Method for Securing an Authentication and Key Agreement Protocol

US 20070250712A1
Filed: 06/20/2005
Published: 10/25/2007
Est. Priority Date: 06/21/2004
Status: Active Grant

First Claim

Patent Images

1. An authentication method in a network including a secure server, an authentication server, and at least a terminal (HT) which hosts an personal token (SE) said authentication method comprising;

a. in the secure server, performing a calculation on the basis of a random (RAND) and a secret key thereby producing derived key material (Ck, Ik);

b. sending said derived key material (Ck, Ik) together with said random and together with additional data (AUTN, XRES, MAC, SQN, Ak, AMF) from the secure server (SS) to the authentication server (AS);

c. in said authentication server, modifying at least part of said additional data (MAC*, SQN*) by means of at least part of said derived key material (Ck, Ik);

d. sending said additional data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, Mac*, SQN*) and said random (RAND) through the hosting terminal to said personal token;

e. in the personal token, performing a calculation based on the received random (RAND) for re-computing said at least part of said derived key material (Ck, Ik) as used in the authentication server for modifying said part of the additional data;

f. in the token, using said re-computed at least part of the derived key material for interpreting the modified part of the received additional data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention concerns a personal token for a terminal in a communication network including an authentication server and a secure server producing derived key material on the basis of a random and a secret key (K), said personal token including program instructions for re-computing the derived key material (Ck, Ik) on the basis of the received random and the secret key (K) as stored in the personal token, characterized in that the personal token includes program instructions for using a re-computed part of the derived key material in order to interpret the received additional data.

Citations

31 Claims

1. An authentication method in a network including a secure server, an authentication server, and at least a terminal (HT) which hosts an personal token (SE) said authentication method comprising;
- a. in the secure server, performing a calculation on the basis of a random (RAND) and a secret key thereby producing derived key material (Ck, Ik);
  
  b. sending said derived key material (Ck, Ik) together with said random and together with additional data (AUTN, XRES, MAC, SQN, Ak, AMF) from the secure server (SS) to the authentication server (AS);
  
  c. in said authentication server, modifying at least part of said additional data (MAC*, SQN*) by means of at least part of said derived key material (Ck, Ik);
  
  d. sending said additional data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, Mac*, SQN*) and said random (RAND) through the hosting terminal to said personal token;
  
  e. in the personal token, performing a calculation based on the received random (RAND) for re-computing said at least part of said derived key material (Ck, Ik) as used in the authentication server for modifying said part of the additional data;
  
  f. in the token, using said re-computed at least part of the derived key material for interpreting the modified part of the received additional data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, wherein the modified part of the received additional data includes identifying whether said part of the received additional data has been modified prior to sending such additional data to the personal token or not.
  - 3. The method according to claim 1, wherein the modified part of the received additional data includes checking validity of an expected value for the received additional data.
  - 4. The method according to claim 1, wherein the recomputed part of the derived key material is maintained in the personal token.
  - 5. The method according to claim 1, wherein the method includes the token performing a re-computing of said part of the additional data on the basis of said received random and performing a re-modification of said part of the additional data on the basis of said derived key material, and comparison of the re-computing and re-modified additional data part with the received modified part of the additional data.
  - 6. The method according to claim 1, wherein the token performing an inverse modification of the received modified part of the additional data so as to retrieve the non modified part of the additional data as initially produced by the secure server, re-computing in the token said part of the additional data on the basis of said received random and on the basis of the secret key, and performing a comparison of the non-modified part of the additional data as initially produced by the secure server with the re-computed part of the additional data.
  - 7. The method according claim 1, wherein the modified part of the additional data is the MAC (message authentication Code) as usually used for authenticating a server to the token.
  - 8. The method according to claim 7, wherein the token performs a re-computing of the MAC.
  - 9. The method according to claim 8, the personal token performs a modification of the re-computed MAC based on the derived key material and compares said modified re-computed MAC with the modified MAC received from the authentication server through the hosting terminal.
  - 10. The method according to claim 7, wherein the token uses the derived key material to perform a reverse modification of the received modified MAC and compares the re-computed MAC with the reversely modified received MAC.
  - 11. The method according to claim 1, wherein the derived key material includes at least a part of the ciphering key (Ck).
  - 12. The method according to claim 1, wherein at least part of the derived key material includes the Integrity key (Ik).
  - 13. The method according to claim 1, wherein it includes the following alternative steps:
    - g1) if the said part of the additional data has been modified with said at least part of the derived key material, maintaining in the token at least a portion of the derived key material;
      
