Dynamic cryptographic subscriber-device identity binding for subscriber mobility
First Claim
1. A method of authentication and authorization over a communication system, comprising:
performing a first authentication of a device based on a set of device identity and credentials, said first authentication including creation of a first set of keying material;
performing a second authentication of a subscriber based on a set of subscriber identity and credentials, said second authentication including creation of a second set of keying material;
creating a set of compound key material with a key derivation mechanism that uses the first set of keying material and the second set of keying material;
creating a binding token by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material; and
exchanging the signed binding token for verification with an authenticating and authorizing party.
Abstract
A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound key material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party.
40 Claims
1. A method of authentication and authorization over a communication system, comprising:
performing a first authentication of a device based on a set of device identity and credentials, said first authentication including creation of a first set of keying material;
performing a second authentication of a subscriber based on a set of subscriber identity and credentials, said second authentication including creation of a second set of keying material;
creating a set of compound key material with a key derivation mechanism that uses the first set of keying material and the second set of keying material;
creating a binding token by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material; and
exchanging the signed binding token for verification with an authenticating and authorizing party.
Dependent claims: 2 to 24.
25. A network-enabled device for use in a communication system, comprising:
an authorization component configured to engage in a first authentication exchange to authenticate the device based on a set of device identity and credentials, and to engage in a second authentication exchange to authenticate a subscriber based on a set of subscriber identity and credentials, the authorization component including a key generating module configured to create a first set of keying material based on the first authentication exchange, a second set of keying material based on the second authentication exchange, and a set of compound key material with a key derivation mechanism that uses the first set of keying material and the second set of keying material;
the authorization component further including an encryption module configured to create a binding token by cryptographically signing at least one of the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material; and
a communication interface configured to exchange the signed binding token for verification with an authenticating and authorizing party.
Dependent claims: 26 to 30.
31. An authentication and authorization arrangement, comprising:
a physical device including a first authentication server configured to, in a first authentication, authenticate a device based on a set of device identity and credentials; and
a second authentication server configured to, in a second authentication, authenticate a subscriber based on a set of subscriber identity and credentials;
wherein the second authentication server is configured to verify a binding token created by cryptographically signing at least one of the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using a set of compound keying material derived using a first set of keying material created during authentication of the device and a second set of keying material created during authentication of the subscriber.
Dependent claims: 32 to 40.
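As an added example (not the patent's own code, nor any implementation of it), the flow from the abstract and the claims above in Python: the keying material from the device authentication and from the subscriber authentication feed a key derivation mechanism to form the compound key, the binding token is computed over both identities under that key, and the authenticating and authorizing party verifies it. The patent names no algorithms, so HKDF-SHA256 for the key derivation, HMAC-SHA256 as the "cryptographic signing", the identity encoding and the sample keying material are all assumptions made here.

```python
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with SHA-256: the assumed KDF."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, ctr = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), HASH).digest()
        okm, ctr = okm + block, ctr + 1
    return okm[:length]

def compound_key(device_keys: bytes, subscriber_keys: bytes) -> bytes:
    """Compound keying material from both sets; a party lacking either cannot derive it."""
    # Assumption: device material as HKDF salt, subscriber material as IKM.
    return hkdf(device_keys, subscriber_keys, b"device-subscriber-binding")

def _encode(device_id: str, subscriber_id: str) -> bytes:
    """Length-prefix each identity so ('ab','c') and ('a','bc') cannot collide."""
    out = b""
    for ident in (device_id, subscriber_id):
        raw = ident.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def binding_token(ckey: bytes, device_id: str, subscriber_id: str) -> bytes:
    """Binding token over the identity pair; assumed HMAC-SHA256 under the compound key."""
    return hmac.new(ckey, _encode(device_id, subscriber_id), HASH).digest()

def verify_binding(ckey: bytes, device_id: str, subscriber_id: str, token: bytes) -> bool:
    """Verifier recomputes the tag with its own compound key; constant-time compare."""
    return hmac.compare_digest(binding_token(ckey, device_id, subscriber_id), token)

# Constructed sample keying material standing in for the two authentications' outputs.
DEVICE_KEYS = bytes.fromhex("11" * 32)
SUBSCRIBER_KEYS = bytes.fromhex("22" * 32)

def demo() -> bool:
    ckey = compound_key(DEVICE_KEYS, SUBSCRIBER_KEYS)
    token = binding_token(ckey, "dev-0001", "sub@example.net")
    ok = verify_binding(ckey, "dev-0001", "sub@example.net", token)
    # Same subscriber on another device yields a different compound key: token rejected.
    other = compound_key(bytes.fromhex("33" * 32), SUBSCRIBER_KEYS)
    return ok and not verify_binding(other, "dev-0001", "sub@example.net", token)
```

Because the verifier must hold both sets of keying material to rebuild the compound key, a token presented from a device whose own authentication did not produce that material fails verification, which is the binding property the claims describe.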
Specification