Systems and methods for mutual authentication of network nodes

US 7,760,882 B2
Filed: 06/16/2005
Issued: 07/20/2010
Est. Priority Date: 06/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at an authentication server, a communication from a client, the communication having been sent wirelessly from the client to an access point and from the access point to the authentication server, the communication associated with a credential, the credential having a user identifier and a first token;

determining, at the authentication server, a second token associated with the user identifier, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;

generating, at the authentication server, an encryption key based at least in part on the second token, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;

receiving, at the authentication server, an authentication message from the client, wherein the authentication message was encrypted at the client using the encryption key, wherein the encryption key was generated at the client using the second token;

decrypting, at the authentication server, the authentication message using the encryption key, wherein the authentication message encrypted using the encryption key allows the authentication server to authenticate the client; and

transmitting, from the authentication server to the client, an authentication reply encrypted using the encryption key, wherein the authentication reply encrypted using the encryption key allows the client to authenticate the authentication server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for mutual encryption of network nodes are described. One described method includes transmitting a communication from a client to a server, the communication associated with a credential, the credential having a user identifier and a first token and receiving the communication at the server. The method further includes determining a second token associated with the user identifier on the server and on the client and generating an encryption key based at least in part on the second token on the server and on the client. The method further includes generating and encrypting an encrypted authentication request on the client; transmitting the encrypted authentication request to the server; receiving the encrypted authentication request on the server; decrypting the encrypted authentication request using the encryption key on the server; generating and encrypting an encrypted authentication response on the server; and transmitting the encrypted authentication response to the client.

89 Citations

View as Search Results

26 Claims

1. A method comprising:
- receiving, at an authentication server, a communication from a client, the communication having been sent wirelessly from the client to an access point and from the access point to the authentication server, the communication associated with a credential, the credential having a user identifier and a first token;
  
  determining, at the authentication server, a second token associated with the user identifier, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  generating, at the authentication server, an encryption key based at least in part on the second token, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  receiving, at the authentication server, an authentication message from the client, wherein the authentication message was encrypted at the client using the encryption key, wherein the encryption key was generated at the client using the second token;
  
  decrypting, at the authentication server, the authentication message using the encryption key, wherein the authentication message encrypted using the encryption key allows the authentication server to authenticate the client; and
  
  transmitting, from the authentication server to the client, an authentication reply encrypted using the encryption key, wherein the authentication reply encrypted using the encryption key allows the client to authenticate the authentication server.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising:
    - receiving a second communication encrypted using the encryption key from the client; and
      
      decrypting the second communication using the encryption key.

3. A method comprising:
- transmitting from a client a communication, the communication associated with a credential, the credential having a user identifier and a first token, wherein the communication is sent wirelessly via a first communication channel from the client to an access point and via a second communication channel from the access point to an authentication server;
  
  determining, at the client, a second token associated with the user identifier, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  generating, at the client, an encryption key based at least in part on the second token, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  transmitting an authentication message from the client to the authentication server, wherein the authentication message was encrypted using the encryption key, wherein the authentication message encrypted using the encryption key allows the authentication server to authenticate the client;
  
  receiving, at the client, from the authentication server an authentication response encrypted using the encryption key, wherein the encryption key on the authentication server was generated on the authentication server using the second token; and
  
  decrypting, at the client, the authentication response using the encryption key, wherein the authentication response encrypted using the encryption key allows the client to authenticate the authentication server.
- View Dependent Claims (4, 5, 6, 7, 8, 9)
- - 4. The method of claim 3, wherein the first communication channel comprises a wireless network channel and the second communication channel comprises a wired network channel.
  - 5. The method of claim 3, further comprisingencrypting a second communication using the encryption key;
    - andtransmitting the second communication.
  - 6. The method of claim 3, wherein the authentication response further comprises a verification message associated with the access point.
  - 7. The method of claim 6, further comprising determining whether the verification message is valid.
  - 8. The method of claim 6, further comprising continuing communication if the verification message is valid.
  - 9. The method of claim 6, further comprising discontinuing communication if the verification message is not valid.

