DISCOVERY OF SECURITY ASSOCIATIONS

US 20120272064A1
Filed: 04/29/2011
Published: 10/25/2012
Est. Priority Date: 04/22/2011
Status: Active Grant

First Claim

Patent Images

1. A method for forming a discoverable security association between a first computing device and a second computing device, comprising:

the first computing device being provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device, wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for discovering security associations formed in communication environments. For example, a method for forming a discoverable security association between a first computing device (e.g., a first client) and a second computing device (e.g., a second client) comprises the following steps. The first computing device is provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device. The secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device (e.g., an intercepting server) can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device. By way of example, the key may be a result of an identity based authenticated key exchange.

Citations

30 Claims

1. A method for forming a discoverable security association between a first computing device and a second computing device, comprising:
- the first computing device being provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device, wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the first computing device obtains an application program that comprises a pseudo-random number generator.
  - 3. The method of claim 2, wherein the first computing device obtains the application program from a fourth computing device.
  - 4. The method of claim 2, wherein the application program is provided with the seed and the seed is associated with an identifier associated with the first computing device.
  - 5. The method of claim 1, wherein the application program invokes the pseudo-random generator to generate the secret based on the seed.
  - 6. The method of claim 5, wherein the pseudo-random generator uses the seed and a value to generate the secret.
  - 7. The method of claim 6, wherein the value is a deterministic and monotonically increasing value.
  - 8. The method of claim 7, wherein the value comprises one of a time stamp value or a counter value.
  - 9. The method of claim 1, wherein the first computing device and the second computing device respectively comprise clients.
  - 10. The method of claim 1, wherein the third computing device comprises an intercepting server.
  - 11. The method of claim 3, wherein the fourth computing device comprises a server operated by a provider.
  - 12. The method of claim 11, wherein the provider comprises one of an application provider, a network provider, and an enterprise.
  - 13. The method of claim 1, wherein the third computing device comprises a conference server wherein the key is a group key used by participants in a conference call.
  - 14. The method of claim 1, wherein the seed comprises a set of numbers comprising at least one random number.
  - 15. The method of claim 1, wherein the key comprises a session key.
  - 16. The method of claim 1, wherein the key is a result of a mutually authenticated key exchange.
  - 17. The method of claim 16, wherein the mutually authenticated key exchange comprises an identity based authenticated key exchange.

18. A method for discovering a security association formed between a first computing device and a second computing device, comprising:
- a third computing device obtaining a secret from a fourth computing device, wherein the secret is the same secret generated by the first computing device, wherein the first computing device generated the secret based on a seed provided thereto by the fourth computing device and wherein the first computing device used the seed to generate the secret and used the secret to compute a key for use in securing communications with the second computing device; and
  
  the third computing device re-computing the key based on the secret in order to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The method of claim 18, wherein the third computing device provides a value associated with an identity associated with the first computing device to the fourth computing device such that the fourth computing device returns the secret needed by the third computing device to re-compute the key in order to intercept communications between the first computing device and the second computing device.
  - 20. The method of claim 18, wherein the third computing device requests from a fifth computing device one or more of respective private keys associated with the first computing device and the second computing device.
  - 21. The method of claim 20, wherein the third computing device also uses at least one of the private keys to re-compute the key.
  - 22. The method of claim 18, wherein the first computing device and the second computing device respectively comprise clients.
  - 23. The method of claim 18, wherein the third computing device comprises an intercepting server.
  - 24. The method of claim 18, wherein the fourth computing device comprises a server operated by a provider.
  - 25. The method of claim 24, wherein the provider comprises one of an application provider, a network provider, and an enterprise.
  - 26. The method of claim 18, wherein the key is a result of an identity based authenticated key exchange
  - 27. The method of claim 18, wherein the third computing device comprises a conference server wherein the key is a group key used by participants in a conference call.
  - 28. The method of claim 20, wherein the fifth computing device comprises a key management server.

29. Apparatus for forming a discoverable security association between a first computing device and a second computing device, comprising:
- a memory; and
  
  a processor coupled to the memory and configured such that the first computing device is provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device, wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device.

30. Apparatus for discovering a security association formed between a first computing device and a second computing device, comprising:
- a memory; and
  
  a processor coupled to the memory and configured such that a third computing device obtains a secret from a fourth computing device, wherein the secret is the same secret generated by the first computing device, wherein the first computing device generated the secret based on a seed provided thereto by the fourth computing device and wherein the first computing device used the seed to generate the secret and used the secret to compute a key for use in securing communications with the second computing device, and such that the third computing device re-computes the key based on the secret in order to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Sundaram, Ganapathy S., Mizikovsky, Semyon B.

Granted Patent

US 8,769,288 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/306   intercepting packet switche...

H04L 9/0894   Escrow, recovery or storing...

DISCOVERY OF SECURITY ASSOCIATIONS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

DISCOVERY OF SECURITY ASSOCIATIONS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links