ENTITY BIDIRECTIONAL-IDENTIFICATION METHOD FOR SUPPORTING FAST HANDOFF

US 20110078438A1
Filed: 05/27/2009
Published: 03/31/2011
Est. Priority Date: 05/29/2008
Status: Active Grant

First Claim

Patent Images

1. A mutual entity authentication method supporting rapid handoff, the method involving three security elements comprising two authentication elements A and B and a Trusted third Party TP, wherein the trusted third party TP is a trusted third party of the authentication elements A and B;

the authentication element A comprises n authentication entities A1, A2, . . . , An, and the authentication element B comprises m authentication entities B1, B2, . . . , Bm, among which synchronization information is provided; and

all of the authentication entities in the same authentication element share one public key certificate or possess one public key, and for any pair of authentication entities Ai (i=1, 2, . . . , n) and Bj (j=1, 2, . . . , m), the authentication method comprises the steps of;

1) transmitting, by the authentication entity Bj, an authentication activation message INI_Bjto the authentication entity Ai, whereinINI_Bj=R_Bj∥

ID_B∥

Text1, wherein R_Bjdenotes a random number generated by the authentication entity Bj, ID_Bdenotes an identifier of the authentication element B, and Text1 denotes a first optional text;

2) transmitting, by the authentication entity Ai, an access authentication request message AREQ_Aito the authentication entity Bj upon reception of the authentication activation message INI_Bj, wherein
AREQ_Ai=R_Bj∥

R_Ai∥

ID_A∥

Text2∥

TokenAB TokenAB=sS_A(R_Bj∥

R_Ai∥

ID_AText2), wherein R_Aidenotes a random number generated by the authentication entity Ai, ID_Adenotes an identifier of the authentication element A, Text2 denotes a second optional text, TokenAB denotes a token transmitted from the authentication entity Ai to the authentication entity Bj, and sS_Adenotes a signature of the authentication element A;

3) on receiving the access authentication request message AREQ_Ai, verifying, by the authentication entity Bj, R_Bjin AREQ_Aiand R_Bjin INI_Bjfor consistency, and if R_Bjin AREQ_Aiis consistent with R_Bjin INI_Bj, searching, by the authentication entity Bj, for a locally stored authentication result of the authentication element A;

if there is stored an authentication result of the authentication element A, going to step

4);

4) transmitting, by the authentication entity Bj, an access authentication response message ARES_Bjto the authentication entity Ai, and calculating a shared master key between the authentication entities Ai and Bj, wherein
ARES_Bj=IRES_TP∥

R_Ai∥

Text5∥

TokenBA TokenBA=sS_B(TokenAB∥

R_Bj∥

Text5), wherein Text5 denotes a fifth optional text, IRES_TPdenotes an identity authentication response message stored locally at the authentication entity Bj which comprises the authentication result of the authentication element A, TokenBA denotes a token transmitted from the authentication entity Bj to the authentication entity Ai, and sS_Bdenotes a signature of the authentication element B; and

5) verifying, by the authentication entity Ai, the access authentication response message ARES_Bjupon reception thereof.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An entity bidirectional-identification method for supporting fast handoff involves three security elements, which includes two identification elements A and B and a trusted third party (TP). All identification entities of a same element share a public key certification or own a same public key. When any identification entity in identification element A and any identification entity in identification element B need to identify each other, if identification protocol has never been operated between the two identification elements that they belong to respectively, the whole identification protocol process will be operated; otherwise, interaction of identification protocol will be acted only between the two identification entities. Application of the present invention not only centralizes management of public key and simplifies protocol operation condition, but also utilizes the concept of security domain so as to reduce management complexity of public key, shorten identification time and satisfy fast handoff requirements on the premises of guaranteeing security characteristics such as one key for every pair of identification entities, one secret key for every identification and forward secrecy.

32 Citations

View as Search Results

9 Claims

1. A mutual entity authentication method supporting rapid handoff, the method involving three security elements comprising two authentication elements A and B and a Trusted third Party TP, wherein the trusted third party TP is a trusted third party of the authentication elements A and B;
- the authentication element A comprises n authentication entities A1, A2, . . . , An, and the authentication element B comprises m authentication entities B1, B2, . . . , Bm, among which synchronization information is provided; and
  
  all of the authentication entities in the same authentication element share one public key certificate or possess one public key, and for any pair of authentication entities Ai (i=1, 2, . . . , n) and Bj (j=1, 2, . . . , m), the authentication method comprises the steps of;
  
  1) transmitting, by the authentication entity Bj, an authentication activation message INI_Bjto the authentication entity Ai, whereinINI_Bj=R_Bj∥
  
  ID_B∥
  
  Text1, wherein R_Bjdenotes a random number generated by the authentication entity Bj, ID_Bdenotes an identifier of the authentication element B, and Text1 denotes a first optional text;
  
