AUTHENTICATION OF DATA TRANSMISSION DEVICES
Abstract
An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal (4) to allow data to be exchanged between the remote terminal (4) and a server (1) through the device. The server (1) sends first and second key codes (CK, RK) to the intermediate device (step 105), the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge (107) from the intermediate device, the remote terminal (4) uses the shared secret to generate a duplicate (CK*) of the first key code and transmits the duplicate to the intermediate device (step 109). The intermediate device compares the first key code and the duplicate of the first key code (CK, CK*), received respectively from the server (1) and the remote terminal (4), to verify the authenticity of the remote terminal (4). The intermediate device then transmits the second key code (RK) to the remote terminal (4) (step 112), to be compared by the remote terminal with a duplicate (RK*) of the second key code to verify the authenticity of the intermediate device (3). This process allows the intermediate device (3) to be used without itself having the shared secret. The codes (RK, CK) generated by the server (1) may be encoded with a network identity of the intermediate device using the shared secret, such that the remote terminal (4) can only respond to the same intermediate device (3) that transmitted the codes (CK, RK). This prevents a "man-in-the-middle" attack by another intermediate device, as without the shared secret no intermediate device can modify the codes (CK, RK) to include a different network identity.
16 Citations
20 Claims
1. A method for authentication of a communications connection between a server and a remote terminal using an intermediate device, in which:
- the server generates first and second key codes, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device,
- the server transmits the first and second key codes to the intermediate device,
- the remote terminal uses the shared secret to generate a duplicate of the first key code,
- the remote terminal transmits the first key code to the intermediate device,
- the intermediate device compares the first key code and the duplicate of the first key code to verify the authenticity of the remote terminal,
- the intermediate device transmits the second key code to the remote terminal,
- the remote terminal uses the shared secret to generate a duplicate of the second key code,
- the remote terminal compares the second key code and the duplicate of the second key code to verify the authenticity of the intermediate device.
Dependent claims: 2, 3, 4, 5

6-13. (canceled)

14. A data communications device configured to operate as an intermediate relay between a server and one or more remote data communications terminals, having one or more communications interfaces for communication with the server and the or each remote communications terminal, and an authentication system configured to:
- receive challenge and response data from the server relating to the or each remote communications terminal and comprising, for each remote communications device, a first challenge, a first response key and a second response key;
- transmit the first challenge to the respective remote data communications terminal;
- receive a version of the first response key from the remote data communications terminal;
- compare the version of the first response key received from the remote data communications terminal with the first response key received from the server; and
- transmit the second key to the remote data communications terminal.
Dependent claims: 15, 16, 17, 18, 19, 20
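The exchange described in the abstract and in claims 1 and 14, as an added worked example that is not part of the patent and not the patentee's own implementation. It assumes a concrete construction the patent does not specify: CK and RK are HMAC-SHA256 tags over a server-generated challenge and the intermediate device's network identity, keyed with the shared secret. The identities, the fixed challenge and the secret are constructed sample values. The second run models the case the abstract guards against: a device with a different network identity replaying codes issued for another device, which the terminal rejects because its duplicates CK* and RK* are bound to the identity of the device it is actually talking to.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed sample secret: known to the server and the terminal, never to the intermediate device.
SHARED_SECRET = b"constructed-shared-secret-K"


def derive_codes(shared_secret: bytes, challenge: bytes, intermediate_id: bytes):
    """Derive the first key code CK and the second key code RK from the shared secret.

    Both codes encode the network identity of the intermediate device, so a terminal
    only accepts them from the device whose identity they carry. HMAC-SHA256 with
    distinct labels is an assumed construction, not one the patent specifies.
    """
    ck = hmac.new(shared_secret, b"CK|" + intermediate_id + b"|" + challenge, hashlib.sha256).digest()
    rk = hmac.new(shared_secret, b"RK|" + intermediate_id + b"|" + challenge, hashlib.sha256).digest()
    return ck, rk


class Server:
    """Holds the shared secret; issues a challenge plus CK and RK to an intermediate device."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def issue(self, intermediate_id: bytes, challenge: Optional[bytes] = None):
        # Step 105: challenge and response data for the named intermediate device.
        challenge = challenge or secrets.token_bytes(16)
        ck, rk = derive_codes(self.shared_secret, challenge, intermediate_id)
        return challenge, ck, rk


class Terminal:
    """Remote terminal: knows the shared secret, talks only to the intermediate device."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret
        self._expected_rk = None

    def respond(self, challenge: bytes, peer_id: bytes) -> bytes:
        # Step 109: derive CK* (and RK* for the later check) bound to the identity
        # of the device the terminal is actually connected to.
        ck_dup, rk_dup = derive_codes(self.shared_secret, challenge, peer_id)
        self._expected_rk = rk_dup
        return ck_dup

    def verify_intermediate(self, rk: bytes) -> bool:
        # Compare RK received from the intermediate device with the local RK*.
        return self._expected_rk is not None and hmac.compare_digest(rk, self._expected_rk)


class Intermediate:
    """Relay without the shared secret; it can only forward and compare codes."""

    def __init__(self, network_id: bytes):
        self.network_id = network_id

    def authenticate(self, codes, terminal: Terminal):
        challenge, ck, rk = codes
        # Step 107: challenge the terminal, which sees this device's real identity.
        ck_dup = terminal.respond(challenge, self.network_id)
        if not hmac.compare_digest(ck, ck_dup):
            return False, False          # terminal not verified; RK is never released
        # Step 112: forward RK so the terminal can verify this device.
        return True, terminal.verify_intermediate(rk)


FIXED_CHALLENGE = b"\x01" * 16  # constructed, so the runs below are reproducible


def run_honest():
    """Codes issued for device A are used by device A: both checks pass."""
    server, terminal = Server(SHARED_SECRET), Terminal(SHARED_SECRET)
    device = Intermediate(b"intermediate-A")
    codes = server.issue(device.network_id, FIXED_CHALLENGE)
    return device.authenticate(codes, terminal)


def run_relay_attack():
    """Codes issued for device A are replayed by a device with identity B.

    CK* at the terminal is bound to B, so CK != CK* and the terminal is not
    verified; the third value shows that even if B forwarded RK regardless,
    the terminal's RK* (also bound to B) would not match it.
    """
    server, terminal = Server(SHARED_SECRET), Terminal(SHARED_SECRET)
    codes_for_a = server.issue(b"intermediate-A", FIXED_CHALLENGE)
    rogue = Intermediate(b"other-device-B")
    terminal_ok, intermediate_ok = rogue.authenticate(codes_for_a, terminal)
    rk_accepted_anyway = terminal.verify_intermediate(codes_for_a[2])
    return terminal_ok, intermediate_ok, rk_accepted_anyway


if __name__ == "__main__":
    print("same device:", run_honest())
    print("different device:", run_relay_attack())
```

The intermediate device never derives anything; it only compares CK against CK* and forwards RK, which is what lets it operate without the shared secret. Binding both codes to the intermediate's network identity is what turns a replay by a second device into a plain mismatch rather than a successful relay.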
Specification