Provision of secure communications connection using third party authentication

US 8,738,898 B2
Filed: 05/31/2007
Issued: 05/27/2014
Est. Priority Date: 06/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, wherein:

(i) the first device and the authentication server both have first device shared secret data (SSDa) shared by said authentication server and said first device but not shared with said second device;

(ii) the first device shared secret data (SSDa) is stored on a user-insertable and user-removable hardware module inserted into said first device or a proxy device which is able to communicate with said first device;

(iii) the second device and the authentication server both have second device shared secret data (SSDb) shared by said authentication server and said second device but not shared with said first device; and

(iv) the second device shared secret data (SSDb) is stored on a user-insertable and user-removable hardware module inserted into said second device or a proxy device which is able to communicate with said second device;

the method comprising;

receiving a request from the first device at the authentication server;

the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device;

the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device; and

the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to communications, and in particular though not exclusively to forming a secure connection between two untrusted devices. The present invention provides a method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb). The method comprises receiving a request from the first device at the authentication server; the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device; the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device; and the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).

86 Citations

View as Search Results

17 Claims

1. A method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, wherein:
- (i) the first device and the authentication server both have first device shared secret data (SSDa) shared by said authentication server and said first device but not shared with said second device;
  
  (ii) the first device shared secret data (SSDa) is stored on a user-insertable and user-removable hardware module inserted into said first device or a proxy device which is able to communicate with said first device;
  
  (iii) the second device and the authentication server both have second device shared secret data (SSDb) shared by said authentication server and said second device but not shared with said first device; and
  
  (iv) the second device shared secret data (SSDb) is stored on a user-insertable and user-removable hardware module inserted into said second device or a proxy device which is able to communicate with said second device;
  
  the method comprising;
  
  receiving a request from the first device at the authentication server;
  
  the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device;
  
  the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device; and
  
  the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, wherein the first device is a wireless client device and the second device is a wireless server wirelessly connected to the wireless client device.
  - 3. A method according to claim 1, wherein forwarding of the first and/or second device keys (K_A, K_B) and mutual authentication is achieved using the EAP-SIM protocol between the authentication server and the first device or the authentication server and the second device.
  - 4. A method according to claim 1, wherein the common key (K_AB) is encrypted using the first device key (K_A) and sent from the authentication server to the first device, and the common key (K_AB) is encrypted using the second device key (K_B) and sent from the authentication server to the second device.
  - 5. A method according to claim 1, wherein the common key (K_AB) is derived from the first device key (K_A) and sent from the authentication server to the second device encrypted using the second device key (K_B), and wherein the common key (K_AB) is generated by the first device in response to receiving a validation parameter (HMAC-PMK(N_A) dependent on the first device key (K_A) from the second device.
  - 6. A method according to claim 1, wherein the first and second devices send respective random nonce values (N_A, N_B) to the authentication server and which are used to generate the respective first and second device keys (KA, KB) and/or the first and second device processed random numbers (SSDa[RANDa], SSDb[RANDb]).
  - 7. A method according to claim 1, wherein forwarding of the first and/or second device keys (K_A, K_B) and mutual authentication is achieved using the EAP-SIM protocol between the authentication server and the first device and the authentication server and the second device.
  - 8. A method according to claim 2, wherein the second device and the authentication server establish a secure communications channel using a transport layer security protocol prior to forwarding of the request.
  - 9. A method according to claim 4, wherein the common key (K_AB) is concatenated by the authentication server with a first or second device concatenation number (SRES_A or SRES_B) known by the respective first or second device, prior to encryption with the first or second device key.
  - 10. A method according to claim 6, wherein the authentication server generates a first device nonce processed number (AT_MAC_RAND_A) dependent on the first device nonce (N_A), the first device shared secret data (SSDa), and the first device random number (RANDa), and wherein the first device random number (RANDa) is concatenated with the first device nonce processed number AT_MAC_RAND_A) and encrypted with the second device key (K_B) prior to forwarding to the second device which is arranged to decrypt the concatenated first device random number and first device nonce processed number prior to forwarding to the first device.

