Method and apparatus for binding subscriber authentication and device authentication in communication systems

US 9,385,862 B2
Filed: 06/15/2011
Issued: 07/05/2016
Est. Priority Date: 06/16/2010
Status: Active Grant

First Claim

Patent Images

1. A method operational in a device, comprising:

performing subscriber authentication with a network entity based on a subscriber authentication key;

performing device authentication of the device with the network entity to obtain device authentication data, wherein the device authentication data is obtained based on a challenge received by the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;

generating a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and

using the security key to secure communications between the device and a serving network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication method is provided between a device (e.g., a client device or access terminal) and a network entity. A removable storage device may be coupled to the device and stores a subscriber-specific key that may be used for subscriber authentication. A secure storage device may be coupled to the device and stores a device-specific key used for device authentication. Subscriber authentication may be performed between the device and a network entity. Device authentication may also be performed of the device with the network entity. A security key may then be generated that binds the subscriber authentication and the device authentication. The security key may be used to secure communications between the device and a serving network.

70 Citations

View as Search Results

49 Claims

1. A method operational in a device, comprising:
- performing subscriber authentication with a network entity based on a subscriber authentication key;
  
  performing device authentication of the device with the network entity to obtain device authentication data, wherein the device authentication data is obtained based on a challenge received by the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  generating a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  using the security key to secure communications between the device and a serving network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein subscriber authentication is performed by a first authentication server that is part of the network entity, and device authentication is performed by a second authentication server that is part of the network entity.
  - 3. The method of claim 1, wherein device authentication is performed by:
    - receiving data from the network entity that is encrypted with a public key of the device;
      
      using a corresponding private key to decrypt the encrypted data; and
      
      subsequently proving to the network entity that the device has knowledge of the data.
  - 4. The method of claim 1, further comprising:
    - sending an attach request from the device to the network entity, the attach request including an indication that the device is capable of device authentication.
  - 5. The method of claim 1, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 6. The method of claim 1, wherein subscriber authentication and device authentication are concurrently performed in message exchanges in which subscriber authentication and device authentication are combined.
  - 7. The method of claim 1, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 8. The method of claim 1, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 9. The method of claim 1, wherein the device is a relay node that appears as an access terminal to the network entity and appears as a network device to one or more access terminals.
  - 10. The method of claim 1, wherein the security key is separately generated by the device and the network entity.
  - 11. The method of claim 1, further comprising:
    - provisioning a subscriber-specific key as part of a service agreement, where the subscriber-specific key is used for the subscriber authentication; and
      
      provisioning a device-specific key in the device during manufacturing, where the device-specific key is used for the device authentication.
  - 12. The method of claim 1, wherein the device authentication is performed subsequent to, or concurrently with, the subscriber authentication.
  - 13. The method of claim 1, wherein the challenge includes an identifier and the method further includes:
    - receiving a command from the network entity that includes the identifier; and
      
      generating additional security keys based on the security key and the identifier.
  - 14. The method of claim 1, wherein the device authentication is performed subsequent to the subscriber authentication.
  - 15. The method of claim 1, wherein the subscriber authentication is performed based on a subscriber authentication key obtained using a subscriber identity or key stored with the device.

16. A device, comprising:
- a communication interface; and
  
  a processing circuit coupled to the communication interface, the processing circuit adapted to;
  
  perform subscriber authentication with a network entity based on a subscriber authentication key;
  
  perform device authentication of the device with the network entity to obtain device authentication data, wherein the device authentication data is obtained based on a challenge received by the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  generate a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the device and a serving network.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The device of claim 16, wherein device authentication is based on a challenge-response exchange between the device and the network entity.
  - 18. The device of claim 16, wherein device authentication is performed by:
    - receiving data from the network entity that is encrypted with a public key of the device;
      
      using a corresponding private key to decrypt the encrypted data; and
      
      subsequently proving to the network entity that the device has knowledge of the data.
  - 19. The device of claim 16, further comprising:
    - sending an attach request from the device to the network entity, the attach request including an indication that the device is capable of device authentication.
  - 20. The device of claim 16, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 21. The device of claim 16, wherein subscriber authentication and device authentication are concurrently performed in combined message exchanges in which subscriber authentication and device authentication are combined.
  - 22. The device of claim 16, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 23. The device of claim 16, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 24. The device of claim 16, wherein the device is a relay node that appears as an access terminal to the network entity and appears as a network device to one or more access terminals.
  - 25. The device of claim 16, further comprising:
    - a removable storage device coupled to the processing circuit and storing a subscriber-specific key used for the subscriber authentication; and
      
      a secure storage device coupled to the processing circuit and storing a device-specific key used for the device authentication.

26. A device, comprising:
- means for performing subscriber authentication with a network entity based on a subscriber authentication key;
  
  means for performing device authentication of the device with the network entity to obtain device authentication data, wherein the device authentication data is obtained based on a challenge received by the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  means for generating a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  means for using the security key to secure communications between the device and a serving network.
- View Dependent Claims (27)
- - 27. The device of claim 26, further comprising:
    - means for storing a subscriber-specific key used for the subscriber authentication; and
      
      means for storing a device-specific key used for the device authentication.

