Secure association

US 9,699,156 B2
Filed: 09/14/2011
Issued: 07/04/2017
Est. Priority Date: 09/14/2010
Status: Active Grant

First Claim

Patent Images

1. A method for forming secure associations between IP-enabled devices, the method comprising:

establishing, at a first network server, a first secure association between a first one of said devices and the first network server,receiving, at the first network server, from a subscriber known to a network using an authentication storage device, a declaration of ownership to the network of a second one of said devices,the first network server assigning a network realm identity to the second device,receiving, at the first network server, authentication information in response to authentication of the subscriber giving the declaration;

transferring the same authentication information from the first network server to the second device,the second network server establishing a second secure association between the second device and the second network server using the transferred authentication information,the first network server establishing a secure connection to the second network server using a third secure association, the first, second and third secure associations forming a chain of secure associations between the first device and the first network server, between the second device and the second network server, and between the first network server and the second network server, said secure connection having corresponding secure association information, the first and second network servers acting as proxies for the first and second devices, negotiating a fourth, different secure association on their behalf using the established chain of secure associations, the negotiated fourth secure association allowing the first device and the second device to communicate directly with each other in a secure manner as a result of the chain of secure associations, despite the first device having no prior communications with the second device and without the first and second devices exchanging keys or certificates, andthe first network server transferring said corresponding secure association information to both first and second devices using the first and second associations respectively, thereby providing the necessary association between the first and second IP-enabled devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To enable formation of secure associations between IP-enabled devices when they have not previously connected, a method is proposed where a declaration of ownership of a target device is made by the subscriber of a originating device and that subscriber giving that declaration is authenticated by means of a SIM card, say. The originating device establishes secure connection to a first server. The target device establishes a secure connection to a second server. Provided the first and second servers can establish a conventional IP-type SA (e.g. using IPSec or TLS), there is a chain of secure associations between the two devices. This chain is then used to build a new secure association between originating device and target Device. The first and second servers thus act as proxies for two devices respectively and negotiate the secure association on their behalf. They then transfer the new secure association information securely to the devices using the existing chain of secure associations.

16 Citations

View as Search Results

9 Claims

1. A method for forming secure associations between IP-enabled devices, the method comprising:
- establishing, at a first network server, a first secure association between a first one of said devices and the first network server,receiving, at the first network server, from a subscriber known to a network using an authentication storage device, a declaration of ownership to the network of a second one of said devices,the first network server assigning a network realm identity to the second device,receiving, at the first network server, authentication information in response to authentication of the subscriber giving the declaration;
  
  transferring the same authentication information from the first network server to the second device,the second network server establishing a second secure association between the second device and the second network server using the transferred authentication information,the first network server establishing a secure connection to the second network server using a third secure association, the first, second and third secure associations forming a chain of secure associations between the first device and the first network server, between the second device and the second network server, and between the first network server and the second network server, said secure connection having corresponding secure association information, the first and second network servers acting as proxies for the first and second devices, negotiating a fourth, different secure association on their behalf using the established chain of secure associations, the negotiated fourth secure association allowing the first device and the second device to communicate directly with each other in a secure manner as a result of the chain of secure associations, despite the first device having no prior communications with the second device and without the first and second devices exchanging keys or certificates, andthe first network server transferring said corresponding secure association information to both first and second devices using the first and second associations respectively, thereby providing the necessary association between the first and second IP-enabled devices.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein declaration of ownership is received from the subscriber authentication storage device.
  - 3. The method of claim 1, wherein receiving authentication information includes:
    - sending an authentication challenge to the subscriber authentication storage device; and
      
      receiving authentication information in response to the authentication challenge.
  - 4. The method of claim 1, wherein the step of assigning a network realm identity includes authenticating the second device using a manufacturer-provisioned identity.
  - 5. The method of claim 1, wherein the authentication storage device is a (U)SIM.

6. A system for forming secure associations between IP-enabled devices, the system comprising:
- a first network server and a second network server, the first network server and the second network server being operable to establish a first secure IP-type association therebetween, said secure association having corresponding secure association information, wherein the first network server establishes a first association with a first one of said devices, receives, from a subscriber known to the network using an authentication storage device, a declaration of ownership of a second one of said devices, assigns a network realm identity to the second device, receives authentication information in response to authentication of the subscriber giving the declaration, and transfers the same authentication information to the second device; and
  
  the second network server establishing a second secure association with the second device in accordance with the transferred authentication information,wherein the first network server transfers said corresponding secure association information to the first device using the first association and the second network server transfers said corresponding secure association information to the second device using the second association, the first network server establishing a secure connection to the second network server using a third secure association, the first, second and third secure associations forming a chain of secure associations between the first device and the first network server, between the second device and the second network server, and between the first network server and the second network server, the first and second network servers acting as proxies for the first and second devices, negotiating a fourth, different secure association on their behalf using the established chain of secure associations, the negotiated fourth secure association allowing the first device and the second device to communicate directly with each other in a secure manner as a result of the chain of secure associations, despite the first device having no prior communications with the second device and without the first and second devices exchanging keys or certificates.
- View Dependent Claims (7, 8, 9)
- - 7. The system of claim 6, wherein declaration of ownership is received from a subscriber authentication storage device.
  - 8. The system of claim 6, wherein receiving authentication information includes:
    - sending an authentication challenge to the subscriber authentication storage means; and
      
      receiving authentication information in response to the authentication challenge.
  - 9. The system of claim 6, wherein the authentication storage device is a (U)SIM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vodafone IP Licensing Limited (Vodafone Group PLC)
Original Assignee
Vodafone IP Licensing Limited (Vodafone Group PLC)
Inventors
Bone, Nicholas
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Torres-Diaz, Lizbeth

Application Number

US13/823,583
Publication Number

US 20140150063A1
Time in Patent Office

2,120 Days
Field of Search

380279, 713168-169, 726 3, 726 12
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

Secure association

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Secure association

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links