  2) transmitting, by the authentication entity Ai, an access authentication request message AREQ_Aito the authentication entity Bj upon reception of the authentication activation message INI_Bj, wherein
  AREQ_Ai=R_Bj∥
  
  R_Ai∥
  
  ID_A∥
  
  Text2∥
  
  TokenAB TokenAB=sS_A(R_Bj∥
  
  R_Ai∥
  
  ID_AText2), wherein R_Aidenotes a random number generated by the authentication entity Ai, ID_Adenotes an identifier of the authentication element A, Text2 denotes a second optional text, TokenAB denotes a token transmitted from the authentication entity Ai to the authentication entity Bj, and sS_Adenotes a signature of the authentication element A;
  
  3) on receiving the access authentication request message AREQ_Ai, verifying, by the authentication entity Bj, R_Bjin AREQ_Aiand R_Bjin INI_Bjfor consistency, and if R_Bjin AREQ_Aiis consistent with R_Bjin INI_Bj, searching, by the authentication entity Bj, for a locally stored authentication result of the authentication element A;
  
  if there is stored an authentication result of the authentication element A, going to step
  
  4);
  
  4) transmitting, by the authentication entity Bj, an access authentication response message ARES_Bjto the authentication entity Ai, and calculating a shared master key between the authentication entities Ai and Bj, wherein
  ARES_Bj=IRES_TP∥
  
  R_Ai∥
  
  Text5∥
  
  TokenBA TokenBA=sS_B(TokenAB∥
  
  R_Bj∥
  
  Text5), wherein Text5 denotes a fifth optional text, IRES_TPdenotes an identity authentication response message stored locally at the authentication entity Bj which comprises the authentication result of the authentication element A, TokenBA denotes a token transmitted from the authentication entity Bj to the authentication entity Ai, and sS_Bdenotes a signature of the authentication element B; and
  
  5) verifying, by the authentication entity Ai, the access authentication response message ARES_Bjupon reception thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the authentication entity Bj verifies R_Bjin AREQ_Aiand R_Bjin INI_Bjfor consistency upon reception of the access authentication request message AREQ_Ai, and if in case of consistency, if the authentication entity Bj fails to find a locally stored authentication result of the authentication element A, the method further comprises:
    - 6) transmitting, by the authentication entity Bj, an identity authentication request message IREQ_Bjto the trusted third party TP, whereinIREQ_Bj=R_Ai∥
      
      T_Bj∥
      
      ID_A∥
      
      ID_B∥
      
      Text3, wherein Text3 denotes a third optional text;
      
      7) verifying, by the trusted third party TP, the authentication element A and the authentication element B for legality upon reception of the identity authentication request message IREQ_Bj;
      
      8) returning, by the trusted third party TP, an identity authentication response message IRES_TPto the authentication entity Bj after verifying the authentication elements A and B for legality, wherein
      IRES_TP=TokenTB;
      
      TokenTB=R_Ai∥
      
      Pub_B|T_Bj∥
      
      Pub_A∥
      
      Text4∥
      
      sS_TP(R_Ai∥
      
      Pub_B∥
      
      T_Bj∥
      
      Pub_A∥
      
      Text4),wherein TokenTB denotes a token transmitted from the trusted third party TP to the authentication entity Bj, sS_TPdenotes a signature of the trusted third party TP, Pub_Bdenotes a verification result of the authentication element B by the trusted third party, T_Bjdenotes synchronization information generated by the authentication entity Bi, Pub_Adenotes a verification result of the authentication element A by the trusted third party, and Text4 denotes a fourth optional text;
      
      9) upon reception of the identity authentication response message IRES_TP, verifying, by the authentication entity Bj, the identity authentication response message IRES_TP, storing locally the identity authentication response message IRES_TP, and forwarding the identity authentication response message IRES_TPto other authentication entities B1, B2, . . . , Bm (other than Bj) in the authentication element B after the verification is passed;
      
      10) verifying and storing, by the authentication entities B1, B2, . . . , Bm (other than Bj) in the authentication element B, the identity authentication response message IRES_TPupon reception thereof; and
      
      going to the step
      
      4) to proceed with the subsequent flow.
  - 3. The mutual entity authentication method supporting rapid handoff according to claim 2, wherein in the step 7), if the identifiers ID_Aand ID_Bof the authentication elements A and B in the identity authentication request message IREQ_Bjare certificates, the TP verifies the certificates Cert_Aand Cert_Bof the authentication elements A and B for validity, and if the certificates Cert_Aand Cert_Bare invalid, the TP discards directly the identity authentication request message IREQ_Bjor returns the identity authentication response message IRES_TP;
    - or if the certificates Cert_Aand Cert_Bare valid, the TP returns the identity authentication response message IRES_TPand performs the step
      
