Localized network authentication and security using tamper-resistant keys
First Claim
1. A system for mutually authenticating a client operatively coupled to a communications network to a device operatively coupled to the communications network, the communications network comprising the client and the device, the device operatively coupled to a key database, the key database comprising client keys stored in association with unique client identifiers, the system comprising:
- a client physical token adapted to be operatively coupled to the client, the client physical token comprising a client random number generator, a unique client identifier, and a client key;
a device physical token adapted to be operatively coupled to the device, the device physical token comprising a device random number generator;
client software adapted to be installed on the client to send a first challenge to the device, the first challenge comprising a first random number generated by the client random number generator and encrypted using the client key, the first challenge further comprising the unique client identifier; and
device software adapted to be installed on the device to retrieve a stored client key associated with the client identification in the first challenge and decrypt the first random number in the first challenge using the retrieved client key, whereby decrypting the first random number authenticates the client computer to the device;
wherein the device software, when installed in the device, sends a second challenge to the client, the second challenge comprising a second random number different from the first random number and generated by the device random number generator and encrypted using the client key;
wherein the client software, when installed in the client, decrypts the second random number using the client key, whereby decrypting the second random number authenticates the access point to the client computer;
wherein subsequent data sent between the device and the client is encrypted using a key derived from the first random number and the second random number.
5 Assignments
0 Petitions
Accused Products
Abstract
The invention provides a secure Wi-Fi communications method and system. In an embodiment of the invention, unique physical keys, or tokens, are installed at an access point and each client device of the network. Each key comprises a unique serial number and a common network send cryptographic key and a common network receive cryptographic key used only during the authentication phase by all components on the LAN. Each client key further includes a secret cryptographic key unique to each client device. During authentication, two random numbers are generated per communications session and are known by both sides of the wireless channel. Only the random numbers are sent across the wireless channel and in each case these numbers are encrypted. A transposed cryptographic key is derived from the unique secret cryptographic key using the random numbers generated during authentication. Thus, both sides of the wireless channel know the transposed cryptographic key without it ever being transmitted between the two.
-
Citations
14 Claims
-
1. A system for mutually authenticating a client operatively coupled to a communications network to a device operatively coupled to the communications network, the communications network comprising the client and the device, the device operatively coupled to a key database, the key database comprising client keys stored in association with unique client identifiers, the system comprising:
-
a client physical token adapted to be operatively coupled to the client, the client physical token comprising a client random number generator, a unique client identifier, and a client key; a device physical token adapted to be operatively coupled to the device, the device physical token comprising a device random number generator; client software adapted to be installed on the client to send a first challenge to the device, the first challenge comprising a first random number generated by the client random number generator and encrypted using the client key, the first challenge further comprising the unique client identifier; and device software adapted to be installed on the device to retrieve a stored client key associated with the client identification in the first challenge and decrypt the first random number in the first challenge using the retrieved client key, whereby decrypting the first random number authenticates the client computer to the device; wherein the device software, when installed in the device, sends a second challenge to the client, the second challenge comprising a second random number different from the first random number and generated by the device random number generator and encrypted using the client key; wherein the client software, when installed in the client, decrypts the second random number using the client key, whereby decrypting the second random number authenticates the access point to the client computer; wherein subsequent data sent between the device and the client is encrypted using a key derived from the first random number and the second random number. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method of mutually authenticating a client operatively coupled to a communications network to a device operatively coupled to the communications network, the communications network comprising the client and the device, the device operatively coupled to a key database, the key database comprising client keys stored in association with unique client identifiers, the method comprising:
-
providing a client physical token adapted to be operatively coupled to the client, the client physical token comprising a client random number generator, a unique client identifier, and a client key; providing a device physical token adapted to be operatively coupled to the device, the device physical token comprising a device random number generator; providing client software adapted to be installed on the client to send a first challenge to the device, the first challenge comprising a first random number generated by the client random number generator and encrypted using the client key, the first challenge further comprising the unique client identifier; and providing device software adapted to be installed on the device to retrieve a stored client key associated with the client identification in the first challenge and decrypt the first random number in the first challenge using the retrieved client key, whereby decrypting the first random number authenticates the client computer to the device; wherein the device software, when installed in the device, sends a second challenge to the client, the second challenge comprising a second random number different from the first random number and generated by the device random number generator and encrypted using the client key; wherein the client software, when installed in the client, decrypts the second random number using the client key, whereby decrypting the second random number authenticates the access point to the client computer; wherein subsequent data sent between the device and the client is encrypted using a key derived from the first random number and the second random number. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
Specification