Secure, efficient, and mutually authenticated cryptographic key distribution

US 7,418,596 B1
Filed: 07/23/2002
Issued: 08/26/2008
Est. Priority Date: 03/26/2002
Status: Active Grant

First Claim

Patent Images

1. A method of distribution of at least one encryption key for use in controlling access of a mobile node to packet communication service via a wireless communication network, the method comprising:

receiving a key update instruction in the mobile node via the wireless communication network;

in response to the key update instruction, producing an encrypted key payload in the mobile node, wherein;

the encrypted key payload comprises the at least one encryption key for the mobile node and a first authenticator value generated from the at least one encryption key; and

the payload is encrypted with a public encryption key of a packet communication service control node of the wireless communication network;

sending the encrypted key payload through the wireless communication network, from the mobile node to the packet communication service control node, for decryption thereof with a private key of the packet communication service control node corresponding to the public encryption key;

receiving a reply message in the mobile node via the wireless communication network, the reply message containing a second authenticator value from the packet communication service control node; and

designating the at least one encryption key in the mobile node for use in future procedures to obtain access to the packet communication service of the wireless communication network via the service control node, upon determining that the second authenticator value matches the first authenticator value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods disclosed herein provide secure, efficient, and mutually authenticated cryptographic key distribution. A client or client manufacturer may pre-generate and pre-encrypt the cryptographic keys, store the encrypted keys within the client, and deliver such keys to the serving network'"'"'s access server via the client, while also relying upon, if available, the authentication performed by a trusted access server of an intermediate network which the client must traverse in order to obtain access the serving network. If not available, a client password stored within the client may be used to enable client authentication by the serving network prior to acceptance of the delivered cryptographic keys.

Citations

27 Claims

1. A method of distribution of at least one encryption key for use in controlling access of a mobile node to packet communication service via a wireless communication network, the method comprising:
- receiving a key update instruction in the mobile node via the wireless communication network;
  
  in response to the key update instruction, producing an encrypted key payload in the mobile node, wherein;
  
  the encrypted key payload comprises the at least one encryption key for the mobile node and a first authenticator value generated from the at least one encryption key; and
  
  the payload is encrypted with a public encryption key of a packet communication service control node of the wireless communication network;
  
  sending the encrypted key payload through the wireless communication network, from the mobile node to the packet communication service control node, for decryption thereof with a private key of the packet communication service control node corresponding to the public encryption key;
  
  receiving a reply message in the mobile node via the wireless communication network, the reply message containing a second authenticator value from the packet communication service control node; and
  
  designating the at least one encryption key in the mobile node for use in future procedures to obtain access to the packet communication service of the wireless communication network via the service control node, upon determining that the second authenticator value matches the first authenticator value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the at least one encryption key comprises one or more encryption keys for mobile internet protocol (MIP) service.
  - 3. The method of claim 2, wherein the one or more encryption keys for MIP service comprise:
    - a mobile node to home Authentication Authorization and Accounting server (MN-AAAh) encryption key; and
      
      amobile node to home agent (MN-HA) encryption key.
  - 4. The method of claim 1, wherein the at least one encryption key comprises a Challenge Handshake Authentication Protocol (CHAP) encryption key.
  - 5. The method of claim 4, wherein the at least one encryption key further comprises:
    - a mobile node to home Authentication Authorization and Accounting server (MN-AAAh) encryption key; and
      
      amobile node to home agent (MN-HA) encryption key.
  - 6. The method of claim 1, wherein the encrypted key payload further comprises a mobile authenticator value for authentication of the mobile node by the service control node.
  - 7. The method of claim 1, wherein the producing of the encrypted key payload comprises reading of a selected one of a plurality of encrypted key payloads from pre-loaded storage in the mobile node.
  - 8. The method of claim 1, wherein the producing of the encrypted key payload comprises:
    - generating the at least one encryption key in the mobile node;
      
      generating, in the mobile node, the first authenticator value, using the at least one encryption key;
      
      forming key payload data containing the at least one encryption key and the first authenticator value; and
      
      and encrypting the key payload data with the public encryption key of the packet communication service control node, to form the encrypted key payload in the mobile node.
  - 9. The method of claim 1, further comprising:
    - loading the public encryption key into the mobile node; and
      
      loading the private decryption key corresponding to the public encryption key into the packet communication service control node, to associate the public encryption key and the corresponding private decryption key with the packet communication service control node.
  - 10. The method of claim 1, wherein the mobile node comprises a Code Division Multiple Access (CDMA) mobile station.
  - 11. The method of claim 10, wherein:
    - the wireless communication network is a CDMA network; and
      
      the packet communication service control node comprises a home Authentication Authorization and Accounting (AAA) server of the CDMA network.