      8).
  - 4. The mutual entity authentication method supporting rapid handoff according to claim 2, wherein in the step 7), if the identifiers ID_Aand ID_Bof the authentication elements A and B in the identity authentication request message IREQ_Bjare distinguishing identifiers, the TP searches for public keys PublicKeyA and PublicKeyB of the authentication elements A and B and verifies the validities thereof, and if no public key is found or the public keys are invalid, the TP discards directly the identity authentication request message IREQ_Bjor returns the identity authentication response message IRES_TP;
    - or if the public keys PublicKeyA and PublicKeyB are found and valid, the TP returns the identity authentication response message IRES_TPand performs the step
      
      8).
  - 5. The mutual entity authentication method supporting rapid handoff according to claim 3, wherein in the step 9), the authentication entity Bj verifies the identity authentication response message IRES_TPin the following process:
    - verifying the signature of the trusted third party TP in TokenTB, verifying T_Bjin IRES_TPand T_Bjin IREQ_Bjfor consistency, and obtaining a verification result Pub_Aof the authentication element A after the verification is passed; and
      
      if the authentication element A is invalid, ending the process;
      
      or if the authentication element A is valid, obtaining a public key PublicKey_Aof the authentication element A, verifying the signature of the authentication element A in TokenAB, and if the signature is incorrect, ending the process;
      
      or if the signature is correct, storing locally the identity authentication response message IRES_TPand forwarding the identity authentication response message IRES_TPto other authentication entities in the authentication element B, and going to the step
      
      10).
  - 6. The mutual entity authentication method supporting rapid handoff according to claim 5, wherein in the step 10), the authentication entities B1, B2, . . . , Bm (other than Bj) verifies the identity authentication response message IRES_TPin the following process:
    - judging the freshness of the identity authentication response message IRES_TPaccording to T_Bjand local synchronization information, verifying the signature of the trusted third party TP in TokenTB, and if the signature is correct, obtaining the verification result Pub_Aof the authentication element A and storing locally the identity authentication response message IRES_TP.
  - 7. The mutual entity authentication method supporting rapid handoff according to claim 6, wherein in the step 4) the authentication entity Bj performs a Diffie-Hellman calculation from R_Bjand R_Aiand obtains a resultant value as the shared master key between the authentication entities Ai and Bj.
  - 8. The mutual entity authentication method supporting rapid handoff according to claim 7, wherein in the step 5), the authentication entity Ai verifies the access authentication response message ARES_Bjin the following process:
    - verifying the signature of the trusted third party TP in TokenTB, verifying the signature of the authentication element B in TokenBA, verifying R_Aiin the access authentication response message ARES_Bjand R_Aiin the access authentication request message AREQ_Aifor consistency, and obtaining a verification result Pub_Bof the authentication element B after the verification is passed;
      
      if the authentication element B is invalid, failing with the authentication;
      
      or if the authentication element B is valid, obtaining a public key PublicKey_Bof the authentication element B and verifying the signature of the authentication element B in TokenBA, and if the signature is incorrect, failing with authentication;
      
      or if the signature is correct, performing a Diffie-Hellman calculation from R_Bjand R_Aito obtain the shared master key between the authentication entities Ai and Bj, thereby completing the mutual authentication between the authentication entities Ai and Bj.
  - 9. The mutual entity authentication method supporting rapid handoff according to claim 4, wherein in the step 9), the authentication entity Bj verifies the identity authentication response message IRES_TPin the following process:
    - verifying the signature of the trusted third party TP in TokenTB, verifying T_Bjin IRES_TPand T_Bjin IREQ_Bjfor consistency, and obtaining a verification result Pub_Aof the authentication element A after the verification is passed; and
      
      if the authentication element A is invalid, ending the process;
      
      or if the authentication element A is valid, obtaining a public key PublicKey_Aof the authentication element A, verifying the signature of the authentication element A in TokenAB, and if the signature is incorrect, ending the process;
      
      or if the signature is correct, storing locally the identity authentication response message IRES_TPand forwarding the identity authentication response message IRES_TPto other authentication entities in the authentication element B, and going to the step
      
      10).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
China Iwncomm Co., Ltd
Original Assignee
China Iwncomm Co., Ltd
Inventors
Tie, Manxia, Cao, Jun, Huang, Zhenhai, Lai, Xiaolong

Granted Patent

US 8,392,710 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 9/0844   with user authentication or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

ENTITY BIDIRECTIONAL-IDENTIFICATION METHOD FOR SUPPORTING FAST HANDOFF

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

ENTITY BIDIRECTIONAL-IDENTIFICATION METHOD FOR SUPPORTING FAST HANDOFF

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links