Local security key generation

US 9,270,453 B2
Filed: 06/30/2011
Issued: 02/23/2016
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

obtaining, by a calling device, a first calling security parameter by registering with a network;

obtaining, by the calling device, a second calling security parameter in response to causing an application authentication architecture of the network to verify that the calling device is authorized to access a network service corresponding to a communication application stored by the calling device;

communicating the first calling security parameter and the second calling security parameter to a called device;

receiving a first called security parameter and a second called security parameter from the called device in response to communicating the first calling security parameter and the second calling security parameter;

generating a security key based on the first calling security parameter, the second calling security parameter, the first called security parameter, and the second called security parameter; and

using the security key to encrypt or decrypt communication between the calling device and the called device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A calling device may obtain a first calling security parameter by registering with a network and obtain a second calling security parameter in response to causing an application authentication architecture of the network to verify that that the calling device is authorized to access a network service corresponding to a communication application stored by the calling device. The calling device may communicate the first and second calling security parameters to a called device and receive first and second called security parameters from the called device in response to communicating the first and second calling security parameters. The calling device may generate a security key based on the first calling security parameter, the second calling security parameter, first called security parameter, and the second called security parameter, and use the security key to encrypt or decrypt communication between the calling device and the called device.

42 Citations

View as Search Results

22 Claims

1. A method, comprising:
- obtaining, by a calling device, a first calling security parameter by registering with a network;
  
  obtaining, by the calling device, a second calling security parameter in response to causing an application authentication architecture of the network to verify that the calling device is authorized to access a network service corresponding to a communication application stored by the calling device;
  
  communicating the first calling security parameter and the second calling security parameter to a called device;
  
  receiving a first called security parameter and a second called security parameter from the called device in response to communicating the first calling security parameter and the second calling security parameter;
  
  generating a security key based on the first calling security parameter, the second calling security parameter, the first called security parameter, and the second called security parameter; and
  
  using the security key to encrypt or decrypt communication between the calling device and the called device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - establishing a communication session with the called device; and
      
      using the security key to encrypt information communicated to the called device and decrypt information received from the called device during the communication session.
  - 3. The method of claim 1, further comprising:
    - obtaining a third calling security parameter comprising a data structure used to demonstrate to the application authentication architecture that the calling device is authorized to use the communication application to establish a communication session within the network; and
      
      communicating the third calling security parameter to the called device with the first calling security parameter and the second calling security parameter.
  - 4. The method of claim 3, further comprising:
    - receiving a third called security parameter, from the called device, with the first called security parameter and the second called security parameter, where the third called security parameter comprises a data structure used to demonstrate to the application authentication architecture that the called device is authorized to use a communication application that corresponds to the communication application of the calling device.
  - 5. The method of claim 1, where the first calling security parameter comprises a data structure identifying a network session associated with the calling device upon registering with the network.
  - 6. The method of claim 1, where:
    - the first called security parameter comprises a data structure identifying a network session associated with the called device upon registering with the network, andthe second called security parameter comprises a security parameter type and security parameter format consistent with the second calling security parameter.
  - 7. The method of claim 1, where communicating the first calling security parameter and the second calling security parameter comprises sending a session communication invitation, comprising the first and second calling security parameters, to the called device.
  - 8. The method of claim 1, where generating the security key comprises executing a key generation function, where:
    - an input of the key generation function comprises the first calling security parameter, the second calling security parameter, the first called security parameter, and the second called security parameter, andan output of the key generation function is the security key.
  - 9. The method of claim 8, where the key generation function comprises a key derivation function (KDF) that is identical to a KDF used by the called device to generate security keys.
  - 10. The method of claim 1, where:
    - the network comprises an Internet Protocol (IP) multimedia subsystem (IMS) network,the application authentication architecture comprises a generic bootstrap architecture (GBA) of the IMS network, andthe second calling security parameter comprises a bootstrap transaction identifier (B-TID).