12. A mobile station for packet communication via a wireless communication network, the mobile station comprising:
- a transmitter/receiver for transmitting and receiving packet data signals via the wireless communication network;
  
  a controller coupled to the transmitter/receiver for controlling operations the mobile station; and
  
  memory for storing key related data and programming for execution by the controller;
  
  wherein execution of the programming by the controller causes the mobile station to implement operations, including;
  
  receiving a key update instruction via the wireless communication network;
  
  in response to the key update instruction, producing an encrypted key payload, wherein;
  
  the encrypted key payload comprises at least one encryption key for the mobile station and a first authenticator value generated from the at least one encryption key; and
  
  the payload is encrypted with a public encryption key of a packet communication service control node of the wireless communication network;
  
  sending the encrypted key payload through the wireless communication network, to the packet communication service control node, for decryption thereof with a private key of the packet communication service control node corresponding to the public encryption key;
  
  receiving a reply message via the wireless communication network, the reply message containing a second authenticator value from the packet communication service control node; and
  
  designating the at least one encryption key in the mobile station for use in future procedures to obtain access to the packet communication service of the wireless communication network via the service control node, upon determining that the second authenticator value matches the first authenticator value.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The mobile station of claim 12, wherein the at least one encryption key comprises one or more encryption keys for mobile internet protocol (MIP) service.
  - 14. The mobile station of claim 13, wherein the one or more encryption keys for MIP service comprise:
    - a mobile node to home Authentication Authorization and Accounting server (MN-AAAh) encryption key; and
      
      amobile node to home agent (MN-HA) encryption key.
  - 15. The mobile station of claim 12, wherein the at least one encryption key comprises a Challenge Handshake Authentication Protocol (CHAP) encryption key.
  - 16. The mobile station of claim 15, wherein the at least one encryption key further comprises:
    - a mobile node to home Authentication Authorization and Accounting server (MN-AAAh) encryption key; and
      
      amobile node to home agent (MN-HA) encryption key.
  - 17. The mobile station of claim 12, wherein the encrypted key payload further comprises a mobile authenticator value for authentication of the mobile station by the service control node.
  - 18. The mobile station of claim 12, wherein:
    - the memory stores a plurality of encrypted key payloads; and
      
      the execution of the programming causes the controller to read a selected one of the encrypted key payloads from the memory in response to the key update instruction.
  - 19. The mobile station of claim 12, wherein the production of the encrypted key payload comprises:
    - generating the at least one encryption key in the mobile station;
      
      generating, in the mobile station, the first authenticator value, using the at least one encryption key;
      
      forming key payload data containing the at least one encryption key and the first authenticator value; and
      
      and encrypting the key payload data with the public encryption key associated with the packet communication service control node, to form the encrypted key payload.

20. A method of distribution of at least one encryption key for use in controlling access of a mobile node to packet communication service via a wireless communication network, the method comprising:
- issuing a key update instruction to the mobile node via the wireless communication network;
  
  receiving a message from the mobile node containing an identifier of the mobile node, a key identifier and an encrypted key payload;
  
  selecting a private decryption key from among a plurality of private decryption keys, based on the key identifier;
  
  decrypting the encrypted key payload using the selected private decryption key, to recover a mobile node authentication value, a server authentication value, and the at least one encryption key for possible association with the mobile node; and
  
  responsive to the recovered mobile node authentication value matching a stored mobile node authentication value for the mobile node indicated by the received mobile node identifier,(a) storing the at least one encryption key in an access server for future use in controlling packet communication service via the wireless communication network for the mobile node; and
  
  (b) sending a reply message via the wireless communication network to the mobile node, the reply message containing the server authentication value.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The method of claim 20, wherein the at least one encryption key comprises one or more encryption keys for mobile internet protocol (MIP) service.
  - 22. The method of claim 21, wherein the one or more encryption keys for MIP service comprise:
    - a mobile node to home Authentication Authorization and Accounting server (MN-AAAh) encryption key; and
      
      amobile node to home agent (MN-HA) encryption key.
  - 23. The method of claim 20, wherein the at least one encryption key comprises a Challenge Handshake Authentication Protocol (CHAP) encryption key.
  - 24. The method of claim 23, wherein the at least one encryption key further comprises:
    - a mobile node to home Authentication Authorization and Accounting server (MN-AAAh) encryption key; and
      
      amobile node to home agent (MN-HA) encryption key.
  - 25. The method of claim 20, further comprising:
    - generating the public encryption key, private decryption key and key identifier;
      
      loading the public encryption key and key identifier into the mobile node; and
      
      storing the private decryption key as one of the plurality of private decryption keys in the access server in such a manner as to be accessible using the key identifier.
  - 26. The method of claim 20, wherein the mobile node comprises a CDMA mobile station.
  - 27. The method of claim 26, wherein:
    - the wireless communication network is a CDMA network; and
      
      the access server comprises a home Authentication Authorization and Accounting (AAA) server of the CDMA network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Original Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Inventors
Clare, Varsha, Green, Brian, Thomas, Steve, Carroll, Christopher, Flynn, Gerry, Rados, Steve
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US10/200,922
Time in Patent Office

2,226 Days
Field of Search

713/169
US Class Current

713/169
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/068   using time-dependent keys, ...

H04L 63/0869   for achieving mutual authen...

H04L 67/2876   Pairs of inter-processing e...

H04L 9/0891   Revocation or update of sec...

H04L 9/302   involving the integer facto...

H04L 9/3273   for mutual authentication n...

H04W 12/03   Protecting confidentiality,...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 80/04   Network layer protocols, e....

Secure, efficient, and mutually authenticated cryptographic key distribution

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Secure, efficient, and mutually authenticated cryptographic key distribution

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links