Use and generation of a session key in a secure socket layer connection
First Claim
1. A method for establishing a secure connection and authenticating a server in connections formed with PKI procedures, wherein a server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection, said method offering an alternative for authenticating the server public key, and comprising:
- generating a symmetric server authentication key by the server, the server authentication key used for encrypting server authentication information;
transmitting a server public key by the server to the client in clear text form;
generating a symmetric client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret known to both the client and server, said common secret generated by;
generating a strong authentication token time-based response by a strong authentication token at the client;
deriving a client authentication key from the response by the client;
sending a synchronization challenge from the server to the client;
encrypting the synchronization challenge with the client authentication key by the client;
sending the encrypted synchronization challenge from the client to the server; and
generating said server authentication key by the server that corresponds to the client authentication key used by the client,sending server authentication information to the client to authenticate the server, the server authentication information including data related to the server'"'"'s public key, the server authentication information encrypted by the server using the server authentication key and a symmetric encryption algorithm,decrypting, at the client, received server authentication information with the client authentication key and a symmetric decryption algorithm to obtain data related to the server public key, andverifying the correctness of the server authentication information at the client in order to authenticate the server by comparing the decrypted data related to the server public key with the server public key used in establishing the secure connection and received from the server.
2 Assignments
0 Petitions
Accused Products
Abstract
The invention describes a method and system for verifying the link between a public key and a server'"'"'s identity as claimed in the server'"'"'s certificate without relying on the trustworthiness of the root certificate of the server'"'"'s certificate chain. The system establishes a secure socket layer type connection between a client and a server, wherein the server transmits information including the server'"'"'s public key to the client while establishing the connection. Next, a first information is sent from the client to the server. The client and the server create an identical authentication key using a shared secret known to the server and the client. Next, the server transmits a first encrypted message to the client, wherein the first encrypted message includes the server'"'"'s public key encrypted with the authentication key. Then, the client decrypts the first encrypted message and verifies the correctness of that message including comparing the public key included in the decrypted first encrypted message to the public key transmitted during the set-up of the secure socket layer type connection to authenticate the client and to establish the trustworthiness of the server'"'"'s public key and thereby the entire SSL connection. The client then transmits a second encrypted message to the server, wherein the second encrypted message is the first information encrypted with the authentication key. Finally, the server then decrypts the second encrypted message and verifies the correctness of the decrypted second encrypted message to authenticate the client.
-
Citations
39 Claims
-
1. A method for establishing a secure connection and authenticating a server in connections formed with PKI procedures, wherein a server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection, said method offering an alternative for authenticating the server public key, and comprising:
-
generating a symmetric server authentication key by the server, the server authentication key used for encrypting server authentication information; transmitting a server public key by the server to the client in clear text form; generating a symmetric client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret known to both the client and server, said common secret generated by; generating a strong authentication token time-based response by a strong authentication token at the client; deriving a client authentication key from the response by the client; sending a synchronization challenge from the server to the client; encrypting the synchronization challenge with the client authentication key by the client; sending the encrypted synchronization challenge from the client to the server; and generating said server authentication key by the server that corresponds to the client authentication key used by the client, sending server authentication information to the client to authenticate the server, the server authentication information including data related to the server'"'"'s public key, the server authentication information encrypted by the server using the server authentication key and a symmetric encryption algorithm, decrypting, at the client, received server authentication information with the client authentication key and a symmetric decryption algorithm to obtain data related to the server public key, and verifying the correctness of the server authentication information at the client in order to authenticate the server by comparing the decrypted data related to the server public key with the server public key used in establishing the secure connection and received from the server. - View Dependent Claims (2, 3, 4, 5, 6, 11, 14, 15, 16)
-
-
7. A method for authenticating a server public key and establishing a secure connection between a client and a server, the connection formed with PKI procedures and including a symmetric key established using the server public key with asymmetric cryptography, said symmetric key used to encrypt communications during the connection with symmetric cryptography, the method, offering an alternative for authenticating the server public key, and comprising:
