Localized network authentication and security using tamper-resistant keys
First Claim
1. A method of authenticating computing devices on a communications network, the method comprising the steps of:
receiving a first encrypted challenge from a computing device, wherein said first encrypted challenge comprises a first random number and a computing device identifier associated with said computing device, said first encrypted challenge being encrypted with a first network cryptographic key;
decrypting the first encrypted challenge with a second network cryptographic key, and extracting the first random number and the computing device identifier;
obtaining a first secret cryptographic key associated with said computing device identifier, and encrypting said first random number with said first secret cryptographic key;
generating a second random number;
transmitting a second challenge to said computing device, wherein said second challenge comprises said encrypted first random number and said second random number;
decrypting said encrypted first random number with said first secret cryptographic key;
determining whether said decrypted first random number corresponds to said first random number;
in response to said decrypted first random number not corresponding to said first random number, said communications device aborting authentication; and
in response to said decrypted first random number corresponding to said first random number;
generating a third challenge, wherein said third challenge comprises said second random number encrypted with said first secret cryptographic key;
receiving said third challenge;
decrypting said encrypted second random number with said first secret cryptographic key; and
determining whether said decrypted second random number corresponds to said second random number;
in response to said decrypted second random number not corresponding to said second random number, storing an address identifier associated with the computing device in a database for unauthorized computing devices; and
in response to said decrypted second random number corresponding to said second random number, storing an address identifier associated with the computing device in a database for authorized computing devices.
Abstract
The invention provides a secure Wi-Fi communications method and system. In an embodiment of the invention, unique physical keys, or tokens, are installed at an access point and each client device of the network. Each key comprises a unique serial number and a common network send cryptographic key and a common network receive cryptographic key used only during the authentication phase by all components on the LAN. Each client key further includes a secret cryptographic key unique to each client device. During authentication, two random numbers are generated per communications session and are known by both sides of the wireless channel. Only the random numbers are sent across the wireless channel and in each case these numbers are encrypted. A transposed cryptographic key is derived from the unique secret cryptographic key using the random numbers generated during authentication. Thus, both sides of the wireless channel know the transposed cryptographic key without it ever being transmitted between the two.
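The three-challenge exchange of claim 1 and the key derivation described in the abstract, as an added Python example that is not code from the patent. Assumptions: the first and second network keys are modelled as one shared symmetric value, the cipher is a toy SHA-256 keystream standing in for whatever the tokens implement, and `transposed_key` uses HMAC because the page does not say how the key is transposed.

```python
import hashlib, hmac, secrets

def keystream_xor(key, nonce, data):
    # Toy SHA-256 counter-mode keystream: stand-in cipher, no integrity protection.
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc(key, pt):
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, pt)

def dec(key, ct):
    return keystream_xor(key, ct[:16], ct[16:])

def transposed_key(secret, r1, r2):
    # Assumed derivation: the page only says secret key plus both random numbers.
    return hmac.new(secret, r1 + r2, hashlib.sha256).digest()

class Client:
    def __init__(self, dev_id, net_key, secret):
        # net_key: network send/receive keys modelled as one value (assumption).
        self.dev_id, self.net_key, self.secret = dev_id, net_key, secret
    def challenge1(self):
        self.r1 = secrets.token_bytes(16)
        return enc(self.net_key, self.r1 + self.dev_id)
    def challenge3(self, enc_r1, r2):
        if not hmac.compare_digest(dec(self.secret, enc_r1), self.r1):
            return None          # access point failed to prove the secret key: abort
        self.session = transposed_key(self.secret, self.r1, r2)
        return enc(self.secret, r2)

class AccessPoint:
    def __init__(self, net_key, key_db):
        self.net_key, self.key_db = net_key, key_db   # key_db: identifier -> secret key
        self.authorized, self.unauthorized = set(), set()
    def challenge2(self, c1):
        pt = dec(self.net_key, c1)
        self.r1, self.k = pt[:16], self.key_db.get(pt[16:], b"")
        self.r2 = secrets.token_bytes(16)
        # r2 is carried as the claim words it; the page names no key for it.
        return enc(self.k, self.r1), self.r2
    def verify3(self, c3, addr):
        ok = bool(self.k) and hmac.compare_digest(dec(self.k, c3), self.r2)
        (self.authorized if ok else self.unauthorized).add(addr)
        self.session = transposed_key(self.k, self.r1, self.r2) if ok else None
        return ok
```

A device that holds the network key but not the per-device secret key fails in both directions: it cannot validate the access point's answer to the first random number, and any third challenge it sends lands its address in the unauthorized set.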
2 Claims
2. A method for local provisioning of a cryptographic key database on a host computing device on a communications network including one or more client computing devices, the host computing device having at least two universal serial bus ports, the method comprising the steps of:
(a) receiving an initialized master key at one of the at least two universal serial bus ports of the host computing device, the master key having a master key network cryptographic send key and a master key network cryptographic receive key;
(b) receiving a code associated with the master key to access data stored on the master key, and to activate the master key;
(c) retrieving information indicative of a serial number associated with the master key and a master key cryptographic secret key;
(d) providing the retrieved information indicative of the serial number associated with the master key to open a corresponding key database;
(e) receiving a client key at the other of the at least two universal serial bus ports of the host computing device, the client key having a token;
(f) retrieving information indicative of a serial number associated with the client key;
(g) determining whether the client key has been previously initialized by identifying whether a client record corresponding to the client key exists in the key database;
(h) in response to determining that the client key has not been previously initialized;
copying the master key network cryptographic send key and the master key network cryptographic receive key to the token of the client key;
generating a client key cryptographic secret key from the copied master key network cryptographic send key and the copied master key network cryptographic receive key, wherein the client key cryptographic secret key has no mathematical relationship to the information indicative of the serial number associated with the client key;
encrypting the client key cryptographic secret key with the master cryptographic secret key; and
creating and storing a client record in the key database, the client record comprising; the encrypted client key cryptographic secret key, the information indicative of the serial number of the client key and administrative information corresponding to a user or computing device associated with the client key;
(i) in response to determining that the client key has been previously initialized; providing functionality to view administrative information associated with the previously initialized client key by using the master network cryptographic secret key to decrypt a client record corresponding to the previously initialized client key;
(j) determining whether another client key has been received at the other of the at least two universal serial bus ports of the host computing device; and
(k) in response to determining that another client key has been received, repeating steps (f)-(j).
Specification