45 results about "Authenticated Key Exchange" patented technology

Disclosed relates to an access control system and method based on hierarchical keys. The system comprises an access control server (ACS), a home gateway, and a plurality of sensor devices disposed on a home network. The ACS sets up user's access limits of authority and authorization verifier, and saves the related data of user's password and the user's access limits of authority. The gateway records the authority limits' level and the authority limits' key which are constructed based on a hierarchical key structure. When a user logs in the ACS to request access, an one-time communication key between the user and the home gateway is established by exchanging the ticket and the token that are issued by the ACS. This allows the user to access the information of the sensor devices.

Apparatus, methods, and computer program products are disclosed that enable a first computer and a second computer to mutually authenticate each other over a network. A first computer sends first authentication evidence to a second computer. The first authentication evidence is used to prove to the second computer that the first computer has access to a first plurality of authentication secrets without exposing the first plurality of authentication secrets. In addition, the second computer sends second authentication evidence to the first computer. The second authentication evidence is used to prove to the first computer that the second computer has access to a second plurality of authentication secrets without exposing the second plurality of authentication secrets. The first plurality of authentication secrets is related to the second plurality of authentication secrets. Thus, the first computer is authenticated to the second computer and the second computer is authenticated to the first computer.

An automated security provisioning protocol is provided for wide area network communication devices in an open device environment, such as cellular communication devices in a machine-to-machine (M2M) environment. For example, a method for performing a security provisioning protocol between a first communication device and a second communication device over at least one wide area communication network comprises the following steps from the perspective of the first communication device. The first communication device automatically uses access information not previously provisioned in the wide area communication network to gain access to the wide area communication network for an initial purpose of communicating with the second communication device. The first communication device, upon gaining access to the wide area communication network, automatically performs an authenticated key exchange operation with the second communication device over the wide area communication network and establishes a secure communication key as a result of the authenticated key exchange operation for subsequent use by the first communication device for secure communications. The wide area communication network is operated by a first entity and the second communication device is operated by a second entity.

Briefly, in accordance with one embodiment of the invention, a pairwise master key may be utilized to generate nonces for authenticated key exchange during a rekeying event in a wireless local area network.

System and method for providing secure communications is provided. Initially, an exchange protocol, such as a password-authenticated key exchange protocol, is used to create a shared secret. From the shared secret, two keys are created: a utilized key and a stored key. The utilized key is used to encrypt messages between nodes. When it is time to replace the utilized key to maintain security, the stored key is utilized to encrypt messages for generating/distributing a new shared secret. The new shared secret is then used to generate a new utilized key and a new stored key. This process may be repeated any number of times to maintain security.

Principles of the invention provide one or more secure key management protocols for use in a communication environment such as a conferencing system. For example, a method for managing a conference between two or more parties in a communication system comprises the following steps. An identity based authenticated key exchange operation is performed between a conference management element of the communication system and each of the two or more parties seeking to participate in the conference, wherein messages exchanged between the conference management element and the two or more parties are encrypted based on respective identities of recipients of the messages, and further wherein the conference management element receives from each party during the key authentication operation a random key component that is computed based on a random number selected by the party. The conference management element sends to each party a set comprising the random key components computed by the parties. The conference management element receives from each party a random group key component, wherein the random group key component is computed by each party via a computation based on the random number used by the party during the key authentication operation and the random key components computed by a subset of others of the two or more parties seeking to participate in the conference. The conference management element sends to each party a set comprising the random group key components computed by the parties such that each party can compute the same group key for use in communicating with each other party through the conference management element.

A secure protocol is provided which uses a Diffie-Hellman type shared secret, but modified such that the two parties may authenticate each other using a shared password. In accordance with the invention, a party generates the Diffie-Hellman value g^x and combines it with a function of at least the password using a group operation, wherein any portion of a result associated with the function that is outside the group is randomized. The resulting value is transmitted to the other party. The group operation is defined for the particular group being used. Every group has a group operation and a corresponding inverse group operation. Upon receipt of the value, the other party performs the inverse group operation on the received value and the function of at least the password, and removes the randomization of any portion of the result associated with the function that is outside the group, to extract g^x such that the other party may then generate the shared secret g^xy using its knowledge of y.

