Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Security kernel or utility
Reexamination Certificate
1998-07-31
2001-06-19
Peeso, Thomas R. (Department: 2767)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Security kernel or utility
C713S171000, C713S152000, C713S152000, C380S255000, C380S258000, C380S278000, C380S283000
Reexamination Certificate
active
06249867
ABSTRACT:
RELATED APPLICATIONS
The following applications, filed concurrently with the subject application, are related to the subject application and are hereby incorporated by reference in their entirety: application Ser. No. 09/127,767 entitled METHOD FOR TWO PARTY AUTHENTICATION AND KEY AGREEMENT by the inventor of the subject application; application Ser. No. 09/127,768 entitled METHOD FOR UPDATING SECRET SHARED DATA IN A WIRELESS COMMUNICATION SYSTEM by the inventor of the subject application; Ser. No. 09/127,045 entitled METHOD FOR SECURING OVER-THE-AIR COMMUNICATION IN A WIRELESS SYSTEM by the inventor of the subject application; Ser. No. 09/127,769 entitled METHOD FOR ESTABLISHING A KEY USING OVER-THE-AIR COMMUNICATION AND PASSWORD PROTOCOL AND PASSWORD PROTOCOL by the inventor of the subject application and Adam Berenzweig.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a method for transferring sensitive information using initially unsecured communication.
2. Description of Related Art
Certain initially unsecured communication, such as over-the-air communication, often provide great communication flexibility and efficiency as compared to initially secure forms of communication such as dedicated communication channels. Unfortunately, because communication such as over-the-air communication channels are initially unsecured, an attacker can detrimentally disrupt communication between two parties.
In a wireless communication system, the handsets, often called mobiles, purchased by mobile users are typically taken to a network service provider, and long keys and parameters are entered into the handset to activate service. The network of the service provider also maintains and associates with the mobile, a copy of the long keys and parameters for the mobile. As is well-known, based on these long keys and parameters, information can be securely transferred between the network and the mobile over-the-air.
Alternatively, the user receives the long keys over a secure communication channel (e.g., landline or mail), and must manually enter these codes into the mobile.
Because the transfer of the long keys and parameters is performed over a secure communication channel or at the network service provider as opposed to over-the-air, the transfer is secure against over-the-air attacks. However, this method of securely transferring information places certain burdens and restrictions on the mobile user. Preferably, the mobile user should be able to buy their handsets and then get service from any service provider without physically taking the handsets to the provider's location or manually entering long codes. The capability to activate and provision the mobile remotely is part of the North American wireless standards, and is referred to as “over-the-air service provisioning” (OTASP).
Currently, the North American Cellular standard IS41-C species an OTASP protocol using the well-known Diffe-Hellman (DH) key agreement for establishing a secret key between two parties (i.e., for transferring sensitive information) over an initially unsecure communication channel.
FIG. 1
illustrates the application of the DH key agreement to establishing a secret key between a mobile and a network used in IS41-C. Namely,
FIG. 1
shows, in a simplified form for clarity, the communication between a network
10
and a mobile
20
according to the DH key agreement. As used herein, the term network refers to the authentication centers, home register locations, visiting location registers, mobile switching centers, and base stations operated by a network service provider.
The network
10
generates a random number R
N
, and calculates (g{circumflex over ( )}R
N
mod p). As shown in
FIG. 1
, the network
10
sends a 512-bit prime number p, a generator g of the group generated by p, and (g{circumflex over ( )}R
N
mod p) to the mobile
20
. Next, the mobile
20
generates a random number R
M
, calculates (g{circumflex over ( )}R
M
mod p), and sends (g{circumflex over ( )}R
M
mod p) to the network
10
.
The mobile
20
raises the received (g{circumflex over ( )}R
N
mod p) from the network
10
to the power R
M
to obtain (g{circumflex over ( )}R
M
R
N
mod p). The network
10
raises the received (g{circumflex over ( )}R
M
mod p) from the mobile
20
to the power R
N
to also obtain (g{circumflex over ( )}R
M
R
N
mod p). Both the mobile
20
and the network
10
obtain the same result, and establish the 64 least significant bits as the long-lived key called the A-key. The A-key serves as a root key for deriving other keys used in securing the communication between the mobile
20
and the network
10
.
One of the problems with the DH key exchange is that it is unauthenticated and susceptible to a man-in-the-middle attack. For instance, in the above mobile-network two party example, an attacker can impersonate the network
10
and then in turn impersonate the mobile
20
to the network
10
. This way the attacker can select and know the A-key as it relays messages between the mobile
20
and the network
10
to satisfy the authorization requirements. The DH key exchange is also susceptible to off-line dictionary attacks.
Another protocol for transferring sensitive information using initially unsecured communication information initially is the Carroll-Frankel-Tsiounis (CFT) key distribution protocol (See Carroll et. al., Efficient key distribution for slow computing devices: Achieving fast over the air activation for wireless systems, IEEE Symposium on Security and Privacy, May 1998). The CFT key distribution protocol relies on the assumption that one party possesses the public key of certificate authority (CA). For purposes of discussion, this protocol will be described in detail in the context of over-the-air communication between the network
10
and the mobile
20
.
A CA is a trustworthy body with its own special key. More specifically, the CA has a public key PK
CA
and a secret decrypting key dk
CA
. A network service provider, for example, goes to the CA and requests that the CA sign their public key PK
net
. Namely, the CA hashes the public key PK
net
along with other information, and generates a certificate for the network equal to ENC
dkCA
(h(PK
net
+other information)), which is the decryption of the hash of PK
net
and the other information using an encryption/decryption algorithm ENC and dk
CA
as the decryption key. A party with knowledge of PK
CA
, then, can encrypt the certificate to obtain the hash of PK
net
and the other information. The other information represents any other information the network wants to convey with its public key.
The CFT key distribution protocol will now be described with respect to FIG.
2
.
FIG. 2
shows, in a simplified form for clarity, the communication between the network
10
and the mobile
20
according to the CFT key distribution protocol. As shown, the network
10
sends its public key PK
net
, other information, and the certificate to the mobile
20
. Using the public key PK
CA
of the CA, the mobile
20
obtains the hash of the public key PK
net
plus the other information from the certificate. The mobile
20
also hashes the public key PK
net
plus the other information received in the clear from the network
10
.
The mobile
20
then verifies the authenticity of the public key PK
net
if the result of the hash matches that obtained from the certificate. Having verified the authenticity of the public key PK
net
, the mobile
20
, using a random number generator disposed therein, generates a first random number as a session key SK and generates a second random number AP for verification purposes. The mobile
20
encrypts the session key SK and the random number AP according to an encryption/decryption algorithm ENC using the public key PK
net
. The expression ENC
PKnet
(SK, AP) represents this encryption, and sends the encrypted result to the network
10
.
The network
10
decodes the output of the mobile
20
using the decrypting key dk
net
, associated with the publi
Lucent Technologies - Inc.
Peeso Thomas R.
LandOfFree
Method for transferring sensitive information using... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method for transferring sensitive information using..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method for transferring sensitive information using... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2483058