-
transmitting a server certificate from the server to the client, the server certificate including server public key information; generating separate symmetric authentication keys by the server and the client, the keys being identical as generated using a common secret known to both client and server, said generating separate authentication keys including; sending user authentication information from the client to the server; exchanging dynamic information between the client and the server; generating a secret by the client and the server from the response of a strong authentication token, said strong authentication token including a time-based token or an event-based token; and generating symmetric authentication keys at client and server using the user authentication information, the dynamic information, and the secret;
thereaftersending server authentication information to the client, the server authentication information including data related to the server public key, the server authentication information encrypted by the server using the symmetric authentication key generated by the server and a symmetric encryption algorithm; receiving and decrypting the server authentication information by the client, the client decrypting the server authentication information using a symmetric decryption algorithm and the symmetric authentication key created by the client, and verifying the correctness of the server information at the client by comparing the decrypted server authentication information with server public key information from the server certificate. - View Dependent Claims (8, 9, 10, 12, 13, 17, 18, 19)
-
-
20. A method for establishing a secure connection and authenticating a server public key in connections formed with PKI procedures, wherein the server public key, obtained from the server by a client, is used with asymmetric cryptography to establish a symmetric session key for encryption of communications with symmetric cryptography during the connection and offering an alternative for authenticating the server public key where a symmetric server authentication key is generated by the server and used to encrypt server authentication information for transmission to the client, said method comprising
generating a symmetric client authentication key by the client, the server authentication key and the client authentication key being identical to each other as both are generated using a common secret known to both server and client, said generating said client authentication key including; -
generating a strong authentication token time-based response by a strong authentication token at the client; deriving a client authentication key from the response by the client; receiving, at the client, a synchronization challenge from the server; encrypting the synchronization challenge with the client authentication key by the client; and sending the encrypted synchronization challenge from the client to the server for generating a server authentication key by the server that corresponds to the client authentication key used by the client, receiving the server public key in clear text form from the server; receiving encrypted server authentication information at the client to authenticate the server, the server authentication information including data related to the server'"'"'s public key encrypted with a symmetric encryption algorithm; decrypting, at the client, the received server authentication information with the symmetric client authentication key and a symmetric decryption algorithm to obtain data related to the server public key, and verifying the correctness of the server authentication information at the client in order to authenticate the server by comparing the decrypted data related to the server public key with the server public key used in establishing the secure connection and received from the server. - View Dependent Claims (21, 22, 23, 24, 25, 31, 34, 35, 36)
-
-
26. A method for authenticating a server public key and establishing a secure connection between a client and a server, the connection formed with PKI procedures and including a symmetric key, established using the server public key with asymmetric cryptography, to encrypt communications during the connection with symmetric cryptography, the method offering an alternative for authenticating the server public key, and comprising:
-
receiving a server certificate at the client, the server certificate including server public key information in clear text form; generating a symmetric authentication key by the client corresponding to a symmetric authentication key generated at the server, the keys being identical as generated using a common secret known to both client and server, said generating an authentication key by the client including; sending user authentication information from the client to the server; exchanging dynamic information between the client and server, generating a secret by the client from a response of a client strong authentication token corresponding to a secret generated by the server, said strong authentication token including a time-based or event-based token; and the client generating said symmetric authentication key, corresponding to a symmetric authentication key generated at the server, using the user authentication information, the dynamic information, and the secret;
thereafterreceiving server authentication information at the client, the server authentication information including data related to the server public key encrypted using the symmetric authentication key generated by the server and a symmetric encryption algorithm; decrypting the server authentication information by the client, the client decrypting the server authentication information using a symmetric decryption algorithm and the authentication key created by the client, and verifying the correctness of the server information at the client by comparing the decrypted server authentication information with server public key information received in clear text form. - View Dependent Claims (27, 28, 29, 30, 32, 33, 37, 38, 39)
-
Specification