PROVISION OF SECURE COMMUNICATIONS CONNECTION USING THIRD PARTY AUTHENTICATION

US 20090287922A1
Filed: 05/31/2007
Published: 11/19/2009
Est. Priority Date: 06/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb);

the method comprising;

receiving a request from the first device at the authentication server;

the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device;

the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device;

the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to communications, and in particular though not exclusively to forming a secure connection between two untrusted devices. The present invention provides a method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb). The method comprises receiving a request from the first device at the authentication server; the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device; the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device; and the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).

294 Citations

17 Claims

1. A method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb);
- the method comprising;
  
  receiving a request from the first device at the authentication server;
  
  the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device;
  
  the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device;
  
  the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, wherein the first device shared secret data (SSDa) and the second device shared secret data (SSDb) are each stored on respective removable modules inserted into the respective first and second devices;
    - or into one or two proxy devices each connected with a respective first or second device.
  - 3. A method according to claim 1, wherein the first device is a wireless client device and the second device is a wireless server wirelessly connected to the wireless client device.
  - 4. A method according to claim 3, wherein the second device and the authentication server establish a secure communications channel using a transport layer security protocol (SSL) prior to forwarding of the request.
  - 5. A method according to claim 1, wherein forwarding of the first and/or second device keys (K_A, K_B) and mutual authentication is achieved using the EAP-SIM protocol between the authentication server and the first device and/or the authentication server and the second device.
  - 6. A method according to claim 1, wherein the common key (K_AB) is encrypted using the first device key (K_A) and sent from the authentication server to the first device, and the common key (K_AB) is encrypted using the second device key (K_B) and sent from the authentication server to the second device.
  - 7. A method according to claim 1, wherein the common key (K_AB) is derived from the first device key (K_A) and sent from the authentication server to the second device encrypted using the second device key (K_B), and wherein the common key (K_AB) is generated by the first device in response to receiving a validation parameter (HMAC-PMK(N_A) dependent on the first device key (K_A) from the second device.
  - 8. A method according to claim 6, wherein the common key (K_AB) is concatenated by the authentication server with a first or second device concatenation number (SRES_A or SRES_B) known by the respective first or second device, prior to encryption with the first or second device key.
  - 9. A method according to claim 1, wherein the first and second devices send respective random nonce values (N_A, N_B) to the authentication server and which are used to generate the respective first and second device keys (KA, KB) and/or the first and second device processed random numbers (SSDa[RANDa], SSDb[RANDb]).
  - 10. A method according to claim 9, wherein the authentication server generates a first device nonce processed number (AT_MAC_RAND_A) dependent on the first device once (N_A), the first device shared secret data (SSDa), and the first device random number (RANDa), and wherein the first device random number (RANDa) is concatenated with the first device nonce processed number AT_MAC_RAND_A) and encrypted with the second device key (K_B) prior to forwarding to the second device which is arranged to decrypt the concatenated first device random number and first device nonce processed number prior to forwarding to the first device.

11. A method of operating an authentication server for securely connecting a first device (A) to a second device (B), the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb);
- the method comprising;
  
  receiving a request from the first device;
  
  generating a first device random number (RANDa) and a first device key (K_A) using the first device random number (RANDa) and the first device shared secret data (SSDa), and forwarding the first device random number to the first device;
  
  generating a second device random number (RANDb) and a second device key (K_B) using the second device random number (RANDb) and the second device shared secret data (SSDb), and forwarding the second device random number (RANDb) to the second device;
  
  the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B,K_A).
- View Dependent Claims (12)
- - 12. A method according to claim 11, wherein communications with the first device are via a connection with the second device;
    - and further comprising establishing a secure communications channel using a transport layer security protocol (SSL) with the second device prior to forwarding of the request.

13. A method of operating a second device (B) for securely connecting a first device(A) to the second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb);
- the method comprising;
  
  generating a second device key (K_B) using the second device shared secret data 5 in response to receiving a second device random number (RANDb) from the authentication server, wherein the second device shared secret data (SSDb) is stored on a removable module associated with the second device;
  
  receiving a common key (K_AB) from the authentication server encrypted using the second device key (K_B or K_WS);
  
  communicating with the first device using the common shared key (K_AB).
- View Dependent Claims (14, 15)
- - 14. A method according to claim 13, further comprising authenticating the first device in response to receiving the common key (K_AB).
  - 15. A method according to claim 13, further comprising receiving a. request from the first device and forwarding the request to the authentication server, and relaying subsequent communications between the authentication server and the first device.

16. A method of operating a first device (A) for securely connecting to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb);
- the method comprising;
  
  sending a request to the authentication server;
  
  generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) received from the authentication server;
  
  authenticating the second device in response to receiving a common shared secret key (K_AB) from the authentication server encrypted using the first device shared secret key (K_A);
  
  communicating with the second device using a secure connection between the first device and the second device which uses the common key (K_AB).
- View Dependent Claims (17)
- - 17. A method according to claim 16, wherein the request is sent via the second device to the authentication server prior to authentication of the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Hodgson, Paul W., Herwono, Ian

Granted Patent

US 8,738,898 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 2463/061   applying further key deriva...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 9/0822   using key encryption key

H04L 9/321   involving a third party or ...

H04L 9/3271   using challenge-response

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

PROVISION OF SECURE COMMUNICATIONS CONNECTION USING THIRD PARTY AUTHENTICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

294 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

PROVISION OF SECURE COMMUNICATIONS CONNECTION USING THIRD PARTY AUTHENTICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

294 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links