28. A non-transitory processor-readable medium comprising instructions operational on a device, which when executed by a processor causes the processor to:
- perform subscriber authentication with a network entity based on a subscriber authentication key;
  
  perform device authentication of the device with the network entity to obtain device authentication data, wherein the device authentication data is obtained based on a challenge received by the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  generate a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the device and a serving network.

29. A method operational in a network entity, comprising:
- performing subscriber authentication with a device based on a subscriber authentication key;
  
  performing device authentication of the device to obtain device authentication data, wherein the device authentication data is obtained based on a challenge sent to the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  generating a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  using the security key to secure communications between the network entity and the device.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 30. The method of claim 29, wherein device authentication includes:
    - receiving a certificate from the device;
      
      verifying the certificate associated with the device has not been revoked.
  - 31. The method of claim 29, further comprising:
    - receiving an attach request from the device, the attach request including an indication that the device is capable of device authentication.
  - 32. The method of claim 29, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 33. The method of claim 29, wherein subscriber authentication and device authentication are concurrently performed in combined message exchanges in which subscriber authentication and device authentication are combined.
  - 34. The method of claim 29, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 35. The method of claim 29, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 36. The method of claim 29, wherein the security key is separately generated by the device and the network entity.
  - 37. The method of claim 29, further comprising:
    - obtaining a subscriber-specific key as part of a service agreement, the subscriber-specific key used for the subscriber authentication; and
      
      obtaining a device-specific key for the device, the device-specific key used for the device authentication.
  - 38. The method of claim 29, wherein the device authentication is performed subsequent to, or concurrently with, the subscriber authentication.
  - 39. The method of claim 29, wherein the challenge includes an identifier and the method further includes:
    - transmitting a command to the device that includes the identifier; and
      
      receiving additional security keys generated by the device based on the security key and the identifier.
  - 40. The method of claim 29, wherein the subscriber authentication is performed based on a subscriber authentication key obtained using a subscriber identity or key stored with the device.

41. A network entity, comprising:
- a communication interface; and
  
  a processing circuit coupled to the communication interface, the processing circuit adapted to;
  
  perform subscriber authentication with a device based on a subscriber authentication key;
  
  perform device authentication of the device to obtain device authentication data, wherein the device authentication data is obtained based on a challenge sent to the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  generate a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the network entity and the device.
- View Dependent Claims (42, 43, 44, 45, 46, 47)
- - 42. The network entity of claim 41, wherein the processing circuit is further adapted to:
    - receive an attach request from the device, the attach request including an indication that the device is capable of device authentication.
  - 43. The network entity of claim 41, wherein device authentication is secured by at least one key generated during the subscriber authentication.
  - 44. The network entity of claim 41, wherein subscriber authentication and device authentication are concurrently performed in combined message exchanges in which subscriber authentication and device authentication are combined.
  - 45. The network entity of claim 41, wherein subscriber authentication is performed in an earlier and separate security exchange from the device authentication.
  - 46. The network entity of claim 41, wherein the security key is generated as a function of at least a first key obtained from subscriber authentication and a second key obtained from device authentication.
  - 47. The network entity of claim 41, further comprising:
    - obtaining a subscriber-specific key as part of a service agreement, the subscriber-specific key used for the subscriber authentication; and
      
      obtaining a device-specific key for the device, the device-specific key used for the device authentication.

48. A network entity, comprisingmeans for performing subscriber authentication with a device based on a subscriber authentication key;
- means for performing device authentication of the device to obtain device authentication data, wherein the device authentication data is obtained based on a challenge sent to the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  means for a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  means for using the security key to secure communications between the network entity and the device.

49. A non-transitory processor-readable medium comprising instructions operational on a network entity, which when executed by a processor causes the processor to:
- perform subscriber authentication with a device based on a subscriber authentication key;
  
  perform device authentication of the device to obtain device authentication data, wherein the device authentication data is obtained based on a challenge sent to the device and on a device identity or credential, the device authentication data incorporating at least a portion of the challenge and wherein the device authentication data includes an encrypted parameter derived from a device temporary key, a network nonce and a device nonce;
  
  generate a security key based on the subscriber authentication key and at least a portion of the device authentication data to bind the subscriber authentication and the device authentication; and
  
  use the security key to secure communications between the network entity and the device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
Escott, Adrian Edward, Palanigounder, Anand
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
NGUYEN, NGOC THACH D

Application Number

US13/161,336
Publication Number

US 20110314287A1
Time in Patent Office

1,847 Days
Field of Search

713/171
US Class Current

1/1
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 2463/082   applying multi-factor authe...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0844   with user authentication or...

H04L 9/32   including means for verifyi...

H04L 9/3271   using challenge-response

H04L 9/3273   for mutual authentication n...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H04W 88/02   Terminal devices

Method and apparatus for binding subscriber authentication and device authentication in communication systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

49 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for binding subscriber authentication and device authentication in communication systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

49 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others