A server (120) uses a password (π) to construct a multiplicative group (Z_N*) with a (hidden) smooth order subgroup (<x′>), where the group order (P_π) depends on the password. The client (110) uses its knowledge of the password to generate a root extraction problem instance (z) in the group and to generate data (y) allowing the server to construct a discrete logarithm problem instance (y′) in the subgroup. The server uses its knowledge of the group order to solve the root extraction problem, and solves the discrete logarithm problem efficiently by leveraging the smoothness of the subgroup. A shared key (sk) can be computed as a function of the solutions to the discrete logarithm and root extraction problem instances. In some embodiments, in an oblivious transfer protocol, the server queries the client (at 230) for data whose position in a database (210) is defined by the password. The client provides (240) such data without knowing the data position associated with the server's query. The client obtains the data position independently from the password. The data positions and/or the respective data are used for authentication and shared secret key generation. Other embodiments are also provided.

A system (and method) to update content of a secure area of a secure digital (SD) card is disclosed. The system performs a first authenticated key exchange to access the secure area of the secure digital memory. The system reads content from the secure area in response to successful performance of the first authenticated key exchange. The system modifies the content in a memory of a computer system. The system performs a second authenticated key exchange to access the secure area of the secure digital card in preparation to write to the secure area of the secure digital memory. The system then writes modified content to the secure area of the secure digital memory in response to successful performance of the second authenticated key exchange.

The invention discloses a heterogeneous network end-to-end authentication secret key exchange method based on a space-sky information network. The method includes a mobile terminal registering step, a secret key establishment request step, an end-to-end authentication secret key exchange step and a password update step, which are conducted in sequence. A common session key can be established for two mobile terminals in two different trust domains while the identities of the mobile terminals are verified, so end-to-end secure communication is achieved. On the basis of symmetric encryption and the design of a Hash function, public key password operation that is time consuming is not used, so the method completely meets application demands of limited resources of the mobile terminals in a space-sky information network. The calculating cost of a server is low, and congestion will not occur due to frequent requests of the mobile terminals. Moreover, a dual-factor authentication mode of both an intelligent card and a password is adopted, so higher security is exhibited. Identity information of the mobile terminals is hidden in public information, so the mobile terminals are anonymous in identity.

The present invention relates to securing information in open systems and more particularly to a method and a system for providing authentication, confidentiality and integrity protection of arbitrary communication services. A client that wishes to communicate with a particular service downloads a signed program code from that service containing code necessary for doing authenticated key exchange with that service. The client is assumed to support only two basic cryptographic functions: signing of arbitrary data by using a public key algorithm together with a one way hash function, and verifying a public key signature of arbitrary data. By allowing the security protocol needed for key exchange and data communication protection to be downloaded the number of predefined security functions that a client or server needs to support is limited. This also makes it much easier to update the communication protection since only the server program needs to be updated.

The invention discloses an authentication key exchange method based on a message recovery signature, and mainly solves the problems of relatively large communication traffic and relatively weak security in an original scheme. The method comprises the following implementation steps: each user generates a digital signature public and private key pair; the first user generates a secret key packagingpublic and private key pair of the first user and signs and sends the secret key packaging public and private key pair; the second user verifies the signature sent by the first user; the second user encapsulates the key and generates a hash value of the session process; the second user signs the ciphertext and the Hash value of the session process and sends the ciphertext and the Hash value to thefirst user; the first user verifies the signature sent by the second user; the first user de-packages and verifies the hash value of the session process; and both parties calculate session keys. Theauthentication key exchange protocol is constructed through the digital signature with the message reply mode and the key packaging mechanism, the communication traffic is saved, the security of the protocol is improved, and the method can be used for the Internet of Vehicles and ground-air communication.

The invention discloses a method for transforming an unauthenticated key exchange protocol into an authenticated key exchange protocol. DSig=(Gen, Sig,Ver) is set as a standard digital signature algorithm by a digital signature method, wherein Gen is a key generation algorithm; Sig is a signature algorithm; Ver is a signature verification algorithm; and Gen generates a pair of signature/verification key pair for a user Ui. Simultaneously, the invention is an authenticated key exchange protocol and is used for fulfilling the aim of sharing one common conversion key among unacquainted members in a published network through interaction. The method for transforming the unauthenticated key exchange protocol into the authenticated key exchange protocol makes up security flaws of the conventional method and has higher security, and simultaneously compared with the conventional method, the method has the advantages of improvement on the calculation amount and communication traffic, and better application prospect.

System and method for securely deploying a virtual machine in a data center is disclosed. In one embodiment, public keys are established between the requesting virtual machine and the deployed virtual machine, so that authentication and communication between the machines can occur using the public keys. In another embodiment, a secret private key is established between the requesting virtual machine and the deployed virtual machine using a password authenticated key exchange protocol. Authentication and communication between the machines is then established using the secret private key.