Clone resistant mutual authentication in a radio communication network

US 20070192602A1
Filed: 12/16/2005
Published: 08/16/2007
Est. Priority Date: 12/17/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of preventing unauthorized duplication of an identity module (IM), said method comprising:

generating internally within the IM, at least a first key (K1) and a second, different key (K2), wherein the generating step includes assuring that K1 cannot be derived from K2, and K2 cannot be derived from K1; and

exporting K2 and an identifier (ID) from the IM to an authentication server (AS) while keeping K1 internally secret within the IM.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for preventing unauthorized duplication of an identity module, IM, and authenticating valid IMs. Different information is stored in the IM and an authentication center, AuC, and if the information in the AuC is leaked, it is insufficient to clone the IM. The IM generates a first key, K1, and a second key, K2, while assuring that K1 cannot be derived from K2, and optionally that K2 cannot be derived from K1. The IM exports K2 and an identifier to the AuC while keeping K1 secret within the IM. During authentication, the IM provides to a third party such as a VLR, information containing the identifier. The VLR forwards the information to the AuC, which retrieves K2 based on the identifier and generates a first value, R, and a second value, X, based on at least K2. The AuC then returns R and X to the VLR, which forwards R to the IM. The IM then generates a response, RES, based on at least K1 and R, and sends the RES to the VLR. The VLR then verifies the RES based on X.

36 Citations

View as Search Results

24 Claims

1. A method of preventing unauthorized duplication of an identity module (IM), said method comprising:
- generating internally within the IM, at least a first key (K1) and a second, different key (K2), wherein the generating step includes assuring that K1 cannot be derived from K2, and K2 cannot be derived from K1; and
  
  exporting K2 and an identifier (ID) from the IM to an authentication server (AS) while keeping K1 internally secret within the IM.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein K1 and K2 constitute a secret/public key pair for asymmetric cryptography, and wherein the method further comprises keeping the public key K2 secret in the AS.
  - 3. The method of claim 2, wherein the step of assuring K2 cannot be derived from K1 includes erasing internal information in the IM utilized to generate K1 and K2.
  - 4. The method of claim 1, wherein the step of exporting includes initializing the IM to receive K2 at an output for export to the AS while keeping K1 internally secret within the IM.
  - 5. The method of claim 4, wherein the step of initializing includes applying an initializing code to an input port of the IM.
  - 6. The method of claim 1, further comprising an authentication phase, wherein a third party authenticates the IM, said authentication phase comprising:
    - providing from the IM to the third party, information initiating authentication, said information containing at least the ID;
      
      forwarding the information from the third party to the AS;
      
      retrieving K2 by the AS based on the ID received from the third party;
      
      generating by the AS, at least a first value (R) and a second value (X), based on at least K2;
      
      returning R and X from the AS to the third party;
      
      forwarding R from the third party to the IM;
      
      generating by the IM, a response (RES) based on at least K1 and R;
      
      returning the RES from the IM to the third party; and
      
      verifying the RES by the third party based on X.
  - 7. The method of claim 6, wherein:
    - the step of generating R includes encrypting a value V using K2, wherein V contains information for deriving X;
      
      the step of generating the RES includes decrypting R and verifying information derived from the decryption of R; and
      
      the step of verifying the RES by the third party based on X is a comparison that RES is equal to X.
  - 8. The method of claim 1, wherein K1 is a first secret for a public key exchange system, and K2 is a corresponding public parameter.

9. An identity module (IM), resistant to duplication, comprising:
- means for generating internally within the IM, at least a first key (K1) and a second key (K2) while assuring that K1 cannot be derived from K2, and K2 cannot be derived from K1; and
  
  means for exporting K2 and an identifier (ID) from the IM to an authentication server (AS) while keeping K1 internally secret within the IM.
- View Dependent Claims (10)
- - 10. The identity module of claim 9, wherein the IM is implemented in a terminal that contains an e-commerce application, said e-commerce application performing payments based on the IM.

11. An authentication server for authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM, said authentication server comprising:
- means for receiving an access request from the accessing IM;
  
  means for generating a challenge utilizing information stored in the authentication server but not in the accessing IM, wherein the information stored in the authentication server is not sufficient to generate an IM clone capable of responding as a valid IM;
  
  means for generating an expected response that is expected from a valid IM; and
  
  means for sending the challenge to the accessing IM, wherein the challenge varies for each access attempt.

