Secure, efficient, and mutually authenticated cryptographic key distribution
First Claim
1. A method of distribution of at least one encryption key for use in controlling access of a mobile node to packet communication service via a wireless communication network, the method comprising:
- receiving a key update instruction in the mobile node via the wireless communication network;
in response to the key update instruction, producing an encrypted key payload in the mobile node, wherein;
the encrypted key payload comprises the at least one encryption key for the mobile node and a first authenticator value generated from the at least one encryption key; and
the payload is encrypted with a public encryption key of a packet communication service control node of the wireless communication network;
sending the encrypted key payload through the wireless communication network, from the mobile node to the packet communication service control node, for decryption thereof with a private key of the packet communication service control node corresponding to the public encryption key;
receiving a reply message in the mobile node via the wireless communication network, the reply message containing a second authenticator value from the packet communication service control node; and
designating the at least one encryption key in the mobile node for use in future procedures to obtain access to the packet communication service of the wireless communication network via the service control node, upon determining that the second authenticator value matches the first authenticator value.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods disclosed herein provide secure, efficient, and mutually authenticated cryptographic key distribution. A client or client manufacturer may pre-generate and pre-encrypt the cryptographic keys, store the encrypted keys within the client, and deliver such keys to the serving network'"'"'s access server via the client, while also relying upon, if available, the authentication performed by a trusted access server of an intermediate network which the client must traverse in order to obtain access the serving network. If not available, a client password stored within the client may be used to enable client authentication by the serving network prior to acceptance of the delivered cryptographic keys.
-
Citations
27 Claims
-
1. A method of distribution of at least one encryption key for use in controlling access of a mobile node to packet communication service via a wireless communication network, the method comprising:
-
receiving a key update instruction in the mobile node via the wireless communication network; in response to the key update instruction, producing an encrypted key payload in the mobile node, wherein; the encrypted key payload comprises the at least one encryption key for the mobile node and a first authenticator value generated from the at least one encryption key; and the payload is encrypted with a public encryption key of a packet communication service control node of the wireless communication network; sending the encrypted key payload through the wireless communication network, from the mobile node to the packet communication service control node, for decryption thereof with a private key of the packet communication service control node corresponding to the public encryption key; receiving a reply message in the mobile node via the wireless communication network, the reply message containing a second authenticator value from the packet communication service control node; and designating the at least one encryption key in the mobile node for use in future procedures to obtain access to the packet communication service of the wireless communication network via the service control node, upon determining that the second authenticator value matches the first authenticator value. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A mobile station for packet communication via a wireless communication network, the mobile station comprising:
-
a transmitter/receiver for transmitting and receiving packet data signals via the wireless communication network; a controller coupled to the transmitter/receiver for controlling operations the mobile station; and memory for storing key related data and programming for execution by the controller; wherein execution of the programming by the controller causes the mobile station to implement operations, including; receiving a key update instruction via the wireless communication network; in response to the key update instruction, producing an encrypted key payload, wherein; the encrypted key payload comprises at least one encryption key for the mobile station and a first authenticator value generated from the at least one encryption key; and the payload is encrypted with a public encryption key of a packet communication service control node of the wireless communication network; sending the encrypted key payload through the wireless communication network, to the packet communication service control node, for decryption thereof with a private key of the packet communication service control node corresponding to the public encryption key; receiving a reply message via the wireless communication network, the reply message containing a second authenticator value from the packet communication service control node; and designating the at least one encryption key in the mobile station for use in future procedures to obtain access to the packet communication service of the wireless communication network via the service control node, upon determining that the second authenticator value matches the first authenticator value. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
-
-
20. A method of distribution of at least one encryption key for use in controlling access of a mobile node to packet communication service via a wireless communication network, the method comprising:
-
issuing a key update instruction to the mobile node via the wireless communication network; receiving a message from the mobile node containing an identifier of the mobile node, a key identifier and an encrypted key payload; selecting a private decryption key from among a plurality of private decryption keys, based on the key identifier; decrypting the encrypted key payload using the selected private decryption key, to recover a mobile node authentication value, a server authentication value, and the at least one encryption key for possible association with the mobile node; and responsive to the recovered mobile node authentication value matching a stored mobile node authentication value for the mobile node indicated by the received mobile node identifier, (a) storing the at least one encryption key in an access server for future use in controlling packet communication service via the wireless communication network for the mobile node; and (b) sending a reply message via the wireless communication network to the mobile node, the reply message containing the server authentication value. - View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
-
Specification