DYNAMIC CRYPTOGRAPHIC SUBSCRIBER-DEVICE IDENTITY BINDING FOR SUBSCRIBER MOBILITY

US 20110213969A1
Filed: 02/28/2011
Published: 09/01/2011
Est. Priority Date: 02/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method of authentication and authorization over a communication system, comprising:

performing a first authentication of a device based on a set of device identity and credentials, said first authentication including creation of a first set of keying material;

performing a second authentication of a subscriber based on a set of subscriber identity and credentials, said second authentication including creation of a second set of keying material;

creating a set of compound key material with a key derivation mechanism that uses the first set of keying material and the second set of keying material;

creating a binding token by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material; and

exchanging the signed binding token for verification with an authenticating and authorizing party.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound key material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party.

75 Citations

View as Search Results

40 Claims

1. A method of authentication and authorization over a communication system, comprising:
- performing a first authentication of a device based on a set of device identity and credentials, said first authentication including creation of a first set of keying material;
  
  performing a second authentication of a subscriber based on a set of subscriber identity and credentials, said second authentication including creation of a second set of keying material;
  
  creating a set of compound key material with a key derivation mechanism that uses the first set of keying material and the second set of keying material;
  
  creating a binding token by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material; and
  
  exchanging the signed binding token for verification with an authenticating and authorizing party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, further comprising using the first set of keying material to protect the second authentication of the subscriber.
  - 3. The method of claim 1, further comprising using the first set of keying material to protect the binding token exchange.
  - 4. The method of claim 1, wherein the device credentials are digital certificates and the first authentication is performed using Transport Layer Security (TLS) protocol.
  - 5. The method of claim 1, wherein the binding token also includes service related attributes.
  - 6. The method of claim 1, wherein at least one of the device authentication and the binding token includes a device security robustness profile declaration.
  - 7. The method of claim 1, further comprising authorizing the subscriber identified by the second authentication for receipt of a service on the device identified by the first authentication.
  - 8. The method of claim 6, further comprising rejecting any service requests received from the subscriber authenticated in the second authentication but from a second device having an identity different from the device authenticated in the first authentication.
  - 9. The method of claim 1, wherein the compound key material includes additional key material to be used for further key derivation for further security applications.
  - 10. The method of claim of 8 further comprising generating master session keys for derivation of application specific keys.
  - 11. The method of claim of 8 further comprising generating session resumption keys for expediting future resumption of service for a previously authenticated subscriber and device pair.
  - 12. The method of claim of 7 further comprising authorizing the subscriber by issuing a signed service token for consumption by at least one of the device and an external third party, wherein the signed service token includes at least one of an authenticated device identity and a subscriber identity.
  - 13. The method of claim 12 wherein the signed service token is issued for a limited time, where a period of validity is derivable from information in the signed service token.
  - 14. The method of claim of 12 wherein the service token is signed with an authorizing server public key so that the signed service token can be verified by third party servers.
  - 15. The method of claim 12, wherein the signed service token includes at least one of a service identifier and a third party server identifier to limit use of the signed service token for a specific service or a specific server.
  - 16. The method of claim 14 wherein the device identity and credentials used in the first authentication are different from the device identity and credentials used towards the third party servers and wherein the service token includes a signed version of both of the device identities.
  - 17. The method of claim 12 wherein the signed token is sent to the device and the device also signs the service token with its own credentials understandable by the third party server.
  - 18. The method of claim 14 where the device identity and credentials used in the first authentication are different from the device identity and credentials used towards the third party servers and a mapping of both device identities is provided to the third party servers in an out-of-band fashion.
  - 19. The method of claim 15, wherein the signed service token includes a multiple entitlement flag indicating a number of times the token can be used to request the specific service.
  - 20. The method of claim 12, wherein the signed service token is also encrypted with a key that is known only to an authenticating server.
  - 21. The method of claim 12, wherein the signed service token is also encrypted with a key that is known only to a third party application server.
  - 22. The method of claim 1, wherein at least one of the first and second authentication is performed using Extensible Authentication Protocol (EAP) messaging.
  - 23. The method of claim 1 wherein the set of subscriber identity and credentials includes a set of group identities and credentials representing a plurality of individuals.
  - 24. The method of claim 20 wherein each of the individuals in the group is assigned an individual identity associated with the group identity.

