comprising:

transmitting a plurality of messages to the receiver device, each message including a first message portion including the public key of the sender device and a message identifier, and a value representing a predetermined transformation of the first message portion;

receiving at least a subset of the plurality of messages at the receiver device;

verifying that each received message fulfils at least one predetermined criterion;

extracting a respective message identifier from each received messages;

transmitting the message identifiers extracted from the received messages to the sender device; and

verifying that each of said transmitted message identifiers that are received at the sender device are message identifiers that were included in a message of the plurality of messages transmitted to the receiver device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a first aspect, the present invention provides a protocol for communications across a securable communication channel between a first device and a second device. The protocol includes the transmission of a plurality of uniquely identifiable messages which each include security-related data, from the first device to the second device. The protocol includes determining whether a subset of messages that are received by the second device comply with at least one predetermined message criterion and are identifiable as having been sent from the first device. In the event that said subset of messages are determined to comply with the predetermined verification criterion (or criteria) and are identifiable as having been sent from the first device, the security-related data is determined to have been successfully communicated to the second device.

47 Citations

View as Search Results

37 Claims

1. A method for communicating a public key of a sender device to a receiver device, the method comprising:
- transmitting a plurality of messages to the receiver device, each message including a first message portion including the public key of the sender device and a message identifier, and a value representing a predetermined transformation of the first message portion;
  
  receiving at least a subset of the plurality of messages at the receiver device;
  
  verifying that each received message fulfils at least one predetermined criterion;
  
  extracting a respective message identifier from each received messages;
  
  transmitting the message identifiers extracted from the received messages to the sender device; and
  
  verifying that each of said transmitted message identifiers that are received at the sender device are message identifiers that were included in a message of the plurality of messages transmitted to the receiver device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the plurality of messages are transmitted to the receiver device at a first predetermined rate, and the method includes:
    - verifying that the plurality of messages are received at the receiver device at a second predetermined rate.
  - 3. The method of claim 2 including randomly selecting the message identifier for each message.
  - 4. The method of claim 3 wherein the value representing the predetermined transformation of the first message portion is generated using a secure hash function.
  - 5. The method of claim 4 wherein the first message portion further includes a network address of the sender device.
  - 6. The method of claim 4 including storing the message identifiers extracted from the received messages at the receiver device;
    - and communicating the stored message identifiers to the sender device once a predetermined number of messages have been received by the receiver device.
  - 7. The method of claim 4 including storing the message identifiers extracted from the received messages at the receiver device;
    - and communicating the stored message identifiers to the sender device after a predetermined time has elapsed from a time at which a first message was received by the receiver device.
  - 8. The method of claim 4 in which the messages have a predetermined format, and wherein verifying that each received message fulfils at least one predetermined criterion, includes verifying that each of the subset of messages received by the receiver device are in the predetermined format.
  - 9. The method of claim 5 wherein the method is terminated if at least one of the following occur:
    - the value representing the predetermined transformation of the first message portion of a message of the subset of messages received by the receiver device is not correct;
      
      a common sender key is not included in each message of the subset of messages received by the receiver device;
      
      the messages of the subset of messages received by the receiver device are not received at the second predefined rate;
      
      a common sender network address is not included in each message of the subset of messages received by the receiver device.

10. A method for communicating a public key of a sender device to a receiver device, the method comprising:
- transmitting a plurality of messages to the receiver device, each message including a first message portion including the public key of the sender device and a message identifier, and a value representing a predetermined transformation of the first message portion;
  
  receiving from the receiver device a plurality of message;
  
  verifying that each of said received messages includes a message identifier that was sent to the receiver device in a message of the plurality of messages transmitted to the receiver device.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10 wherein the first message portion of the plurality of messages further includes a network address of the sender device.
  - 12. The method of claim 11 wherein the plurality of messages are transmitted to the receiver device at a first predetermined rate.
  - 13. The method of claim 12 wherein the value representing the predetermined transformation of the first message portion of the messages in the plurality of messages are generated using a secure hash function.

