Authentication of data transmission devices

US 11,206,260 B2
Filed: 01/05/2017
Issued: 12/21/2021
Est. Priority Date: 01/19/2016
Status: Active Grant

First Claim

Patent Images

1. A method for authentication of a communications connection between a server and a remote terminal using an intermediate mobile device, and for transmitting data over an authenticated communications connection between the server and the remote terminal using the intermediate mobile device, the method comprising:

upon the intermediate mobile device entering a region where the remote terminal is located, the intermediate mobile connects to the server;

the server generates first and second key codes, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate mobile device,the server transmits the first and second key codes to the intermediate mobile device,communication is then opened between the remote terminal and the intermediate mobile device,the remote terminal then uses the shared secret to generate a duplicate of the first key code,the remote terminal transmits the duplicate of the first key code to the intermediate mobile device,the intermediate mobile device compares the first key code and the duplicate of the first key code to verify the authenticity of the remote terminal,the intermediate mobile device transmits the second key code to the remote terminal,the remote terminal uses the shared secret to generate a duplicate of the second key code,the remote terminal compares the second key code and the duplicate of the second key code to verify the authenticity of the intermediate mobile device;

after the authenticity of the remote terminal and the authenticity of the intermediate mobile device have been verified, the intermediate mobile device receives data from the remote terminal and stores the data, and subsequently transmits the data to the server when in communication with the server such that the data is transmitted from the remote terminal to the server over the authenticated communications connection between the server and the remote terminal using the intermediate mobile device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal to allow data to be exchanged between the remote terminal and a server through the device. The server sends first and second key codes to the intermediate device, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge from the intermediate device the remote terminal uses the shared secret to generate a duplicate of the first key code and transmits the duplicate to the intermediate device. The intermediate device compares the first key code and the duplicate of the first key code received respectively from the server and the remote terminal to verify the authenticity of the remote terminal. The intermediate device then transmits the second key code to the remote terminal, to be compared by the remote terminal with a duplicate of the second key code to verify the authenticity of the intermediate device. This process allows the intermediate device to be used without itself having the shared secret. The codes generated by the server may be encoded with a network identity of the intermediate device using the shared secret, such that the remote terminal can only respond to the same intermediate device that transmitted the codes. This prevents a “man-in-the middle” attack by another intermediate device, as without the shared secret no intermediate device can modify the codes to include a different network identity.

Citations

26 Claims

1. A method for authentication of a communications connection between a server and a remote terminal using an intermediate mobile device, and for transmitting data over an authenticated communications connection between the server and the remote terminal using the intermediate mobile device, the method comprising:
- upon the intermediate mobile device entering a region where the remote terminal is located, the intermediate mobile connects to the server;
  
  the server generates first and second key codes, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate mobile device,the server transmits the first and second key codes to the intermediate mobile device,communication is then opened between the remote terminal and the intermediate mobile device,the remote terminal then uses the shared secret to generate a duplicate of the first key code,the remote terminal transmits the duplicate of the first key code to the intermediate mobile device,the intermediate mobile device compares the first key code and the duplicate of the first key code to verify the authenticity of the remote terminal,the intermediate mobile device transmits the second key code to the remote terminal,the remote terminal uses the shared secret to generate a duplicate of the second key code,the remote terminal compares the second key code and the duplicate of the second key code to verify the authenticity of the intermediate mobile device;
  