25. A network-enabled device for use in a communication system, comprising:
- a first component configured to engage in a first authentication exchange to authenticate the device based on a set of device identity and credentials, said first authentication exchange including creation of a first set of keying material;
  
  a second component configured to engage in a second authentication exchange to authenticate a subscriber based on a set of subscriber identity and credentials, said second authentication exchange including creation of a second set of keying material;
  
  a third component configured to create a set of compound key material with a key derivation mechanism that uses the first set of keying material and the second set of keying material;
  
  a fourth component configured to create a binding token by cryptographically signing at least one of the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material; and
  
  a communication interface configured to exchange the signed binding token for verification with an authenticating and authorizing party.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The network-enabled device of claim 25, wherein the second component is further configured to use the first set of keying material to protect the second authentication of the subscriber.
  - 27. The network-enabled device of claim 25, wherein the fourth component is further configured to use the first set of keying material to protect the binding token exchange.
  - 28. The network-enabled device of claim 25, wherein the device credentials are digital certificates and the first component is further configured to perform the first authentication using Transport Layer Security (TLS) protocol.
  - 29. The network-enabled device of claim 25, wherein the compound key material includes additional key material to be used for further key derivation for further security applications.
  - 30. The network-enabled device of claim 25, wherein at least one of the first component and the second component is using EAP for authentication exchanges.

31. An authentication and authorization arrangement, comprising:
- a first authentication server configured to authenticate a device based on a set of device identity and credentials;
  
  a second authentication server configured to authenticate a subscriber based on a set of subscriber identity and credentials; and
  
  wherein the second authentication server is configured to verify a binding token created by cryptographically signing at least one of the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using a set of compound keying material derived using a first set of keying material created during authentication of the device and a second set of keying material created during authentication of the subscriber.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The authentication and authorization arrangement of claim 31, wherein the second authentication server is further configured to use the first set of keying material to protect the authentication of the subscriber.
  - 33. The authentication and authorization arrangement of claim 31, wherein the second authentication server is further configured to use the first set of keying material to protect the binding token exchange.
  - 34. The authentication and authorization arrangement of claim 31, wherein the device credentials are digital certificates and the first authentication server is configured to perform authentication using Transport Layer Security (TLS) protocol.
  - 35. The authentication and authorization arrangement of claim 31, wherein the second authentication server is further configured to authorize the subscriber for receipt of a service on the device authenticated by the first authentication server.
  - 36. The authentication and authorization arrangement of claim 31, wherein at least one of the first authentication server and the second authentication server is further configured to use EAP as messaging protocol.
  - 37. The authentication and authorization arrangement of claim 35, wherein the second authentication server is further configured to reject any service requests received from the subscriber authenticated in the second authentication but from a second device having an identity different from the device authenticated in the first authentication.
  - 38. The authentication and authorization arrangement of claim of 35 wherein the second authentication server is further configured to authorize the subscriber by issuing a signed service token for consumption by at least one of the device and an external third party, wherein the signed service token includes at least one of an authenticated device identity and a subscriber identity.
  - 39. The authentication and authorization arrangement of claim 38 wherein the signed service token is issued for a limited time, where a period of validity is derivable from information in the signed service token.
  - 40. The authentication and authorization arrangement of claim of 38 wherein the service token is signed with an authorizing server public key so that the signed service token can be verified by third party servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Hoeper, Katrin, Medvinsky, Alexander, Nakhjiri, Madjid F.

Granted Patent

US 8,555,361 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

H04L 2209/603   Digital right managament [DRM]

H04L 2463/061   applying further key deriva...

H04L 2463/082   applying multi-factor authe...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/126   the source of the received ...

H04L 63/162   at the data link layer

H04L 9/0861   Generation of secret inform...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3263   involving certificates, e.g...

DYNAMIC CRYPTOGRAPHIC SUBSCRIBER-DEVICE IDENTITY BINDING FOR SUBSCRIBER MOBILITY

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC CRYPTOGRAPHIC SUBSCRIBER-DEVICE IDENTITY BINDING FOR SUBSCRIBER MOBILITY

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links