Methods and systems for secure channel initialization

US 8,495,375 B2
Filed: 12/21/2007
Issued: 07/23/2013
Est. Priority Date: 12/21/2007
Status: Active Grant

First Claim

Patent Images

1. A method for secure channel initialization for a client network device, the method comprising:

sending a secure channel initialization request from the client network device to a server network device, the secure channel initialization request including a client ephemeral public key; and

receiving, from the server network device, a secure channel initialization response at the client network device, the secure channel initialization response including an encrypted payload and a server ephemeral public key, the encrypted payload comprising a certificate of the server network device trusted by the client network device and a certificate of the client network device, the certificate of the client network device having been created by the server network device;

computing a high entropy shared secret with the server ephemeral public key;

decrypting the payload with the high entropy shared secret;

wherein said certificate of the server network device and said certificate of the client network device are used to establish a secure session.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for secure channel initialization between a client network element and a server network element are disclosed. In accordance with one embodiment of the present disclosure, the method includes: sending a secure channel initialization request from the client network element to the server network element; receiving the secure channel initialization request at the server network element; creating a server credential and a client credential at the server network element; and sending a secure channel initialization response from the server network element to the client network element, the secure channel initialization response including the server credential and the client credential, wherein said server credential and said client credential are used to establish a secure session.

26 Citations

View as Search Results

39 Claims

1. A method for secure channel initialization for a client network device, the method comprising:
- sending a secure channel initialization request from the client network device to a server network device, the secure channel initialization request including a client ephemeral public key; and
  
  receiving, from the server network device, a secure channel initialization response at the client network device, the secure channel initialization response including an encrypted payload and a server ephemeral public key, the encrypted payload comprising a certificate of the server network device trusted by the client network device and a certificate of the client network device, the certificate of the client network device having been created by the server network device;
  
  computing a high entropy shared secret with the server ephemeral public key;
  
  decrypting the payload with the high entropy shared secret;
  
  wherein said certificate of the server network device and said certificate of the client network device are used to establish a secure session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the certificate of the server network device and the certificate of the client network device comprise Secure Socket Layer/Transport Layer Security Certificates.
  - 3. The method of claim 1, wherein the certificate of the client network device comprises a user name and password.
  - 4. The method of claim 1 wherein the client network device has a shared low-entropy secret.
  - 5. The method of claim 1, wherein the secure channel initialization response includes a message authentication code ‘
    - MAC’
      
      .
  - 6. The method of claim 5, wherein the high-entropy shared secret is used to verify the MAC in the secure channel initialization response.
  - 7. The method of claim 5, wherein encryption utilizes Simple Password Exponentiation Key Exchange.
  - 8. The method of claim 5, wherein encryption utilizes Elliptical Curve Simple Password Exponentiation Key Exchange.
  - 9. A non-transitory computer readable medium storing program code executable by a processor of a computing system for causing said computing system to perform the method of claim 1.

10. A method for secure channel initialization for a server network device, the method comprising:
- receiving a secure channel initialization request at the server network device, the secure channel initialization request including a client ephemeral public key;
  
  computing a high entropy shared secret with the client ephemeral public key;
  
  creating, at the server network device, a server certificate and a client certificate trusted by the server network device; and
  
  sending a secure channel initialization response from the server network device, the secure channel initialization response including a payload encrypted with the high entropy shared secret, the payload comprising the server certificate and the client certificate, and a server ephemeral public key;
  
  wherein said server certificate and said client certificate are used to establish a secure session.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the server certificate and client certificate comprise Secure Socket Layer/Transport Layer Security Certificates.
  - 12. The method of claim 11, wherein the client certificate is created for every secure channel initialization request.
  - 13. The method of claim 10, wherein the client certificate comprises a user name and password.
  - 14. The method of claim 13, wherein the client user name and password are generated by the server network device and added as a valid user account on the server network device for every secure channel initialization request.
  - 15. The method of claim 10 wherein the server network device has a low-entropy secret.
  - 16. The method of claim 15, wherein the server ephemeral public key is created utilizing the low-entropy shared secret.
  - 17. The method of claim 10, wherein the high-entropy shared secret is utilized to create a MAC for the secure channel initialization response.

18. A client network element adapted for secure channel initialization, the client network element comprising a processor;
- a communications subsystem; and
  
  memory;
  
  the client network element being adapted to;
  
  send from said communications subsystem a secure channel initialization request to a server network element, the secure channel initialization request including a client ephemeral public key;
  
  receive, from the server network element, at the communications subsystem a secure channel initialization response, the secure channel initialization response including an encrypted payload and a server ephemeral public key, the encrypted payload comprising a certificate of the server network trusted by the client network element and a certificate of the client network element, the certificate of the client network device having been created by the server network device;
  
  compute a high entropy shared secret with the server ephemeral public key;
  
  decrypting the payload with the high entropy shared secret;
  
  wherein said certificate of the server network element and said certificate of the client network element are used to establish a secure session.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The client network element of claim 18, wherein the certificate of the server network element and the certificate of the client network element comprise Secure Socket Layer/Transport Layer Security Certificates.
  - 20. The client network element of claim 18, wherein the certificate of the client network element comprises a user name and password.
  - 21. The client network element of claim 18 further adapted to store the certificate of the client network element in a trust store in the memory of the client network element.
  - 22. The client network element of claim 18, wherein client network element has a shared low-entropy secret.

