Method and system for secure lightweight transactions in wireless data networks

US 6,148,405 A
Filed: 11/10/1997
Issued: 11/14/2000
Est. Priority Date: 11/10/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, the method comprising:

the client sending a session-request signal to the server for creating the session therebetween, the session-request signal comprising at least one client message encrypted according to a shared secret encrypt key previously residing on both the client and the server;

the server conducting a first client authentication by decrypting the encrypted client message according to the shared secret encrypt key upon receiving the session-request signal;

the server generating a session key for the session in creation, a first derivative from the decrypted client message, and a server message;

the server sending a session-reply signal comprising the session key, the first derivative and the server message, with the session key, the first derivative and the server message being encrypted according to the shared secret encrypt key;

the client conducting a first server authentication by decrypting the first derivative and the server message being encrypted according to the shared secret encrypt key; and

the client conducting a second server authentication by validating the first derivative with the client message.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a method and system for establishing an authenticated and secure communication session for transactions between a server and a client in a wireless data network that generally comprises an airnet, a landline network and a link server therebetween. The client having limited computing resources is remotely located with respect to the server and communicates to the server through the wireless data network. To authenticate each other, the client and the server conduct two rounds of authentication, the client authentication and the server authentication, independently and respectively, each of the authentication processes is based on a shared secret encrypt key and challenge/response mechanism. To reach for a mutually accepted cipher in the subsequent transactions, the server looks up for a commonly used cipher and forwards the cipher along with a session key to the client. The subsequent transactions between the client and the server are then proceeded in the authenticated and secure communication session and further each transaction secured by the session key is labeled by a transaction ID that is examined before a transaction thereof takes place.

259 Citations

34 Claims

1. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, the method comprising:
- the client sending a session-request signal to the server for creating the session therebetween, the session-request signal comprising at least one client message encrypted according to a shared secret encrypt key previously residing on both the client and the server;
  
  the server conducting a first client authentication by decrypting the encrypted client message according to the shared secret encrypt key upon receiving the session-request signal;
  
  the server generating a session key for the session in creation, a first derivative from the decrypted client message, and a server message;
  
  the server sending a session-reply signal comprising the session key, the first derivative and the server message, with the session key, the first derivative and the server message being encrypted according to the shared secret encrypt key;
  
  the client conducting a first server authentication by decrypting the first derivative and the server message being encrypted according to the shared secret encrypt key; and
  
  the client conducting a second server authentication by validating the first derivative with the client message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method as recited in claim 1 wherein session-request signal further comprises a client cipher indicating what encryption the client currently uses.
  - 3. The method as recited in claim 2 wherein session-request signal further comprises a modified version of the client message, the modified version having a operational relationship with the client message and being encrypted according to the shared secret encrypt key.
  - 4. The method as recited in claim 3 further comprising the server negotiating a mutually accepted cipher with the client for the session in creation.
  - 5. The method as recited in claim 4 wherein the server negotiating the mutually accepted cipher with the client comprises examining the client cipher;
    - looking up a server cipher and determining the mutually accepted cipher.
  - 6. The method as recited in claim 5 further comprising:
    - the client initiating a transaction signal comprising a transaction ID to interact with the server;
      
      the client coupling the second derivative from the server message with the transaction signal, thereby a combined signal is formed;
      
      the client sending the combined signal to the server;
      
      the server conducting a second client authentication by validating the second derivative with the server message upon receiving and decoupling the combined signal; and
      
      thereby the authenticated and secure communication session is established between the client and the server after the first and second client authentication as well as the first and the second server authentication are all successful;
      
      the server examining the transaction ID to see if the transaction ID is in a trans-sequence;
      
      the server replying to the client with a reply signal; and
      
      the client sending an acknowledge signal to commit an transaction specified in the transaction signal initiated by the client.
  - 7. The method as recited in claim 6 wherein the transaction request is a service-request signal comprising a URL.
  - 8. The method as recited in claim 7 wherein the server replying to the client with a reply signal comprises contacting a service identified by the URL and sending a result in form of digest from the contacting the service identified by the URL.
  - 9. The method as recited in claim 8 wherein the server replying to the client with a reply signal comprises contacting a service identified by the URL and sending a result in form of digest from contacting the service identified by the URL.
  - 10. The method as recited in claim 6 wherein the transaction request is a post signal comprising a URL and editorial information.
  - 11. The method as recited in claim 1 further comprising:
    - the client generating a second derivative from the server message if the second server authentication succeeds;
      
      the client sending a session-complete signal comprising the second derivative; and
      
      the server conducting a second client authentication by validating the second derivative with the server message; and
      
      thereby the authenticated and secure communication session is established between the client and the server after the first and the second client authentication as well as the first and the second server authentication are all successful.
  - 12. The method as recited in claim 11 further comprising:
    - the client initiating a client transaction request and generating a transaction ID thereof, the client transaction request being encrypted according to the session key;
      
      the server examining the transaction ID to see if the transaction ID is in a trans-sequence upon receiving the client transaction request after decrypting the client transaction request according to the session key;
      