  after the authenticity of the remote terminal and the authenticity of the intermediate mobile device have been verified, the intermediate mobile device receives data from the remote terminal and stores the data, and subsequently transmits the data to the server when in communication with the server such that the data is transmitted from the remote terminal to the server over the authenticated communications connection between the server and the remote terminal using the intermediate mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, in which the first and second key codes are generated from the shared secret, and are changed after each use.
  - 3. A method according to claim 2, in which the server generates a plurality of one-use key code pairs and transmits them to the intermediate mobile device, and the intermediate mobile device uses each key-code pair in turn for a series of authentication interactions with the remote terminal.
  - 4. A method according to claim 1, in which the first and second key codes are combined with encoded address data of the intermediate mobile device, and the remote terminal uses the shared secret to decode the address data, to verify the identity of the intermediate mobile device.
  - 5. A method according to claim 1, wherein the intermediate mobile device is responsive to a flag signal generated by the remote terminal to route the data received from the remote terminal either to a data store in the intermediate mobile device for later transmission to the server, in response to a first setting of the flag signal, or to open a connection to the server for relaying the data to the server in response to a second setting of the flag signal.
  - 6. The method according to claim 1, wherein the intermediate mobile device is a portable smart phone.
  - 7. The method according to claim 1, wherein the intermediate mobile device is a portable smart phone, and the remote terminal includes a sensor configured to record measurements to external stimuli and memory configured to store data corresponding to the measurements for subsequent download.
  - 8. The method according to claim 1, wherein:
    - the server transmitting the first and second key codes to the intermediate mobile device takes place when the intermediate mobile device is in communication with the server and not with the remote terminal; and
      
      after the server transmitting the first and second key codes to the intermediate mobile device takes place, the intermediate mobile device ceases communication with the server and initiates communication with the remote terminal.
  - 9. The method according to claim 1, wherein the comparison of the first key code and the duplicate of the first key code to verify the authenticity of the remote terminal is performed before the comparison of the second key code and the duplicate of the second key code to verify the authenticity of the intermediate mobile device.
  - 10. The method according to claim 1, wherein:
    - the remote terminal comprises a sensor and the data that is transmitted from the remote terminal to the server comes from the sensor; and
      
      the data that is transmitted from the remote terminal to the server and that comes from the sensor is vehicular route data or domestic utility data.

11. A mobile data communications device configured to operate as an intermediate relay between a server and one or more remote data communications terminals, havingone or more communications interfaces for communication with the server and the or each remote data communications terminal,a processing system, including at least one hardware processor, at least configured to:
- upon the mobile data communications device entering a region where one or more remote data communications terminals is located, connect the mobile data communications device to the server;
  
  receive challenge and response data from the server relating to the or each remote data communications terminal and comprising, for each remote data communications terminal a first challenge, a first response key and a second response key,then open communication with the remote data communications terminal,transmit the first challenge to the respective remote data communications terminal;
  
  receive a version of the first response key from the remote data communications terminal, the version of the first response key having been generated by the remote data communications terminal after the mobile data communications device has opened communication with the remote data communications terminal,compare the version of the first response key received from the remote data communications terminal with the first response key received from the server to verify authenticity of the remote data communications terminal,and transmit the second key to the remote data communications terminal for verification of authenticity of the mobile data communications device, andafter the authenticity of the remote data communications terminal and the authenticity of the mobile data communications device have been verified, receiving data from the remote data communications terminal,storing the received data,and subsequently transmitting the data to the server when in communications with the server such that the data is transmitted from the remote data communications terminal to the server over an authenticated communications connection between the remote data communications terminal and the server using the mobile data communications device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A mobile data communications device according to claim 11, arranged to transmit a signal reporting its location to the server.
  - 13. A mobile data communication device according to claim 11, wherein the processing system is further configured to detect the or each remote data communications terminal and transmitting the respective challenge and response data in response to such detection.
  - 14. A mobile data communications device according to claim 11, having a memory for storing a sequence of first and second key codes for the or each remote data communications terminal, the processing system being arranged to retrieve each key code in sequence for a plurality of successive connections to the remote data communications terminal.
  - 15. A mobile data communications device according to claim 11, in which the processing system generates the challenge request by using the key code to encode an identity code associated with the device.
  - 16. A mobile data communications device according to claim 11, wherein the communications interface comprises a data store for the data received from the remote data communications terminal, and a detection device responsive to a flag signal carried in data received from the remote data communications terminal to route the received data to the data store in response to a first setting of the flag signal or to the server in response to a second setting of the flag signal.
  - 17. The mobile data communications device according to claim 11, wherein the mobile data communications device is a portable smart phone.
  - 18. The mobile data communications device according to claim 11, wherein,receiving the data from the server by the mobile data communications device takes place when the mobile data communications device is in communication with the server and not with the remote data communications terminal;
    - andthe mobile data communications device is configured to, after receiving the data from the server takes place, cease communication with the server and initiates communication with the remote data communications terminal.
  - 19. The mobile data communications device according to claim 11, wherein verification of authenticity of the remote data communications terminal is performed before verification of authenticity of the mobile data communications device.
  - 20. The mobile data communications device according to claim 11, wherein:
    - the remote data communications terminal comprises a sensor and the data that is transmitted from the remote data communications terminal to the server comes from the sensor;
      