11. A first device, comprising:
- a memory to;
  
  store a communication application to enable the first device to establish a first communication session with a second device using a selected network service, andstore a first key generation function to enable the first device to generate a security key; and
  
  a processor, connected to the memory, to;
  
  register the first device with a network, where registering with the network comprises receiving a first network session identifier from the network,communicate with an application authentication architecture of the network to demonstrate that the first device is authorized to use the selected network service, where communicating with the application authentication architecture comprises receiving a first transaction identifier from the application authentication architecture,communicate the first network session identifier and the first transaction identifier to the second device,receive a second network session identifier and a second transaction identifier from the second device, andexecute the first key generation function to generate a security key based on the first network session identifier, the first transaction identifier, the second network session identifier, and the second transaction identifier.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The first device of claim 11, where the first device obtains access to at least one network service, other than the selected network service, upon registering with the network.
  - 13. The first device of claim 11, where the processor is to:
    - establish a communication session, with the second device, using the selected network service, anduse the security key to encrypt information sent to the second device via the selected network service and decrypt information received from the second device via the network service.
  - 14. The first device of claim 11, where the processor is to:
    - obtain a first data structure used to demonstrate to the application authentication architecture of the network that the first device is authorized to use the communication application to establish a communication session within the network, andcommunicate the first data structure, to the second device, the first network session identifier and the first transaction identifier.
  - 15. The first device of claim 14, where the first transaction identifier comprises a data structure that associates the first device with a first authentication process, performed by the application authentication architecture, to verify that the first device is authorized to use the communication application.
  - 16. The first device of claim 14, where the processor is to:
    - receive a second data structure, from the second device, with the second network session identifier and the second transaction identifier, where the second data structure comprises information used to demonstrate to the application authentication architecture that the second device is authorized to use a communication application that corresponds to the communication application stored by the first device.
  - 17. The first device of claim 11, where the second transaction identifier comprises a data structure that associates the second device with a second authentication process, performed by the application authentication architecture, to verify that the second device is authorized to use a communication application that corresponds to the communication application stored by the first device.
  - 18. The first device of claim 11, where, to communicate the first network session identifier and the first transaction identifier to the second device, the processor is to:
    - generate a communication session invitation directed to the second device,include the first network session identifier and the first transaction identifier in the communication session invitation, andsend the communication session invitation to the second device.
  - 19. The first device of claim 11, where:
    - the network comprises an Internet Protocol (IP) multimedia subsystem (IMS) network, andthe application authentication architecture comprises a generic bootstrap architecture (GBA) of the IMS network.

20. A non-transitory computer-readable medium storing a program for causing a first device to perform a method, the method comprising:
- obtaining a first security parameter by communicating with a generic bootstrapping architecture (GBA) to demonstrate that the first device is authorized to use a selected network communication service for establishing a communication session within a network, where the first security parameter is generated by the GBA to associate the first device with a first GBA authentication process;
  
  obtaining a second security parameter from a second device in response to communicating the first security parameter to the second device, where the second security parameter is obtained by the second device by communicating with the GBA to demonstrate that the second device is authorized to use the selected network communication service, where the second security parameter is generated by the GBA to associate the second device with a second GBA authentication process;
  
  generating a security key based on the first security parameter and the second security parameter; and
  
  using the security key to establish an encrypted communication session, using the selected network communication service, with the second device.
- View Dependent Claims (21, 22)
- - 21. The computer-readable medium of claim 20, where the method further comprises:
    - obtaining a third security parameter by registering with the network, where;
      
      registering with the network enables the first device to communicate with the GBA, andthe third security parameter is generated by a network registration architecture of the network to identify a network session associated with the first device; and
      
      generating the security key based on the first security parameter, the second security parameter, and the third security parameter.
  - 22. The computer-readable medium of claim 20, where:
    - the network comprises an Internet Protocol (IP) multimedia subsystem (IMS) network, andthe network communication service corresponds to a voice over IP (VoIP) communication service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
King, William C, Lau, Priscilla, Lee, Kwai Yeung
Primary Examiner(s)
Abbaszadeh, Jaweed A
Assistant Examiner(s)
Johnson, Terrell

Application Number

US13/174,644
Publication Number

US 20130007434A1
Time in Patent Office

1,699 Days
Field of Search

713/2, 380/44
US Class Current

1/1
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 9/0866   involving user or device id...

Local security key generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Local security key generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links