Method and system for secure lightweight transactions in wireless data networks
Abstract
The present invention is a method and system for establishing an authenticated and secure communication session for transactions between a server and a client in a wireless data network that generally comprises an airnet, a landline network and a link server therebetween. The client, having limited computing resources, is remotely located with respect to the server and communicates with the server through the wireless data network. To authenticate each other, the client and the server conduct two rounds of authentication, the client authentication and the server authentication, independently and respectively; each of the authentication processes is based on a shared secret encrypt key and a challenge/response mechanism. To reach a mutually accepted cipher for the subsequent transactions, the server looks up a commonly used cipher and forwards the cipher along with a session key to the client. The subsequent transactions between the client and the server then proceed in the authenticated and secure communication session, and each transaction secured by the session key is labeled with a transaction ID that is examined before the transaction takes place.
19 Claims
1. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, the method comprising:
the client sending a session-request signal to the server for creating the session therebetween, the session-request signal comprising at least one client message encrypted according to a shared secret encrypt key;
the server conducting a first client authentication by decrypting the encrypted client message according to the shared secret encrypt key upon receiving the session-request signal;
the server generating a session key for the session in creation, a first derivative from the decrypted client messages and a server message;
the server sending a session-reply signal comprising the session key, the first derivative and the server message, with the session key, the first derivative and the server message being encrypted according to the shared secret encrypt key;
the client conducting a first server authentication by decrypting the first derivative and the server message being encrypted according to the shared secret encrypt key; and
the client conducting a second server authentication by validating the first derivative with the client message.
2. A method for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, said method comprising:
receiving a session-request signal at the server from the client for creating the session therebetween, the session-request signal comprising at least one client message encrypted according to a shared secret encrypt key previously residing on both the client and the server;
conducting a first client authentication by decrypting the encrypted client message according to the shared secret encrypt key upon receiving the session-request signal;
generating a session key for the session in creation, a first derivative from the decrypted client message, and a server message; and
sending a session-reply signal from the server to the client, the session-reply signal comprising the session key, the first derivative and the server message, with the session key, the first derivative and the server message being encrypted according to the shared secret encrypt key.
wherein the session-request signal further comprises a device identifier associated with the client, and wherein the server determines the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.
5. A method as recited in claim 3,
wherein the session-request signal further comprises a device identifier associated with the client, wherein the server supports a plurality of clients, wherein the server stores a plurality of shared secret encrypt keys, each of the shared secret encrypt keys being associated with one of the clients, and wherein the server determines the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.
6. A method as recited in claim 2, wherein, subsequent to said sending, the client conducts a first server authentication by decrypting the first derivative and the server message, and then conducts a second server authentication by validating the first derivative.
7. A method as recited in claim 6, wherein said method further comprises:
negotiating, at the server, a mutually accepted cipher with the client for the session in creation.
8. A method as recited in claim 7, wherein said negotiating of the mutually accepted cipher comprises examining a client cipher;
looking up a server cipher and determining the mutually accepted cipher.
9. A method as recited in claim 6, wherein said method further comprises:
receiving a session-complete signal comprising a second derivative, the second derivative being generated at the client from the server message if the second server authentication succeeds; and
conducting a second client authentication by validating the second derivative with the server message.
10. A method as recited in claim 9, whereby the authenticated and secure communication session is established between the client and the server after the first and the second client authentication as well as the first and the second server authentication are all successful.
11. A method as recited in claim 9, wherein said method is performed at the server.
12. A computer readable medium including at least computer program code for establishing an authenticated and secure communication session for transactions between a client and a server in a wireless data network, the client remotely located with respect to the server, said computer readable medium comprising:
computer program code for receiving a session-request signal at the server from the client for creating the session therebetween, the session-request signal comprising at least one client message encrypted according to a shared secret encrypt key previously residing on both the client and the server;
computer program code for conducting a first client authentication by decrypting the encrypted client message according to the shared secret encrypt key upon receiving the session-request signal;
computer program code for generating a session key for the session in creation, a first derivative from the decrypted client message, and a server message; and
computer program code for sending a session-reply signal from the server to the client, the session-reply signal comprising the session key, the first derivative and the server message, with the session key, the first derivative and the server message being encrypted according to the shared secret encrypt key.
wherein the session-request signal further comprises a device identifier associated with the client, and wherein said computer readable medium further comprises: computer program code for determining the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.
14. A computer readable medium as recited in claim 12,
wherein the session-request signal further comprises a device identifier associated with the client, wherein the server supports a plurality of clients, wherein the server stores a plurality of shared secret encrypt keys, each of the shared secret encrypt keys being associated with one of the clients, and wherein said computer readable medium further comprises: computer program code for determining the shared secret encrypt key used to decrypt the encrypted client message based on the device identifier.
15. A computer readable medium as recited in claim 12, wherein, subsequent to performance of said computer program code for sending, the client conducts a first server authentication by decrypting the first derivative and the server message, and then conducts a second server authentication by validating the first derivative.
16. A computer readable medium as recited in claim 15, wherein said computer readable medium further comprises:
computer program code for negotiating a mutually accepted cipher with the client for the session in creation.
17. A computer readable medium as recited in claim 16, wherein said computer program code for negotiating of the mutually accepted cipher comprises computer program code for examining a client cipher;
looking up a server cipher and determining the mutually accepted cipher.
18. A computer readable medium as recited in claim 15, wherein said computer readable medium further comprises:
computer program code for receiving a session-complete signal comprising a second derivative, the second derivative being generated at the client from the server message if the second server authentication succeeds; and
computer program code for conducting a second client authentication by validating the second derivative with the server message.
19. A computer readable medium as recited in claim 18, whereby the authenticated and secure communication session is established between the client and the server after the first and the second client authentication as well as the first and the second server authentication are all successful.
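The handshake recited in claims 2 through 10 (session-request, session-reply, session-complete), as an added Python example that is not part of the patent. The claims do not define the cipher or the derivatives, so the HMAC-SHA256 keystream with a MAC tag is a stand-in cipher, the hashed derivatives and the choice to protect session-complete under the session key are assumptions, and the device identifier and key are constructed.

```python
import hashlib, hmac, os

def _sub(key, label):                     # separate subkeys for encryption and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):               # HMAC-SHA256 counter keystream (stand-in cipher)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, pt):                        # encrypt-then-MAC: nonce | ciphertext | tag
    nonce = os.urandom(16)
    ct = _xor(_sub(key, b"enc"), nonce, pt)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):                    # a wrong key or altered bytes fail here
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor(_sub(key, b"enc"), nonce, ct)

def derive(label, msg):                   # assumed form of the "derivative"
    return hashlib.sha256(label + msg).digest()

KEYS = {b"device-01": bytes(range(32))}   # constructed key table: device id -> shared key

def client_request(dev, key):             # session-request: device id + encrypted client message
    c_msg = os.urandom(16)
    return c_msg, (dev, seal(key, c_msg))

def server_reply(request):
    dev, blob = request
    key = KEYS[dev]                       # shared key selected by device identifier
    c_msg = unseal(key, blob)             # first client authentication
    sess, s_msg = os.urandom(32), os.urandom(16)
    return (sess, s_msg), seal(key, sess + derive(b"d1", c_msg) + s_msg)

def client_complete(key, c_msg, reply):
    body = unseal(key, reply)             # first server authentication
    sess, d1, s_msg = body[:32], body[32:64], body[64:]
    if not hmac.compare_digest(d1, derive(b"d1", c_msg)):   # second server authentication
        raise ValueError("stale or forged session-reply")
    return sess, seal(sess, derive(b"d2", s_msg))           # session-complete

def server_finish(state, complete):       # second client authentication
    sess, s_msg = state
    if not hmac.compare_digest(unseal(sess, complete), derive(b"d2", s_msg)):
        raise ValueError("client failed second authentication")
    return sess
```

A session-reply captured from an earlier session decrypts correctly but fails the second server authentication, because its first derivative does not match the fresh client message.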