CRYPTOGRAPHIC COMMUNICATION WITH MOBILE DEVICES

US 20120170751A1
Filed: 12/28/2011
Published: 07/05/2012
Est. Priority Date: 12/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a communication key which is a shared key for communication between a first apparatus and a second apparatus, the first apparatus being a mobile apparatus, wherein a shared key can be generated as being associated with any one of a set of keys available at the mobile apparatus, (wherein the shared key and its associated key may or may not be equal to each other), the set of keys including a current key and one or more previous keys, all said keys being secret keys, the method comprising the mobile apparatus performing operations of:

(1) receiving, from the second apparatus, key data indicating a key version of a shared key available at the second apparatus, wherein the shared key available at the second apparatus is not transmitted between the mobile apparatus and the second apparatus wherein all said keys are secret keys;

(2) examining the key version, wherein;

(2A) if the mobile apparatus determines that the key version corresponds to the current key, then the communication key used by the mobile apparatus is the shared key associated with the current key;

(2B) if the mobile apparatus determines that the key version corresponds to a previous key available at the mobile apparatus, then the mobile apparatus uses the shared key associated with the previous key to establish the communication key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile device (110), e.g. a token, holds a current key and one or more previous (expired) keys in memory (130). If the token needs to communicate with another device (144), e.g. with a reader, and the reader does not have the current key but has a previous key, the token encrypts the current key with the previous key and sends the ciphertext to the reader, which decrypts the current key. The token use different cryptographic material for communication with respective different facilities. Rather than requesting the reader to identify the facility, the token assumes that the facility is the same as in the most recent successful authentication. If the authentication fails, only then the token requests the reader to identify the facility. Authentication time and electric power are saved if the facility is the same. Other embodiments are also provided.

85 Citations

View as Search Results

37 Claims

1. A method for establishing a communication key which is a shared key for communication between a first apparatus and a second apparatus, the first apparatus being a mobile apparatus, wherein a shared key can be generated as being associated with any one of a set of keys available at the mobile apparatus, (wherein the shared key and its associated key may or may not be equal to each other), the set of keys including a current key and one or more previous keys, all said keys being secret keys, the method comprising the mobile apparatus performing operations of:
- (1) receiving, from the second apparatus, key data indicating a key version of a shared key available at the second apparatus, wherein the shared key available at the second apparatus is not transmitted between the mobile apparatus and the second apparatus wherein all said keys are secret keys;
  
  (2) examining the key version, wherein;
  
  (2A) if the mobile apparatus determines that the key version corresponds to the current key, then the communication key used by the mobile apparatus is the shared key associated with the current key;
  
  (2B) if the mobile apparatus determines that the key version corresponds to a previous key available at the mobile apparatus, then the mobile apparatus uses the shared key associated with the previous key to establish the communication key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein, in (2B), the communication key is the shared key associated with the current key, and the mobile apparatus using the shared key associated with the previous key comprises:
    - the mobile apparatus using the shared key associated with the previous key to encrypt the communication key; and
      
      the mobile apparatus transmitting the encrypted communication key to the second apparatus.
  - 3. The method of claim 1 wherein:
    - in (2A), the shared key associated with the current key is a diversification of the current key for the second apparatus; and
      
      in (2B), the shared key associated with a previous key is a diversification of the previous key for the second apparatus.
  - 4. The method of claim 1 wherein, in operation (2), if the mobile apparatus determines that the key version corresponds to a previous key not available at the mobile apparatus, then:
    - the mobile apparatus engages in cryptographic communication using asymmetric cryptography with the second apparatus to generate an ephemeral key which is a secret key shared with the second apparatus;
      
      the communication key used by the mobile apparatus is the shared key associated with the current key, and the mobile apparatus uses the ephemeral key to encrypt the communication key; and
      
      the mobile apparatus transmits the encrypted communication key to the second apparatus.
  - 5. The method of claim 1 wherein:
    - the second apparatus is one of a plurality of second apparatuses, and each second apparatus is part of a facility which is one of a plurality of facilities, wherein each facility comprises one or more of the second apparatuses;
      
