Secure proximity verification of a node on a network

US 7,991,998 B2
Filed: 09/22/2003
Issued: 08/02/2011
Est. Priority Date: 09/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method of determining proximity of a target node to a source node, comprising:

preparing a first response at the target node prior to receiving any part of a query from the source node;

communicating the query from the source node to the target node;

communicating the first response from the target node to the source node, immediately after the query is received and before the query is processed at the target node;

receiving the first response at the source node;

processing the query at the target node to produce therefrom a second response that facilitates a verification of the target node and its first response;

communicating the second response from the target node to the source node;

determining a measure of communication time between communicating the query and receiving the first response; and

determining the proximity of the target node based on the measure of communication time, wherein determining proximity includes comparing the measure of communication time with a threshold value, and if the communication time is below the threshold, the target node is determined to be local, otherwise the target node is determined to be remote, further comparing the measure of communication time with multiple applied thresholds for providing a relative measure of a degree of remoteness of the target node from the source node, and wherein the source node uses the remote/local proximity determination to control subsequent communications with the target node and to control access of the target node to system resources based on the determined proximity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method determines the proximity of the target node to the source node from the time required to communicate messages within the node-verification protocol. The node-verification protocol includes a query-response sequence, wherein the source node communicates a query to the target node, and the target node communicates a corresponding response to the source node. The target node is configured to communicate two responses to the query: a first response that is transmitted immediately upon receipt of the query, and a second response based on the contents of the query. The communication time is determined based on the time duration between the transmission of the query and receipt of the first response at the source node and the second response is compared for correspondence to the query, to verify the authenticity of the target node.

Citations

28 Claims

1. A method of determining proximity of a target node to a source node, comprising:
- preparing a first response at the target node prior to receiving any part of a query from the source node;
  
  communicating the query from the source node to the target node;
  
  communicating the first response from the target node to the source node, immediately after the query is received and before the query is processed at the target node;
  
  receiving the first response at the source node;
  
  processing the query at the target node to produce therefrom a second response that facilitates a verification of the target node and its first response;
  
  communicating the second response from the target node to the source node;
  
  determining a measure of communication time between communicating the query and receiving the first response; and
  
  determining the proximity of the target node based on the measure of communication time, wherein determining proximity includes comparing the measure of communication time with a threshold value, and if the communication time is below the threshold, the target node is determined to be local, otherwise the target node is determined to be remote, further comparing the measure of communication time with multiple applied thresholds for providing a relative measure of a degree of remoteness of the target node from the source node, and wherein the source node uses the remote/local proximity determination to control subsequent communications with the target node and to control access of the target node to system resources based on the determined proximity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the query and at least one of the first and second responses correspond to at least a portion of a cryptographic key-exchange protocol.
  - 3. The method of claim 2, wherein the key-exchange protocol corresponds to a Needham-Schroeder key-exchange protocol.
  - 4. The method of claim 1, wherein the query and at least one of the first and second responses correspond to at least a portion of an OCPS protocol.
  - 5. The method of claim 1, wherein the query includes an encryption of an item based on a public key of the target node, and the processing of the query includes decrypting the item based on a private key of the target node, for inclusion in the second response.
  - 6. The method of claim 5, wherein the first response includes a random number, and the processing of the query further includes encrypting the item and the random number using a public key of the source node to form at least a portion of the second response.
  - 7. The method of claim 5, wherein the first response includes an encryption of a random number based on a public key of the source node.
  - 8. The method of claim 1, wherein determining the proximity includes comparing the communication time to a threshold value that distinguishes between local and remote nodes.
  - 9. The method of claim 1, further including restricting communications with the target node based on the proximity.
  - 10. The method of claim 1, further including restricting access of the target node to system resources based on the proximity.

