Proximity check server

US 8,276,209 B2
Filed: 09/05/2005
Issued: 09/25/2012
Est. Priority Date: 09/17/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for determining a level of allowed communication between a first device and a second device, comprising the acts of:

performing, using a trusted first proximity check server, a communication protocol with the first device to reliably determine a first distance between the trusted first proximity check server and the first device, the first device generating and transmitting a first identity certificate to identify itself to the trusted first proximity check server, the first identity certificate comprising a random number and KIC signature, the trusted first proximity check server verifying the first identity certificate received from the first device and generating a first proximity certificate comprising the first determined distance, the identity of the first device, and a nonce;

performing, using a trusted second proximity check server, a communication protocol with the second device to reliably determine a second distance between the trusted second proximity check server and the second device, the second device generating and transmitting a second identify certificate to identify itself to the trusted second proximity check server, the identity certificate comprising a random number and KIC signature, the trusted second proximity check server verifying the second identity certificate received from the second device and generating a second proximity certificate comprising the second determined distance, the identity of the second device, and a nonce, wherein the trusted first and second proximity check servers are either the same proximity check server or different proximity check server, wherein the first and second device perform an authentication and key exchange protocol;

determining, using the first device, whether the first determined distance from the first proximity certificate and second determined distance from the second proximity certificate satisfy a predetermined rule, the predetermined rule being distance requirements related to the first and second devices; and

determining, using the first device, the level of allowed communication in dependence on whether the predetermined rule is satisfied, wherein the first proximity certificate comprises information when the first distance was determined.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for determining the level of allowed communication between devices. By addition of one or more tamper-resistant proximity check server(s), round-trip time measurements to estimate the distance between the communication devices are performed in order to determine the amount of communication allowed between these devices. In one embodiment, a single tamper-resistant proximity server computes the distance between communication devices that are implemented as trusted applications on open platforms.

49 Citations

View as Search Results

30 Claims

1. A method for determining a level of allowed communication between a first device and a second device, comprising the acts of:
- performing, using a trusted first proximity check server, a communication protocol with the first device to reliably determine a first distance between the trusted first proximity check server and the first device, the first device generating and transmitting a first identity certificate to identify itself to the trusted first proximity check server, the first identity certificate comprising a random number and KIC signature, the trusted first proximity check server verifying the first identity certificate received from the first device and generating a first proximity certificate comprising the first determined distance, the identity of the first device, and a nonce;
  
  performing, using a trusted second proximity check server, a communication protocol with the second device to reliably determine a second distance between the trusted second proximity check server and the second device, the second device generating and transmitting a second identify certificate to identify itself to the trusted second proximity check server, the identity certificate comprising a random number and KIC signature, the trusted second proximity check server verifying the second identity certificate received from the second device and generating a second proximity certificate comprising the second determined distance, the identity of the second device, and a nonce, wherein the trusted first and second proximity check servers are either the same proximity check server or different proximity check server, wherein the first and second device perform an authentication and key exchange protocol;
  
  determining, using the first device, whether the first determined distance from the first proximity certificate and second determined distance from the second proximity certificate satisfy a predetermined rule, the predetermined rule being distance requirements related to the first and second devices; and
  
  determining, using the first device, the level of allowed communication in dependence on whether the predetermined rule is satisfied, wherein the first proximity certificate comprises information when the first distance was determined.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method as claimed in claim 1, wherein the first distance is determined by the trusted first proximity check server by measuring a round-trip time in the communication protocol.
  - 3. The method as claimed in claim 1, wherein the trusted first proximity check server and the trusted second proximity check server are the same trusted proximity check server.
  - 4. The method as claimed in claim 1, wherein the predetermined rule is satisfied only if a sum of the first determined distance and the second determined distance and a distance between the trusted first and second proximity check servers is below a predetermined threshold.
  - 5. The method as claimed in claim 1, wherein the predetermined rule is satisfied if the first determined distance and the second determined distance are both below predetermined thresholds.
  - 6. The method as claimed in claim 1, wherein additional trusted proximity check servers are used.
  - 7. The method as claimed in claim 1, wherein the trusted first proximity check server is located at a distribution point in the network comprising the first and second devices and the trusted first and second proximity check servers.
  - 8. The method as claimed in claim 1, wherein a challenge response protocol to determine the first distance between the first device and the trusted first proximity check server is part of an authentication protocol between the first device and the trusted proximity check server.
  - 9. The method as claimed in claim 1, wherein said method further comprises the acts of:
    - the first device requesting the first proximity certificate from the trusted first proximity check server;
      
