Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1998-07-31
2001-02-20
Peeso, Thomas R. (Department: 2767)
C713S168000, C713S182000, C713S184000, C380S255000, C380S283000, C380S028000, C380S044000
active
06192474
ABSTRACT:
RELATED APPLICATIONS
The following applications, filed concurrently with the subject application, are related to the subject application and are hereby incorporated by reference in their entirety: application no. unknown entitled METHOD FOR TWO PARTY AUTHENTICATION AND KEY AGREEMENT by one of the inventors of the subject application; application no. unknown entitled METHOD FOR UPDATING SECRET SHARED DATA IN A WIRELESS COMMUNICATION SYSTEM by one of the inventors of the subject application; application no. unknown entitled METHOD FOR TRANSFERRING SENSITIVE INFORMATION USING INITIALLY UNSECURED COMMUNICATION by one of the inventors of the subject application; and application no. unknown entitled METHOD FOR SECURING OVER-THE-AIR COMMUNICATION IN A WIRELESS SYSTEM by one of the inventors of the subject application.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a password protocol and a method for establishing a key using over-the-air communication and, in one embodiment, the password protocol.
2. Description of Related Art
In a wireless communication system, the handsets, often called mobiles, purchased by mobile users are typically taken to a network service provider, and long keys and parameters are entered into the handset to activate service. The network of the service provider also maintains and associates with the mobile, a copy of the long keys and parameters for the mobile. As is well-known, based on these long keys and parameters, information can be securely transferred between the network and the mobile over the air.
Alternatively, the user receives long keys from the service provider over a secure communication channel, like a telephone/land line, and must manually enter these codes into the mobile.
Because the transfer of the long keys and parameters is performed via a telephone/land line or at the network service provider as opposed to over the air, the transfer is secure against over the air attacks. However, this method of securely transferring information places certain burdens and restrictions on the mobile user. Preferably, the mobile user should be able to buy their handsets and then get service from any service provider without physically taking the handsets to the provider's location or having to manually, and error free, enter long keys into the mobile. The capability to activate and provision the mobile remotely is part of the North American wireless standards, and is referred to as “over the air service provisioning” (OTASP).
Currently, the North American Cellular standard IS41-C specifies an OTASP protocol using the well-known Diffie-Hellman (DH) key agreement for establishing a secret key between two parties. FIG. 1 illustrates the application of the DH key agreement to establishing a secret key between a mobile 20 and a network 10 used in IS41-C. Namely, FIG. 1 shows, in a simplified form for clarity, the communication between a network 10 and a mobile 20 according to the DH key agreement. As used herein, the term network refers to the authentication centers, home location registers, visiting location registers, mobile switching centers, and base stations operated by a network service provider.
The network 10 generates a random number $R_N$, and calculates ($g^{R_N} \bmod p$). As shown in FIG. 1, the network 10 sends a 512-bit prime number p, the generator g of the group generated by the prime number p, and ($g^{R_N} \bmod p$) to the mobile 20. Next, the mobile 20 generates a random number $R_M$, calculates ($g^{R_M} \bmod p$), and sends ($g^{R_M} \bmod p$) to the network 10.
The mobile 20 raises the received ($g^{R_N} \bmod p$) from the network 10 to the power $R_M$ to obtain ($g^{R_M R_N} \bmod p$). The network 10 raises the received ($g^{R_M} \bmod p$) from the mobile 20 to the power $R_N$ to also obtain ($g^{R_M R_N} \bmod p$). Both the mobile 20 and the network 10 obtain the same result, and establish the 64 least significant bits as the long-lived key called the A-key. The A-key serves as a root key for deriving other keys used in securing the communication between the mobile 20 and the network 10.
One of the problems with the DH key exchange is that it is unauthenticated and susceptible to a man-in-the-middle attack. For instance, in the above mobile-network two party example, an attacker can impersonate the network 10 and then in turn impersonate the mobile 20 to the network 10. This way the attacker can select and know the A-key as it relays messages between the mobile 20 and the network 10 to satisfy the authorization requirements. The DH key exchange is also susceptible to off-line dictionary attacks.
Another well-known protocol for protecting the over-the-air transfer of information, such as the A-key, is the Diffie-Hellman Encrypted Key Exchange (DH-EKE). DH-EKE is a password based protocol for exchanging information, and assumes that both the mobile user and the network service provider have established a password prior to the over-the-air transfer. Unlike the DH key exchange system discussed with respect to FIG. 1, the DH-EKE protects against man-in-the-middle attacks and off-line dictionary attacks.
The DH-EKE will be described with respect to FIG. 2, which illustrates the communication between the mobile 20 and the network 10 according to the DH-EKE protocol. As shown, the mobile 20 sends a 512-bit prime number p and the generator g to the network 10 along with ($g^{R_M} \bmod p$) encrypted according to an encryption/decryption algorithm ENC using the password P, known to the mobile user and the network 10, as the encryption key. This calculation is represented as $\mathrm{ENC}_P(g^{R_M} \bmod p)$. The network 10 decrypts ($g^{R_M} \bmod p$) using the password P, and calculates $(g^{R_M} \bmod p)^{R_N}$, which equals ($g^{R_M R_N} \bmod p$). The network 10 selects ($g^{R_M R_N} \bmod p$), a hash of this value, or some portion thereof as a session key SK.
The network 10 then sends ($g^{R_N} \bmod p$) encrypted according to ENC using the password P and a random number $R_N'$ encrypted according to ENC using the session key SK to the mobile 20. The mobile 20 decrypts ($g^{R_N} \bmod p$) using the password P, and calculates $(g^{R_N} \bmod p)^{R_M}$, which equals ($g^{R_M R_N} \bmod p$). Then, the mobile 20 selects ($g^{R_M R_N} \bmod p$), the hash thereof, or a portion thereof as did the network 10 as the session key SK. Using the session key SK, the mobile 20 then decrypts $R_N'$.
Next, the mobile 20 generates a random number $R_M'$, encrypts the random numbers $R_M'$ and $R_N'$ according to ENC using the session key SK, and sends the encrypted random numbers $R_N'$ and $R_M'$ to the network 10. The network 10 decrypts the random numbers $R_N'$ and $R_M'$ using the session key SK, and determines whether the decrypted version of $R_N'$ equals the version of $R_N'$ originally sent to the mobile 20. The session key SK is verified by the network 10 when the decrypted version of $R_N'$ equals the version of $R_N'$ originally sent to the mobile 20.
The network 10 then sends the random number $R_M'$ encrypted according to ENC using the session key SK to the mobile 20. The mobile 20 decrypts the random number $R_M'$ using the session key SK, and determines whether the calculated version of $R_M'$ equals the version of $R_M'$ originally sent to the network 10. The session key SK is verified by the mobile 20 when the decrypted version of $R_M'$ equals the version of $R_M'$ originally sent to the network 10.
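The four FIG. 2 messages traced end to end, as an added Python example that is not part of the patent text. The patent does not specify ENC, so `enc` here is a hypothetical stand-in (a labelled SHA-256 keystream XOR) that shows message flow only and is not a secure instantiation; `P`, `G` and all function names are likewise assumptions.

```python
import hashlib
import secrets

P = 2**521 - 1  # constructed stand-in for the 512-bit prime p (a Mersenne prime)
G = 3           # arbitrary base for the demo, not the patent's generator g
WIDTH = 66      # bytes needed to hold a value mod P

def enc(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for ENC (hypothetical): XOR with a SHA-256 keystream bound to a
    per-message label. Self-inverse, so the same call also decrypts."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + label + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def dh_value(secret: int, base: int = G) -> bytes:
    return pow(base, secret, P).to_bytes(WIDTH, "big")

def session_key(peer_value: bytes, secret: int) -> bytes:
    """SK = hash of (g^(R_M R_N) mod p), one of the choices the text allows."""
    return hashlib.sha256(dh_value(secret, int.from_bytes(peer_value, "big"))).digest()

def dh_eke(mobile_pw: bytes, network_pw: bytes):
    """Trace the FIG. 2 messages; return (network_verified, mobile_verified)."""
    r_m, r_n = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    # 1. mobile -> network: ENC_P(g^R_M mod p); p and g are fixed constants here
    msg1 = enc(mobile_pw, b"m1", dh_value(r_m))
    # 2. network -> mobile: ENC_P(g^R_N mod p), ENC_SK(R_N')
    sk_n = session_key(enc(network_pw, b"m1", msg1), r_n)
    rn_chal = secrets.token_bytes(16)
    msg2 = enc(network_pw, b"m2", dh_value(r_n)), enc(sk_n, b"c2", rn_chal)
    # 3. mobile -> network: ENC_SK(R_M', R_N')
    sk_m = session_key(enc(mobile_pw, b"m2", msg2[0]), r_m)
    rm_chal = secrets.token_bytes(16)
    msg3 = enc(sk_m, b"c3", rm_chal + enc(sk_m, b"c2", msg2[1]))
    # Network verifies SK: decrypted R_N' must equal the R_N' it sent.
    plain3 = enc(sk_n, b"c3", msg3)
    if not secrets.compare_digest(plain3[16:], rn_chal):
        return False, False  # network aborts; mobile never gets message 4
    # 4. network -> mobile: ENC_SK(R_M'); mobile verifies SK the same way.
    msg4 = enc(sk_n, b"c4", plain3[:16])
    return True, secrets.compare_digest(enc(sk_m, b"c4", msg4), rm_chal)
```

With matching passwords both sides verify SK; with mismatched passwords the two sides derive different session keys and the network's check on $R_N'$ fails.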
Once the network 10 and the mobile 20 have verified the session key SK, the session key SK is use
Berenzweig Adam L.
Patel Sarvar
Lucent Technologies - Inc.
Peeso Thomas R.