Bootstrapping authentication using distinguished random challenges

US 8,611,536 B2
Filed: 09/02/2005
Issued: 12/17/2013
Est. Priority Date: 09/08/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A mobile station for communicating in a wireless communications network, comprising:

a receiver configured to receive at least one authentication data parameter forming a first challenge value from the wireless communications network;

a memory configured to store a reserved challenge value, wherein the reserved challenge value is not transferred over a wireless communication link between the mobile station and the wireless communications network and is not used for initial authentication procedures;

a first processing circuit configured to store a secret key, to generate a first key based on the at least one received authentication data parameter and the secret key, and to generate a second key based on the reserved challenge value and the secret key and independent of data received over the wireless communication link; and

a second processing circuit configured to generate a third key, to use in the communication between the mobile station and the wireless communications network, using at least the first and second keys.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communications system and method of bootstrapping mobile station authentication and establishing a secure encryption key are disclosed. In one embodiment of the communications network, a distinguished random challenge is reserved for generation of a secure encryption key, wherein the distinguished random challenge is not used for authentication of a mobile station. The distinguished random challenge is stored at a mobile station'"'"'s mobile equipment and used to generate a secure encryption key, and a bootstrapping function in the network uses a normal random challenge to authenticate the mobile station and the distinguished random challenge to generate the secure encryption key.

Citations

23 Claims

1. A mobile station for communicating in a wireless communications network, comprising:
- a receiver configured to receive at least one authentication data parameter forming a first challenge value from the wireless communications network;
  
  a memory configured to store a reserved challenge value, wherein the reserved challenge value is not transferred over a wireless communication link between the mobile station and the wireless communications network and is not used for initial authentication procedures;
  
  a first processing circuit configured to store a secret key, to generate a first key based on the at least one received authentication data parameter and the secret key, and to generate a second key based on the reserved challenge value and the secret key and independent of data received over the wireless communication link; and
  
  a second processing circuit configured to generate a third key, to use in the communication between the mobile station and the wireless communications network, using at least the first and second keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The mobile station of claim 1, wherein the second processing circuit is configured to encrypt communication transmissions using the third key.
  - 3. The mobile station of claim 1, wherein the at least one received authentication data parameter comprises a random or pseudo-random number that changes for different communication sessions between the mobile station and the wireless communications network.
  - 4. The mobile station of claim 3, wherein a mobile equipment in the mobile station is configured to reject an authentication request containing the reserved challenge value.
  - 5. The mobile station of claim 1, wherein the first processing circuit is configured to generate an authentication response using the at least one received authentication data parameter and the secret key.
  - 6. The mobile station of claim 5, wherein the mobile station is configured to send the authentication response over a wireless communication channel for authentication of the mobile station.
  - 7. The mobile station of claim 1, wherein the first processing circuit comprises a secure integrated circuit.
  - 8. The mobile station of claim 7, wherein the first processing circuit comprises a subscriber identity module (SIM).

9. A mobile element of a wireless communications network, the wireless communications network comprising a plurality of mobile elements and a plurality of network elements communicating with the mobile elements,wherein the mobile element is configured to authenticate itself to the wireless communications network by responding to a challenge value presented to the mobile element by a network element of the wireless communications network during a challenge response authentication procedure, andwherein the mobile element comprises a memory configured to store a reserved challenge value used in combination with a secret key stored in a secure integrated circuit to generate a key independent of data received over a wireless communication link between the mobile element and the network element, where the key is used in communication between the mobile element and a network element, wherein the reserved challenge value is not transferred over the wireless communication link between the mobile element and the network element and is not used for initial authentication procedures.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The mobile element of claim 9, wherein the secure integrated circuit is configured to generate sets of one or more keys in response to challenge values using at least the secret key.
  - 11. The mobile element of claim 10, wherein the secure integrated circuit is configured to generate a signed response and an encryption key in response to the challenge value.
  - 12. The mobile element of claim 11, wherein the secure integrated circuit comprises a subscriber identity module (SIM).
  - 13. The mobile element of claim 12, wherein the mobile element is configured to communicate in a GSM communications network.
  - 14. The mobile element of claim 12, wherein the mobile element is configured to communicate in a local area network.

