Process and device for authenticating subscribers to digital...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique

Reexamination Certificate


Details

C713S185000

Reexamination Certificate

active

06317830

ABSTRACT:

FIELD OF THE INVENTION
The present invention concerns a process for authenticating subscribers to one or more exchanges of a digital communication network, in particular an ISDN network, as well as a device for authenticating subscribers.
RELATED TECHNOLOGY
Digital telecommunication networks are known that feature a plurality of subscriber connections and digital exchanges. Since a subscriber connection is linked to a digital exchange via unsecured lines, intruders or eavesdroppers can tap into the lines at different points. An intruder, once having gained access to the exchange system, can use the exchange at the expense of the subscriber, even without being authorized to do so.
In the article “SECURE CCM,” published in TELESIS, vol. 16, No. 2, Jan. 1, 1989, pp. 42 through 50, XP000072004, Diffie et al. disclose, among other things, an authentication method according to which the receiver of information can ascertain the authenticity of the sender's identity. However, the known method is based on the technically very complex and therefore also costly Rivest, Shamir & Adleman (RSA) algorithm. Nor does the article give any indication of how the verification of the sender's identity could be performed cost-effectively in the sender's exchange.
In the article “ENCRYPTION AND ISDN—A NATURAL FIT,” published in International Switching Symposium 1987, Mar. 15-20, 1987, Phoenix, Ariz., U.S. pp. 863 through 869, XP002017713, O'Higgins et al. describe a method for encoded transmission of a plain text produced by a sender to a receiver via an ISDN network. In order to exchange plain text between the two subscribers in a secure manner, O'Higgins et al. propose that either a security module be implemented in each data terminal installed at the subscriber or that a security module be implemented only in the network terminator to which the data terminals are connected.
In the article “INTEGRATING CRYPTOGRAPHY IN ISDN,” published in Advances in Cryptology, Santa Barbara, Aug. 16-20, 1987, Conf. No. 7, Jan. 1, 1987, Pomerance C., pp. 9-18, XP000130200, K. Presttun describes an authentication procedure on the basis of public-key cryptography. This procedure uses a central authentication server, which contains the public keys of all users. Again, authentication takes place between the communicating subscribers themselves. One disadvantage of this known authentication procedure is that a central authentication server must be made available and, in addition, a full connection must be established before the authentication procedure proper can begin, which not only entails expense but is also technically complex.
Therefore, the object of the invention is to make misuse of the exchange by unauthorized intruders difficult or even impossible.
The present invention is implemented in a digital communication network, in particular an ISDN network. Such a digital communication network includes, as is known, a plurality of exchanges, at least one network termination installed at the subscriber, to which at least one data terminal, such as telephone sets, personal computers, or fax machines, can be connected. Undesired use of an exchange by an intruder is prevented by providing at least one first authentication module to each subscriber; said authentication module is capable of receiving an identification carrier; in addition, at least one second authentication module capable of receiving a second identification carrier is provided in the exchange, with both authentication modules being capable of encoding and/or decoding and exchanging information with each other, with a subscriber-specific cryptographic key for unilateral or bilateral authentication.
Connection-specific assemblies containing the second authentication module are installed at each exchange. This embodiment is, however, expensive and complex, since the exchanges must be rebuilt.
A more cost-effective method, which can be implemented in a simpler manner, consists of installing additional assemblies, based on the existing digital exchange, between the exchange and the respective network terminations. The respective second authentication module for each subscriber connection is installed in these additional assemblies.
The first authentication module of a given connection owner is advantageously arranged in the network termination corresponding to each subscriber connection. In this case a single authentication module is sufficient even if the owner has connected up to eight data terminals to the network termination via an S0 bus. It is perfectly possible to equip each data terminal of a given network termination with its own authentication module and its own identification carrier. Another alternative may consist of connecting a security device containing the corresponding authentication module between each data terminal and its network termination. It can be easily seen, however, that both of the latter implementation options are complex and costly, since each data terminal requires both its own authentication module and a connection-specific identification carrier.
The information to be exchanged between the two authentication modules to authenticate the subscriber connection contains the address of a certain subscriber connection, a command sequence, which may contain, for example, the request for the first authentication module to encode the incoming information, and a random number. If the digital communication network is an ISDN network, the exchange of information between the first authentication module and the second authentication module takes place via the D channel of the ISDN network.
Each identification carrier can then store an individual cryptographic key that is specific to a given subscriber connection owner. The identification carrier may be a smart card that can be inserted by the owner of a subscriber connection in the first authentication module and by an employee of the network operator in the second authentication module. An advantageous alternative provides a software module as the identification carrier, which can be used interchangeably in the respective authentication module.
In an advantageous refinement, the first authentication module can encode additional confidential connection establishment and/or service information and the second authentication module, assigned to the exchange, can decode the information thus encoded.
Since the establishment of a connection and/or service information requires a higher bit rate than authentication information, it is convenient that separate cryptographic modules be installed for the first and second authentication modules exclusively for encoding and decoding the connection establishment and/or service information.
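The following is an added illustration of the authentication exchange described above (address, command sequence and random number sent from the exchange-side module, encoded by the subscriber-side module with the key held on its identification carrier, and checked by the exchange), in both the unilateral and the bilateral form. It is not code from the patent or from any network operator. The patent does not name the encoding function, so HMAC-SHA256 stands in for the subscriber-key encoding; the subscriber address, the key bytes and the command names are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (not from the patent): the address of one subscriber
# connection and the subscriber-specific key held on both identification carriers,
# i.e. the card in the network termination and the card in the exchange-side module.
SUBSCRIBER_ADDRESS = "+49 30 555 1234"
SUBSCRIBER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

CMD_ENCODE = "ENCODE"  # exchange asks the first module to encode the incoming information
CMD_PROVE = "PROVE"    # bilateral case: subscriber side asks the exchange to prove itself


@dataclass(frozen=True)
class Challenge:
    """The information carried over the D channel: address, command sequence, random number."""
    address: str
    command: str
    nonce: bytes

    def serialize(self) -> bytes:
        # Length-prefixed fields, so two different challenges never share one encoding.
        parts = [self.address.encode(), self.command.encode(), self.nonce]
        return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def keyed_encode(key: bytes, data: bytes) -> bytes:
    """Stand-in (assumption) for the patent's unspecified subscriber-key encoding: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_challenge(address: str, command: str, nonce: Optional[bytes] = None) -> Challenge:
    """Build a challenge; the random number is fresh for every attempt unless supplied for tests."""
    return Challenge(address, command, nonce if nonce is not None else secrets.token_bytes(16))


def respond(challenge: Challenge, carrier_key: bytes) -> bytes:
    """First (subscriber-side) module: encode the received information with the card's key."""
    if challenge.command != CMD_ENCODE:
        raise ValueError("first module only answers ENCODE requests")
    return keyed_encode(carrier_key, challenge.serialize())


def verify(challenge: Challenge, response: bytes, key: bytes) -> bool:
    """Verifier side: recompute the expected encoding and compare in constant time."""
    expected = keyed_encode(key, challenge.serialize())
    return hmac.compare_digest(expected, response)


def authenticate_connection(exchange_key: bytes, carrier_key: bytes,
                            nonce: Optional[bytes] = None) -> bool:
    """Unilateral run: the exchange challenges, the network termination answers, the exchange checks."""
    ch = make_challenge(SUBSCRIBER_ADDRESS, CMD_ENCODE, nonce)
    return verify(ch, respond(ch, carrier_key), exchange_key)


def mutual_authenticate(exchange_key: bytes, carrier_key: bytes) -> bool:
    """Bilateral run: each side proves knowledge of the key against the other side's random number.
    A distinct command in each direction keeps an encoding from being reflected back as an answer."""
    if not authenticate_connection(exchange_key, carrier_key):
        return False
    ch = make_challenge(SUBSCRIBER_ADDRESS, CMD_PROVE)   # issued by the subscriber side
    proof = keyed_encode(exchange_key, ch.serialize())    # computed in the exchange
    return verify(ch, proof, carrier_key)                 # checked by the network termination


if __name__ == "__main__":
    ch = make_challenge(SUBSCRIBER_ADDRESS, CMD_ENCODE)
    resp = respond(ch, SUBSCRIBER_KEY)
    print("genuine card:", verify(ch, resp, SUBSCRIBER_KEY))
    print("wrong key:", verify(ch, respond(ch, bytes(32)), SUBSCRIBER_KEY))
    replay = make_challenge(SUBSCRIBER_ADDRESS, CMD_ENCODE)
    print("old answer against a new random number:", verify(replay, resp, SUBSCRIBER_KEY))
    print("bilateral:", mutual_authenticate(SUBSCRIBER_KEY, SUBSCRIBER_KEY))
```

The random number is what makes a recorded answer useless for a later attempt: the exchange only accepts an encoding of the challenge it just issued. Binding the address and the command into the encoded data, and using a different command per direction in the bilateral case, means an answer produced for one connection or one direction cannot be presented as proof for another.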


REFERENCES:
patent: 5036461 (1991-07-01), Elliott et al.
patent: 5253295 (1993-10-01), Saada et al.
patent: 5297192 (1994-03-01), Gerszberg
patent: 5307411 (1994-04-01), Anvret et al.
patent: 5347580 (1994-09-01), Molva et al.
patent: 5357563 (1994-10-01), Hamilton et al.
patent: 5488649 (1996-01-01), Schellinger
patent: 5544245 (1996-08-01), Tsubakiyama
patent: 39 05 667 (1980-08-01), None
patent: 39 19 734 (1990-12-01), None
patent: 41 38 861 (1992-10-01), None
patent: 41 20 398 (1993-01-01), None
patent: 94 17 399 (1995-04-01), None
patent: 43 39 460 (1995-04-01), None
patent: 43 35 161 (1995-04-01), None
patent: 44 06 602 (1995-09-01), None
patent: 0 618 713 (1994-10-01), None
patent: 2 619 941 (1989-03-01), None
Diffie W. et al.: “Secure CCM”, Telesis, vol. 16, No. 2, Jan. 1, 1989, pp. 42-50, XP000072004.
O'Higgins et al.: “Encryption and ISDN—A Natural Fit”, International Switching Symposium 1987, Mar. 15-20, 1987, Phoenix, Arizona USA, pp. 863-869, XP002017713.
Presttun K.: “Integrating Cryptography in ISDN”, Advances in Cryptology, Santa Barbara, Aug. 16-20, 1987, Conf. No. 7, Jan. 1, 1987, Pomerance C., pp. 9-18, XP000130200.
Gasser et al.: “The Digital Distributed System Architecture”, Proc. 12th Nat. Computer Security Conf., Oct. 1989, pp. 305-319, XP002017714.
Ford W E
