Method and apparatus for conducting crypto-ignition processes between thin client devices and server devices over data networks
First Claim
1. A method for establishing a secure communication channel between a client device and a server device over a data network, the method comprising:
- generating a client private value in said client device;
generating a client public value based upon said client private value in said client device;
sending a key request message from said client device to the server device;
verifying said client device using a user account associated with the client device that is accessible by the server, said user account specifying a key state defining a state of a secret key negotiation;
transferring said client public value from the client device to the server device;
generating a server-side secret key using a server private value and said client public value; and
transferring a server public value from the server device to the client device.
6 Assignments
0 Petitions
Accused Products
Abstract
A crypto-ignition process is needed to establish an encrypted communication protocol between two devices connected by an insecure communication link. The present invention introduces a method of creating an identical secret key to two communicating parties is conducted between a thin device and a server computer over an insecure data network. The thin device generally has limited computing power and working memory and the server computer may communicate with a plurality of such thin devices. To ensure the security of the secret key on both sides and reduce traffic in the network, only a pair of public values is exchanged between the thin device and the server computer over the data network. Each side generates its own secret key from a self-generated private value along with the received counterpart'"'"'s public value according to a commonly used key agreement protocol, such as the Diffie-Hellman key agreement protocol. To ensure that the generated secret keys are identical on both sides, a verification process is followed by exchanging a message encrypted by one of two generated secret keys. The secret keys are proved to be identical and secret when the encrypted message is successfully decrypted by the other secret key. To reduce network traffic, the verification process is piggybacked with a session request from the thin device to establish a secure and authentic communication session with the server computer. The present invention enables the automatic delivery of the secret keys, without requiring significant computing power and working memory, between each of the thin clients respectively with the server computer.
206 Citations
25 Claims
-
1. A method for establishing a secure communication channel between a client device and a server device over a data network, the method comprising:
-
generating a client private value in said client device;
generating a client public value based upon said client private value in said client device;
sending a key request message from said client device to the server device;
verifying said client device using a user account associated with the client device that is accessible by the server, said user account specifying a key state defining a state of a secret key negotiation;
transferring said client public value from the client device to the server device;
generating a server-side secret key using a server private value and said client public value; and
transferring a server public value from the server device to the client device. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
generating a client-side secret key in said client device using said client private value and said server public value.
-
-
3. The method as recited in claim 2 further comprising:
conducting a third verification process using an out-of-band communication of signatures.
-
4. The method as recited in claim 3 further comprising:
regenerating a server-side secret key if said server-side secret key does not meet a predefined secret key requirement.
-
5. The method as recited in claim 1 further comprising:
testing a cryptographic property of said server-side secret key.
-
6. The method as recited in claim 5 further comprising:
regenerating a server-side secret key if said server-side secret key does not meet a predefined secret key requirement.
-
7. The method as recited in claim 1 wherein a key state of “
- Exchange”
causes said client device to send said key request message.
- Exchange”
-
8. The method as recited in claim 1 wherein said sending a key request message and transferring a client public value are performed with a single message.
-
9. The method as recited in claim 1 wherein the key request message comprises a device ID of the client device.
-
10. The method as recited in claim 1 wherein verifying said client device comprises ensuring said user account associated with said client device is enabled.
-
11. The method as recited in claim 1 further comprising:
creating a proto session for the client device if the said verification succeeds.
-
12. The method as recited in claim 1 further comprising:
generating the server public value from said server private value according to a mutually agreed key agreement.
-
13. The method as recited in claim 2 further comprising generating a server signature from the server-side secret key.
-
14. The method as recited in claim 13 further comprising generating a client signature from the client-side secret key.
-
15. The method as recited in claim 14 further comprising:
-
comparing the client signature and the server signature; and
loading to a persistent memory the client-side secret key and the server-side secret key to a pair of shared secret keys if the client signature and the server signature are matched.
-
-
16. The method as recited in claim 1 further comprising verifying said server side secret key by:
-
initiating a session request by the client device to establish a communication session with the server device;
wherein the session request comprises the device ID of the client device, an encrypted message by the client-side secret key according to a mutually accepted cipher;
decrypting the encrypted message by the server device using the server-side secret key; and
loading the server-side secret key to a proto-session when the encrypted message is successfully decrypted by the server device.
-
-
17. A method for establishing a secure communication channel between a client device and a server device over a data network, the method comprising:
-
transmitting a secure session request from said client device to said server device over said data network, said secure session request comprising a pair of encrypted values using a client-side secret key, said pair of encrypted values related by a specified function;
verifying said pair of encrypted values in said secure session request using a server-side secret key in said server device by decrypting said encrypted values and testing if said decrypted values are related by said specified function, verifying said pair of encrypted values comprising substeps of decrypting said pair of encrypted values using a new server-side secret key; and
decrypting said encrypted message using an old server-side secret key if said new server-side secret key fails to decrypt said pair of encrypted values; and
transmitting a secure session reply to said client device from server device. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
verifying, within said server device, a signature sent from client device to said server device.
-
-
24. The method as recited in claim 17 wherein said server device uses said new server-side secret key for a session if said new server-side secret key successfully decrypted said pair of encrypted values and said server device uses said old server-side secret key if said old server-side secret key successfully decrypted said pair of encrypted values.
-
25. The method as recited in claim 17 wherein said server device transmits a secure session reply containing an error indication if neither said new server-side secret key nor said old server-side secret key successfully decrypts said pair of encrypted values.
Specification