System for proximity determination

US 8,051,292 B2
Filed: 05/11/2005
Issued: 11/01/2011
Est. Priority Date: 06/28/2004
Status: Active Grant

First Claim

Patent Images

1. A method for determining proximity between a first device and a second device, the method comprising:

providing a first device storing a first device private key, the first device having an associated secure first device certificate storing secured information, the secured information comprising;

a first device public key corresponding to the first device private key;

providing a second device storing a second device private key, the second device having an associated secure second device certificate storing secured information, the secured information comprising;

a second device public key corresponding to the second device private key; and

a second device processing delay;

providing a copy of the second device certificate to the first device;

establishing a secure authenticated channel between the first device and the second device;

sending a first proximity challenge from the first device to the second device, the proximity challenge including a numeric challenge value;

receiving the first proximity challenge at the second device, processing the proximity challenge at the second device to produce a response to the first proximity challenge, and sending the response to the first proximity challenge from the second device to the first device;

receiving the response to the first proximity challenge at the first device; and

performing the following at the first device;

verifying, at the first device, that the response to the first proximity challenge is legitimate;

determining a gross time between sending the first proximity challenge and receiving the response to the first proximity challenge;

subtracting the second device processing delay from the gross time to produce a first net response time; and

comparing the first net response time to a first threshold and determining whether the first device and the second device are in proximity based on a result of the comparing.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In connection with network elements in a network, enhancing security by measuring proximity between elements, that are communicating with each other, by using facilities of secure devices and secure elements in the network. In some embodiments, secured information stored in a device certificate comprises a device processing delay, and the device processing delay is used in calculating a net response time which is compared to a threshold.

Citations

35 Claims

1. A method for determining proximity between a first device and a second device, the method comprising:
- providing a first device storing a first device private key, the first device having an associated secure first device certificate storing secured information, the secured information comprising;
  
  a first device public key corresponding to the first device private key;
  
  providing a second device storing a second device private key, the second device having an associated secure second device certificate storing secured information, the secured information comprising;
  
  a second device public key corresponding to the second device private key; and
  
  a second device processing delay;
  
  providing a copy of the second device certificate to the first device;
  
  establishing a secure authenticated channel between the first device and the second device;
  
  sending a first proximity challenge from the first device to the second device, the proximity challenge including a numeric challenge value;
  
  receiving the first proximity challenge at the second device, processing the proximity challenge at the second device to produce a response to the first proximity challenge, and sending the response to the first proximity challenge from the second device to the first device;
  
  receiving the response to the first proximity challenge at the first device; and
  
  performing the following at the first device;
  
  verifying, at the first device, that the response to the first proximity challenge is legitimate;
  
  determining a gross time between sending the first proximity challenge and receiving the response to the first proximity challenge;
  
  subtracting the second device processing delay from the gross time to produce a first net response time; and
  
  comparing the first net response time to a first threshold and determining whether the first device and the second device are in proximity based on a result of the comparing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The method according to claim 1 and wherein the first proximity challenge from the first device to the second device is digitally signed.
  - 3. The method according to claim 1 and wherein the first proximity challenge from the first device to the second device is encrypted.
  - 4. The method according to claim 1 and wherein the determining a gross time comprises:
    - starting a first timer upon the sending the first proximity challenge from the first device to the second device; and
      
      stopping the timer upon the receiving the response to the first proximity challenge at the first device.
  - 5. The method according to claim 1 and wherein the determining a gross time comprises:
    - recording a time of sending the first proximity challenge from the first device to the second device;
      
      recording a time of the receiving the response to the first proximity challenge from the second device to the first device; and
      
      subtracting the recorded time of the sending from the recorded time of the receiving, thereby determining the gross time between sending the first proximity challenge and receiving the response to the first proximity challenge.
  - 6. The method according to claim 1 wherein the first threshold is comprised in a first content segment license.
  - 7. The method according to claim 6 and wherein the first content segment license defines an average allowable time for the first threshold.
  - 8. The method according to claim 7 and wherein the average allowable time for the first threshold is a moving average allowable time.
  - 9. The method according to claim 6 and wherein the first content segment license defines a maximum allowable time for the first threshold.
  - 10. The method according to claim 6 and wherein the first content segment license defines a first repetition rate.
  - 11. The method according to claim 10 and wherein the first repetition rate defines a repetition at a fixed interval.
  - 12. The method according to claim 10 and wherein the first repetition rate defines a repetition at a variable interval.
  - 13. The method according to claim 9 and wherein the maximum allowable time is set to zero.
  - 14. The method according to claim 6 and wherein the first content segment license is digitally signed in order to prevent tampering.
  - 15. The method according to claim 1 and wherein the first device certificate also comprises a field specifying a sum of time required for the first device to perform all computations involved in responding to a proximity challenge.
  - 16. The method according to claim 1 and wherein the establishing the Secure Authenticated Channel (SAC) occurs before sending the first proximity challenge from the first device.
  - 17. The method according to claim 1 and wherein the secure first device certificate comprises a first device processing delay.
  - 18. The method according to claim 17 and also comprising:
    - providing a copy of the first device certificate to the second device;
      
