Authenticated diffie-hellman key agreement protocol where the communicating parties share a secret key with a third party
First Claim
1. A method of performing an authenticated Diffie-Hellman key agreement protocol over a network between a first communicator sharing a first secret key with an authentication resource (AR) and a second communicator sharing a second secret key with said AR, said method comprising the steps of:
- a) generating a first message authentication code (MAC) of a first variable using said first secret key for said first communicator;
b) generating a second MAC of a second variable using said second secret key for said second communicator;
c) transmitting over said network to said AR said first variable, said second variable, a first identifier corresponding to said first communicator, a second identifier corresponding to said second communicator, said first MAC, and said second MAC, wherein said AR is configured for determining a secret key corresponding to an identifier transmitted over said network;
d) generating a third MAC of said first variable using said first secret key determined by said AR from said first identifier and a fourth MAC of said second variable using said second secret key determined by said AR from said second identifier;
e) if said first MAC matches said third MAC and said second MAC matches said fourth MAC, generating a fifth MAC of said second variable using said second secret key determined by said AR from said second identifier and a sixth MAC of said first variable using said first secret key determined by said AR from said first identifier;
f) transmitting over said network to said second communicator said fifth MAC, said first variable, said second variable, and said first identifier;
g) generating a seventh MAC of said second variable using said second secret key for said second communicator;
h) transmitting over said network to said first communicator said sixth MAC, said first variable, said second variable, and said second identifier;
i) generating an eighth MAC of said first variable using said first secret key for said first communicator; and
j) if said fifth MAC matches said seventh MAC and said sixth MAC matches said eighth MAC, generating a shared secret key based on said first variable for said second communicator and said shared secret key based on said second variable for said first communicator, wherein said shared secret key facilitates encrypted communication between said first communicator and said second communicator.
8 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a method and system for performing an authenticated Diffie-Hellman key agreement protocol over a network where the communicating parties share a secret key with a third party. In one embodiment, the network is a wireless network, wherein a wireless client electronic system (WC) and a network access point electronic system (AP) are the parties executing the authenticated Diffie-Hellman key agreement protocol. In this embodiment, the WC and the AP exchange a shared secret key for encrypting wireless communications between the wireless client electronic system and the network access point electronic system. In one embodiment, the WC shares a first secret key with a RADIUS server of the network. Similarly, the AP shares a second secret key with the RADIUS server of the network. The first and second secret keys are utilized for performing an authentication protocol.
-
Citations
55 Claims
-
1. A method of performing an authenticated Diffie-Hellman key agreement protocol over a network between a first communicator sharing a first secret key with an authentication resource (AR) and a second communicator sharing a second secret key with said AR, said method comprising the steps of:
-
a) generating a first message authentication code (MAC) of a first variable using said first secret key for said first communicator;
b) generating a second MAC of a second variable using said second secret key for said second communicator;
c) transmitting over said network to said AR said first variable, said second variable, a first identifier corresponding to said first communicator, a second identifier corresponding to said second communicator, said first MAC, and said second MAC, wherein said AR is configured for determining a secret key corresponding to an identifier transmitted over said network;
d) generating a third MAC of said first variable using said first secret key determined by said AR from said first identifier and a fourth MAC of said second variable using said second secret key determined by said AR from said second identifier;
e) if said first MAC matches said third MAC and said second MAC matches said fourth MAC, generating a fifth MAC of said second variable using said second secret key determined by said AR from said second identifier and a sixth MAC of said first variable using said first secret key determined by said AR from said first identifier;
f) transmitting over said network to said second communicator said fifth MAC, said first variable, said second variable, and said first identifier;
g) generating a seventh MAC of said second variable using said second secret key for said second communicator;
h) transmitting over said network to said first communicator said sixth MAC, said first variable, said second variable, and said second identifier;
i) generating an eighth MAC of said first variable using said first secret key for said first communicator; and
j) if said fifth MAC matches said seventh MAC and said sixth MAC matches said eighth MAC, generating a shared secret key based on said first variable for said second communicator and said shared secret key based on said second variable for said first communicator, wherein said shared secret key facilitates encrypted communication between said first communicator and said second communicator. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
-
-
28. A network comprising:
-
an authentication resource (AR);
a network access point electronic system (AP) coupled to said AR; and
a client electronic system (client) coupled to said AP via a connection, wherein said AR shares a first secret key with said client and shares a second secret key with said AP, wherein said client is configured to generate a first message authentication code (MAC) of a first variable using said first secret key, wherein said client is configured to transmit via said AP to said AR said first variable, said first MAC, and a first identifier corresponding to said client, wherein said AP is configured to generate a second MAC of a second variable using said second secret key, wherein said AP is configured to transmit to said AR said second variable, said second MAC, and a second identifier corresponding to said AP, wherein said AR is configured to determine a secret key corresponding to an identifier transmitted over said network, is configured to generate a third MAC of said first variable using said first secret key determined from said first identifier, and is configured to generate a fourth MAC of said second variable using said second secret key determined from said second identifier, wherein said AR is configured to generate a fifth MAC of said second variable using said second secret key and is configured to generate a sixth MAC of said first variable using said first secret key if said first MAC matches said third MAC and said second MAC matches said fourth MAC, wherein said AR is configured to transmit to said AP said fifth MAC, said first variable, said second variable, and said first identifier, wherein said AR is configured to transmit via said AP to said client said sixth MAC, said first variable, said second variable, and said second identifier, wherein said AP is configured to generate a seventh MAC of said second variable using said second secret key and is configured to generate a shared secret key based on said first variable if said fifth MAC matches said seventh MAC, wherein said shared secret key facilitates encrypted communication between said AP and said client, and wherein said client is configured to generate an eighth MAC of said first variable using said first secret key and is configured to generate said shared secret key based on said second variable if said sixth MAC matches said eighth MAC. - View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
-
Specification