      the second device requesting the second proximity certificate from the trusted second proximity check server; and
      
      the first device communicating the first proximity certificate to the second device, andthe second device verifying whether the first determined distance from the first proximity certificate and the second determined distance from the second proximity certificate satisfy the predetermined rule.
  - 10. The method as claimed in claim 1, wherein said method further comprises the acts of:
    - the second device requesting the first proximity certificate from the trusted first proximity check server;
      
      the second device requesting the second proximity certificate from the trusted second proximity check server; and
      
      the second device verifying whether the first determined distance from the first proximity certificate and the second determined distance from the second proximity certificate satisfy the predetermined rule.
  - 11. The method as claimed in claim 1, wherein the first device adds a random number in requesting the first proximity certificate from the trusted first proximity check server,the trusted proximity check server adds the random number to the first proximity certificate in generating the proximity certificate, andthe first device verifies whether the distance certificate was created after the request of the distance certificate was made based on presence of the random number in the distance certificate.
  - 12. The method as claimed in claim 1, wherein said method further comprises the acts of:
    - the trusted first proximity check server determining a distance between first device and the second device based on the determined distance between the trusted first proximity check server and the first device and the distance between the trusted second proximity check server and the second device, andthe trusted first proximity check server generating a distance certificate comprising the determined distance between the first device and the second device.
  - 13. The method as claimed in claim 12, wherein said method further comprises at least one of the first device and the second device performing the acts of:
    - requesting the distance certificate for the distance between the first and the second device from the trusted first proximity check server,retrieving the distance certificate from the trusting first proximity check server, verifying whether the distance between the first and the second device in the distance certificate from the trusted first proximity check server is below a predetermined threshold.
  - 14. The method of claim 13, wherein in response to the requesting act, the method further comprises the acts of:
    - determining by the trusted first proximity check server whether the distance certificate is valid, and if not, thenperform distance measurements to generate a valid distance certificate.
  - 15. The method as claimed in claim 12, wherein said method further comprises at least one of the first device and the second device performing the acts of:
    - requesting the trusted first proximity check server to verify the determined distance between the first and the second device against a predetermined threshold, to which the trusted first proximity check server generates an answer to this request, retrieving the answer from the proximity check server.
  - 16. The method as claimed in claim 12, wherein:
    - the first device adds a random number requesting the distance certificate from the trusted first proximity check server,the trusted first proximity check server adds the random number to the distance certificate in generating the distance certificate, andthe first device verifies whether the distance certificate was created after the request of the distance certificate was made based on presence of the random number in the distance certificate.
  - 17. The method as claimed in claim 1, wherein the first and second distance determinations require a communication over a wireless link.
  - 18. The method as claimed in claim 1, wherein:
    - the first device requests the trusted first proximity check server to set up a connection between the first device and the second device,the trusted first proximity check server sets up the connection if the distance from the trusted first proximity check server to the first device and the distance from the trusted second proximity check server to the second device satisfy the predetermined rule.
  - 19. The method of claim 1, further comprising the acts of:
    - performing, using a trusted third proximity check server, a communication protocol with the first device to determine a third distance between the trusted third proximity check server and the first device; and
      
      using the first distance and the third distance from the first device to the trusted first proximity check serve and the trusted third proximity check serve, respectively, to determine a location of the first device.
  - 20. The method of claim 1, wherein the first device has a higher interest in guarding protection of content.
  - 21. The method of claim 1, wherein the act of determining, using the first device, the level of allowed communication includes sharing of content between the first device and the second through the allowed communication if the predetermined rule is satisfied, and preventing exchange of the content between the first device and the second if the predetermined rule is not satisfied, andwherein at least one of the first proximity certificate and the second proximity certificate includes a cryptographic signature used to determine that the allowed communication is authentic and has not been tampered with.