      g2) if the said part of the additional data is non modified, transmitting from the token to the terminal said portion of the derived key material.
  - 14. The method according to claim 13, wherein the method includes the personal token performing a re-computation of said part of the additional data on the basis of said received random and the personal token maintaining said portion of the derived key material inside the token in case the said received part of the additional data corresponds neither to the recomputed part of the additional data, neither to the said recomputed part of the additional data as re-modified with derived key material.
  - 15. The method according to claim 1, wherein the personal token sends through the terminal a response (RES) to the authentication server and the authentication server authenticates the personal token by means of said response, and in that once the authentication server and the personal token are mutually authentified, the personal token derives an internal key (KsNAFint) and an external key (KsNAFext) from the derived key material (Ck, Ik), said internal key (KsNAFint) being used for establishing a secure channel between the personal token and a remote server through the terminal but hidden to the terminal, and said external key (KsNAFext) being used for establishing a secure channel between the terminal and a remote server.

16. An authentication method in a network including a secure server, an authentication server, and at least a terminal which hosts a personal token said authentication method comprising the following steps:
- a. in the secure server, performing a calculation on the basis of a random (RAND) and a secret key for producing derived key material (Ck, Ik);
  
  b. sending said derived key material (Ck, Ik) together with said random and together with additional data (AUTN, XRES, MAC, SQN, Ak, AMF) from the secure server (SS) to the authentication server (AS);
  
  b′
  
  . in said authentication server, using a data basis of the personal tokens in the network for determining whether the token to be authenticated is a first type personal token or a second type personal token in the case the token is a first type personal token;
  
  c1. modifying at least part of said additional data (MAC*, SQN*) by means of at least part of said derived key material (Ck, Ik), d1. sending said additional data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, Mac*, SQN*) and said random (RAND) through the hosting terminal to said personal token. e1. in the personal token, re-computing said at least part of said derived key material (Ck, Ik) on the basis of the received RAND and the secret key K;
  
  f1. in the token, using said re-computed at least part of the derived key material for interpreting the modified part of the received additional data; and
  
  g1. maintaining in the token said re-computed part of the derived key material;
  
  in the case the token is a second type personal token;
  
  c2. sending said additional data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, Mac*, SQN*) and said random (RAND) through the hosting terminal to said personal token without performing said modification based on said part of the derived key material. d2. in the personal token, re-computing said at least part of said derived key material (Ck, Ik) on the basis of the received RAND and the secret key K and transmitting from the personal token to the terminal said at least part of the derived key material.