      the server replying to the client with a reply signal if the server examining the transaction ID is true; and
      
      the client sending an acknowledge signal to commit a transaction specified in the client transaction signal.
  - 13. The method as recited in claim 11 further comprising:
    - the server initiating a server transaction signal comprising at least one notification therein;
      
      the client replying to the server with a get-notify signal comprising a transaction ID to fetch the notification;
      
      the server examining the transaction ID to see if the transaction ID is in a transsequence;
      
      the server replying to the client with a reply signal if the server examining the second transaction ID is successful; and
      
      the client sending an acknowledge signal to commit an transaction specified in the transaction signal initiated by the server.
  - 14. A method as recited in claim 11,wherein the session-request signal further comprises a device identifier associated with the client, andwherein the server determines the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.
  - 15. A method as recited in claim 11,wherein the session-request signal further comprises a device identifier associated with the client,wherein the server supports a plurality of clients,wherein the server stores a plurality of shared secret encrypt keys, each of the shared secret encrypt keys being associated with one of the clients, andwherein the server determines the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.
  - 16. The method as recited in claim 1 wherein the client message is a client nonce represented by a sequence of digits.
  - 17. The method as recited in claim 16 wherein the client nonce is a non-repeatable two-byte numeral.
  - 18. The method as recited in claim 17 wherein the first derivative has a first relationship with the client nonce.
  - 19. The method as recited in claim 18 wherein the session-reply signal further comprises a session ID of the session, the session key and the server cipher, all being encrypted according to the shared secret encrypt key.
  - 20. The method as recited in claim 19 wherein the server message is a server nonce.
  - 21. The method as recited in claim 20 wherein the second nonce is a non-repeatable two-byte numeral.
  - 22. The method as recited in claim 21 wherein the second derivative has a second relationship with the server nonce.
  - 23. A method as recited in claim 1,wherein the session-request signal further comprises a device identifier associated with the client, andwherein the server determines the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.
  - 24. A method as recited in claim 1,wherein the session-request signal further comprises a device identifier associated with the client,wherein the server supports a plurality of clients,wherein the server stores a plurality of shared secret encrypt keys, each of the shared secret encrypt keys being associated with one of the clients, andwherein the server determines the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.

25. A system for establishing an authenticated and secure communication session, the system comprising:
- a landline network running on a first communication protocol;
  
  at least one server coupled into the landline network and communicating with the landline network;
  
  an airnet running on a second communication protocol;
  
  a client remotely located with respect to the server and communicating with the airnet by radio transmission means;
  
  a link server, coupling the airnet to the landline network, for linking the first communication protocol to the second communication protocol, whereby the client can communicate with the server;
  
  means, in the client, for generating a session-request signal comprising at least one client message encrypted according to a shared secret encrypt key;
  
  the session-request signal being transmitted to the airnet;
  
  means, in the server, for sending a session-reply signal comprising at lease one server message encrypted according to the shared secret encrypt key;
  
  the session-reply signal sending means comprising;
  
  means for conducting a first client authentication when the session-request signal is received, the first client authentication comprising means for decrypting the encrypted client message from the received session-request signal; and
  
  means for generating a first derivative from the client message;
  
  means for conducting server authentication upon receiving the session-reply signal, the conducting server authentication means comprising;
  
  means for recovering the encrypted server message when the session-reply signal is received; and
  
  means for verifying the received first derivative with the client message; and
  
  means for generating a second derivative from the server message.
- View Dependent Claims (26, 27, 28)
- - 26. The system as recited in claim 25 further comprising:
    - means, in the client, for generating a session-complete signal comprising the second derivative;
      
      means, in the server, for conducting a second client authentication, the second client authentication means comprising means for verifying the received second derivative with the server message when the session-complete signal is received; and
      
      whereby the authenticated and secure communication session between the client and the server is established when the first and second client authentication and the server authentication are complete.
  - 27. The system as recited in claim 26, further comprising:
    - means, in the client, for initiating a transaction request signal comprising a transaction ID; and
      
      means, in the server, for verifying the transaction ID after the transaction request signal is received.
  - 28. The system as recited in claim 27, further comprising means, in the server, for sending a reply signal to the client and means, in the client, for acknowledging the reply signal to commit a transaction requested in the transaction request signal.

29. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, the method comprising:
- the client sending a session-request signal to the server for creating the session therebetween, the session-request signal comprising a client session ID, a client cipher, a C-nonce and a C-nonceModified, at least the C-nonce and the C-nonceModified being encrypted by the client cipher according to a shared secret encrypt key with the server;
  
  the server conducting a first client authentication by decrypting the encrypted C-nonce and C-nonceModified according to the shared secret encrypt key upon receiving the session-request signal;
  
  the server generating a server session ID and a session key for the session in creation, deriving a first derivative from the decrypted C-nonce and generating a S-nonce upon examining the client session ID;
  
  the server negotiating a mutually accepted cipher with the client for the session in creation, the negotiating comprising examining the client cipher, looking up a server cipher and determining the mutually accepted cipher therefor;
  
