Key management for network elements
Abstract
The invention provides an establishment of a secret session key shared between two network elements (NEa, NEb) belonging to different network domains (NDa, NDb). A first network element (NEa) of a first network domain (NDa) requests security parameters from an associated key management center (KMC) (AAAa). Upon reception of the request, the KMC (AAAa) generates a freshness token (FRESH) and calculates the session key (K) based on this token (FRESH) and a master key (KAB) shared with a second network domain (NDb). The security parameters are (securely) provided to the network element (NEa), which extracts the session key (K) and forwards the freshness token (FRESH) to the KMC (AAAb) of the second domain (NDb) through a second network element (NEb). Based on the token (FRESH) and the shared master key (KAB), the KMC (AAAb) generates a copy of the session key (K), which is (securely) provided to the second network element (NEb). The two network elements (NEa, NEb) now share the session key (K), enabling them to communicate securely with each other.
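The following is an added worked example of the exchange described in the abstract (and claimed in claims 30, 31, 42 and 43); it is not code from the patent or its assignee. The page does not fix the derivation function, the size of FRESH, or how the KMCs deliver K to their network elements, so HMAC-SHA256 as the KDF, a 16-byte random token, and in-process delivery are all assumptions. Two further details are additions a practitioner would want rather than anything the page describes: the domain names are mixed into the derivation so a token minted for NDa->NDb yields a different key if presented in the reverse direction, and the terminating KMC keeps a replay cache of tokens it has already accepted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

TOKEN_LEN = 16  # assumed size of FRESH; the page does not specify one


def derive_session_key(master_key: bytes, originator: str, peer: str, fresh: bytes) -> bytes:
    """K = KDF(K_AB, FRESH). HMAC-SHA256 is an assumed instantiation; the page
    only says K is computed from the shared master key and the freshness token.
    Mixing in the domain names (an assumption beyond the page) binds K to the
    direction NDa->NDb, so the same FRESH cannot yield the same K in reverse."""
    label = b"kmc-session-key|" + originator.encode() + b"->" + peer.encode() + b"|"
    return hmac.new(master_key, label + fresh, hashlib.sha256).digest()


@dataclass
class KMC:
    """Key management center of one domain (AAAa or AAAb in the abstract)."""
    domain: str
    master_keys: dict                                   # peer domain -> K_AB shared with it
    seen_tokens: set = field(default_factory=set)       # replay cache (assumed, not in the page)

    def issue_security_params(self, peer: str) -> tuple:
        """Originating KMC: mint FRESH, derive K, hand both to the requesting NE."""
        fresh = os.urandom(TOKEN_LEN)
        return fresh, derive_session_key(self.master_keys[peer], self.domain, peer, fresh)

    def derive_from_token(self, originator: str, fresh: bytes) -> bytes:
        """Terminating KMC: regenerate K from K_AB and the forwarded FRESH.
        Rejecting malformed or already-seen tokens is an added check."""
        if len(fresh) != TOKEN_LEN:
            raise ValueError("malformed freshness token")
        if fresh in self.seen_tokens:
            raise ValueError("replayed freshness token")
        self.seen_tokens.add(fresh)
        return derive_session_key(self.master_keys[originator], originator, self.domain, fresh)


@dataclass
class NetworkElement:
    name: str
    kmc: KMC
    session_key: bytes = b""

    def initiate(self, peer_domain: str) -> bytes:
        """NEa: obtain (FRESH, K) from its own KMC, keep K, return FRESH for forwarding."""
        fresh, self.session_key = self.kmc.issue_security_params(peer_domain)
        return fresh

    def accept(self, originator: str, fresh: bytes) -> None:
        """NEb: forward FRESH to its own KMC and receive the copy of K."""
        self.session_key = self.kmc.derive_from_token(originator, fresh)

    def protect(self, msg: bytes) -> bytes:
        # Message authentication under K; a real deployment would also encrypt.
        return msg + hmac.new(self.session_key, msg, hashlib.sha256).digest()

    def verify(self, blob: bytes) -> bytes:
        msg, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.session_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        return msg


def build_domains(k_ab: bytes):
    """Two domains NDa and NDb, each with one KMC, sharing the master key K_AB."""
    aaa_a = KMC("NDa", {"NDb": k_ab})
    aaa_b = KMC("NDb", {"NDa": k_ab})
    return NetworkElement("NEa", aaa_a), NetworkElement("NEb", aaa_b)


def run_exchange(ne_a: NetworkElement, ne_b: NetworkElement) -> tuple:
    """Full flow from the abstract: NEa asks AAAa, FRESH travels via NEb to AAAb."""
    fresh = ne_a.initiate(ne_b.kmc.domain)
    ne_b.accept(ne_a.kmc.domain, fresh)
    return ne_a.session_key, ne_b.session_key


if __name__ == "__main__":
    ne_a, ne_b = build_domains(os.urandom(32))   # K_AB is constructed sample input
    k_a, k_b = run_exchange(ne_a, ne_b)
    print("session keys match:", k_a == k_b)
    print(ne_b.verify(ne_a.protect(b"hello from NDa")))
```

Note that neither KMC ever sends K_AB across the inter-domain link: only FRESH crosses it, and K is recomputable by anyone holding K_AB, so the security of the scheme rests entirely on K_AB staying inside the two KMCs and on FRESH never repeating for the same K_AB.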
100 Citations
58 Claims
1-29. (canceled)

30. A method of establishing a session key shared between a first network element of a first network domain and a second network element of a second network domain, said first network domain comprising first cryptographic means and means for sharing a secret key with said second network domain comprising second cryptographic means, said method comprising the steps of:
said first cryptographic means generating a freshness token;
said first cryptographic means generating said session key based on said shared secret key and said generated freshness token;
providing said session key (K) to said first network element;
providing said freshness token to said second cryptographic means;
said second cryptographic means generating a copy of said session key based on said shared secret key and said provided freshness token; and
providing said copy of said session key to said second network element.

31. A method of enabling secure communication between a first network element of a first network domain and a second network element of a second network domain, said first network domain comprising first cryptographic means and means for sharing a secret key with said second network domain comprising second cryptographic means, said method comprising the steps of:
said first cryptographic means generating a freshness token;
said first cryptographic means generating said session key based on said shared secret key and said generated freshness token;
providing said session key to said first network element;
providing said freshness token to said second cryptographic means;
said second cryptographic means generating a copy of said session key based on said shared secret key and said provided freshness token;
providing said copy of said session key to said second network element; and
said first network element and said second network element securely communicating based on said session key and said copy of said session key.

42. A system of establishing a session key shared between a first network element of a first network domain and a second network element of a second network domain, said first network domain sharing a secret key with said second network domain, wherein said first network domain comprises:
first cryptographic means for generating a freshness token and for generating a session key based on said shared secret key and said generated freshness token;
means for providing said session key from said first cryptographic means to said first network element; and
means for providing said freshness token to said second network domain;
wherein said second network domain comprises:
second cryptographic means for generating a copy of said session key based on said shared secret key and said provided freshness token; and
means for providing said copy of said session key from said second cryptographic means to said second network element.

43. A system of enabling secure communication between a first network element of a first network domain and a second network element of a second network domain, said first network domain sharing a secret key with said second network domain, wherein said first network domain comprises:
first cryptographic means for generating a freshness token and for generating a session key based on said shared secret key and said generated freshness token;
means for providing said session key from said first cryptographic means to said first network element; and
means for providing said freshness token to said second network domain;
said second network domain comprises:
second cryptographic means for generating a copy of said session key based on said shared secret key and said provided freshness token; and
means for providing said copy of said session key from said second cryptographic means to said second network element, said first network element comprises means for conducting secure communication with said second network element based on said session key and said second network element comprises means for conducting secure communication with said first network element based on said copy of said session key.

51. A network domain comprising:
a first network element adapted for communication with a second network element of an external network domain, wherein said network domain and said external network domain share a secret key;
cryptographic means for generating a freshness token and for generating a session key based on said shared secret key and said generated freshness token;
means for providing said session key from said cryptographic means to said first network element; and
means for providing said freshness token to said external network domain, wherein said external network domain comprises means for generating a copy of said session key for said second network element based on said shared secret key and said provided freshness token.

55. A network domain comprising:
a first network element adapted for communication with a second network element of an external network domain, wherein said network domain and said external network domain share a secret key;
cryptographic means for generating a session key based on said shared secret key and a freshness token provided from said external network domain; and
means for providing said session key from said cryptographic means to said first network element, wherein said external network domain comprises means for generating said freshness token and for generating a copy of said session key for said second network element based on said shared secret key and said generated freshness token.

Specification