23. A server network element adapted for secure channel initialization, the server network element comprising a processor;
- a communications subsystem; and
  
  memory;
  
  the server network element being adapted to;
  
  receive at the communications subsystem a secure channel initialization request, the secure channel initialization request including a client ephemeral public key;
  
  compute a high entropy shared secret with the client ephemeral public key;
  
  create at the processor a server certificate and a client certificate trusted by the server network element; and
  
  send from the communications subsystem a secure channel initialization response, the secure channel initialization response including a payload encrypted with the high entropy shared secret, the payload comprising the server certificate and the client certificate, and a server ephemeral public key;
  
  wherein said server credential and said client credential are used to establish a secure session.
- View Dependent Claims (24, 25, 26)
- - 24. The server network element of claim 23, wherein the server certificate and client certificate comprise Secure Socket Layer/Transport Layer Security Certificates.
  - 25. The server network element of claim 23, wherein the client certificate comprises a user name and password.
  - 26. The server network element of claim 23, wherein the server network element has a shared low-entropy secret.

27. A method for secure channel initialization between a client network element and a server network element, the method comprising the steps of:
- sending a secure channel initialization request from the client network element to the server network element, the secure channel initialization request including a client ephemeral public key;
  
  receiving the secure channel initialization request at the server network element;
  
  computing, at the server network element, a high entropy shared secret based on the client ephemeral public key;
  
  creating, at the server network element, a server certificate and a client certificate trusted by the server network element;
  
  sending a secure channel initialization response from the server network element to the client network element, the secure channel initialization response including a payload encrypted with the high entropy shared secret, the payload comprising the server certificate trusted by the client network element and the client certificate, and a server ephemeral public key;
  
  computing, at the client network element, the high entropy shared secret based on the server ephemeral public key;
  
  decrypting the payload with the high entropy shared secret at the client network element;
  
  wherein said server certificate and said client certificate are used to establish a secure session.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. The method of claim 27, wherein the server certificate and client certificate are Secure Socket Layer/Transport Layer Security Certificates.
  - 29. The method of claim 27, wherein the client certificate is a user name and password.
  - 30. The method of claim 27 wherein the server network element and client network element share a low-entropy secret.
  - 31. The method of claim 27, wherein the high-entropy shared secret is utilized to create a MAC for the secure channel initialization response.
  - 32. The method of claim 31, wherein said server ephemeral public key being created utilizing the low-entropy shared secret.
  - 33. The method of claim 31, wherein the client network element utilizes the high-entropy shared secret to verify the MAC in the secure channel initialization response.
  - 34. The method of claim 33, wherein encryption utilizes Simple Password Exponentiation Key Exchange.
  - 35. The method of claim 33, wherein encryption utilizes Elliptical Curve Simple Password Exponentiation Key Exchange.

36. A system for secure channel initialization comprising:
- a client network element, the client network element having a processor;
  
  a communications subsystem; and
  
  memory; and
  
  a server network element, the server network element having;
  
  a processor;
  
  a communications subsystem; and
  
  memory,the system being adapted to;
  
  send a secure channel initialization request from the communications subsystem of client network element to the communications subsystem of the server network element, the secure channel initialization request including a client ephemeral public key;
  
  compute, using the processor of the server network element, a high entropy shared secret with the client ephemeral public key;
  
  create, using the processor of the server network element, a server certificate and a client certificate trusted by the server network element;
  
  send a secure channel initialization response from the server network element to the client network element, the secure channel initialization response including a payload encrypted with the high entropy shared secret, the payload including the server certificate trusted by the client network element and the client certificate, and a server ephemeral public key;
  
  compute, using the processor of the client network element, the high entropy shared secret with the server ephemeral public key;
  
  decrypt, using the processor of the client network element, the payload with the high entropy shared secret;
  
  wherein said server certificate and said client certificate are used to establish a secure session.
- View Dependent Claims (37, 38, 39)
- - 37. The system of claim 36, wherein the server certificate and client certificate are Secure Socket Layer/Transport Layer Security Certificates.
  - 38. The system of claim 36, wherein the client certificate is a user name and password.
  - 39. The system of claim 36, wherein the server network element and client network element share a low-entropy secret.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Sherkin, Alexander
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US11/962,181
Publication Number

US 20090164774A1
Time in Patent Office

2,041 Days
Field of Search

None
US Class Current

713/175
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 9/0844   with user authentication or...

H04L 9/3066   involving algebraic varieti...

Methods and systems for secure channel initialization

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for secure channel initialization

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links