Method for producing key material for use in communication with network

US 8,582,762 B2
Filed: 09/16/2005
Issued: 11/12/2013
Est. Priority Date: 05/26/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

producing, by a mobile station, authentication information by performing an authentication procedure with a communication system, the authentication procedure performed through a path external to a second system;

exchanging, by the mobile station and through a route external to the communication system, key generation information comprising a shared secret with the second system and wherein the shared secret is not known to the communication system, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;

issuing an error message and interrupting said exchanging by the second system, if a delay of said transmission received by the second system exceeds a threshold value; and

generating, by the mobile station, a communication key to communicate with the second system using at least in part the authentication information and the key generation information to establish a communication of the mobile station with the second system using said communication key generated by the mobile station and a second communication key generated by the second system using at least in part the key generation information and said authentication information requested and received by said second system from the communication system,wherein the communication system comprises at least one base station and the second system comprises at least one server node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention relates to security procedures in a communication system, specifically to production of key material. The invention provides a method for producing key material in a highly secure way for use in communication with a local network of a company. The method uses authentication information obtained from the communication system and information exchanged locally between a mobile station and the authentication systems of the company to produce a communication key for use in authentication procedures or e.g. for signing and/or encrypting data.

8 Citations

View as Search Results

35 Claims

1. A method, comprising:
- producing, by a mobile station, authentication information by performing an authentication procedure with a communication system, the authentication procedure performed through a path external to a second system;
  
  exchanging, by the mobile station and through a route external to the communication system, key generation information comprising a shared secret with the second system and wherein the shared secret is not known to the communication system, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;
  
  issuing an error message and interrupting said exchanging by the second system, if a delay of said transmission received by the second system exceeds a threshold value; and
  
  generating, by the mobile station, a communication key to communicate with the second system using at least in part the authentication information and the key generation information to establish a communication of the mobile station with the second system using said communication key generated by the mobile station and a second communication key generated by the second system using at least in part the key generation information and said authentication information requested and received by said second system from the communication system,wherein the communication system comprises at least one base station and the second system comprises at least one server node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - encrypting an identification code with the communication key generated by the mobile station; and
      
      transmitting the encrypted identification code.
  - 3. The method of claim 1, further comprising:
    - encrypting a password with the communication key generated by the mobile station; and
      
      transmitting the encrypted password.
  - 4. The method of claim 1, wherein:
    - the communication key is generated based at least in part on time information.
  - 5. The method of claim 1, wherein:
    - the key generation information comprises a password.
  - 6. The method of claim 1, wherein:
    - the key generation information comprises seed information for a sequence;
      
      the generating a communication key comprises generating a next item in the sequence; and
      
      the communication key is generated based at least in part on the generated next item.
  - 7. The method of claim 1, wherein:
    - the authentication procedure performed in the producing the authentication information is a generic authentication architecture authentication procedure.
  - 8. The method of claim 1, wherein:
    - the authentication information is produced based at least in part on a salt value.
  - 9. The method of claim 1, wherein the shared secret comprises at least one of:
    - a personal identification number, a password, or a random seed value for a sequence.

10. A method, comprising:
- requesting and receiving, by a second system, authentication information related to a mobile station from an authentication node of a communication system;
  
  exchanging by the second system, through a route external to the communication system, key generation information comprising a shared secret with the mobile station, wherein the shared secret is not known to the communication system and comprises at least one of;
  
  a personal identification number, a password, or a random seed value for a sequence, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;
  
  issuing an error message and interrupting said exchanging by the second system, if a delay of said transmission received by the second system exceeds a threshold value; and
  
  generating a communication key by the second system to communicate with the mobile station using at least in part the authentication information and the key generation information, wherein the communication system comprises at least one base station and-the second system comprises at least one server node.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, comprising:
    - decrypting an identification code with the generated communication key; and
      
      verifying correctness of the decrypted identification code.
  - 12. The method of claim 10, comprising:
    - decrypting a password with the generated communication key; and
      
      verifying correctness of the decrypted password.
  - 13. The method of claim 10, wherein:
    - the communication key is generated based at least in part on time information.
  - 14. The method of claim 10, wherein the exchanging the key generation information comprises exchanging a password.
  - 15. The method of claim 10, wherein:
    - the key generation information comprises seed information for a sequence;
      
