Method and apparatus for privacy and authentication in wireless networks
First Claim
1. An improved method for providing secure communications between a first data processing device and a second data processing device, comprising the steps of:
(a) said first data processing device transmitting a first message including;
a Mobile Certificate (Cert_Mobile) including a mobile public key (Pub_Mobile), a chosen challenge value (CH1), and a list of supported shared key algorithms (SKCS), to said second data processing device;
(b) said second data processing device receiving said first message and verifying a first signature of a first certificate authority (CA), said second data processing device validating said received Cert_Mobile, and if said Cert_Mobile is valid, said second data processing device transmitting a second message including;
a Base Certificate (Cert_Base) including a base public key (Pub_Base), a second digital signature, a random number (RN1), and an identifier of one of said SKCS chosen from said list of supported shared key algorithms, to said first data processing device;
(c) said first data processing device receiving said second message and validating said Cert_Base, and if said Cert_Base is valid, said first data processing device validating said second signature of said Cert_Base using said Pub_Base, such that if said second signature is valid, said first data processing device determining the value of RN1 by decrypting the value of E(Pub_Mobile, RN1) using a private key of said first data processing device (Priv_Mobile);
(d) said first data processing device generating a value RN2 and a first session key having the value (RN1 ⊕ RN2), said first data processing device encrypting the value of RN2 using said base public key (Pub_Base), and sending a third message to said second data processing device including said encrypted RN2 and the value of E(Pub_Mobile, RN1) along with a digital signature corresponding to said first data processing device;
(e) said second data processing device receiving said third message and verifying said digital signature of said first data processing device using Pub_Mobile obtained from said Cert_Mobile, and if said signature of said first data processing device is verified, said second data processing device decrypting the value of E(Pub_Base, RN2) using a private key of said second data processing device (Priv_Base), said second data processing device using said first session key having the value of (RN1 ⊕ RN2);
(f) said first and second data processing devices transferring data using encrypted data which is decrypted using said first session key.
Abstract
A method and apparatus is disclosed for providing a secure wireless communication link between a mobile nomadic device and a base computing unit. A mobile sends a host certificate (Cert_Mobile) to the base along with a randomly chosen challenge value (CH1) and a list of supported shared key algorithms ("SKCS"). The base determines if the Cert_Mobile is valid. If the Cert_Mobile is not valid, then the base unit rejects the connection attempt. The base then sends a Cert_Base, random number (RN1) encrypted in mobile's public key and an identifier for the chosen SKCS to the mobile. The base saves the RN1 value and adds the CH1 value and the chosen SKCS to messages sent to the base. The mobile unit then validates the Cert_Base, and if the certificate is valid, the mobile verifies under the public key of the base (Pub_Base) the signature on the message. The signature is verified by taking the base message and appending it to CH1 and the list of shared key algorithms that the mobile provided in the first message. If the base signature is not valid, then the communication attempt is aborted. In the event that the base signature is valid, the mobile determines the value of RN1 by decrypting Pub_Mobile, RN1 under the private key of the mobile. The mobile then generates RN2 and the session key, and encrypts RN2 under the Pub_Base. The mobile sends the encrypted RN2 and E(Pub_Mobile, RN1) to the base. The base then verifies the mobile signature using the Pub_Mobile obtained from the Cert_Mobile. If the mobile signature is verified, the base decrypts E(Pub_Base, RN2) using its private key. The base then determines the session key. The mobile and base may then enter a data transfer phase using encrypted data which is decrypted using the session key which is RN1 ⊕ RN2.
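The three-message exchange described in the abstract, as an added Python illustration that is not part of the patent: toy textbook RSA over fixed Mersenne primes stands in for the public-key operations, and the algorithm names, the hashing of fields and the exact fields covered by each signature are assumptions. It also shows the mobile aborting when the SKCS list the base signed differs from the list the mobile sent in message 1.

```python
import hashlib, secrets

E = 65537
def keypair(a, b):
    # Toy textbook RSA from Mersenne primes 2**a-1 and 2**b-1 (constructed, insecure).
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(key, *fields):
    h = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(h, "big") % key[0]

def sign(priv, *fields): return pow(digest(priv, *fields), priv[1], priv[0])
def verify(pub, sig, *fields): return pow(sig, pub[1], pub[0]) == digest(pub, *fields)
def rsa(key, m): return pow(m, key[1], key[0])   # E(Pub, x) or decryption with Priv

CA_PUB, CA_PRIV = keypair(521, 607)
def make_cert(name, pub): return (name, pub, sign(CA_PRIV, name, pub))
def cert_valid(cert): return verify(CA_PUB, cert[2], cert[0], cert[1])

def handshake(skcs_seen_by_base=None):
    mob_pub, mob_priv = keypair(61, 89)
    base_pub, base_priv = keypair(107, 127)
    cert_mobile, cert_base = make_cert("mobile", mob_pub), make_cert("base", base_pub)
    # Message 1, mobile -> base: Cert_Mobile, CH1, SKCS list (names are placeholders).
    ch1, skcs = secrets.randbits(64), ["ALG-A", "ALG-B"]
    received = skcs_seen_by_base or skcs      # list as it arrives at the base
    # Message 2, base -> mobile: Cert_Base, E(Pub_Mobile, RN1), chosen SKCS, signature.
    if not cert_valid(cert_mobile):
        return None                           # base rejects the connection attempt
    rn1 = secrets.randbits(64)
    e_rn1, chosen = rsa(cert_mobile[1], rn1), received[0]
    sig_base = sign(base_priv, e_rn1, chosen, ch1, received)
    # Mobile validates Cert_Base, then checks the signature over message 2 with its
    # OWN CH1 and SKCS list appended, so a stale or altered message 1 is detected.
    if not (cert_valid(cert_base)
            and verify(cert_base[1], sig_base, e_rn1, chosen, ch1, skcs)):
        return None                           # mobile aborts
    # Message 3, mobile -> base: E(Pub_Base, RN2), E(Pub_Mobile, RN1), signature.
    rn2 = secrets.randbits(64)
    e_rn2 = rsa(cert_base[1], rn2)
    sig_mobile = sign(mob_priv, e_rn2, e_rn1)
    key_mobile = rsa(mob_priv, e_rn1) ^ rn2   # RN1 xor RN2 on the mobile
    if not verify(cert_mobile[1], sig_mobile, e_rn2, e_rn1):
        return None
    key_base = rn1 ^ rsa(base_priv, e_rn2)    # RN1 xor RN2 on the base
    return key_mobile, key_base
```

Calling `handshake()` returns the two independently derived session keys; passing a different list as `skcs_seen_by_base` returns `None` because the base signature no longer matches what the mobile sent.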
32 Claims
17. In a network having a first data processing device in communication with a second data processing device, an apparatus for providing a secure data transfer between said first data processing device and said second data processing device, comprising:
a first message generation and transmission/receiving circuit coupled to said first data processing device for transmitting a first message including;
a Mobile Certificate (Cert_Mobile) having a mobile public key (Pub_Mobile), a chosen challenge value (CH1), and a list of supported shared key algorithms (SKCS), to said second data processing device;
second message generation and transmission/receiving circuit coupled to said second data processing device for receiving said first message, said second data processing device validating said received Cert_Mobile, and if said Cert_Mobile is valid, said second data processing device transmitting a second message including;
a Base Certificate (Cert_Base) including a base public key (Pub_Base), a second digital signature, a random number (RN1), and an identifier of one of said SKCS chosen from said list of supported shared key algorithms, to said first data processing device;
said first data processing device receiving said second message using said first message and transmission/receiving means and validating said Cert_Base, and if said Cert_Base is valid, said first data processing device validating said second signature of said message using said Pub_Base, such that if said second signature is valid, said first data processing device determines the value of RN1 by decrypting the value of E(Pub_Mobile, RN1) using a private key of said first data processing device (Priv_Mobile);
said first data processing device generating a value RN2 and a first session key having the value (RN1 ⊕ RN2), said first data processing device encrypting the value of RN2 using said base public key (Pub_Base), and sending a third message to said second data processing device including said encrypted RN2 and the value of E(Pub_Mobile, RN1) along with a digital signature corresponding to said first data processing device;
said second data processing device receiving said third message using said second message and transmission/receiving means and verifying said digital signature of said first data processing device using Pub_Mobile obtained from said Cert_Mobile, and if said signature of said first data processing device is verified, said second data processing device decrypting the value of E(Pub_Base, RN2) using a private key of said second data processing device (Priv_Base), said second data processing device using said first session key having the value of (RN1 ⊕ RN2);
said first and second data processing devices transferring data using encrypted data which is decrypted using said first session key.
Specification