14. A method for verifying that an association formed between a first device and second device has been secured with a valid session key pair including:
- transmitting a set of message from the first device to the second device wherein each message includes a unique message identifier and is encrypted with a session key of the first device;
  
  verifying the reception and decryption of at least a subset of the transmitted set of messages by the second device wherein the decryption is performed using a session key of the second device;
  
  verifying the content of the subset of messages received and decrypted by the second device including verifying that a message identifier portion of at least some of the subset of messages received and decrypted by the second device include a message identifiers that were included in a message of the transmitted set of messages.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method of claim 14 where the method further includes:
    - transmitting a second set of messages from the second device to the first device wherein each message includes a unique message identifier and is encrypted with a session key of the second device;
      
      verifying the reception and decryption of at least a second subset of the transmitted second set of messages by the first device wherein the decryption is performed using a session key of the first device;
      
      verifying the content of the second subset of messages received and decrypted by the first device including verifying that a message identifier portions of at least some of the second subset of messages include a message identifier that was included in a message of the transmitted second set of messages.
  - 16. The method of claim 14 in which verifying the content of the subset of messages received and decrypted by the second device includes transmitting to the first device a set of verification messages each message including at least a message identifier portion of one of the subset of messages received and decrypted by the second device.
  - 17. The method of claim 16 wherein the messages of the set of transmitted messages each further include a network address of the second device and wherein verifying the content of the subset of messages received and decrypted by the second device include verifying that each received and decrypted message includes the network address of the second device.
  - 18. The method of claim 16 wherein the set of messages are transmitted to the first device at a first predefined rate and the second set of messages is transmitted at a second predefined rate.
  - 19. The method of claim 18 wherein verifying the reception and decryption of at least a subset of the transmitted messages includes verifying that the subset of messages are received at the second device at a rate less than or equal to the first predefined rate.
  - 20. The method of claim 19 wherein verifying the content of the subset of messages received and decrypted, includes the first device;
    - identifying a message identifier in the set of verification messages to the first device that was included in a message of the set of messages that was sent at an earliest time, and verifying that set of the verification messages include message identifiers from a predetermined proportion of message in the set of messages that were sent between the earliest time, and a time of reception of the first verification message by the first device.
  - 21. The method of claim 15 in which verifying the content of the subset of messages received and decrypted by the second device includes transmitting a set of verification messages wherein each message includes at least the message identifier portion of a respective one of the subset of messages received and decrypted by the second device, and verifying the content of the second subset of messages received and decrypted by the second devices includes transmitting a second set of verification message including wherein each verification message includes at least the message identifier portion of a respective one of the messages in the second subset of messages.
  - 22. The method of claim 21 wherein the messages in the set of messages each further include a network address of the second device and wherein verifying the content of the subset of messages received and decrypted by the second device include verifying that each received and decrypted message includes t he return address of the second device and the messages of the second set of transmitted messages each further include a network address of the first device and wherein, verifying the content of the subset of messages received and decrypted by the second device includes verifying that each received and decrypted message of the second set includes the network addresses of the first device.
  - 23. The method of claim 22 wherein verifying the reception and decryption of at least a subset of the transmitted messages includes verifying that the subset of messages are received at the second device at a rate less than or equal to the first predefined rate and verifying the reception and decryption of at least a second subset of the transmitted messages includes verifying that the second subset of messages are received at the first device at a rate less than or equal to the second predefined rate.

24. A method of verifying that an association formed between a first device and a second device has been secured with a valid session key pair including:
- transmitting a set of messages from the first device to the second device wherein each message includes a unique message identifier and is encrypted using a session key of the first device;
  
  awaiting confirmation from the second device that it has received and decrypted at least a subset of the set of messages, said confirmation including the transmission of a set of verification messages wherein each message includes a message identifier extracted from the subset of messages received and decrypted by the second device; and
  
  verifying that said set of verification messages is received from the second device and that the set of verification messages includes a plurality of message identifiers that were included in respective messages of the transmitted set of messages.
- View Dependent Claims (25)
- - 25. The method of claim 24 which further includes receiving a second subset of messages from the second device;
    - verifying that the received second subset of messages can be decrypted and that each one includes a unique message identifier;
      
      transmitting to the second device a second set of verification messages wherein each verification message includes at least a message identifier from a message of the received second subset of messages.