      the generating a communication key comprises generating a next item in the sequence; and
      
      the communication key is generated based at least in part on the generated next item.
  - 16. The method of claim 10, wherein exchanging, through a route external to the communication system, key generation information comprising a shared secret further comprises exchanging by the mobile station at least the shared secret using one of an infrared connection or a Bluetooth connection to the second system via a network and wherein the mobile station is configured to communicate directly with the communication system.
  - 17. The method of claim 10, wherein exchanging, through a route external to the communication system, key generation information comprising a shared secret with the mobile station further comprises having a user input the shared secret via a keypad of the mobile station.

18. A non-transitory computer-readable storage medium encoded with instructions configured to control a processor to perform a process, the process comprising:
- producing authentication information by performing an authentication procedure between a mobile station and a communication system, the authentication procedure performed through a path external to a second system;
  
  exchanging between the mobile station and the second system, through a route external to the communication system, key generation information comprising a shared secret with the second system, wherein the shared secret is not known to the communication system, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;
  
  issuing an error message and interrupting said exchanging by the second system, if a delay of said transmission received by the second system exceeds a threshold value; and
  
  generating a communication key by the mobile station to communicate with the second system based at least in part on the authentication information and the key generation information to establish a communication of the mobile station with the second system using said communication key generated by the mobile station and a second communication key generated by the second system using at least in part the key generation information and said authentication information requested and received by said second system from the communication system, wherein the communication system comprises at least one base station and the second system comprises at least one server node.

19. A non-transitory computer-readable storage medium encoded with instructions configured to control a processor to perform a process, the process comprising:
- requesting and receiving by a second system, authentication information related to a mobile station from an authentication node of a communication system;
  
  exchanging between the mobile station and the second system, through a route external to the communication system, key generation information comprising a shared secret with the mobile station, wherein the shared secret is not known to the communication system and comprises a personal identification number, a password, or a random seed value for a sequence, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;
  
  issuing an error message and interrupting said exchanging by the second system, if a delay of said transmission received by the second system exceeds a threshold value; and
  
  generating a communication key for communication of the second system with the mobile station using at least in part the authentication information and the key generation information, wherein the communication system comprises at least one base station and the second system comprises at least one server node.

20. A mobile station, comprising:
- a processor; and
  
  a memory including computer program code,the memory and the computer program code configured to, with the processor, cause the mobile station at least toproduce authentication information by performing an authentication procedure with a communication system, the authentication procedure performed through a path external to a second system,perform exchanging, through a route external to the communication system, key generation information comprising a shared secret with the second system, wherein the shared secret is not known to the communication system, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;
  
  issuing an error message and interrupting said exchanging by the second system, if a delay of said transmission received by the second system exceeds a threshold value, andgenerate a communication key to communicate with the second system based at least in part on the authentication information and the key generation information to establish a communication of the mobile station with the second system using said communication key generated by the mobile station and a second communication key generated by the second system using at least in part the key generation information and said authentication information requested and received by said second system from the communication system, wherein the communication system comprises at least one base station and the second system comprises at least one server node.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The mobile station of claim 20, wherein the memory and the computer program code are further configured to, with the processor, cause the mobile station at least to:
    - encrypt an identification code with the communication key generated by the mobile station; and
      
      transmit the encrypted identification code.
  - 22. The mobile station of claim 20, wherein the memory and the computer program code are further configured to, with the processor, cause the mobile station at least to:
    - generate the communication key based at least in part on time information.
  - 23. The mobile station of claim 20, wherein the memory and the computer program code are further configured to, with the processor, cause the mobile station at least to:
    - generate a sequence based on seed information in the key generation information; and
      
      generate the communication key based at least in part on an item generated by the sequence generator.
  - 24. The mobile station of claim 20, wherein the mobile station is part of a wireless communication system.

