Systems and methods for authenticating communications in a network medium

US 8,156,337 B2
Filed: 04/03/2006
Issued: 04/10/2012
Est. Priority Date: 02/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method for securing communication over a network medium between at least two devices including a first device and a second device, comprising:

receiving over a location limited communication channel, by the second device, public authentication information transmitted by said first device, wherein the location limited communication channel has physical limitations which allow the second device to identify the first device communicating across the channel based on the limited locations accessible to the location-limited channel, thereby causing said location limited communication channel to be difficult to actively attack without detection, and wherein said public authentication information comprises a commitment to secret information;

receiving a communication from said first device over said network medium, the communication comprising the secret information;

authenticating said communication at said second device by determining that the commitment corresponds to the received secret information, thereby authenticating that said first device actually possesses said secret information; and

in response to authenticating the communication at the second device, sending a communication over the network medium to the first device, the communication comprising a commitment to new secret information that will be used to authenticate a subsequent message from the second device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Pre-authentication information of devices is used to securely authenticate arbitrary peer-to-peer ad-hoc interactions. In one embodiment, public key cryptography is used in the main wireless link with location-limited channels being initially used to pre-authenticate devices. Use of public keys in the pre-authentication data allows for the broadening of types of media suitable for use as location-limited channels to include, for example, audio and infrared. Also, it allows a range of key exchange protocols which can be authenticated in this manner to include most public-key-based protocols. As a result, a large range of devices, protocols can be used in various applications. Further, an eavesdropper is forced to mount an active attack on the location-limited channel itself in order to access an ad-hoc exchange. However, this results in the discovery of the eavesdropper.

85 Citations

View as Search Results

20 Claims

1. A method for securing communication over a network medium between at least two devices including a first device and a second device, comprising:
- receiving over a location limited communication channel, by the second device, public authentication information transmitted by said first device, wherein the location limited communication channel has physical limitations which allow the second device to identify the first device communicating across the channel based on the limited locations accessible to the location-limited channel, thereby causing said location limited communication channel to be difficult to actively attack without detection, and wherein said public authentication information comprises a commitment to secret information;
  
  receiving a communication from said first device over said network medium, the communication comprising the secret information;
  
  authenticating said communication at said second device by determining that the commitment corresponds to the received secret information, thereby authenticating that said first device actually possesses said secret information; and
  
  in response to authenticating the communication at the second device, sending a communication over the network medium to the first device, the communication comprising a commitment to new secret information that will be used to authenticate a subsequent message from the second device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
- - 2. The method of claim 1, wherein said public authentication information is a one-way function of an authenticator.
  - 3. The method of claim 1, wherein said public authentication information is a public key or a one-way function of said public key.
  - 4. The method of claim 1, wherein said public authentication information is a one-way function of said secret information known to said first device.
  - 5. The method of claim 1, wherein authenticating said communication uses a key exchange protocol over said network medium.
  - 6. The method of claim 1, wherein said location limited communication channel is an infra-red channel.
  - 7. The method of claim 1, wherein said location limited communication channel is an audio channel.
  - 20. The method claim 1, the method further comprising:
    - receiving over said location limited communication channel, by the first device, a second public authentication information transmitted by said second device, wherein said second public authentication information commits said second device to possession of a second secret information;
      
      receiving a second communication from said second device over said network medium; and
      
      authenticating said second communication at said first device wherein said first device requires said second device to authenticate to said first device that said second device actually possesses said second secret information.

8. A method for securing a communication over a network medium between a group of devices, each of said group of devices associated with its own public authentication information, the method comprising designating a group manager from said group of devices wherein said group of devices includes said group manager and a plurality of other devices, said plurality of other devices comprising a first device and a second device;
- performing a key exchange protocol by said group manager, said key exchange protocol being dependent on an established trust relationship between said group of devices; and
  
  securing said communication over said network medium;
  
  wherein the improvement comprises;
  
  sending, by said group manager over a location limited communication channel, public authentication information associated with said group manager to said first device and said second device, wherein said public authentication information comprises a commitment to group manager secret information, wherein the location limited communication channel has physical limitations which allow the group manager to identify the first and second devices communicating across the channel based on the limited locations accessible to the location-limited channel, thereby causing said location limited communication channel to be difficult to actively attack without detection;
  
  receiving, by said group manager over said location limited communication channel, public authentication information associated with said first device, and public authentication information associated with said second device;
  
  wherein said public authentication information associated with said first device comprises a commitment to first device secret information and wherein said public authentication information associated with said second device comprises a commitment to second device secret information, whereby sending and receiving over said location limited communication channel establishes said established trust relationship;
  
  receiving, by the group manager over the network medium, a communication from the first device and a communication from the second device, wherein the communication from the first device comprises the first device secret information, and wherein the communication from the second device comprises the second device secret information;
  
  attempting to authenticate, by said group manager each of said plurality of other devices;
  
  the attempting to authenticate by said group manager comprising determining that the commitment received from the first device corresponds to the first device secret information, and determining that the commitment received from the second device corresponds to the second device secret information, thereby authenticating that said first device actually possesses said first device secret information and that said second device actually possesses said second device secret information;
  
  in response to authenticating the communication at the group manager, sending a communication over the network medium to the first device and the second device, the communication comprising a commitment to new secret information that will be used to authenticate a subsequent message from the group manager;
  
  receiving, by the first device and the second device over the network medium, a communication from the group manager, wherein the communication from the group manager comprises the group manager secret information; and
  
  attempting to authenticate, by each of said plurality of other devices, said group manager;
  