17. A personal token for a terminal in a communication network including an authentication server and a secure server producing derived key material on the basis of a random and a secret key (K), said personal token including program instructions for re-computing the derived key material (Ck, Ik) on the basis of the received random and the secret key (K) as stored in the personal token, wherein the personal token includes program instructions for using a re-computed part of the derived key material in order to interpret the received additional data.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The personal token according to claim 17, wherein the token includes program instructions for maintaining re-computed derived key material in the personal token.
  - 19. The personal token according to claim 17, wherein the token includes program instructions for performing re-computation of said part of the additional data on the basis of said received random, re-modifying said part on the basis of said part of the derived key material, and comparing the re-computed and re-modified additional data part with the received modified part of the additional data.
  - 20. The personal token according to claim 17, wherein the token includes program instructions for performing an inverse modification of the received modified part of the additional data so as to retrieve the non modified part of the additional data as initially produced by a secure server, re-computing said part of the additional data on the basis of said received random and on the basis of the secret key (K), and comparing the non-modified part of the additional data s initially produced by the secure server with the re-computed part of the additional data.
  - 21. The personal token according to claim 17, wherein the modified part of the additional data is the MAC (message authentication Code) as usually used for authenticating a server to the token.
  - 22. The personal token according to the claim 21, wherein the token performs a re-computing of the MAC.
  - 23. The personal token according to claim 21, wherein the personal token performs a modification of the re-computed MAC based on said part of the derived key material and compares said re-computed and re-modified MAC with the modified MAC received from the authentication server through the hosting terminal.
  - 24. The personal token according to claim 21, wherein the token uses said part of the derived key material to perform a reverse modification of the received modified MAC and compares the re-computed MAC with the reversely modified received MAC.
  - 25. The personal token according to claim 17, wherein the derived key material includes at least a part of the ciphering key (Ck).
  - 26. The personal token according to claim 17, wherein the derived key material includes at least a part of the Integrity key (Ik).
  - 27. The personal token according to claim 17, wherein the interpreting of the received additional data includes identifying whether said part of the received additional data has been modified with said derived key material or not and the personal token performs the following alternative steps:
    - g1) if the said part of the additional data has been modified with said at least part of the derived key material, the token maintains at least a given portion of the derived key material;
      
      g2) if the said part of the additional data is non modified, the token transmits to the terminal said given portion of the derived key material.
  - 28. The personal token according to claim 27, wherein the token performs a re-computing of said part of the additional data on the basis of said received random and on the basis of the secret key (K) and maintains a given portion of the derived key material inside the token in case the said received part of the additional data corresponds neither to the recomputed part of the additional data, neither to said recomputed part modified with the derived key material.
  - 29. The personal token according to claim 17, wherein the personal token sends through the terminal a response (RES) to the authentication server and the authentication server authenticates the token by means of said response, and in that once the authentication server and the authentication server mutually authentified, the personal token derives an internal key (KsNAFint) and an external key (KsNAFext) from the said part of the derived key material (Ck, Ik), said internal key (KsNAFint) being used for establishing a secure channel between the personal token and a remote server through the terminal but hidden to the terminal, and said external key (KsNAFext) being used for establishing a secure channel between the terminal and a remote server.

30. An authentication server in a communication network, which authenticates terminals each of which terminals hosts an personal token, said authentication server comprising the following:
- a. receiving from a secure server a random, derived key material (Ck, Ik) produced on the basis of said random and additional data (AUTN, XRES, MAC, SQN, Ak, AMF);
  
  b. modifying at least part of said additional data (MAC*, SQN*) by means of at least part of said derived key material (Ck, Ik); and
  
  c. sending said additional data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, Mac*, SQN*) and said random (RAND) through a terminal to the personal token hosted in a terminal.

31. A computer program for an authentication server in a communication network, which server authenticates terminals in the network each of which terminals hosts an personal token, said computer program including program instructions for executing the following steps:
- a. receiving from a secure server a random, derived key material (Ck, Ik) produced on the basis of said random and additional data (AUTN, XRES, MAC, SQN, Ak, AMF);
  
  b. modifying at least part of said additional data (MAC*, SQN*) by means of at least part of said derived key material (Ck, Ik); and
  
  c. sending said additional data (AUTN, AUTN*, XRES, MAC, SQN, Ak, AMF, Mac*, SQN*) and said random (RAND) through a terminal to the personal token hosted in the terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gemalto SA (Thales SA)
Original Assignee
Axalto SA (Thales SA)
Inventors
Salgado, Stephanie, Abellan, Jorge

Granted Patent

US 7,991,994 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0853   using an additional device,...

H04L 9/0844   with user authentication or...

H04W 12/069   using certificates or pre-s...

Method for Securing an Authentication and Key Agreement Protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method for Securing an Authentication and Key Agreement Protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links