12. A system for providing a valid identity module (IM) with access to a network while preventing access to the network by an unauthorized IM clone, said system comprising:
- an authentication server for receiving an access request from an accessing IM, generating a challenge utilizing information stored in the authentication server but not in the accessing IM, generating an expected response that is expected from a valid IM, and sending the challenge to the accessing IM, wherein the challenge varies for each access attempt, and the information stored in or generated by the authentication server is not sufficient to create an IM clone capable of responding as a valid IM;
  
  means within the accessing IM for receiving the challenge, and preparing and sending a response based on information in the challenge and information stored in the accessing IM but not in the authentication server; and
  
  means for providing the accessing IM with access to the network only if the response prepared by the accessing IM equals the expected response generated by the authentication server.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, wherein the accessing IM also includes means for determining whether a sequence number received from the authentication server is fresh.
  - 14. The system of claim 12, further comprising an intermediary node adapted to receive the challenge and expected response from the authentication server, forward the challenge to the accessing IM, receive the response from the accessing IM, and determine whether the response prepared by the accessing IM equals the expected response generated by the authentication server.

15. A method of providing a valid identity module (IM) with access to a network while preventing access to the network by an unauthorized IM clone, wherein an accessing IM sends an access request to an authentication server, said method comprising:
- in the authentication server;
  
  selecting a random value y;
  
  calculating a random value (RAND) utilizing RAND=g^y;
  
  calculating a value R=g^xy, where x is a Diffie-Hellman private key known to the accessing IM, and g^xis known to the authentication server;
  
  calculating a shared secret key (K) utilizing K=KDF(R, . . . ), where KDF is a key derivation function;
  
  sending the RAND and an expected response (XRES) to an intermediary node; and
  
  forwarding the RAND from the intermediary node to the accessing IM; and
  
  in the accessing IM;
  
  determining R utilizing R=RAND^x, where x is the Diffie-Hellman private key;
  
  calculating the shared secret key, K=KDF(R, . . . ) using the key derivation function;
  
  calculating a response (RES) utilizing RES=f2(K, RAND); and
  
  sending the RES to the intermediary node;
  
  determining by the intermediary node, whether the RES received from the accessing IM is equal to the XRES received from the authentication server; and
  
  providing the accessing IM with access to the network only if the RES received from the accessing IM is equal to the XRES received from the authentication server.
- View Dependent Claims (16)
- - 16. The method according to claim 15, further comprising:
    - in the authentication server;
      
      updating a sequence number (SQN_HE);
      
      calculating a keyed Message Authentication Code (MAC) utilizing MAC=f1(K, RAND∥
      
      SQN∥
      
      AMF . . . );
      
      calculating the XRES utilizing XRES=f2(K, RAND);
      
      calculating a key Ck utilizing Ck=f3(K, RAND);
      
      calculating a key Ik utilizing Ik=f4(K, RAND);
      
      calculating AK utilizing AK=f5(K, RAND);
      
      constructing an authentication message AUTN utilizing AUTN=SQN XOR AK∥
      
      AMF∥
      
      MAC; and
      
      sending the AUTN to the intermediary node together with the RAND and the XRES;
      
      in the intermediary node;
      
      forwarding the AUTN to the accessing IM together with the RAND; and
      
      in the accessing IM;
      
      calculating AK using AK=f5(K, RAND); and
      
      extracting and checking the SQN_HE, AMF, and MAC from the AUTN.

17. A method of authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM, said method comprising:
- generating internally within the accessing IM, at least a first key (K1) and a second, different key (K2); and
  
  exporting K2 and an identifier (ID) from the accessing IM to an authentication server (AS) while keeping K1 internally secret within the accessing IM;
  
  sending from the accessing IM to a third party, information containing at least the ID;
  
  forwarding the information from the third party to the AS;
  
  retrieving K2 by the AS based on the ID received from the third party;
  
  selecting by the AS a random number R;
  
  generating by the AS, at least a value (RAND) based on at least the number R;
  
  generating by the AS a key K based on at least the number R;
  
  generating by the AS a value (X) based on at least the value (RAND) and the key K;
  
