Authentication of data transmission devices
Abstract
An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal to allow data to be exchanged between the remote terminal and a server through the device. The server sends first and second key codes to the intermediate device, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge from the intermediate device, the remote terminal uses the shared secret to generate a duplicate of the first key code and transmits the duplicate to the intermediate device. The intermediate device compares the first key code and the duplicate of the first key code, received respectively from the server and the remote terminal, to verify the authenticity of the remote terminal. The intermediate device then transmits the second key code to the remote terminal, to be compared by the remote terminal with a duplicate of the second key code to verify the authenticity of the intermediate device. This process allows the intermediate device to be used without itself having the shared secret. The codes generated by the server may be encoded with a network identity of the intermediate device using the shared secret, such that the remote terminal can only respond to the same intermediate device that transmitted the codes. This prevents a "man-in-the-middle" attack by another intermediate device, as without the shared secret no intermediate device can modify the codes to include a different network identity.
26 Claims
1. A method for authentication of a communications connection between a server and a remote terminal using an intermediate mobile device, and for transmitting data over an authenticated communications connection between the server and the remote terminal using the intermediate mobile device, the method comprising:
upon the intermediate mobile device entering a region where the remote terminal is located, the intermediate mobile connects to the server;
the server generates first and second key codes, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate mobile device;
the server transmits the first and second key codes to the intermediate mobile device;
communication is then opened between the remote terminal and the intermediate mobile device;
the remote terminal then uses the shared secret to generate a duplicate of the first key code;
the remote terminal transmits the duplicate of the first key code to the intermediate mobile device;
the intermediate mobile device compares the first key code and the duplicate of the first key code to verify the authenticity of the remote terminal;
the intermediate mobile device transmits the second key code to the remote terminal;
the remote terminal uses the shared secret to generate a duplicate of the second key code;
the remote terminal compares the second key code and the duplicate of the second key code to verify the authenticity of the intermediate mobile device;
after the authenticity of the remote terminal and the authenticity of the intermediate mobile device have been verified, the intermediate mobile device receives data from the remote terminal and stores the data, and subsequently transmits the data to the server when in communication with the server such that the data is transmitted from the remote terminal to the server over the authenticated communications connection between the server and the remote terminal using the intermediate mobile device.
Dependent claims: 2 to 10.
11. A mobile data communications device configured to operate as an intermediate relay between a server and one or more remote data communications terminals, having one or more communications interfaces for communication with the server and the or each remote data communications terminal, and a processing system, including at least one hardware processor, at least configured to:
upon the mobile data communications device entering a region where one or more remote data communications terminals is located, connect the mobile data communications device to the server;
receive challenge and response data from the server relating to the or each remote data communications terminal and comprising, for each remote data communications terminal, a first challenge, a first response key and a second response key;
then open communication with the remote data communications terminal and transmit the first challenge to the respective remote data communications terminal;
receive a version of the first response key from the remote data communications terminal, the version of the first response key having been generated by the remote data communications terminal after the mobile data communications device has opened communication with the remote data communications terminal;
compare the version of the first response key received from the remote data communications terminal with the first response key received from the server to verify authenticity of the remote data communications terminal;
transmit the second key to the remote data communications terminal for verification of authenticity of the mobile data communications device; and
after the authenticity of the remote data communications terminal and the authenticity of the mobile data communications device have been verified, receive data from the remote data communications terminal, store the received data, and subsequently transmit the data to the server when in communication with the server such that the data is transmitted from the remote data communications terminal to the server over an authenticated communications connection between the remote data communications terminal and the server using the mobile data communications device.
Dependent claims: 12 to 20.
21. A non-transitory machine-readable storage medium storing computer program code to, when loaded into a mobile communications device and executed thereon, configure the mobile communications device to operate as an intermediate relay between a server and one or more remote data communications terminals such that the intermediate relay is at least configured to:
upon the mobile communications device entering a region where one or more remote data communications terminals is located, connect the mobile communications device to the server;
communicate with the server and the or each remote data communications terminal;
receive challenge and response data from the server relating to the or each remote data communications terminal and comprising, for each remote data communications terminal, a first challenge, a first response key and a second response key;
then open communication between a remote data communications terminal and the mobile communications device, and transmit the first challenge to the respective remote data communications terminal;
receive a version of the first response key from the remote data communications terminal, the version of the first response key having been generated by the remote data communications terminal after the mobile communications device has opened communication with the remote data communications terminal;
compare the version of the first response key received from the remote data communications terminal with the first response key received from the server to verify authenticity of the remote data communications terminal;
transmit the second key to the remote data communications terminal for verification of authenticity of the mobile communications device; and
after the authenticity of the remote data communications terminal and the authenticity of the mobile communications device have been verified, receive data from the remote data communications terminal, store the data, and transmit the data to the server when in communication with the server such that the data is transmitted from the remote data communications terminal to the server over an authenticated communications connection between the remote data communications terminal and the server using the mobile communications device.
Dependent claims: 22 to 26.
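A worked run of the exchange described in the abstract and in claims 1 and 11, added here as an example rather than code from the patent: the server derives both key codes from the shared secret over its challenge and the intermediate device's network identity, the terminal answers with its own duplicate, and a device whose identity differs from the one bound into the codes fails both checks. The HMAC-SHA256 construction, the class and function names, and the sample payload are assumptions.

```python
import hashlib
import hmac
import secrets

def derive_key_codes(shared_secret: bytes, challenge: bytes, device_id: bytes):
    """Both key codes are HMACs over the challenge and the intermediate device's
    network identity, so nobody without the shared secret can re-bind them to
    another device. HMAC-SHA256 is an assumption; the patent fixes no function."""
    first = hmac.new(shared_secret, b"first" + challenge + device_id, hashlib.sha256).digest()
    second = hmac.new(shared_secret, b"second" + challenge + device_id, hashlib.sha256).digest()
    return first, second

class RemoteTerminal:
    """Holds the shared secret, which the intermediate device never sees."""
    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._expected_second = None
        self.device_verified = False

    def answer_challenge(self, challenge: bytes, observed_device_id: bytes) -> bytes:
        # Duplicate of the first key code, bound to the identity of the device
        # that actually opened the connection; keep our duplicate of the second.
        first, self._expected_second = derive_key_codes(self._secret, challenge, observed_device_id)
        return first

    def verify_device(self, second_key_code: bytes) -> bool:
        # Constant-time comparison of the device's second code with our duplicate.
        self.device_verified = hmac.compare_digest(second_key_code, self._expected_second)
        return self.device_verified

    def read_data(self) -> bytes:
        if not self.device_verified:
            raise PermissionError("intermediate device not authenticated")
        return b"meter=01234"  # constructed sample payload

def relay_session(shared_secret: bytes, terminal: RemoteTerminal,
                  device_id: bytes, observed_id: bytes = None):
    """The exchange as seen by the intermediate device whose identity device_id
    the server bound into the codes. observed_id is what the terminal sees on
    the link: the same for the genuine device, different when another device
    replays the codes. Returns the relayed data, or None when a check fails."""
    observed_id = observed_id or device_id
    challenge = secrets.token_bytes(16)
    first, second = derive_key_codes(shared_secret, challenge, device_id)  # received from the server
    duplicate = terminal.answer_challenge(challenge, observed_id)           # challenge out, duplicate back
    if not hmac.compare_digest(first, duplicate):
        return None  # remote terminal not authenticated
    if not terminal.verify_device(second):  # second code handed to the terminal
        return None  # terminal rejected the device
    return terminal.read_data()  # stored on the device, uploaded to the server later
```

The terminal keeps its own duplicate of the second code from the identity it actually observed, so a device that merely forwards codes issued for another identity is rejected even if it skips its own comparison.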