Discovery of security associations

US 8,769,288 B2
Filed: 04/29/2011
Issued: 07/01/2014
Est. Priority Date: 04/22/2011
Status: Active Grant

First Claim

Patent Images

1. A method for forming a discoverable security association between a first computing device and a second computing device, comprising:

obtaining, by the first computing device, an application program comprising a pseudo-random number generator from a fourth computing device, the application program being provisioned with a seed, the seed being associated with an identifier associated with the first computing device; and

using, by the first computing device, the pseudo-random number generator to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device;

wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device is configured to use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device;

wherein the second computing device does not have knowledge of the seed or the secret; and

wherein the third computing device comprises an intercepting server and the fourth computing device comprises a server operated by a provider.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for discovering security associations formed in communication environments. For example, a method for forming a discoverable security association between a first computing device (e.g., a first client) and a second computing device (e.g., a second client) comprises the following steps. The first computing device is provided with a seed that is used by the first computing device to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device. The secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device (e.g., an intercepting server) can use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device. By way of example, the key may be a result of an identity based authenticated key exchange.

36 Citations

View as Search Results

22 Claims

1. A method for forming a discoverable security association between a first computing device and a second computing device, comprising:
- obtaining, by the first computing device, an application program comprising a pseudo-random number generator from a fourth computing device, the application program being provisioned with a seed, the seed being associated with an identifier associated with the first computing device; and
  
  using, by the first computing device, the pseudo-random number generator to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device;
  
  wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device is configured to use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device;
  
  wherein the second computing device does not have knowledge of the seed or the secret; and
  
  wherein the third computing device comprises an intercepting server and the fourth computing device comprises a server operated by a provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 22)
- - 2. The method of claim 1, wherein the application program invokes the pseudo-random generator to generate the secret based on the seed.
  - 3. The method of claim 2, wherein the pseudo-random generator uses the seed and a value to generate the secret.
  - 4. The method of claim 3, wherein the value is a deterministic and monotonically increasing value.
  - 5. The method of claim 4, wherein the value comprises one of a time stamp value or a counter value.
  - 6. The method of claim 1, wherein the first computing device and the second computing device respectively comprise clients.
  - 7. The method of claim 1, wherein the provider comprises one of an application provider, a network provider, and an enterprise.
  - 8. The method of claim 1, wherein the third computing device comprises a conference server wherein the key is a group key used by participants in a conference call.
  - 9. The method of claim 1, wherein the seed comprises a set of numbers comprising at least one random number.
  - 10. The method of claim 1, wherein the key comprises a session key.
  - 11. The method of claim 1, wherein the key is a result of a mutually authenticated key exchange.
  - 12. The method of claim 11, wherein the mutually authenticated key exchange comprises an identity based authenticated key exchange.
  - 22. The method of claim 1, wherein the seed provided to the first computing device is different than a seed provided to the second computing device such that the secret generated by the first computing device is different than a secret generated by the second computing device.

13. A method for discovering a security association formed between a first computing device and a second computing device, comprising:
- obtaining, by a third computing device, a secret from a fourth computing device, wherein the secret is the same secret generated by the first computing device, wherein the first computing device generated the secret utilizing an application program provided thereto by the fourth computing device, the application program comprising a pseudo-random number generator provisioned with a seed associated with an identifier associated with the first computing device, wherein the first computing device used the seed to generate the secret and used the secret to compute a key for use in securing communications with the second computing device, and wherein the second computing device does not have knowledge of the seed or the secret;
  
  requesting, by the third computing device from a fifth computing device, one or more of respective private keys associated with the first computing device and the second computing device;
  
  re-computing, by the third computing device, the key based on the secret in order to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device;
  
  wherein the third computing device comprises an intercepting server, the fourth computing device comprises a server operated by a provider and the fifth computing device comprises a key management server.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein the third computing device provides a value associated with an identity associated with the first computing device to the fourth computing device such that the fourth computing device returns the secret needed by the third computing device to re-compute the key in order to intercept communications between the first computing device and the second computing device.
  - 15. The method of claim 13, wherein the third computing device also uses at least one of the private keys to re-compute the key.
  - 16. The method of claim 13, wherein the first computing device and the second computing device respectively comprise clients.
  - 17. The method of claim 13, wherein the provider comprises one of an application provider, a network provider, and an enterprise.
  - 18. The method of claim 13, wherein the key is a result of an identity based authenticated key exchange.
  - 19. The method of claim 13, wherein the third computing device comprises a conference server wherein the key is a group key used by participants in a conference call.

20. Apparatus for forming a discoverable security association between a first computing device and a second computing device, comprising:
- a memory; and
  
  a processor device coupled to the memory and configured such that;
  
  the first computing device obtains an application program comprising a pseudo-random number generator from a fourth computing device, the application program being provisioned with a seed, the seed being associated with an identifier associated with the first computing device; and
  
  the first computing device uses the pseudo-random number generator to generate a secret that is used by the first computing device to compute a key for use in securing communications with the second computing device;
  
  wherein the secret is re-computable based on knowledge of the seed and the key is re-computable based on knowledge of the secret such that a third computing device is configured to use the re-computed key to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device;
  
  wherein the second computing device does not have knowledge of the seed or the secret; and
  
  wherein the third computing device comprises an intercepting server and the fourth computing device comprises a server operated by a provider.

21. Apparatus for discovering a security association formed between a first computing device and a second computing device, comprising:
- a memory; and
  
  a processor device coupled to the memory and configured such that;
  
  a third computing device obtains a secret from a fourth computing device, wherein the secret is the same secret generated by the first computing device, wherein the first computing device generated the secret utilizing an application program provided thereto by the fourth computing device, the application program comprising a pseudo-random number generator provisioned with a seed associated with an identifier associated with the first computing device, wherein the first computing device used the seed to generate the secret and used the secret to compute a key for use in securing communications with the second computing device;
  
  the third computing device requests from a fifth computing device one or more of respective private keys associated with the first computing device and the second computing device; and
  
  the third computing device re-computes the key based on the secret in order to intercept communications between the first computing device and the second computing device unbeknownst to the first computing device and the second computing device, and wherein the second computing device does not have knowledge of the seed or the secret;
  
  wherein the third computing device comprises an intercepting server, the fourth computing device comprises a server operated by a provider and the fifth computing device comprises a key management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Sundaram, Ganapathy S., Mizikovsky, Semyon B.
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/097,184
Publication Number

US 20120272064A1
Time in Patent Office

1,159 Days
Field of Search

713/171, 380/277
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/306   intercepting packet switche...

H04L 9/0894   Escrow, recovery or storing...

Discovery of security associations

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Discovery of security associations

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links