System and method for secure authentication
First Claim
1. A method for device authentication comprising:
- receiving, by processing hardware of a first device, a message from a second device to authenticate the first device;
retrieving, by the processing hardware, a secret value from secure storage hardware operatively coupled to the processing hardware;
deriving, by the processing hardware, a validator from the secret value using a path through a key tree, wherein the path identifies a plurality of entropy distribution operations and is based on dividing the message into a plurality of parts, wherein the key tree avoids leakage of the secret value at least in part by computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on a different part of the plurality of parts of the message and a prior key; and
exchanging the validator between the first device and the second device as part of a challenge-response protocol in order to authenticate the first device.
1 Assignment
0 Petitions
Accused Products
Abstract
A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.
-
Citations
14 Claims
-
1. A method for device authentication comprising:
-
receiving, by processing hardware of a first device, a message from a second device to authenticate the first device; retrieving, by the processing hardware, a secret value from secure storage hardware operatively coupled to the processing hardware; deriving, by the processing hardware, a validator from the secret value using a path through a key tree, wherein the path identifies a plurality of entropy distribution operations and is based on dividing the message into a plurality of parts, wherein the key tree avoids leakage of the secret value at least in part by computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on a different part of the plurality of parts of the message and a prior key; and exchanging the validator between the first device and the second device as part of a challenge-response protocol in order to authenticate the first device. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A system, comprising:
a first device comprising secure storage hardware and processing hardware operatively coupled to the secure storage hardware, wherein the secure storage hardware is to store a secret value and the processing hardware is to; receive a message from a second device to authenticate the first device; retrieve the secret value from the secure storage hardware; derive a validator from the secret value using a path through a key tree, wherein the path identifies a plurality of entropy distribution operations and is based on dividing the message into a plurality of parts, wherein the key tree avoids leakage of the secret value at least in part by, computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on a different part of the plurality of parts of the message and a prior key; and exchange the validator between the first device and the second device as part of a challenge-response protocol in order to authenticate the first device. - View Dependent Claims (8, 9, 10, 11)
-
12. A system comprising:
a first device comprising processing hardware, wherein the processing hardware is to; send a message to a second device as part of a challenge-response protocol in order to authenticate the first device; receive a response from the second device as part of the challenge-response protocol, the response comprising a first validator; derive a second validator from a secret value using a path through a key tree, wherein the path identifies a plurality of entropy distribution operations and is based on dividing the message into a plurality of parts, wherein the key tree avoids leakage of the secret value at least in part by, computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on a different part of the plurality of parts of the message and a prior key; compare the first validator to the second validator; determine whether the first validator matches the second validator; and verify that the second device is authentic responsive to determining that the first validator matches the second validator. - View Dependent Claims (13, 14)
Specification