Method and system for managing security keys for user and M2M devices in a wireless communication network environment
Abstract
Pre Shared Keys (“PSK”) for application and data session security are generated using application authentication secret values stored in a SIM device/card. The SIM internally uses the secret values as inputs to a security algorithm engine, but the secret values are not accessible outside of the SIM. The application authentication secret values cannot be used to authenticate the SIM, or a device that includes the SIM, to a communication network. Rather, symmetric keys and keying material are generated for use by applications outside of the standard and conventional wireless networking uses of a SIM device. Updated PSKs are generated at different network endpoints such that the PSKs are generated individually and separately at the endpoints; the ‘preshared’ keys are not actually shared. Thus, a client endpoint and a server endpoint, or an endpoint associated with the server, independently generate the same PSK without the PSK being transmitted between the endpoints.
20 Claims
1. A system, comprising:
- an identity module having:
- one or more application dedicated files wherein each of the one or more application dedicated files points within the identity module to an application authentication algorithm input memory portion for storing application authentication inputs used to authenticate one or more applications for connection to a remote application server;
- an authentication algorithm processing engine; and
- wherein the authentication algorithm processing engine of the identity module is to: upon detecting a trigger, use the application authentication inputs stored in the authentication algorithm input memory portion to authenticate one of the one or more applications to the remote application server.
11. A method, comprising:
- receiving at a first network endpoint from a second network endpoint a message requesting that the first endpoint update an existing preshared key for use for a secure communication session;
- transmitting a preshared key identifier (PSK-ID) from the first endpoint to the second network endpoint;
- receiving at the first endpoint a first random number, a second random number, and a remote endpoint authentication value from the second network endpoint, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second endpoint and that is associated with the preshared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC);
- generating, with an authentication algorithm processing engine of an identity module associated with the first endpoint, an expected network authentication code (XMAC) and a result value (RES) by processing secret data, which is associated in the identity module with the first endpoint, with the first random number;
- if the received network authentication code (MAC) equals the expected network authentication code (XMAC), transmitting the result value RES from the first endpoint to the second endpoint; and
- generating at the first endpoint a new preshared key to replace the existing preshared key when the first endpoint receives a message from the second endpoint that the second endpoint has successfully generated a new preshared key for use for secure communication by the first endpoint, wherein the new preshared key generated by the first endpoint is based on the second random number, the secret data that is associated with the first endpoint in the identity module, and values included in the remote endpoint authentication value.
16. A method, comprising:
- determining at a second endpoint of a communication network that an existing preshared key that had been established for use with secure communications sessions with a first endpoint should be updated at the first and second endpoints;
- transmitting from the second endpoint a message requesting that the first endpoint update an existing preshared key for use for the secure session;
- receiving a preshared key identifier (PSK-ID) from the first network endpoint at the second network endpoint;
- transmitting to the first network endpoint a first random number, a second random number, and a remote endpoint authentication value, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second network device and that is associated with the preshared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC);
- receiving from the first endpoint a result value RES;
- evaluating the result value (RES) received from the first endpoint; and
- transmitting, based on the evaluation of the result value (RES), a message to the first endpoint that the second endpoint has successfully generated a new preshared key for use for secure communication with the first endpoint, wherein the new preshared key generated by the second network endpoint is based on the second random number, the secret data that is associated with the preshared key identifier (PSK-ID), and the result value (RES).
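The exchange recited in claims 11 and 16, simulated with both endpoints, as an added example that is not taken from the patent. Assumptions: HMAC-SHA256 stands in for the unspecified authentication algorithm, the class and function names and the sample PSK-ID are hypothetical, and the PSK derivation feeds in the second random number, the MAC and RES together so that both claims' input lists are covered.

```python
import hashlib
import hmac
import secrets

def f(key, label, *parts):
    # Assumption: HMAC-SHA256 stands in for the identity module's algorithm.
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)  # length-prefix each input
    return h.digest()

class IdentityModule:
    """First endpoint's SIM (hypothetical class): the secret stays inside."""
    def __init__(self, secret):
        self._secret = secret

    def authenticate(self, rand1, mac):
        xmac = f(self._secret, b"MAC", rand1)
        if not hmac.compare_digest(mac, xmac):
            return None  # MAC != XMAC: release no RES
        return f(self._secret, b"RES", rand1)

    def derive_psk(self, rand2, mac, res):
        return f(self._secret, b"PSK", rand2, mac, res)

class Server:
    """Second endpoint (hypothetical class): holds the secret per PSK-ID."""
    def __init__(self, secrets_by_psk_id):
        self._db = secrets_by_psk_id

    def challenge(self, psk_id):
        key = self._db[psk_id]
        rand1, rand2 = secrets.token_bytes(16), secrets.token_bytes(16)
        self._pending = (key, rand1, rand2, f(key, b"MAC", rand1))
        return rand1, rand2, self._pending[3]

    def finish(self, res):
        key, rand1, rand2, mac = self._pending
        if not hmac.compare_digest(res, f(key, b"RES", rand1)):
            return None  # RES evaluation failed: keep the existing PSK
        return f(key, b"PSK", rand2, mac, res)

def run_update(sim_secret, server_secret, psk_id=b"psk-id-0001"):
    """Run one update; returns (client_psk, server_psk). psk_id is a constructed sample."""
    sim, server = IdentityModule(sim_secret), Server({psk_id: server_secret})
    rand1, rand2, mac = server.challenge(psk_id)  # sent after the PSK-ID arrives
    res = sim.authenticate(rand1, mac)
    if res is None:
        return None, None
    server_psk = server.finish(res)  # server derives first, then signals success
    client_psk = sim.derive_psk(rand2, mac, res) if server_psk else None
    return client_psk, server_psk
```

Only the PSK-ID, the two random numbers, MAC and RES cross between the objects; the PSK is computed separately on each side, which is the property the abstract describes.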
Specification