25. An apparatus, comprising:
- a processor; and
  
  a memory including computer program code,the memory and the computer program code configured to, with the processor, cause the apparatus at least torequest authentication information related to a mobile station, the authentication information being received from an authentication node of a wireless communication system,perform exchanging between the mobile station and a second system comprising said apparatus, through a route external to the wireless communication system, key generation information comprising a shared secret with the mobile station, wherein the shared secret is not known to the wireless communication system and comprises at least one of;
  
  a personal identification number, a password, or a random seed value for a sequence, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;
  
  issuing an error message and interrupting said exchanging by the second system, if a delay of said transmission received by the second system exceeds a threshold value; and
  
  generate a communication key for communication of the second system with the mobile station based at least in part on the authentication information and the key generation information, wherein the wireless communication system comprises at least one base station and the second system comprises at least one server node.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The apparatus of claim 25, wherein the memory and the computer program code are further configured to, with the processor, cause the apparatus at least to:
    - decrypt an identification code with a generated communication key; and
      
      verify correctness of a decrypted identification code.
  - 27. The apparatus of claim 25, wherein the memory and the computer program code are further configured to, with the processor, cause the apparatus at least to:
    - generate a communication key based at least in part on time information.
  - 28. The apparatus of claim 25, wherein the memory and the computer program code are further configured to, with the processor, cause the apparatus at least to:
    - generate a sequence based on seed information in the key generation information; and
      
      generate a communication key based at least in part on an item generated by the apparatus.
  - 29. The apparatus of claim 25, wherein the apparatus comprises a functionality of a network application function node for a wireless communication system.
  - 30. The apparatus of claim 25, wherein exchanging, through a route external to the wireless communication system, key generation information comprising a shared secret further comprises exchanging by the mobile station at least the shared secret using one of an infrared connection or a Bluetooth connection to the second system via a network and wherein the mobile station is configured to communicate directly with the communication system.
  - 31. The apparatus of claim 25, wherein exchanging, through a route external to the wireless communication system, key generation information comprising a shared secret with the mobile station further comprises having a user input the shared secret via a keypad of the mobile station.

32. A system, comprising:
- a mobile station;
  
  a controller in the mobile station configured to produce authentication information by performing an authentication procedure with a first authentication node associated with a first communication system through a path external to a second communication system;
  
  a controller in the mobile station configured to perform exchanging key generation information with a controller in a second authentication node associated with the second communication system through a route external to the first communication system, said exchanging the key generation information comprises providing a time value of a transmission initiated by the mobile station for performing at least one of;
  
  issuing an error message and interrupting said exchanging by the second communication system, if a delay of said transmission received by the second communication system exceeds a threshold value;
  
  a requester in the second authentication node configured to request authentication information related to the mobile station from the first authentication node;
  
  wherein the key generation information comprises a shared secret with the mobile station, wherein the shared secret is not known by the first communication system and comprises at least one of;
  
  a personal identification number, a password, or a random seed value for a sequence; and
  
  a key generator in the second authentication node configured to generate a communication key based at least in part on the authentication information and the key generation information to establish a communication of the second communication system with the mobile station using said communication key generated in the second authentication node and a communication key generated by the mobile station using at least in part the key generation information and said authentication information, wherein the first communication system comprises at least one base station and the second communication system comprises at least one server node.
- View Dependent Claims (33, 34, 35)
- - 33. The system of claim 32, wherein:
    - the first communication system is a wireless communication network.
  - 34. The system of claim 32, further comprising:
    - the second communication system is a local area network.
  - 35. The system of claim 32, further comprising:
    - a key generator in the mobile station configured to generate a communication key based at least in part on the authentication information and the key generation information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Holtmanns, Silke, Laitinen, Pekka, Ginzboorg, Philip, Miettinen, Kari, Rajaniemi, Jaakko
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US11/227,235
Publication Number

US 20060271785A1
Time in Patent Office

2,979 Days
Field of Search

713/150, 713/161, 713/168, 713170-171, 713/178, 726 2- 6, 726 26- 30, 380/247, 380/255, 380259-262, 380/270, 380/273, 380 36- 37, 380/278, 380/279, 380/283, 380/44, 709/229, 709/249, 455/411, 455/426
US Class Current

380/44
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/083   using passwords cryptograph...

H04L 9/0844   with user authentication or...

H04L 9/0861   Generation of secret inform...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 84/10   Small scale networks; Flat ...

Method for producing key material for use in communication with network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method for producing key material for use in communication with network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links