22. A trusted proximity check server for enabling determination of an allowed level of communication between a first device and a second device, comprising:
- a transmitting configured to transmit messages during a communication protocol with at least one of the first device and the second device,a receiver configured to receive messages during the communication protocol, a tamper-resistant processor configured to execute the communication protocol,a tamper-resistant measuring device configured to measure a distance while executing the communication protocol;
  
  said tamper-resistant processing processor being further configured to generate at least one of a distance certificate and a proximity certificate; and
  
  tamper-resistant signing device configured to cryptographically sign the generate at least one of the distance certificate and the proximity certificate for determining a level of the allowed communication in dependence on whether a predetermined rule about distance requirements related to the first device and the second device is satisfiedwherein the proximity certificate comprises information when the distance was measured;
  
  performing, using the trusted proximity check server, a communication protocol with the first device to reliably determine a first distance between the trusted proximity check server and the first device, the first device generating and transmitting a first identity certificate to identify itself to the trusted proximity check server, the first identity certificate comprising a random number and KIC signature, the trusted proximity check server verifying the first identity certificate received from the first device and generating a first proximity certificate comprising the first determined distance, the identity of the first device, and a nonce; and
  
  performing, using the trusted proximity check server, a communication protocol with the second device to reliably determine a second distance between the trusted proximity check server and the second device, the second device generating and transmitting a second identity certificate to identify itself to the trusted proximity check server, the second identity certificate comprising a random number and KIC signature, the trusted proximity check server verifying the second identity certificate received from the second device and generating a second proximity certificate comprising the second determined distance, the identity of the second device, and a nonce.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The trusted proximity check server as claimed in claim 22, wherein said trusted proximity check server further comprises tamper-resistant estimation device configured to estimate a distance based on a round-trip time.
  - 24. The trusted proximity check server as claimed in claim 22, wherein the trusted proximity check server is integrated in a network device.
  - 25. The trusted proximity check server as claimed in claim 22, wherein the proximity check server is implemented as a dongle.
  - 26. The trusted proximity check server of claim 22, wherein the tamper-resistant signing device is further configured to allow sharing of content between the first device and the second through the allowed communication if the predetermined rule is satisfied, and preventing exchange of the content between the first device and the second if the predetermined rule is not satisfied, andwherein the proximity certificate includes a cryptographic signature used to determine that the messages are authentic and have not been tampered with.

27. A system for determining a level of allowed communication between a first device and a second device, the system comprising:
- the first device, wherein the first device determines the level of allowed communication in dependence of whether a predetermined rule was satisfied, said predetermined rule relating to distances requirements regarding said first and second devices;
  
  the second device;
  
  a trusted first proximity check server for performing a communication protocol with the first device to reliably determine a first distance between the first proximity check server and the first device, the first device generating and transmitting a first identity certificate to identify itself to the trusted first proximity check server, the first identity certificate comprising a random number and KIC signature, the trusted first proximity check server verifying the first identity certificate received from the first device and the first proximity check server generating a first proximity certificate comprising the first determined distance, the identity of the first device, and a nonce; and
  
  a trusted second proximity check server for performing a communication protocol with the second device to reliably determine a second distance between the second proximity check server and the second device, the second device generating and transmitting a second identity certificate to identify itself to the trusted second proximity check server, the identity certificate comprising a random number and KIC signature, the trusted second proximity check server verifying the second identity certificate received from the second device and the second proximity check server generating a second proximity certificate comprising the second determined distance, the identity of the second device, and a nonce, wherein the first and the second proximity check server are the same proximity check server or different proximity check servers, wherein the first and second devices perform an authentication and key exchange protocol,wherein the first device determines whether the first determined distance from the first proximity certificate and the second determined distance from the second proximity certificate satisfy the predetermined rule,wherein the first proximity certificate comprises information when the first distance was determined.
- View Dependent Claims (28)
- - 28. The system as claimed in claim 27, wherein at least one of the first device and the second device is implemented as a software application running on a programmable device.

