Discovery of security associations
Abstract
Techniques are disclosed for discovering security associations formed in communication environments. For example, a method for forming a discoverable security association between a first computing device (e.g., a first client) and a second computing device (e.g., a second client) comprises the following steps. The first computing device is provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device. The secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device (e.g., an intercepting server) can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device. By way of example, the key may be a result of an identity based authenticated key exchange.
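The recomputation property the abstract describes, as an added example that is not code from the patent: once the first device's secret comes from a seeded generator, the session key is only as private as the seed. Plain Diffie-Hellman over a toy group stands in for the identity based authenticated key exchange, and the HMAC-based generator, the identifier, the seed value and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): integers modulo the prime 2**255 - 19.
P = 2**255 - 19
G = 2

# Provider-side record (constructed sample): identifier -> seed provisioned in the app.
PROVIDER_SEEDS = {"alice@example.com": b"constructed-seed-for-alice"}

def prng_secret(seed: bytes, session: int) -> int:
    """Seeded generator: the same seed and session counter always give the same secret."""
    block = hmac.new(seed, b"secret" + session.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(block, "big") % (P - 2) + 1

def public_value(secret: int) -> int:
    return pow(G, secret, P)

def session_key(own_secret: int, peer_public: int) -> bytes:
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def run_exchange(identifier: str, session: int):
    """First device uses the seeded generator; second device uses fresh randomness."""
    x = prng_secret(PROVIDER_SEEDS[identifier], session)   # first device
    y = secrets.randbelow(P - 2) + 1                       # second device, no seed
    wire = {"a_pub": public_value(x), "b_pub": public_value(y)}
    key_a = session_key(x, wire["b_pub"])
    key_b = session_key(y, wire["a_pub"])
    return key_a, key_b, wire

def recompute_key(identifier: str, session: int, wire: dict):
    """Seed holder rebuilds the first device's secret, then the key, from wire values."""
    x = prng_secret(PROVIDER_SEEDS[identifier], session)
    if public_value(x) != wire["a_pub"]:
        return None                     # wrong seed or session: nothing recovered
    return session_key(x, wire["b_pub"])

if __name__ == "__main__":
    key_a, key_b, wire = run_exchange("alice@example.com", 7)
    print("endpoints agree:     ", key_a == key_b)
    print("seed holder recovers:", recompute_key("alice@example.com", 7, wire) == key_a)
```

Neither endpoint can tell from the exchanged values that the key was recomputed, which is why the origin and handling of generator seeds belongs in a threat model for any client that receives a provisioned application.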
22 Claims
1. A method for forming a discoverable security association between a first computing device and a second computing device, comprising:
obtaining, by the first computing device, an application program comprising a pseudo-random number generator from a fourth computing device, the application program being provisioned with a seed, the seed being associated with an identifier associated with the first computing device; and
using, by the first computing device, the pseudo-random number generator to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device;
wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device is configured to use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device;
wherein the second computing device does not have knowledge of the seed or the secret; and
wherein the third computing device comprises an intercepting server and the fourth computing device comprises a server operated by a provider.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 22

13. A method for discovering a security association formed between a first computing device and a second computing device, comprising:
obtaining, by a third computing device, a secret from a fourth computing device, wherein the secret is the same secret generated by the first computing device, wherein the first computing device generated the secret utilizing an application program provided thereto by the fourth computing device, the application program comprising a pseudo-random number generator provisioned with a seed associated with an identifier associated with the first computing device, wherein the first computing device used the seed to generate the secret and used the secret to compute a key for use in securing communications with the second computing device, and wherein the second computing device does not have knowledge of the seed or the secret;
requesting, by the third computing device from a fifth computing device, one or more of respective private keys associated with the first computing device and the second computing device;
re-computing, by the third computing device, the key based on the secret in order to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device;
wherein the third computing device comprises an intercepting server, the fourth computing device comprises a server operated by a provider and the fifth computing device comprises a key management server.
Dependent claims: 14, 15, 16, 17, 18, 19

20. Apparatus for forming a discoverable security association between a first computing device and a second computing device, comprising:
a memory; and
a processor device coupled to the memory and configured such that:
the first computing device obtains an application program comprising a pseudo-random number generator from a fourth computing device, the application program being provisioned with a seed, the seed being associated with an identifier associated with the first computing device; and
the first computing device uses the pseudo-random number generator to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device;
wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device is configured to use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device;
wherein the second computing device does not have knowledge of the seed or the secret; and
wherein the third computing device comprises an intercepting server and the fourth computing device comprises a server operated by a provider.

21. Apparatus for discovering a security association formed between a first computing device and a second computing device, comprising:
a memory; and
a processor device coupled to the memory and configured such that:
a third computing device obtains a secret from a fourth computing device, wherein the secret is the same secret generated by the first computing device, wherein the first computing device generated the secret utilizing an application program provided thereto by the fourth computing device, the application program comprising a pseudo-random number generator provisioned with a seed associated with an identifier associated with the first computing device, wherein the first computing device used the seed to generate the secret and used the secret to compute a key for use in securing communications with the second computing device;
the third computing device requests from a fifth computing device one or more of respective private keys associated with the first computing device and the second computing device; and
the third computing device re-computes the key based on the secret in order to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device, and wherein the second computing device does not have knowledge of the seed or the secret;
wherein the third computing device comprises an intercepting server, the fourth computing device comprises a server operated by a provider and the fifth computing device comprises a key management server.

Specification