      the data that is transmitted from the remote data communications terminal to the server and that comes from the sensor is vehicular route data or domestic utility data.

21. A non-transitory machine-readable storage medium storing computer program code to, when loaded into a mobile communications device and executed thereon, configure the mobile communications device to operate as an intermediate relay between a server and one or more remote data communications terminals such that the intermediate relay is at least configured to:
- upon the mobile communications device entering a region where one or more remote data communications terminals is located, connect the mobile communications device to server;
  
  communicate with the server and the or each remote data communications terminal;
  
  receive challenge and response data from the server relating to the or each remote data communications terminal and comprising, for each remote data communications terminal a first challenge, a first response key and a second response key;
  
  then open communication between a remote data communications terminal and the mobile communications device,transmit the first challenge to the respective remote data communications terminal;
  
  receive a version of the first response key from the remote data communications terminal, the version of the first response key having been generated by the remote data communications after the mobile communications device has opened communication with the remote data communications terminal;
  
  compare the version of the first response key received from the remote data communications terminal with the first response key received from the server to verify authenticity of the remote data communications terminal; and
  
  transmit the second key to the remote data communications terminal for verification of authenticity of the mobile communications device;
  
  after the authenticity of the remote data communications terminal and the authenticity of the mobile communications device have been verified, receive data from the remote data communications terminal, and store the data,and transmit the data to the server when in communication with the server such that the data is transmitted from the remote data communications terminal to the server over an authenticated communications connection between the remote data communications terminal and the server using the mobile communications device.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The non-transitory machine-readable storage medium according to claim 21, wherein the mobile communications device operating as the intermediate relay is a portable smart phone.
  - 23. The non-transitory machine-readable storage medium according to claim 21, wherein the mobile communications device to operating as an intermediate relay is a portable smart phone, and the remote data communications terminal includes a sensor configured to record measurements to external stimuli and memory configured to store data corresponding to the measurements for subsequent download.
  - 24. The non-transitory machine-readable storage medium according to claim 21,receiving the data from the server by the mobile communications device takes place when the mobile communications device is in communication with the server and not with the remote data communications terminal;
    - andthe mobile communications device is configured to, after receiving the data from the server takes place, cease communication with the server and initiates communication with the remote data communications terminal.
  - 25. The non-transitory machine-readable storage medium according to claim 21, wherein verification of authenticity of the remote data communications terminal is performed before verification of authenticity of the mobile communications device.
  - 26. The non-transitory machine-readable storage medium according to claim 21, wherein:
    - the remote data communications terminal comprises a sensor and the data that is transmitted from the remote data communications terminal to the server comes from the sensor; and
      
      the data that is transmitted from the remote data communications terminal to the server and that comes from the sensor is vehicular route data or domestic utility data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Beddus, Simon, Deans, Paul
Primary Examiner(s)
Lesniewski, Victor

Application Number

US16/067,203
Publication Number

US 20190014114A1
Time in Patent Office

1,811 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 63/0884   by delegation of authentica...

H04L 9/0819   Key transport or distributi...

H04L 9/3228   One-time or temporary data,...

H04L 9/3271   using challenge-response

H04L 9/3273   for mutual authentication n...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 88/04   adapted for relaying to or ...

Authentication of data transmission devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of data transmission devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links