29. A non-transitory computer-readable storage medium having stored thereon a computer program for enabling determination of an allowed level of communication between a first device and a second device, for use with a trusted first proximity check server and a trusted second proximity server, said computer program having computer executable instructions for causing a respective programmable device of the trusted first an second proximity check server to:
- perform, by the trusted first proximity check server, a communication protocol with a first device to reliably determine a first distance between the trusted first proximity check server and the first device, the first device generating and transmitting a first identity certificate to identify itself to the trusted first proximity check server, the first identity certificate comprising a random number and KIC signature, the trusted first proximity check server verifying the first identity certificate received from the first device and the first proximity check server generating a first proximity certificate comprising the first determined distance, the identity of the first device, and a nonce,perform, by the trusted second proximity check server, a communication protocol with the second device to reliably determine a second distance between the trusted second proximity check server and the second device, the second device generating and transmitting a second identity certificate to identify itself to the trusted second proximity check server, the identity certificate comprising a random number and KIC signature, the trusted second proximity check server verifying the second identity certificate received from the second device and generating a second proximity certificate comprising the second determined distance, the identity of the second device, and a nonce, andenabling the first device to determine whether the first determined distance in the first proximity certificate and the second determined distance in the second proximity certificate satisfy a predetermined rule, said predetermined rule relating to distances requirements regarding said first and second devices, and to determine the level of allowed communication in dependence of whether the predetermined rule was satisfied,wherein the first proximity certificate comprises information when the first distance was determined.

30. A non-transitory computer-readable storage medium having stored thereon a computer program for enabling determination of an allowed level of communication between a first device and a second device, for use with a trusted first proximity check server and a trusted second proximity check server, said computer program having computer executable instructions for causing a programmable device to perform:
- requesting a first proximity certificate from the trusted first proximity check server for the first device, the first device generating and transmitting a first identity certificate to identify itself to the trusted first proximity check server, the first identity certificate comprising a random number and KIC signature, the trusted first proximity check server verifying the first identity certificate received from the first device and said first proximity certificate containing a first determined distance between the trusted first proximity check server and the first device, the identity of the first device, and a nonce,requesting a second proximity certificate from at least one of the second device and the first the trusted second proximity check server for the second device, the second device generating and transmitting a second identity certificate to identify itself to the trusted second proximity check server, the identity certificate comprising a random number and KIC signature, the trusted second proximity check server verifying the second identity certificate received from the second device and said second proximity certificate containing a second determined distance between the trusted second proximity check server and the second device, the identity of the second device, and a nonce,determining whether the first determined distance in the first proximity certificate and the second determined distance in the second proximity certificate satisfy a predetermined rule, said predetermined rule relating to distances requirements regarding said first and second device, anddetermining the level of allowed communication in dependence of whether the rule was satisfied,wherein the first proximity certificate comprises information when the first determined distance was determined.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Koninklijke Philips N.V.
Original Assignee
Koninklijke Philips Electronics N.V. (Koninklijke Philips N.V.)
Inventors
Staring, Antonius Adriaan Maria, Treffers, Menno Anne, Frimout, Emmanuel David Lucas Michael, Bernsen, Johannes Arnoldus Cornelis, Knibbeler, Charles Leonardus Corenlius Maria
Primary Examiner(s)
Popham, Jeffrey D
Assistant Examiner(s)
Gracia, Gary

Application Number

US11/575,314
Publication Number

US 20080250147A1
Time in Patent Office

2,577 Days
Field of Search

726/30
US Class Current

726/30
CPC Class Codes

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 2463/101   applying security measures ...

H04L 63/0492   by using a location-limited...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 67/52   specially adapted for the l...

H04L 67/535   Tracking the activity of th...

H04L 69/329   in the application layer [O...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04W 24/00   Supervisory, monitoring or ...

H04W 4/02   Services making use of loca...

H04W 4/029   Location-based management o...

H04W 72/00   Local resource management

H04W 88/14   Backbone network devices

Proximity check server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Proximity check server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others