Method and system for managing application security keys for user and M2M devices in a wireless communication network environment
Abstract
Pre Shared Keys (“PSK”) for application and data session security are generated using application authentication secret values stored in a SIM device/card. The SIM internally uses the secret values as inputs to a security algorithm engine, but the secret values are not accessible outside of the SIM. The application authentication secret values cannot be used to authenticate the SIM, or a device that includes the SIM, to a communication network. Rather, symmetric keys and keying material are generated for use by applications outside of the standard and conventional wireless networking uses of a SIM device. Updated PSKs are generated at different network endpoints such that the PSKs are generated individually and separately at the endpoints; the ‘preshared’ keys are not actually shared. Thus, a client endpoint and a server endpoint, or an endpoint associated with the server, independently generate the same PSK without the PSK being transmitted between the endpoints.
Claims
exact text as granted — not AI-modified1 - 20 . (canceled)
21 . A device, comprising:
a processor to:
conduct a secure data communication session with a second device using a symmetric key encryption/decryption algorithm;
wherein the processor does not use an asymmetric key to exchange a symmetric key that is to be used for the secure data session; and
an application authentication algorithm input memory portion for storing network authentication input values that correspond uniquely to the communication device and that are used in the generation of a pre-shared key, which is used in the generation of the symmetric key.
22 . The device of claim 21 wherein the application authentication algorithm input memory portion is included in an identity module.
23 . The device of claim 21 wherein one or more of the network authentication input values are stored in elementary files.
24 . The device of claim 21 wherein the communication device is a machine-to-machine device and the application authentication algorithm input memory portion is a portion of a SIM.
25 . The device of claim 21 wherein the processor causes the performing of more than one pass of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key in generation of the pre-shared key.
26 . The device of claim 21 wherein the pre-shared key is not shared with second device with which the first device conducts the data communication session.
27 . A method, comprising:
conducting a data communication session with a communication device using a symmetric key encryption/decryption algorithm without conducting another data communication session that uses an asymmetric key to exchange a symmetric key that is to be used for the secure data session, wherein the communication device includes an application authentication algorithm input memory portion for storing network authentication inputs that correspond uniquely to the communication device and that are used in the generation of a pre-shared key, which is used in the generation of the symmetric key.
28 . The method of claim 27 wherein the application authentication algorithm input memory portion is included in an identity module.
29 . The method of claim 27 wherein the generation of the pre-shared key and the generating of the symmetric key are performed according to a Milenage symmetric-key-generating algorithm.
30 . The method of claim 27 wherein one or more of the network authentication inputs are stored in elementary files.
31 . The method of claim 27 wherein the communication device is a machine-to-machine device and the application authentication algorithm input memory portion is a portion of a SIM.
32 . The method of claim 27 wherein the generation of the pre-shared key includes performing more than one pass of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key.
33 . The method of claim 27 wherein the pre-shared key is not shared with another communication device with which the communication device conducts the data communication session.
34 . A method, comprising:
receiving at a first network endpoint from a second network endpoint a message requesting that the first endpoint update an existing pre-shared key that is unique to the first endpoint for use for a secure communication session; transmitting a pre-shared key identifier (PSK-ID) from the first endpoint to the second network endpoint; receiving at the first endpoint a remote endpoint authentication value from the second network endpoint, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second endpoint and that is associated with the pre-shared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC); generating a result value (RES) by processing secret data that is associated in an identity module corresponding to the first endpoint if the received network authentication code (MAC) equals the expected network authentication code (XMAC), transmitting the result value RES from the first endpoint to the second endpoint; and generating at the first endpoint a new pre-shared key to replace the existing pre-shared key when the first endpoint receives a message from the second endpoint that the second endpoint has successfully generated a new pre-shared key for use for secure communication to the first endpoint.
35 . The method of claim 34 wherein the first endpoint is a SIM card of a wireless communication device.
36 . The method of claim 34 wherein the second endpoint is a pre-shared key generator.
37 . The method of claim 36 wherein the pre-shared key generator is part of a communication network that includes an application server with which the first endpoint seeks to establish the secure session.
38 . The method of claim 35 wherein the SIM card contains an application authentication algorithm input memory portion for storing application authentication inputs, including the secret data, used by an authentication algorithm processing engine that is to generate the pre-shared key that matches the new pre-shared key generated by the second endpoint, and wherein the SIM card contains an application dedicated file that is different from an application dedicated file that is used to store information used by a network operator and that points to the application authentication algorithm input memory portion to be used by the authentication algorithm processing engine to generate the PSK.
39 . The method of claim 38 wherein the pre-shared key includes outputs generated from more than one execution of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key in generation of the pre-shared key.
40 . The method of claim 39 wherein each of the more than one execution of the portion of a symmetric-key-generating algorithm uses a different set of authentication algorithm inputs stored in the application authentication algorithm input memory portion.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.