11. A node on a network including:
- a processor that is configured to prepare a first response at the node prior to receiving any part of a query from a source node,a communication device that is configured to;
  
  receive the query from the source node,transmit the first response to facilitate proximity verification of the node, to the source node immediately upon receipt of the query and before the query is processed, andtransmit a second response that facilitates a verification of the node to the source node, andthe processor configured to process the query and produce therefrom the second response, wherein the source node determines a measure of communication time between communicating the query and receiving the first response, determines a proximity of the node based on the measure of communication time, wherein determining proximity includes comparing the measure of communication time with a threshold value, and if the communication time is below the threshold, the node is determined to be local, otherwise the node is determined to be remote, further comparing the measure of communication time with multiple applied thresholds for providing a relative measure of a degree of remoteness of the node from the source node, and wherein the source node uses the remote/local proximity determination to control subsequent communications with the node and to control access of the node to system resources based on the determined proximity.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The node of claim 11, wherein the processor is configured to process the query and produce the response as part of a cryptographic key-exchange protocol.
  - 13. The node of claim 12, wherein the key-exchange protocol corresponds to a Needham-Schroeder key-exchange protocol.
  - 14. The node of claim 11, wherein the query and at least one of the first and second responses correspond to at least a portion of an OCPS protocol initiated by the source node.
  - 15. The node of claim 11, wherein the query includes an encryption of an item based on a public key of the node, and the processor is configured to decrypt the item based on a private key of the node, for inclusion in the second response.
  - 16. The node of claim 15, wherein the first response includes a random number, and the processor is configured to encrypt the item and the random number using a public key of the source node to form at least a portion of the second response.
  - 17. The node of claim 15, wherein the first response includes an encryption of a random number based on a public key of the source node.

18. A node on a network including:
- a communication device that is configured to;
  
  transmit a query to a target node,receive an immediate first response that has been prepared before receipt of any part of the query by the target node and transmitted by the target node before the query is processed at the target node, andreceive a second response from the target node; and
  
  a processor that is configured to;
  
  measure a communication time between transmitting the query and receiving the first response,determine a proximity of the target node relative to the node based on the communication time, andverify the target node based on the second response, wherein determining proximity includes comparing the measure of communication time with a threshold value, and if the communication time is below the threshold, the target node is determined to be local, otherwise the target node is determined to be remote, further comparing the measure of communication time with multiple applied thresholds for providing a relative measure of a degree of remoteness of the target node from the source node, and wherein the source node uses the remote/local proximity determination to control subsequent communications with the target node and to control access of the target node to system resources based on the determined proximity.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The node of claim 18, wherein the processor is configured to generate the query and process at least one of the first and second responses as part of a cryptographic key-exchange protocol.
  - 20. The node of claim 19, wherein the key-exchange protocol corresponds to a Needham-Schroeder key-exchange protocol.
  - 21. The node of claim 18, wherein the query and at least one of the first and second responses correspond to at least a portion of an OCPS protocol initiated by the node.
  - 22. The node of claim 18, wherein the query includes an encryption of an item based on a public key of the target node, and the second response includes a decryption of the item based on a private key of the target node.
  - 23. The node of claim 22, wherein the first response includes a random number, and the second response includes an encryption of the decryption of the item and the random number, using a public key of the node.
  - 24. The node of claim 23, wherein the second response further includes a signature of the decryption of the item and the random number, using a private key of the target node.
  - 25. The node of claim 22, wherein the first response includes an encryption of a random number based on a public key of the node.
  - 26. The node of claim 18, wherein the processor is configured to determine the proximity based on a comparison of the communication time to a threshold value that distinguishes between local and remote nodes.
  - 27. The node of claim 18, wherein the processor is further configured to control subsequent communications with the target node based on the proximity.
  - 28. The node of claim 18, wherein the processor is further configured to control access of the target node to system resources based on the proximity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Koninklijke Philips Electronics N.V. (Koninklijke Philips N.V.)
Original Assignee
Koninklijke Philips Electronics N.V. (Koninklijke Philips N.V.)
Inventors
Rosner, Martin C., Krasinski, Raymond J., Epstein, Michael A.
Primary Examiner(s)
Dinh; Minh
Assistant Examiner(s)
Okeke; Izunna

Application Number

US10/529,353
Publication Number

US 20060041642A1
Time in Patent Office

2,871 Days
Field of Search

713/156, 713/168, 713/170, 713/171, 713/178, 713/181, 709/238, 709/225, 709/229, 380/258, 726/3
US Class Current

713/168
CPC Class Codes

H04L 43/50   Testing arrangements

H04L 63/0428   wherein the data content is...

H04L 63/0442   wherein the sending and rec...

H04L 63/0492   by using a location-limited...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

Secure proximity verification of a node on a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Secure proximity verification of a node on a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links