      sending a second proximity challenge from the second device to the first device, the second proximity challenge including a numeric challenge value;
      
      receiving the second proximity challenge at the first device, processing the second proximity challenge at the first device to produce a response to the second proximity challenge, and sending the response to the second proximity challenge from the first device to the second device;
      
      receiving the response to the sec and proximity challenge at the second device; and
      
      performing the following at the second device;
      
      verifying, at the second device, that the response to the second proximity challenge is legitimate;
      
      determining a gross time between sending the second proximity challenge and receiving the response to the second proximity challenge;
      
      subtracting the first device processing delay from the gross time between sending the second proximity challenge and receiving the response to the second proximity challenge to produce a second net response time; and
      
      comparing the second net response time to a second threshold and determining whether the second device and the first device are in proximity based on a result of comparing the second net response time to the second threshold.
  - 19. The method according to claim 18 and wherein the second proximity challenge from the second device to the first device is digitally signed.
  - 20. The method according to claim 18 and wherein the second proximity challenge from the second device to the first device is encrypted.
  - 21. The method according to claim 18 and wherein the determining a gross time at the second device comprises:
    - starting a timer to upon the sending the second proximity challenge from the second device to the first device; and
      
      stopping the timer upon the receiving the response to the second proximity challenge at the second device.
  - 22. The method according to claim 18 and wherein the determining a gross time at the second device comprises:
    - recording a time of sending the second proximity challenge from the second device to the first device;
      
      recording a time of the receiving the response to the second proximity challenge from the first device to the second device; and
      
      subtracting the recorded time of sending the second proximity challenge from the recorded time of receiving the response to the second proximity challenge, thereby determining the gross time between sending the second proximity challenge and receiving the response to the second proximity challenge.
  - 23. The method according to claim 18 wherein the second threshold is comprised in a second content segment license.
  - 24. The method according to claim 23 and wherein the second content segment license defines an average allowable time for the second threshold.
  - 25. The method according to claim 24 and wherein the average allowable time for the second threshold is a moving average allowable time.
  - 26. The method according to claim 23 and wherein the second content segment license defines a maximum allowable time for the second threshold.
  - 27. The method according to claim 23 and wherein the second content segment license defines a second repetition rate.
  - 28. The method according to claim 27 and wherein the second repetition rate defines a repetition at a fixed interval.
  - 29. The method according to claim 27 and wherein the second repetition rate defines a repetition at a variable interval.
  - 30. The method according to claim 26 and wherein the maximum allowable time for the second threshold is set to zero.
  - 31. The method according to claim 23 and wherein the second content segment license is digitally signed in order to prevent tampering.
  - 32. The method according to claim 18 and wherein the establishing the Secure Authenticated Channel (SAC) occurs before sending the second proximity challenge from the second device.
  - 33. A device comprising:
    - a communications system operative to communicate with other devices; and
      
      wherein the device is operative to perform the steps performed by at least one of the first device and the second device in accordance with the method of claim 1.
  - 34. The device according to claim 33 and wherein the communication system comprises a wireless communication system.
  - 35. The device according to claim 33 and wherein the communication system comprises a wire based communication system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
NDS Limited (Cisco Systems, Inc.)
Inventors
Belenky, Yaacov, Shen-Orr, Chaim D., Hibshoosh, Eliphaz
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
BROWN, ANTHONY D

Application Number

US11/629,435
Publication Number

US 20070300070A1
Time in Patent Office

2,365 Days
Field of Search

713/176, 713/161, 380/270, 726/2
US Class Current

713/176
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2103   Challenge-response

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2129   Authenticate client device ...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/63   Location-dependent; Proximi...

H04W 24/00   Supervisory, monitoring or ...

System for proximity determination

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System for proximity determination

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links