METHOD AND NODES FOR PROVIDING SECURE ACCESS TO CLOUD COMPUTING FOR MOBILE USERS

US 20110264906A1
Filed: 04/27/2010
Published: 10/27/2011
Est. Priority Date: 04/27/2010
Status: Active Grant

First Claim

Patent Images

10. A method of securely storing a content from a mobile node into a remote node, the method comprising the steps of:

sending, from the mobile node towards an authentication server, a request for a first challenge;

receiving at the mobile node the first challenge from the authentication server, the first challenge comprising a random value;

generating at the mobile node a content key based on the random value;

encrypting at the mobile node the content by use of the content key;

transferring the encrypted content from the mobile node towards the remote node;

discarding the content key from the mobile node;

fetching at the mobile node the content from the remote node;

sending, from the mobile node towards the authentication server, a request to generate a second challenge;

receiving, at the mobile node, the second challenge from the authentication server;

regenerating, at the mobile node, the same content key based on the random value; and

decrypting, at the mobile node, the fetched content by use of the regenerated content key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile node, a gateway node and methods are provided for securely storing a content into a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches again the content from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore no read or modify the content.

Citations

25 Claims

10. A method of securely storing a content from a mobile node into a remote node, the method comprising the steps of:
- sending, from the mobile node towards an authentication server, a request for a first challenge;
  
  receiving at the mobile node the first challenge from the authentication server, the first challenge comprising a random value;
  
  generating at the mobile node a content key based on the random value;
  
  encrypting at the mobile node the content by use of the content key;
  
  transferring the encrypted content from the mobile node towards the remote node;
  
  discarding the content key from the mobile node;
  
  fetching at the mobile node the content from the remote node;
  
  sending, from the mobile node towards the authentication server, a request to generate a second challenge;
  
  receiving, at the mobile node, the second challenge from the authentication server;
  
  regenerating, at the mobile node, the same content key based on the random value; and
  
  decrypting, at the mobile node, the fetched content by use of the regenerated content key.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17)
- - 1. A method of securely storing a content from a gateway node into a remote node, the method comprising the steps of:
    - receiving the content, at the gateway node, from a mobile node;
      
      sending, from the gateway node towards an authentication server, a request to generate a content key;
      
      receiving the content key, at the gateway node, from the authentication server;
      
      encrypting at the gateway node the content by use of the content key;
      
      transferring the encrypted content from the gateway node towards the remote node;
      
      fetching at the gateway node the content from the remote node;
      
      sending, from the gateway node towards the authentication server, a request to regenerate the same content key;
      
      receiving, at the gateway node, the regenerated content key from the authentication server; and
      
      decrypting, at the gateway node, the fetched content by use of the regenerated content key.
  - 2. The method of claim 1, wherein:
    - the remote node is a part of a cloud computing network.
  - 3. The method of claim 2, wherein:
    - the gateway node provides access towards the cloud computing network to mobile nodes.
  - 4. The method of claim 1, wherein:
    - the authentication server is a home subscriber server (HSS).
  - 5. The method of claim 4, wherein:
    - the requests to generate and to regenerate the content key comprise an identity of the mobile node; and
      
      the HSS generates and regenerates the content key based on a random value and on a secret key shared between the HSS and the mobile node.
  - 6. The method of claim 1, wherein:
    - the content key protects an integrity of the content.
  - 7. The method of claim 1, wherein:
    - the content received at the gateway node is associated with metadata;
      
      the metadata is included in the request to generate the content key;
      
      the metadata is transferred with the content towards the remote node;
      
      the metadata is included in the fetched content; and
      
      the metadata is included in the request to regenerate the content key.
  - 8. The method of claim 1, further comprising the step of:
    - discarding the content key from the gateway node following the step of transferring the encrypted content towards the remote node.
  - 9. The method of claim 1, further comprising the step of:
    - forwarding the content from the gateway node towards the mobile node following the step of decrypting the fetched content.
  - 11. The method of claim 10, wherein:
    - the step of discarding the content key from the mobile node further comprises discarding the random value from the mobile node; and
      
      the second challenge comprises the same random value.
  - 12. The method of claim 11, wherein:
    - the mobile node associates a plurality of distinct metadata with distinct content keys for storing the same or distinct contents in a plurality of remote nodes.
  - 13. The method of claim 10, wherein:
    - the remote node is a part of a cloud computing network; and
      