15. A method of creating keys in a communication network that uses a challenge response authentication procedure, the method comprising:
- receiving at least one authentication challenge value, wherein the authentication challenge value is used in the challenge response authentication procedure;
  
  reserving at least one challenge value in a memory of a mobile unit, wherein the reserved challenge value is not used for initial authentication procedures and is not transferred over a wireless communication link between mobile units and network elements within the communication network; and
  
  generating session keys with the mobile unit to be used in communication between the mobile unit and network elements within the communication network, the session keys being generated using a first key and a second key, wherein the first key is generated by a secure integrated circuit based on the at least one authentication challenge value in combination with a secret key stored in the secure integrated circuit and the second key is generated by the secure integrated circuit based on the reserved challenge value in combination with the secret key and independent of data received over the wireless communication link.

16. A method of generating a key at a mobile station for securing communication between the mobile station and a network element, the method comprising:
- receiving a first challenge value as part of a challenge response authentication procedure from the network element at the mobile station;
  
  sending the first challenge value to a secure integrated circuit;
  
  generating a first key using at least the first challenge value and a secret key stored at the secure integrated circuit;
  
  sending the first key to the network element for authentication;
  
  sending a reserved challenge value to the secure integrated circuit, wherein the reserved challenge value is stored in a memory of the mobile station and is not transferred over a wireless communication link between the mobile station and the network element and is not used for initial authentication procedures;
  
  generating a second key using at least the reserved challenge value and the secret key and independent of data received over the wireless communication link;
  
  generating the key for secure communication using at least the first key and at least the second key.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, wherein a value of the first key sent to a network element comprises a signed response (SRES).
  - 18. The method of claim 16, wherein the first key comprises an encryption key.
  - 19. The method of claim 16, wherein the second key comprises an encryption key.
  - 20. The method of claim 16, further comprising generating, with the secure integrated circuit, a signed response and an encryption key for each authentication challenge value sent to a processing circuit.
  - 21. The method of claim 16, wherein the first challenge value is a random or pseudo-random number.

22. A mobile station in a communications network, the mobile station comprising:
- means for receiving an authentication challenge value as part of a challenge response authentication procedure from the communications network;
  
  means for generating a first key using the received authentication challenge value and a secret key stored in a secure integrated circuit;
  
  means for generating a second key in response to using the secret key and a distinguished authentication challenge value stored in a memory of the mobile station and independent of data received over a wireless communication link between the mobile station and the communications network, the distinguished authentication challenge value employed in generating keys to be used in communication between the mobile station and a network element, wherein the distinguished authentication challenge value is not transferred over the wireless communication link between the mobile station and the communications network and is not used for initial authentication procedures; and
  
  means for generating a third key using at least the first key and at least the second key.

23. A non-transitory machine-readable medium comprising instructions for a mobile station for communicating in a wireless communications network, which when executed by at least one processor causes the at least one processor to:
- receive at least one authentication data parameter forming a first challenge value from the wireless communications network;
  
  generate a first key based on the at least one received authentication data parameter and a secret key that is stored in a first processing circuit;
  
  generate a second key based on a reserved challenge value and the secret key and independent of data received over a wireless communications network between the mobile station and the wireless communications network, the reserved challenged value is stored in memory and is not transferred over the wireless communication link and is not used for initial authentication procedures; and
  
  generate a third key, to use in the communication between the mobile station and the wireless communications network, using at least the first and second keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Semple, James, Rose, Gregory G., Paddon, Michael, Hawkes, Philip Michael
Primary Examiner(s)
McNally, Michael S

Application Number

US11/218,885
Publication Number

US 20060120531A1
Time in Patent Office

3,028 Days
Field of Search

380 44- 45, 380247-249, 380/255, 380/270, 380/277, 380/279, 380/286, 713168-169, 455410-411, 455/433
US Class Current

380/270
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/081   applying self-generating cr...

H04L 63/06   for supporting key manageme...

H04L 63/0869   for achieving mutual authen...

H04L 9/3271   using challenge-response

H04W 12/033   of the user plane, e.g. use...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 88/02   Terminal devices

Bootstrapping authentication using distinguished random challenges

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Bootstrapping authentication using distinguished random challenges

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links