MUTUAL AUTHENTICATION WITH SYMMETRIC SECRETS AND SIGNATURES
Abstract
A client and server negotiate a secure communication channel using a pre-shared key where the server, at the time the negotiation initiates, lacks access to the pre-shared key. The server obtains the pre-shared key from another server that shares a secret with the client. A digital signature or other authentication information generated by the client may be used to enable the other server to determine whether to provide the pre-shared key.
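The exchange described in the abstract, as an added Python sketch that is not code from the patent or its assignee. It assumes HMAC-SHA256 for both the signature and the key derivation, a JSON message format, and a replay cache; all function and variable names are hypothetical.

```python
import hashlib, hmac, json

# Constructed demo secret, known only to the client and the authentication server.
CLIENT_SECRETS = {"client-1": bytes(range(32))}
SEEN_SIGNATURES = set()  # replay cache: an added safeguard, not taken from the claims

def kdf(secret: bytes, label: bytes, params: bytes = b"") -> bytes:
    # Assumed construction: HMAC-SHA256 with a label for domain separation.
    return hmac.new(secret, label + b"\x00" + params, hashlib.sha256).digest()

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def client_hello(client_id: str, secret: bytes, nonce: bytes):
    """Client: build the message of key derivation parameters, sign it, derive the PSK."""
    message = json.dumps({"client": client_id, "nonce": nonce.hex()}, sort_keys=True).encode()
    return message, mac(kdf(secret, b"sign"), message), kdf(secret, b"psk", message)

def auth_server_release_psk(message: bytes, signature: bytes):
    """Authentication server: release the PSK only if the signature verifies."""
    try:
        secret = CLIENT_SECRETS[json.loads(message)["client"]]
    except (ValueError, KeyError, TypeError):
        return None
    if not hmac.compare_digest(mac(kdf(secret, b"sign"), message), signature):
        return None
    if signature in SEEN_SIGNATURES:  # same signed message presented twice
        return None
    SEEN_SIGNATURES.add(signature)
    return kdf(secret, b"psk", message)

def front_end_handshake(message: bytes, signature: bytes):
    """First server: holds no client secret, so it forwards and waits for the PSK."""
    psk = auth_server_release_psk(message, signature)
    if psk is None:
        return None  # treat the signature as unverified and stop the handshake
    # Key confirmation stands in for the rest of a PSK handshake (assumption).
    return mac(psk, b"server-finished" + message)

def client_accepts(psk: bytes, message: bytes, finished) -> bool:
    return finished is not None and hmac.compare_digest(
        mac(psk, b"server-finished" + message), finished)
```

Binding the PSK to the signed message means each fresh nonce yields a different key, and the front-end server only ever holds per-session keys, never the long-term secret.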
20 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems configured with executable instructions,
receiving, from a client computer system and in accordance with a communication protocol for establishing a secure communication channel, a message and a digital signature, the message specifying a set of key derivation parameters, the communication protocol comprising a handshake protocol;
transmitting the message and the digital signature to an authentication server operable to verify authenticity of the message based at least in part on the digital signature and contingent on successful verification of the authenticity of the message, derive a pre-shared cryptographic key that is available to the client computer system and to provide the pre-shared cryptographic key;
receiving, from the authentication server, the pre-shared cryptographic key; and
using the pre-shared cryptographic key to establish, as part of the handshake protocol, the secure communication channel with the client computer system to result in an established secure communication channel.
6. A system, comprising a set of computing devices configured to implement at least:
a first server that negotiates, in accordance with a handshake protocol, a secure communication channel with a client computer system by executing executable code that causes the first server to:
provide a message and a digital signature received from a client computer system to a second server;
if the digital signature matches the message, receive, from the second server, a pre-shared key accessible to the client computer system and usable to transmit encrypted messages to the client computer system to communicate over the secure communication channel; and
if the digital signature fails to match the message, operate in accordance with the digital signature being unverified.
15. A non-transitory computer-readable storage medium having stored thereon instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to:
access a cryptographic key usable to derive a signing key, the signing key accessible to a second computer system and usable to generate a digital signature of a request to the second computer system such that the request and the digital signature of the request are collectively sufficient to cause the second computer system to fulfill the request;
derive, from the accessed cryptographic key, a session key; and
use the session key to encrypt at least a portion of one or more communications to the second computer system, the one or more communications comprising a first request that is digitally signed using the signing key.
Specification