10. A method comprising:
- transmitting a communication from a client to an authentication server, the communication associated with a credential, the credential having a user identifier and a first token, wherein the communication is sent wirelessly from the client to an access point and from the access point to an authentication server;
  
  receiving the communication at the authentication server;
  
  determining a second token associated with the user identifier on the authentication server and on the client, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  generating an encryption key based at least in part on the second token on the authentication server and on the client, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  generating and encrypting an encrypted authentication request using the encryption key on the client;
  
  transmitting the encrypted authentication request from the client to the authentication server;
  
  receiving the encrypted authentication request on the authentication server;
  
  decrypting the encrypted authentication request using the encryption key on the authentication server, wherein the authentication request encrypted using the encryption key allows the authentication server to authenticate the client;
  
  generating and encrypting an encrypted authentication response using the encryption key on the authentication server; and
  
  transmitting the encrypted authentication response to the client, wherein the authentication response encrypted using the encryption key allows the client to authenticate the authentication server.

11. A non-transitory computer-readable medium on which is encoded program code, the program code comprising:
- program code for receiving at an authentication server, a communication from a client, the communication having been sent wirelessly from the client to an access point and from the access point to the authentication server, the communication associated with a credential, the credential having a user identifier and a first token;
  
  program code for determining, at the authentication server, a second token associated with the user identifier, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  program code for generating, at the authentication server, an encryption key based at least in part on the second token, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  program code for receiving, at the authentication server, an authentication message from the client, wherein the authentication message was encrypted at the client using the encryption key, wherein the encryption key was generated on the client using the second token;
  
  program code for decrypting, at the authentication server, the authentication message using the encryption key, wherein the authentication message encrypted using the encryption key allows the authentication server to authenticate the client; and
  
  program code for transmitting, at the authentication server to the client, an authentication reply encrypted using the encryption key, wherein the authentication reply encrypted using the encryption key allows the client to authenticate the authentication server.
- View Dependent Claims (12)
- - 12. The computer-readable medium of claim 11, further comprising:
    - program code for receiving at the authentication server a second communication encrypted using the encryption key from the client; and
      
      program code for decrypting the second communication using the encryption key.

13. A non-transitory computer-readable medium on which is encoded program code, the program code comprising:
- program code for transmitting from a client a communication, the communication associated with a credential, the credential having a user identifier and a first token, wherein the communication is sent wirelessly via a first communication channel from the client to an access point and via a second communication channel from the access point to an authentication server;
  
  program code for determining, at the client, a second token associated with the user identifier, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  program code for generating, at the client, an encryption key based at least in part on the second token, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  program code for transmitting an authentication message from the client to the authentication server, wherein the authentication message was encrypted using the encryption key, wherein the authentication message encrypted using the encryption key allows the authentication server to authenticate the client;
  
  program code for receiving, at the client, from the authentication server an authentication response encrypted using the encryption key, wherein the encryption key on the authentication server was generated on the authentication server using the second token; and
  
  program code for decrypting, at the client, the authentication response using the encryption key, wherein the authentication response encrypted using the encryption key allows the client to authenticate the authentication server.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer-readable medium of claim 13, further comprisingprogram code for encrypting a second communication using the encryption key;
    - andprogram code for transmitting the second communication.
  - 15. The computer-readable medium of claim 13, wherein the authentication response further comprises a verification message associated with the access point, further comprising program code for determining whether the verification message is valid.
  - 16. The computer-readable medium of claim 15, further comprising program code for continuing communication if the verification message is valid.
  - 17. The computer-readable medium of claim 15, further comprising program code for discontinuing communication if the verification message is not valid.

18. A non-transitory computer-readable medium on which is encoded program code, the program code comprising:
- program code for transmitting a communication from a client to an authentication server, the communication associated with a credential, the credential having a user identifier and a first token, wherein the communication is sent wirelessly from the client to an access point and from the access point to an authentication server;
  
  program code for receiving the communication at the authentication server;
  
  program code for determining a second token associated with the user identifier on the authentication server and on the client, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  program code for generating an encryption key based at least in part on the second token on the authentication server and on the client, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  program code for generating and encrypting an encrypted authentication request using the encryption key on the client;
  
  program code for transmitting the encrypted authentication request from the client to the authentication server;
  
  program code for receiving the encrypted authentication request on the authentication server;
  
  program code for decrypting the encrypted authentication request using the encryption key on the authentication server, wherein the authentication request encrypted using the encryption key allows the authentication server to authenticate the client;
  
  program code for generating and encrypting an encrypted authentication response using the encryption key on the authentication server; and
  
  program code for transmitting the encrypted authentication response to the client, wherein the authentication response encrypted using the encryption key allows the client to authenticate the authentication server.