  the attempting to authenticate by each of said plurality of other devices comprising said first device and the second device determining that the commitment received from the group manager corresponds to the group manager secret information, thereby authenticating that said group manager actually possesses said group manager secret information.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, further comprising distributing, by said group manager, group key information over said network medium to said plurality of other devices.
  - 10. The method of claim 8, further comprising:
    - receiving a new device into said group of devices;
      
      sending, by said group manager over said location limited communication channel, said public authentication information associated with said group manager to said new device;
      
      receiving, by said group manager over said location limited communication channel, public authentication information associated with said new device;
      
      wherein said public authentication information associated with said new device commits said new device to possession of new device secret information; and
      
      attempting to authenticate, by said group manager, said new device, the attempt comprising requesting said new device to authenticate that said new device actually possesses said new device secret information whereby said new device is included in said established trust relationship.
  - 11. The method of claim 9, wherein the group of devices includes a third device, and wherein the method further comprises:
    - detecting when said third device leaves said group of devices; and
      
      using said network medium to distribute a new group key information from said group manager to said plurality of other devices remaining in said group of devices.

12. A method of authenticating a communication over a network medium among a group of devices including a first device and a second device, the method comprising performing a key exchange protocol between said group of devices, said key exchange protocol being dependent on an established trust relationship between said group of devices, and securing said communication over said network medium, wherein the improvement comprises:
- sending, by each of said group of devices over a location limited communication channel, public authentication information associated with said each of said group of devices to every other of said group of devices, wherein said public authentication information associated with said each of said group of devices comprises a commitment to secret information corresponding thereto, wherein the location limited communication channel has physical limitations which allow each of the group of devices to identify every other of the group of devices communicating across the channel based on the limited locations accessible to the location-limited channel, thereby causing said location limited communication channel to be difficult to actively attack without detection;
  
  receiving, by said each of said group of devices over said location limited communication channel, said public authentication information associated with said each of said group of devices from every other of said group of devices, whereby sending and receiving over said location limited communication channel establishes said established trust relationship;
  
  receiving, by each of the group of devices over the location limited communication channel, a communication from every other of the group of devices, wherein the communication received from every other of the group of devices comprises the secret information corresponding thereto;
  
  attempting to authenticate, by said each of said group of devices determining that commitment received from every other of the group of devices corresponds to the received secret information corresponding thereto, thereby authenticating that every other of said group of devices possesses respective secret information thereof; and
  
  in response to authenticating the communication at a respective device of the group of devices, sending a communication over the network medium to every other of the group of devices, the communication comprising a commitment to new secret information that will be used to authenticate a subsequent message from the respective device.
- View Dependent Claims (13)
- - 13. The method claim 12, wherein said group key exchange protocol is a Diffie-Hellman key exchange protocol.

14. A system for securing a communication over a network medium, the system comprising:
- a first device and a second device, whereinthe second device receives, over a location limited communication channel public authentication information transmitted by said first device, wherein the location limited communication channel has physical limitations which allow the second device to identify the first device communicating across the channel based on the limited locations accessible to the location-limited channel, thereby causing said location limited communication channel to be difficult to actively attack without detection, and wherein said public authentication information comprises a commitment to secret information,the second device receives a communication from said first device over said network medium, the communication comprising the secret information;
  
  the second device authenticates the communication by determining that the commitment corresponds to the received secret information, thereby authenticating that said first device actually possesses said secret information; and
  
  in response to authenticating the communication at the second device, the second device sends a communication over the network medium to the first device, the communication comprising a commitment to new secret information that will be used to authenticate a subsequent message from the second device.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, further comprising:
    - a memory that stores an authentication application used by a processor to authenticate the communication.
  - 16. The system of claim 14, wherein the first device includes a infra-red receiver/transmitter.
  - 17. The system of claim 14, wherein the first device includes an audio receiver/transmitter.
  - 18. The system of claim 14, wherein the second device authenticates the communication using a public-key-based key exchange protocol.

19. A method for securing communication over a network medium between at least two devices including a first device and a second device, comprising:
- transmitting, from said first device, public authentication information over a location limited communication channel, wherein the location limited communication channel has physical limitations which allow the second device to identify the first device communicating across the channel based on the limited locations accessible to the location-limited channel, thereby causing said location limited communication channel to be difficult to actively attack without detection, and wherein said public authentication information comprises a commitment to secret information;
  
  transmitting a communication from said first device to said second device over said network medium, the communication comprising the secret information;
  
  demonstrating to said second device that said first device actually possesses said secret information by demonstrating that the commitment corresponds to the secret information; and
  
  receiving at the first device a communication over the network medium from the second device, the communication comprising a commitment to new secret information that will be used to authenticate a subsequent message from the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Balfanz, Dirk, Lopes, Cristina, Smetters, Diana, Stewart, Paul, Wong, Hao-Chi
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Teslovich, Tamara

Application Number

US11/395,274
Publication Number

US 20060174116A1
Time in Patent Office

2,199 Days
Field of Search

713/168, 713/169, 713/170, 713/175
US Class Current

713/169
CPC Class Codes

G06F 21/43   wireless channels

G06F 21/445   by mutual authentication, e...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0492   by using a location-limited...

H04L 63/065   for group communications cr...

H04L 63/18   using different networks or...

H04L 67/34   involving the movement of s...

H04L 69/16   Implementation or adaptatio...

H04L 69/162   involving adaptations of so...

H04L 69/168   specially adapted for link ...

H04L 69/329   in the application layer [O...

H04L 9/0844   with user authentication or...

H04W 12/06   Authentication

H04W 12/062   Pre-authentication

H04W 12/50   Secure pairing of devices

H04W 84/18   Self-organising networks, e...

Systems and methods for authenticating communications in a network medium

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for authenticating communications in a network medium

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links