      the mobile node obtains access to the cloud computing network through a gateway node.
  - 14. The method of claim 10, wherein:
    - the content key protects an integrity of the content.
  - 15. The method of claim 10, wherein:
    - the authentication server is a home subscriber server (HSS).
  - 16. The method of claim 15, wherein:
    - generating and regenerating the content key at the mobile node are further based on a secret key shared between the HSS and the mobile node.
  - 17. The method of claim 10, wherein:
    - the first challenge further comprises a first authentication token;
      
      the mobile node calculates a first sequence number based on the first authentication token;
      
      the mobile node stores the first sequence number;
      
      the second challenge further comprises a second authentication token;
      
      the mobile node calculates a second sequence number based on the second authentication token;
      
      the steps of regenerating and decrypting at the mobile node are conditional to the second sequence number being greater than the first sequence number; and
      
      if the second sequence number is greater than the first sequence number, the mobile node overwrites the first sequence number with the second sequence number.

11-1. The method of claim 10, wherein:
- metadata generated by the mobile node is included in the request for the first challenge;
  
  the metadata is transferred with the content towards the remote node;
  
  the metadata is included in the fetched content; and
  
  the metadata is included in the request to generate the second challenge.

18. A gateway node for securely storing a content into a remote node, comprising:
- an interface configured to communicate with a mobile node, with an authentication server and with the remote node; and
  
  a controller to control the interface and configured to;
  
  receive the content from a mobile node;
  
  send towards the authentication server a request to generate a content key;
  
  receive the content key from the authentication server;
  
  encrypt the content by use of the content key;
  
  transfer the encrypted content towards the remote node;
  
  fetch the content from the remote node;
  
  send towards the authentication server, a request to regenerate the same content key;
  
  receive the regenerated content key from the authentication server; and
  
  decrypt the fetched content by use of the regenerated content key.

19. A mobile node for securely storing a content into a remote node, comprising:
- an interface configured to communicate with an authentication server and with the remote node; and
  
  a controller to control the interface and configured to;
  
  send towards the authentication server a request for a first challenge;
  
  receive the first challenge from the authentication server, the first challenge comprising a random value;
  
  generate a content key based on the random value;
  
  encrypt the content by use of the content key;
  
  transfer the encrypted content towards the remote node;
  
  discard the content key;
  
  fetch the content from the remote node;
  
  send towards the authentication server a request to generate a second challenge;
  
  receive the second challenge from the authentication server;
  
  regenerate the same content key based on the random value; and
  
  decrypt the fetched content by use of the regenerated content key.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The mobile node of claim 19, wherein:
    - the controller is further configured to discard the random value when it discards the content key; and
      
      the second challenge comprises the same random value.
  - 21. The mobile node of claim 19, wherein:
    - the controller comprises a subscriber identity module (SIM) for storing a secret key shared with the authentication server, the SIM further generating and regenerating the content key based on the random value and on the shared secret key.
  - 22. The mobile node of claim 21, wherein:
    - the first challenge further comprises a first authentication token;
      
      the controller calculates a first sequence number based on the first authentication token;
      
      the SIM stores the first sequence number;
      
      the second challenge further comprises a second authentication token;
      
      the controller calculates a second sequence number based on the second authentication token;
      
      regenerating and decrypting at the controller are conditional to the second sequence number being greater than the first sequence number; and
      
      if the second sequence number is greater than the first sequence number, the controller overwrites in the SIM the first sequence number with the second sequence number.
  - 23. The mobile node of claim 19, further comprising:
    - a trusted platform module (TPM);
      
      wherein the random value received from the authentication server is encrypted by a public key of the TPM; and
      
      wherein the TPM is for using its private key to decrypt the random value.
  - 24. The mobile node of claim 23, further comprising:
    - a plurality of virtual machines (VM);
      
      wherein the TPM refuses to decrypt the random value if one or more of the VMs do not comply with a security policy.
  - 25. The mobile node of claim 24, wherein:
    - the TPM refuses to decrypt the random value if one or more of the VMs have a connection outside of a secure network for the mobile node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Naslund, Mats, Pourzandi, Makan

Granted Patent

US 8,452,957 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless

H04L 2463/061   applying further key deriva...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 9/083   involving central third par...

H04L 9/0869   involving random numbers or...

H04W 12/02   Protecting privacy or anony...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 88/08   Access point devices

METHOD AND NODES FOR PROVIDING SECURE ACCESS TO CLOUD COMPUTING FOR MOBILE USERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND NODES FOR PROVIDING SECURE ACCESS TO CLOUD COMPUTING FOR MOBILE USERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links