19. A system comprising:
- an authentication server operable to;
  
  receive, at the authentication server, a communication from a client, the communication associated with a credential, the credential having a user identifier and a first token, wherein the communication is sent wirelessly from the client to an access point and from the access point to the authentication server;
  
  determine a second token associated with the user identifier on the authentication server, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  generate an encryption key based at least in part on the second token on the authentication server, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  receive, at the authentication server, an authentication message from the client, wherein the authentication message was encrypted at the client using the encryption key, wherein the encryption key was generated on the client using the second token;
  
  decrypt, at the authentication server, the authentication message using the encryption key, wherein the authentication message encrypted using the encryption key allows the authentication server to authenticate the client; and
  
  transmit, from the authentication server, an authentication reply encrypted using the encryption key to the client, wherein the authentication reply encrypted using the encryption key allows the client to authenticate the authentication server.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the authentication server is further operable to:
    - receive a second communication encrypted using the encryption key from the client; and
      
      decrypt the second communication using the encryption key.

21. A system comprising:
- a client device operable to;
  
  transmit to an authentication server a communication, the communication associated with a credential, the credential having a user identifier and a first token, wherein the communication is sent wirelessly via a first communication channel from the client to an access point and via a second communication channel from the access point to an authentication server;
  
  determine, at the client, a second token associated with the user identifier, wherein the second token is independently stored on the client such that the second token is not transmitted between the client and authentication server but is available on both the client and the authentication server;
  
  ;
  
  generate, at the client, an encryption key based at least in part on the second token, wherein the encryption key is not transmitted between the client and authentication server but is available on both the client and authentication server since each can generate the encryption key using the second token;
  
  transmit an authentication message from the client to the authentication server, wherein the authentication message was encrypted using the encryption key, wherein the authentication message encrypted using the encryption key allows the authentication server to authenticate the client;
  
  receive, at the client, from the authentication server an authentication response encrypted using the encryption key, wherein the encryption key on the authentication server was generated on the authentication server using the second token; and
  
  decrypt, at the client, the authentication response using the encryption key, wherein the authentication response encrypted using the encryption key allows the client to authenticate the authentication server.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system of claim 21, wherein the client device is further operable to:
    - encrypt a second communication using the encryption key; and
      
      transmit the second communication.
  - 23. The system of claim 21, wherein the authentication response further comprises a verification message associated with the access point.
  - 24. The system of claim 23, wherein the client device is further operable to determine whether the verification message is valid.
  - 25. The system of claim 23, wherein the client device is further operable to continue communication if the verification message is valid.
  - 26. The system of claim 23, wherein the client device is further operable to discontinue communication if the verification message is not valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Japan Communications Inc.
Original Assignee
Japan Communications Inc.
Inventors
Fukuda, Naohisa, Tidwell, Justin Owen
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Abyaneh; Ali S

Application Number

US11/154,800
Publication Number

US 20060064588A1
Time in Patent Office

1,860 Days
Field of Search

726/5, 380/247, 380/270
US Class Current

380/270
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/6227   where protection concerns t...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 41/0213   Standardised network manage...

H04L 41/0681   Configuration of triggering...

H04L 41/5009   Determining service level p...

H04L 41/5016   based on statistics of serv...

H04L 41/5067   Customer-centric QoS measur...

H04L 41/509   wherein the managed service...

H04L 43/045   for graphical visualisation...

H04L 43/0817   by checking functioning

H04L 47/11   Identifying congestion

H04L 47/22   Traffic shaping

H04L 47/24   Traffic characterised by sp...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0823 : using certificates cryptogr...

H04L 63/0869 : for achieving mutual authen...

H04L 63/102 : Entity profiles

H04L 63/1408 : by monitoring network traff...

H04L 63/145 : the attack involving the pr...

H04L 63/162 : at the data link layer

H04L 63/166 : at the transport layer

H04L 63/20 : for managing network securi...

H04L 67/02 : based on web technology, e....

H04L 67/04 : specially adapted for termi...

H04L 67/14 : Session management for real...

H04L 67/30 : Profiles

H04L 67/61 : taking into account QoS or ...

H04L 69/329 : in the application layer [O...

H04L 9/321 : involving a third party or ...

H04L 9/3273 : for mutual authentication n...

H04W 12/088 : using filters or firewalls

H04W 48/18 : Selecting a network or a co...

View All

Systems and methods for mutual authentication of network nodes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for mutual authentication of network nodes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links