26. A method for verifying that a secure association been formed between a first device and a second device by verifying that each device possesses a network address of the other device and a common encryption key is shared by the two devices, said method including:
- generating a first cipher text by encrypting, using a secret encryption key of the first device, plaintext including the second device'"'"'s network address and a message identifier;
  
  communicating the first cipher text to the second device;
  
  decrypting the received first cipher text at the second device to obtain a decrypted plain text;
  
  verifying that the decrypted plain text includes the network address of the second device, and a message identifier;
  
  communicating the decrypted message identifier to the first device; and
  
  verifying that the decrypted message identifier and the message identifier included in the plaintext are equal;
  
  encrypting, using a secret encryption key of the second device, second plaintext including the first device'"'"'s network address, and a message identifier to generate a second cipher text;
  
  communicating the second cipher text to the first device;
  
  decrypting the received second cipher text at the first device to obtain a decrypted second plain text;
  
  verifying that the decrypted second plaintext includes the network address of the first device, and a message identifier;
  
  communicating the decrypted message identifier to the second device; and
  
  verifying that the decrypted message identifier and the message identifier included in the second plaintext are equal.
- View Dependent Claims (27, 28, 29)
- - 27. The method of claim 26 wherein a plurality of messages are generated and transmitted to the receiver device at a first predetermined rate.
  - 28. The method of claim 27 including verifying that the plurality of messages are received at the receiver device at a second predetermined rate.
  - 29. The method of claim 28 including randomly selecting the message identifier for each message.

30. A protocol for communications across a securable communication channel between a first device and a second device, the protocol including:
- transmitting a plurality of uniquely identifiable messages including at least security-related data from the first device to the second device;
  
  determining whether a subset of messages received by the second device comply with at least one predetermined message criterion and are identifiable as having been sent from the first device; and
  
  in the event that said subset of messages are determined comply with said at one or more predetermined verification criterion, and are identifiable as having been sent from the first device, verifying that said security-related data has been communicated to the second device.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37)
- - 31. The protocol of claim 30 which further includes transmitting the plurality of messages at a first predetermined rate, and determining a rate of reception of the subset of messages by the second device.
  - 32. The protocol of claim 30 wherein at least one the predetermined verification criterion are based on one or more of the following:
    - the ability of the second device to decrypted one or more of the messages;
      
      the number of messages received by the second device;
      
      the rate of reception of messages by the second device;
      
      the form of the messages received by the second device;
      
      the content of messages received by the second device.
  - 33. The protocol of claim 32 wherein determining whether a message was sent by the first device includes:
    - extracting a unique identifier from each received message and;
      
      transmitting the at least said extracted unique identifier back to the first device.
  - 34. The protocol of claim 33 wherein each of said plurality of uniquely identifiable messages is encrypted.
  - 35. The protocol of claim 33 wherein each of said plurality of messages is includes a first portion containing at least a unique message identifier and a second portion comprising a predetermined transform of the first portion.
  - 36. The protocol of claim 34 wherein the protocol is configured to be used to verify that the communication channel over which communication is being conducted has been secured by a valid session key pair.
  - 37. The protocol of claim 35 wherein the protocol is configured to communicate at least a public key of the first device to the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Tourrilhes, Jean, Zhang, Kan, Im, Seunghyun, Kindberg, Timothy P.J.G.

Granted Patent

US 7,698,556 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/395.320
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/12 Applying verification of th...

Secure spontaneous associations between networkable devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

37 Claims

Specification

Use Cases

Quick Links

Others

Secure spontaneous associations between networkable devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

37 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others