      wherein said set of keys is one of a plurality of sets of keys which are secret keys, each set being associated with a respective one of the facilities and is for use with the associated facility, each of the sets comprising a current key for the facility and one or more previous keys for the facility, each set being available at the mobile apparatus;
      
      wherein the method further comprises the mobile apparatus determining the facility containing the second apparatus, wherein in operation (2) the mobile apparatus uses the current and/or previous keys for the facility determined by the mobile apparatus.
  - 6. A mobile apparatus for performing the method of claim 1.
  - 7. A mobile apparatus for performing the method of claim 2.
  - 8. A mobile apparatus for performing the method of claim 3.
  - 9. A mobile apparatus for performing the method of claim 4.
  - 10. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a mobile apparatus, is operable to cause the mobile apparatus to perform the method of claim 1.
  - 11. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a mobile apparatus, is operable to cause the mobile apparatus to perform the method of claim 2.
  - 12. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a mobile apparatus, is operable to cause the mobile apparatus to perform the method of claim 3.
  - 13. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a mobile apparatus, is operable to cause the mobile apparatus to perform the method of claim 4.

14. A method for establishing a communication key which is a shared key for communication between a first apparatus and a second apparatus, the first apparatus being a mobile apparatus, wherein a shared key can be generated as being associated with any one of a plurality of keys available at the mobile apparatus, (wherein the shared key and its associated key may or may not be equal to each other), the plurality of keys including a current key and one or more previous keys, all said keys being secret keys, the method comprising the second apparatus performing operations of:
- (1) sending, to the mobile apparatus, key data indicating a key version of a shared key available at the second apparatus, wherein the shared key available at the second apparatus is not transmitted between the mobile apparatus and the second apparatus, wherein all said keys are secret keys;
  
  (2) receiving, from the mobile apparatus, encrypted data defining the communication key;
  
  (3) using the shared key available at the second apparatus to decrypt the encrypted data and recover the communication key.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14 wherein:
    - the second apparatus is one of a plurality of apparatuses, and each apparatus of the plurality is part of a facility which is one of a plurality of facilities, wherein each facility comprises one or more of the apparatuses of said plurality of apparatuses;
      
      wherein the method further comprises the second apparatus sending to the mobile apparatus an identifier of the facility containing the second apparatus.
  - 16. An apparatus for performing the method of claim 14.
  - 17. An apparatus for performing the method of claim 15.
  - 18. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in an apparatus, is operable to cause the apparatus to perform the method of claim 14.
  - 19. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in an apparatus, is operable to cause the apparatus to perform the method of claim 15.

20. A method for establishing a communication key which is a shared key for communication between a first apparatus and a second apparatus, the first apparatus being a mobile apparatus, wherein a shared key can be generated as being associated with any one of a plurality of keys available at the mobile apparatus, (wherein the shared key and its associated key may or may not be equal to each other), the plurality of keys including a current key and one or more previous keys, all said keys being secret keys, the method comprising the second apparatus performing operations of:
- (1) engaging in communication with the mobile apparatus to obtain an indication of whether or not there is a shared key available at both the mobile apparatus and the second apparatus;
  
  (2) if a shared secret key is not available at both the second apparatus and the mobile apparatus, then;
  
  (2A) the second apparatus engaging in cryptographic communication using asymmetric cryptography with the mobile apparatus to generate an ephemeral key which is a secret key shared with the mobile apparatus;
  
  (2B) the second apparatus receiving, from the mobile apparatus, encrypted data defining the communication key;
  
  (2C) the second apparatus using the ephemeral key available at the second apparatus to decrypt the encrypted data and recover the communication key.
- View Dependent Claims (21, 22)
- - 21. An apparatus for performing the method of claim 20.
  - 22. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in an apparatus, is operable to cause the apparatus to perform the method of claim 20.

