Localized network authentication and security using tamper-resistant keys

US 7,325,134 B2
Filed: 10/07/2003
Issued: 01/29/2008
Est. Priority Date: 10/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A system for mutually authenticating a client operatively coupled to a communications network to a device operatively coupled to the communications network, the communications network comprising the client and the device, the device operatively coupled to a key database, the key database comprising client keys stored in association with unique client identifiers, the system comprising:

a client physical token adapted to be operatively coupled to the client, the client physical token comprising a client random number generator, a unique client identifier, and a client key;

a device physical token adapted to be operatively coupled to the device, the device physical token comprising a device random number generator;

client software adapted to be installed on the client to send a first challenge to the device, the first challenge comprising a first random number generated by the client random number generator and encrypted using the client key, the first challenge further comprising the unique client identifier; and

device software adapted to be installed on the device to retrieve a stored client key associated with the client identification in the first challenge and decrypt the first random number in the first challenge using the retrieved client key, whereby decrypting the first random number authenticates the client computer to the device;

wherein the device software, when installed in the device, sends a second challenge to the client, the second challenge comprising a second random number different from the first random number and generated by the device random number generator and encrypted using the client key;

wherein the client software, when installed in the client, decrypts the second random number using the client key, whereby decrypting the second random number authenticates the access point to the client computer;

wherein subsequent data sent between the device and the client is encrypted using a key derived from the first random number and the second random number.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a secure Wi-Fi communications method and system. In an embodiment of the invention, unique physical keys, or tokens, are installed at an access point and each client device of the network. Each key comprises a unique serial number and a common network send cryptographic key and a common network receive cryptographic key used only during the authentication phase by all components on the LAN. Each client key further includes a secret cryptographic key unique to each client device. During authentication, two random numbers are generated per communications session and are known by both sides of the wireless channel. Only the random numbers are sent across the wireless channel and in each case these numbers are encrypted. A transposed cryptographic key is derived from the unique secret cryptographic key using the random numbers generated during authentication. Thus, both sides of the wireless channel know the transposed cryptographic key without it ever being transmitted between the two.

83 Citations

View as Search Results

14 Claims

1. A system for mutually authenticating a client operatively coupled to a communications network to a device operatively coupled to the communications network, the communications network comprising the client and the device, the device operatively coupled to a key database, the key database comprising client keys stored in association with unique client identifiers, the system comprising:
- a client physical token adapted to be operatively coupled to the client, the client physical token comprising a client random number generator, a unique client identifier, and a client key;
  
  a device physical token adapted to be operatively coupled to the device, the device physical token comprising a device random number generator;
  
  client software adapted to be installed on the client to send a first challenge to the device, the first challenge comprising a first random number generated by the client random number generator and encrypted using the client key, the first challenge further comprising the unique client identifier; and
  
  device software adapted to be installed on the device to retrieve a stored client key associated with the client identification in the first challenge and decrypt the first random number in the first challenge using the retrieved client key, whereby decrypting the first random number authenticates the client computer to the device;
  
  wherein the device software, when installed in the device, sends a second challenge to the client, the second challenge comprising a second random number different from the first random number and generated by the device random number generator and encrypted using the client key;
  
  wherein the client software, when installed in the client, decrypts the second random number using the client key, whereby decrypting the second random number authenticates the access point to the client computer;
  
  wherein subsequent data sent between the device and the client is encrypted using a key derived from the first random number and the second random number.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 in which the device is a wireless access point.
  - 3. The system of claim 1 wherein the client physical token is removable from client.
  - 4. The system of claim 3 wherein the client physical token is removable from client by a user.
  - 5. The system of claim 1 wherein the device physical token is removable from the device.
  - 6. The system of claim 5 wherein the device physical token is removable from the device by a user.
  - 7. The system of claim 1 wherein no key is exchanged between the device and the client during authentication.

8. A method of mutually authenticating a client operatively coupled to a communications network to a device operatively coupled to the communications network, the communications network comprising the client and the device, the device operatively coupled to a key database, the key database comprising client keys stored in association with unique client identifiers, the method comprising:
- providing a client physical token adapted to be operatively coupled to the client, the client physical token comprising a client random number generator, a unique client identifier, and a client key;
  
  providing a device physical token adapted to be operatively coupled to the device, the device physical token comprising a device random number generator;
  
  providing client software adapted to be installed on the client to send a first challenge to the device, the first challenge comprising a first random number generated by the client random number generator and encrypted using the client key, the first challenge further comprising the unique client identifier; and
  
  providing device software adapted to be installed on the device to retrieve a stored client key associated with the client identification in the first challenge and decrypt the first random number in the first challenge using the retrieved client key, whereby decrypting the first random number authenticates the client computer to the device;
  
  wherein the device software, when installed in the device, sends a second challenge to the client, the second challenge comprising a second random number different from the first random number and generated by the device random number generator and encrypted using the client key;
  
  wherein the client software, when installed in the client, decrypts the second random number using the client key, whereby decrypting the second random number authenticates the access point to the client computer;
  
  wherein subsequent data sent between the device and the client is encrypted using a key derived from the first random number and the second random number.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 in which the device is a wireless access point.
  - 10. The method of claim 8 wherein the client physical token is removable from client.
  - 11. The method of claim 10 wherein the client physical token is removable from client by a user.
  - 12. The method of claim 8 wherein the device physical token is removable from the device.
  - 13. The method of claim 12 wherein the device physical token is removable from the device by a user.
  - 14. The method of claim 8 wherein no key is exchanged between the device and the client during authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KoolSpan, Inc.
Original Assignee
KoolSpan, Inc.
Inventors
Fascenda, Anthony C.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US10/679,371
Publication Number

US 20040073797A1
Time in Patent Office

1,575 Days
Field of Search

713/155, 713/168, 713/172, 713/200, 713/150, 713/169, 713/170, 380/247, 380/44, 380/46, 726 1- 4
US Class Current

713/169
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 9/3234   involving additional secure...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

Localized network authentication and security using tamper-resistant keys

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Localized network authentication and security using tamper-resistant keys

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links