AUTHENTICATION OF DATA TRANSMISSION DEVICES

US 20190014114A1
Filed: 01/05/2017
Published: 01/10/2019
Est. Priority Date: 01/19/2016
Status: Active Grant

First Claim

Patent Images

1. A method for authentication of a communications connection between a server and a remote terminal using an intermediate device, in which:

the server generates first and second key codes, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device,the server transmits the first and second key codes to the intermediate devicethe remote terminal uses the shared secret to generate a duplicate of the first key code,the remote terminal transmits the first key code to the intermediate devicethe intermediate device compares the first key code and the duplicate of the first key code to verify the authenticity of the remote terminalthe intermediate device transmits the second key code to the remote terminalthe remote terminal uses the shared secret to generate a duplicate of the second key code the remote terminal compares the second key code and the duplicate of the second key code to verify the authenticity of the intermediate device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal (4) to allow data to be exchanged between the remote terminal (4) and a server (1) through the device. The server (1) sends first and second key codes (CK, RK) to the intermediate device (step 105), the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge (107) from the intermediate device the remote terminal (4) uses the shared secret to generate a duplicate (CK*) of the first key code and transmits the duplicate to the intermediate device (step 109). The intermediate device compares the first key code and the duplicate of the first key code (CK, CK*) received respectively from the server (1) and the remote terminal (4) to verify the authenticity of the remote terminal (4). The intermediate device then transmits the second key code (RK) to the remote terminal (4) (step 112), to be compared by the remote terminal with a duplicate (RK*) of the second key code to verify the authenticity of the intermediate device (3). This process allows the intermediate device (3) to be used without itself having the shared secret. The codes (RK, CK) generated by the server (1) may be encoded with a network identity of the intermediate device using the shared secret, such that the remote terminal (4) can only respond to the same intermediate device (3) that transmitted the codes (CK, RK). This prevents a “man-in-the middle” attack by another intermediate device, as without the shared secret no intermediate device can modify the codes (CK, RK) to include a different network identity.

16 Citations

View as Search Results

20 Claims

1. A method for authentication of a communications connection between a server and a remote terminal using an intermediate device, in which:
- the server generates first and second key codes, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device,the server transmits the first and second key codes to the intermediate devicethe remote terminal uses the shared secret to generate a duplicate of the first key code,the remote terminal transmits the first key code to the intermediate devicethe intermediate device compares the first key code and the duplicate of the first key code to verify the authenticity of the remote terminalthe intermediate device transmits the second key code to the remote terminalthe remote terminal uses the shared secret to generate a duplicate of the second key code the remote terminal compares the second key code and the duplicate of the second key code to verify the authenticity of the intermediate device.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method according to claim 1, in which the first and second key codes are generated from the shared secret, and are changed after each use.
  - 3. A method according to claim 2, in which the server generates a plurality of one-use key code pairs and transmits them to the intermediate device, and the intermediate device uses each key-code pair in turn for a series of authentication interactions with the remote terminal.
  - 4. A method according to claim 1, in which the first and second key codes are combined with encoded address data of the intermediate device, and the remote terminal uses the shared secret to decode the address data, to verify the identity of the intermediate device.
  - 5. A method according to claim 1, wherein the intermediate device is responsive to a flag signal generated by the remote terminal to route the received data either to a data store in the intermediate device for later transmission to the server, in response to a first setting of the flag signal, or to open a connection to the server for relaying the data to the server in response to a second setting of the flag signal.

6-13. -13. (canceled)

14. A data communications device configured to operate as an intermediate relay between a server and one or more remote data communications terminals, havingone or more communications interfaces for communication with the server and the or each remote communications terminal,an authentication system configured to:
- receive challenge and response data from the server relating to the or each remote communications terminal and comprising, for each remote communications device a first challenge, a first response key and a second response key,transmit the first challenge to the respective remote data communications terminal;
  
  receive a version of the first response key from the remote data communications terminalcompare the version of the first response key received from the remote data communications terminal with the first response key received from the serverand transmit the second key to the remote data communications terminal.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. A data communications device according to claim 14, arranged to transmit a signal reporting its location to the server.
  - 16. A data communication device according to claim 14, having a detection system for detecting the or each remote data communications terminal and transmitting the respective challenge and response data in response to such detection
  - 17. A data communications device according to claim 14, having a memory for storing a sequence of first and second key codes for the or each remote terminal, the authentication system being arranged to retrieve each key code in sequence for a plurality of successive connections to the remote communications terminal.
  - 18. A data communications device according to claim 14, in which the authentication system generates the challenge request by using the key code to encode an identity code associated with the device.
  - 19. A data communications device according to claim 14, wherein the communications interface comprises a data store for data received from the remote terminal, and a detection device responsive to a flag signal carried in data received from the remote terminal to route the received data to the data store in response to a first setting of the flag signal or to the server in response to a second setting of the flag signal.
  - 20. A computer program element comprising computer program code to, when loaded into a communications device and executed thereon, configure the communications device to operate in accordance with claim 14.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
BEDDUS, Simon, DEANS, Paul

Granted Patent

US 11,206,260 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 63/0884   by delegation of authentica...

H04L 9/0819   Key transport or distributi...

H04L 9/3228   One-time or temporary data,...

H04L 9/3271   using challenge-response

H04L 9/3273   for mutual authentication n...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 88/04   adapted for relaying to or ...

AUTHENTICATION OF DATA TRANSMISSION DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION OF DATA TRANSMISSION DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links