  the server sending a session-reply signal comprising the session key, the first derivative and the S-nonce;
  
  the session key, the first derivative and the S-nonce being encrypted therein according to the shared secret encrypt key;
  
  the client conducting a first server authentication by decrypting the session key, the first derivative and the S-nonce according to the shared secret encrypt key;
  
  the client conducting a second server authentication by validating the first derivative with the C-nonce generated originally in the client;
  
  the client generating a second derivative from the S-nonce if the second server authentication succeeds;
  
  the server decrypting the second derivative upon receiving the second derivative that is encrypted at the client according to the shared secret encrypt key; and
  
  the server conducting a second client authentication by decrypting the second derivative and verifying the decrypted second derivative with the S-nonce upon receiving the second derivative from the client;
  
  thereby the authenticated and secure communication session for transactions between the client and the server is established.
- View Dependent Claims (30, 31)
- - 30. The method as recited in claim 29 further comprising:
    - the client initiating a transaction request comprising a transaction identified by a transaction ID and encrypted by the mutually accepted cipher according to the session key;
      
      the transaction request comprising a URL identifying a service server in the wireless data network;
      
      the server verifying the transaction ID, performing a MAC verification and replying to the client with a service reply comprising a result of contacting the service server if the transaction ID is in trans-sequence; and
      
      the client committing to the transaction request by sending an acknowledge signal to the server, thereby the transaction is complete in the authenticated and secure communication session.
  - 31. The method as recited in claim 29 further comprising:
    - the server initiating a notification request comprising at least one message notification;
      
      the notification request being encrypted by the mutually accepted cipher according to the session key;
      
      the client replying to the server with a get-notify signal comprising a transaction ID to fetch the notification;
      
      the server examining the transaction ID to see if the transaction ID is in a transsequence;
      
      the server replying to the client with a reply signal if the server examining the transaction ID is successful; and
      
      the client sending an acknowledge signal to commit an transaction specified in the transaction signal initiated by the server.

32. A system for establishing an authenticated and secure communication session, the system comprising:
- a landline network running on a first communication protocol;
  
  at least one server coupled into the landline network and communicating with the landline network;
  
  an airnet running on a second communication protocol;
  
  a client remotely located with respect to the server and communicating with the airnet by radio transmission means;
  
  a link server, coupling the airnet to the landline network, for linking the first communication protocol to the second communication protocol, whereby the client can communicate with the server;
  
  means, in the client, for generating a session-request signal comprising a client session ID, a client cipher, a C-nonce and a C-nonceModified, at least the C-nonce and the C-nonceModified being encrypted by the client cipher according to a shared secret encrypt key with the server;
  
  the session-request signal being transmitted to the airnet;
  
  means, in the server, for sending a session-reply signal to the landline network, the session-reply signal comprising a server session ID, a server cipher, a S-nonce and a first derivative;
  
  at least the server cipher, the S-nonce and the first derivation being encrypted by the server cipher according to the shared secret encrypt key;
  
  the session-reply signal sending means comprising;
  
  means for conducting a step one client authentication when the session-request signal is received, the first client authentication comprising means for decrypting the encrypted the C-nonce and the C-nonceModified from the received session-request signal; and
  
  means for generating the first derivative from the C-nonce;
  
  means, in the client, for conducting server authentication upon receiving the session-reply signal, the conducting server authentication means comprising;
  
  means for decrypting the encrypted server session ID, server cipher, S-nonce and first derivative when the session-reply signal is received;
  
  means for verifying the decrypted first derivative with the C-nonce therein; and
  
  means for generating a second derivative from the S-nonce;
  
  means, in the client, for generating a session-complete signal comprising the second derivative;
  
  means, in the server, for conducting a second client authentication, the second client authentication means comprising means for verifying the received second derivative with the S-nonce when the session-complete signal is received; and
  
  whereby the authenticated and secure communication session between the client and the server is established when the first and second client authentication and the server authentication are complete.
- View Dependent Claims (33, 34)
- - 33. The system as recited in claim 32, further comprising:
    - means, in the client, for initiating a transaction signal comprising a transaction identified by a transaction ID; and
      
      means, in the server, for verifying the transaction ID after the transaction signal is received.
  - 34. The system as recited in claim 33, further comprising:
    - means, in the server, for replying to the client with a reply signal if the step of the server examining the transaction ID is successful; and
      
      means, in the client, for sending an acknowledge signal to commit the transaction specified in the transaction signal initiated by the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unwired Planet LLC (JP Morgan Chase & Co)
Original Assignee
Phone.com Incorporated
Inventors
Liao, Hanqing, Boyle, Stephen S., King, Peter F., Schwartz, Bruce V.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US08/966,988
Time in Patent Office

1,100 Days
Field of Search

713/201, 713/150, 713/168, 713/170, 380/255, 380/278, 380/282
US Class Current

726/2
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/0869   for achieving mutual authen...

H04L 67/01   Protocols

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3273   for mutual authentication n...

Method and system for secure lightweight transactions in wireless data networks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

259 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for secure lightweight transactions in wireless data networks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

259 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links