11. A method of operating an authentication server for securely connecting a first device (A) to a second device (B), wherein:
- the first device and the authentication server both have first device shared secret data (SSDa) shared by said authentication server and said first device but not shared with said second device;
  
  (ii) the first device shared secret data (SSDa) is stored on a user-insertable and user-removable hardware module inserted into said first device or a proxy device which is able to communicate with said first device;
  
  (iii) the second device and the authentication server both have second device shared secret data (SSDb) shared by said authentication server and said second device but not shared with said first device; and
  
  (iv) the second device shared secret data (SSDb) is stored on a user-insertable and user-removable hardware module inserted into said second device or a proxy device which is able to communicate with said second device;
  
  the method comprising;
  
  receiving a request from the first device;
  
  generating a first device random number (RANDa) and a first device key (K_A) using the first device random number (RANDa) and the first device shared secret data (SSDa), and forwarding the first device random number to the first device;
  
  generating a second device random number (RANDb) and a second device key (K_B) using the second device random number (RANDb) and the second device shared secret data (SSDb), and forwarding the second device random number (RANDb) to the second device; and
  
  the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).
- View Dependent Claims (12)
- - 12. A method according to claim 11, wherein communications with the first device are via a connection with the second device;
    - and further comprising establishing a secure communications channel using a transport layer security protocol with the second device prior to forwarding of the request.

13. A method of operating a second device (B) for securely connecting a first device (A) to the second device (B) using a third party authentication server (AS) coupled to the second device, wherein:
- (i) the first device and the authentication server both have first device shared secret data (SSDa) shared by said authentication server and said first device but not shared with said second device;
  
  (ii) the first device shared secret data (SSDa) is stored on a user-insertable and user-removable hardware module inserted into said first device or a proxy device which is able to communicate with said first device;
  
  (iii) the second device and the authentication server both have second device shared secret data (SSDb) shared by said authentication server and said second device but not shared with said first device; and
  
  (iv) the second device shared secret data (SSDb) is stored on a user-insertable and user-removable hardware module inserted into said second device or a proxy device which is able to communicate with said second device;
  
  the method comprising;
  
  generating a second device key (K_B) using the second device shared secret data in response to receiving a second device random number (RANDb) from the authentication server, wherein the second device shared secret data (SSDb) is stored on a removable module associated with the second device;
  
  receiving a common key (K_AB) from the authentication server encrypted using the second device key (K_B or K_WS); and
  
  communicating with the first device using the common shared key (K_AB).
- View Dependent Claims (14, 15)
- - 14. A method according to claim 13, further comprising authenticating the first device in response to receiving the common key (K_AB).
  - 15. A method according to claim 13, further comprising receiving a request from the first device and forwarding the request to the authentication server, and relaying subsequent communications between the authentication server and the first device.

16. A method of operating a first device (A) for securely connecting to a second device (B) using a third party authentication server (AS) coupled to the second device, wherein:
- (i) the first device and the authentication server both have first device shared secret data (SSDa) shared by said authentication server and said first device but not shared with said second device;
  
  (ii) the first device shared secret data (SSDa) is stored on a user-insertable and user-removable hardware module inserted into said first device or a proxy device which is able to communicate with said first device;
  
  (iii) the second device and the authentication server both have second device shared secret data (SSDb) shared by said authentication server and said second device but not shared with said first device; and
  
  (iv) the second device shared secret data (SSDb) is stored on a user-insertable and user-removable hardware module inserted into said second device or a proxy device which is able to communicate with said second device;
  
  the method comprising;
  
  sending a request to the authentication server;
  
  generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) received from the authentication server;
  
  authenticating the second device in response to receiving a common shared secret key (K_AB) from the authentication server encrypted using the first device shared secret key (K_A); and
  
  communicating with the second device using a secure connection between the first device and the second device which uses the common key (K_AB).
- View Dependent Claims (17)
- - 17. A method according to claim 16, wherein the request is sent via the second device to the authentication server prior to authentication of the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Herwono, Ian, Hodgson, Paul W
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Salehi, Helai

Application Number

US12/302,568
Publication Number

US 20090287922A1
Time in Patent Office

2,553 Days
Field of Search

713/155, 380247-250
US Class Current

713/155
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 2463/061   applying further key deriva...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 9/0822   using key encryption key

H04L 9/321   involving a third party or ...

H04L 9/3271   using challenge-response

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

Provision of secure communications connection using third party authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Provision of secure communications connection using third party authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links