  returning the value RAND and X from the AS to the third party;
  
  forwarding the value RAND from the third party to the accessing IM;
  
  receiving by the third party, a response, RES from the accessing IM; and
  
  verifying the RES by the third party based on X.
- View Dependent Claims (18, 19, 20)
- - 18. The method according to claim 17, further comprising, prior to the step of receiving the RES from the accessing IM, the steps of:
    - calculating by the accessing IM, the random number R based at least on the key K1 and the value (RAND);
      
      calculating by the accessing IM, the key K based on at least the value R; and
      
      calculating by the accessing IM the response RES based on at least the key K and the value RAND.
  - 19. The method according to claim 18, wherein:
    - the accessing IM calculates a value R1 utilizing R1=RAND^K1;
      
      the accessing IM calculates the key K utilizing K=KDF(R1, . . . ); and
      
      the accessing IM calculates the response RES utilizing RES=f2(K, RAND).
  - 20. The method according to claim 17, further comprising determining by the AS, a random number R1=(K2)^Rutilizing the random number R;
    - wherein the AS generates the value RAND according to RAND=g^R;
      
      wherein the AS generates the key K utilizing K=KDF(R1, . . . ), where KDF is a key derivation function; and
      
      wherein the AS generates the value X utilizing X=f2(K, RAND), utilizing a function f2.

21. A method of authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM in a network utilizing a signature scheme with message recovery, said method comprising:
- generating a public key, U_EK, internally within the accessing IM;
  
  enrolling the public key, U_EK, at an authentication server (AS);
  
  sending an access request from the accessing IM to the AS, said access request including at least an identifier for the accessing IM;
  
  retrieving by the AS, the accessing IM'"'"'s public key, U_EK;
  
  preparing a challenge, CHAL, by the AS, said challenge including at least one of a random value (RAND), a sequence number (SEQ), and additional data (DATA);
  
  sending the challenge and the accessing IM'"'"'s public key, U_EK, from the AS to an intermediary node;
  
  forwarding the challenge from the intermediary node to the accessing IM;
  
  preparing by the accessing IM, a digital signature U_SIGN(CHAL) of the challenge;
  
  sending the digital signature U_SIGN(CHAL) from the accessing IM to the intermediary node as a response, RES, to the challenge; and
  
  verifying the response by the intermediary node by determining whether the challenge (CHAL) equals the public key U_EK(RES).
- View Dependent Claims (22, 23)
- - 22. The method according to claim 21, wherein the challenge (CHAL) includes both RAND and SEQ.
  - 23. The method according to claim 22, wherein the challenge (CHAL) also includes the DATA part, wherein the DATA part includes a service identifier.

24. A method of authenticating an accessing identity module (IM) while preventing unauthorized duplication of the accessing IM in a network utilizing signatures with an appendix, said method comprising:
- generating a public key, U_EK, internally within the accessing IM;
  
  enrolling the public key, U_EK, at an authentication server (AS);
  
  sending an access request from the accessing IM to the AS, said access request including at least an identifier for the accessing IM;
  
  retrieving by the AS, the accessing IM'"'"'s public key, U_EK;
  
  preparing a challenge, CHAL, by the AS, said challenge including at least one of a random value (RAND), a sequence number (SEQ), and additional data (DATA);
  
  sending the challenge and the accessing IM'"'"'s public key, U_EK, from the AS to an intermediary node;
  
  forwarding the challenge from the intermediary node to the accessing IM;
  
  preparing by the accessing IM, a digital signature U_SIGN(hash(CHAL)) of the challenge;
  
  sending the digital signature U_SIGN(hash(CHAL)) from the accessing IM to the intermediary node as a response, RES, to the challenge; and
  
  verifying the response by the intermediary node by determining whether the hash of the challenge, hash(CHAL), equals the public key U_EK(RES).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Naslund, Mats, Blom, Rolf

Application Number

US11/275,166
Publication Number

US 20070192602A1
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

H04L 2209/20   Manipulating the length of ...

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/321   involving a third party or ...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

H04L 9/3273   for mutual authentication n...

H04W 12/06   Authentication

H04W 12/126   Anti-theft arrangements, e....

Clone resistant mutual authentication in a radio communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Clone resistant mutual authentication in a radio communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links