Method and system for secure lightweight transactions in wireless data networks
First Claim
1. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, the method comprising:
- the client sending a session-request signal to the server for creating the session therebetween, the session-request signal comprising at least one client message encrypted according to a shared secret encrypt key previously residing on both the client and the server;
the server conducting a first client authentication by decrypting the encrypted client message according to the shared secret encrypt key upon receiving the session-request signal;
the server generating a session key for the session in creation, a first derivative from the decrypted client message, and a server message;
the server sending a session-reply signal comprising the session key, the first derivative and the server message, with the session key, the first derivative and the server message being encrypted according to the shared secret encrypt key;
the client conducting a first server authentication by decrypting the first derivative and the server message being encrypted according to the shared secret encrypt key; and
the client conducting a second server authentication by validating the first derivative with the client message.
9 Assignments
0 Petitions
Accused Products
Abstract
The present invention is a method and system for establishing an authenticated and secure communication session for transactions between a server and a client in a wireless data network that generally comprises an airnet, a landline network and a link server therebetween. The client having limited computing resources is remotely located with respect to the server and communicates to the server through the wireless data network. To authenticate each other, the client and the server conduct two rounds of authentication, the client authentication and the server authentication, independently and respectively, each of the authentication processes is based on a shared secret encrypt key and challenge/response mechanism. To reach for a mutually accepted cipher in the subsequent transactions, the server looks up for a commonly used cipher and forwards the cipher along with a session key to the client. The subsequent transactions between the client and the server are then proceeded in the authenticated and secure communication session and further each transaction secured by the session key is labeled by a transaction ID that is examined before a transaction thereof takes place.
259 Citations
34 Claims
-
1. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, the method comprising:
-
the client sending a session-request signal to the server for creating the session therebetween, the session-request signal comprising at least one client message encrypted according to a shared secret encrypt key previously residing on both the client and the server; the server conducting a first client authentication by decrypting the encrypted client message according to the shared secret encrypt key upon receiving the session-request signal; the server generating a session key for the session in creation, a first derivative from the decrypted client message, and a server message; the server sending a session-reply signal comprising the session key, the first derivative and the server message, with the session key, the first derivative and the server message being encrypted according to the shared secret encrypt key; the client conducting a first server authentication by decrypting the first derivative and the server message being encrypted according to the shared secret encrypt key; and the client conducting a second server authentication by validating the first derivative with the client message. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
-
25. A system for establishing an authenticated and secure communication session, the system comprising:
-
a landline network running on a first communication protocol; at least one server coupled into the landline network and communicating with the landline network; an airnet running on a second communication protocol; a client remotely located with respect to the server and communicating with the airnet by radio transmission means; a link server, coupling the airnet to the landline network, for linking the first communication protocol to the second communication protocol, whereby the client can communicate with the server; means, in the client, for generating a session-request signal comprising at least one client message encrypted according to a shared secret encrypt key;
the session-request signal being transmitted to the airnet;means, in the server, for sending a session-reply signal comprising at lease one server message encrypted according to the shared secret encrypt key;
the session-reply signal sending means comprising;means for conducting a first client authentication when the session-request signal is received, the first client authentication comprising means for decrypting the encrypted client message from the received session-request signal; and means for generating a first derivative from the client message; means for conducting server authentication upon receiving the session-reply signal, the conducting server authentication means comprising; means for recovering the encrypted server message when the session-reply signal is received; and means for verifying the received first derivative with the client message; and means for generating a second derivative from the server message. - View Dependent Claims (26, 27, 28)
-
-
29. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, the method comprising:
-
the client sending a session-request signal to the server for creating the session therebetween, the session-request signal comprising a client session ID, a client cipher, a C-nonce and a C-nonceModified, at least the C-nonce and the C-nonceModified being encrypted by the client cipher according to a shared secret encrypt key with the server; the server conducting a first client authentication by decrypting the encrypted C-nonce and C-nonceModified according to the shared secret encrypt key upon receiving the session-request signal; the server generating a server session ID and a session key for the session in creation, deriving a first derivative from the decrypted C-nonce and generating a S-nonce upon examining the client session ID; the server negotiating a mutually accepted cipher with the client for the session in creation, the negotiating comprising examining the client cipher, looking up a server cipher and determining the mutually accepted cipher therefor; the server sending a session-reply signal comprising the session key, the first derivative and the S-nonce;
the session key, the first derivative and the S-nonce being encrypted therein according to the shared secret encrypt key;the client conducting a first server authentication by decrypting the session key, the first derivative and the S-nonce according to the shared secret encrypt key; the client conducting a second server authentication by validating the first derivative with the C-nonce generated originally in the client; the client generating a second derivative from the S-nonce if the second server authentication succeeds; the server decrypting the second derivative upon receiving the second derivative that is encrypted at the client according to the shared secret encrypt key; and the server conducting a second client authentication by decrypting the second derivative and verifying the decrypted second derivative with the S-nonce upon receiving the second derivative from the client;
thereby the authenticated and secure communication session for transactions between the client and the server is established. - View Dependent Claims (30, 31)
-
-
32. A system for establishing an authenticated and secure communication session, the system comprising:
-
a landline network running on a first communication protocol; at least one server coupled into the landline network and communicating with the landline network; an airnet running on a second communication protocol; a client remotely located with respect to the server and communicating with the airnet by radio transmission means; a link server, coupling the airnet to the landline network, for linking the first communication protocol to the second communication protocol, whereby the client can communicate with the server; means, in the client, for generating a session-request signal comprising a client session ID, a client cipher, a C-nonce and a C-nonceModified, at least the C-nonce and the C-nonceModified being encrypted by the client cipher according to a shared secret encrypt key with the server;
the session-request signal being transmitted to the airnet;means, in the server, for sending a session-reply signal to the landline network, the session-reply signal comprising a server session ID, a server cipher, a S-nonce and a first derivative;
at least the server cipher, the S-nonce and the first derivation being encrypted by the server cipher according to the shared secret encrypt key;
the session-reply signal sending means comprising;means for conducting a step one client authentication when the session-request signal is received, the first client authentication comprising means for decrypting the encrypted the C-nonce and the C-nonceModified from the received session-request signal; and means for generating the first derivative from the C-nonce; means, in the client, for conducting server authentication upon receiving the session-reply signal, the conducting server authentication means comprising; means for decrypting the encrypted server session ID, server cipher, S-nonce and first derivative when the session-reply signal is received; means for verifying the decrypted first derivative with the C-nonce therein; and means for generating a second derivative from the S-nonce; means, in the client, for generating a session-complete signal comprising the second derivative; means, in the server, for conducting a second client authentication, the second client authentication means comprising means for verifying the received second derivative with the S-nonce when the session-complete signal is received; and whereby the authenticated and secure communication session between the client and the server is established when the first and second client authentication and the server authentication are complete. - View Dependent Claims (33, 34)
-
Specification