23. A method for conducting cryptographic communication between a first apparatus and a second apparatus which is one of a plurality of apparatuses, the first apparatus being a mobile apparatus, wherein the mobile apparatus stores a plurality of sets of cryptographic data which are associated with respective facilities, each facility comprising one or more of the apparatuses of the plurality of apparatuses, different sets being associated with different facilities, each set being for use in cryptographic communication with the associated facility, wherein each set and its associated facility are associated with one or more possible error conditions at least one of which is an indication that the mobile apparatus may be communicating with a facility different from the associated facility,wherein the mobile apparatus comprises storage for storing prior history of facility access;
- wherein the method comprises the mobile apparatus performing operations of;
  
  (1) selecting a facility based on the prior history;
  
  (2) using the set associated with the facility selected based on the prior history to engage in the cryptographic communication with the second apparatus;
  
  (3) if the cryptographic communication in (2) fails due to one or more of the one or more error conditions associated with the set selected by the mobile apparatus, then;
  
  (3A) the mobile apparatus selecting another facility for the cryptographic communication; and
  
  (3B) the mobile apparatus using the set associated with the other facility to engage in the cryptographic communication with the second apparatus.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The method of claim 23 wherein in (1), the mobile apparatus selecting a facility based on the prior history comprises the mobile apparatus using the facility specified by the prior history as the most recent facility for which the cryptographic communication with the mobile apparatus did not produce any one of the associated one or more error conditions;
    - andin (3B) if the mobile apparatus uses the set associated with the other facility and the cryptographic communication does not produce any one of the one or more errors associated with the other facility, then the mobile apparatus updates the prior history to specify the other facility as the most recent facility for which the cryptographic communication did not produce any one of the associated one or more error conditions.
  - 25. The method of claim 23 wherein in (3A), the mobile apparatus selecting another facility comprises the mobile apparatus receiving facility identification from the second apparatus, and in (3B) the mobile apparatus uses the facility associated with the facility identification as the other facility.
  - 26. A mobile apparatus for performing the method of claim 23.
  - 27. A mobile apparatus for performing the method of claim 24.
  - 28. A mobile apparatus for performing the method of claim 25.
  - 29. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a mobile apparatus, is operable to cause the mobile apparatus to perform the method of claim 23.
  - 30. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a mobile apparatus, is operable to cause the mobile apparatus to perforin the method of claim 24.
  - 31. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a mobile apparatus, is operable to cause the mobile apparatus to perform the method of claim 25.

32. A method for updating cryptographic material stored on a first apparatus and one or more second apparatuses, the first apparatus being a mobile apparatus, the cryptographic material being for use by the mobile apparatus in cryptographic communication with at least one of the one or more second apparatuses, the method comprising performing, by an updating system, operations of:
- sending a mobile-apparatus update of the cryptographic material to the mobile apparatus which is configured to remain operable to use non-updated cryptographic material even after receiving the mobile-apparatus update at least until each second apparatus receives a second-apparatus update; and
  
  sending a second-apparatus update of the cryptographic material to the one or more second apparatuses, wherein the second-apparatus update and the mobile-apparatus update correspond to each other by allowing the cryptographic communication between the mobile apparatus and the one or more second apparatuses;
  
  wherein the updating system does not enable the one or more second apparatuses to use the second-apparatus update until the updating system receives a confirmation that the mobile apparatus has received the mobile-apparatus update.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The method of claim 32 wherein the updating system does not send the second-apparatus update to any second apparatus until the updating system receives said confirmation.
  - 34. A system for performing the method of claim 32.
  - 35. A system for performing the method of claim 33.
  - 36. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a computer system, is operable to cause the computer system to perform the method of claim 32.
  - 37. A non-transitory computer readable medium comprising a computer program which, when executed by one or more computer processors in a computer system, is operable to cause the computer system to perform the method of claim 33.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secureall Corporation
Original Assignee
Secureall Corporation
Inventors
Wurm, Michael

Granted Patent

US 8,559,642 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/278
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04L 9/3234   involving additional secure...

CRYPTOGRAPHIC COMMUNICATION WITH MOBILE DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

CRYPTOGRAPHIC COMMUNICATION WITH MOBILE DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links