US2020295933A1PendingUtilityA1

Method and system for managing application security keys for user and M2M devices in a wireless communication network environment

55
Assignee: M2MD TECH INCPriority: Mar 17, 2016Filed: Nov 12, 2018Published: Sep 17, 2020
Est. expiryMar 17, 2036(~9.7 yrs left)· nominal 20-yr term from priority
H04W 12/0433H04W 12/041H04W 12/069H04W 12/40H04W 4/70H04L 63/08H04L 63/166H04L 63/061H04L 9/3242H04W 88/02H04L 9/0891H04W 12/0401H04W 12/0609H04W 12/04033H04W 12/004
55
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Pre Shared Keys (“PSK”) for application and data session security are generated using application authentication secret values stored in a SIM device/card. The SIM internally uses the secret values as inputs to a security algorithm engine, but the secret values are not accessible outside of the SIM. The application authentication secret values cannot be used to authenticate the SIM, or a device that includes the SIM, to a communication network. Rather, symmetric keys and keying material are generated for use by applications outside of the standard and conventional wireless networking uses of a SIM device. Updated PSKs are generated at different network endpoints such that the PSKs are generated individually and separately at the endpoints; the ‘preshared’ keys are not actually shared. Thus, a client endpoint and a server endpoint, or an endpoint associated with the server, independently generate the same PSK without the PSK being transmitted between the endpoints.

Claims

exact text as granted — not AI-modified
1 - 20 . (canceled) 
     
     
         21 . A device, comprising:
 a processor to:
 conduct a secure data communication session with a second device using a symmetric key encryption/decryption algorithm; 
 wherein the processor does not use an asymmetric key to exchange a symmetric key that is to be used for the secure data session; and 
   an application authentication algorithm input memory portion for storing network authentication input values that correspond uniquely to the communication device and that are used in the generation of a pre-shared key, which is used in the generation of the symmetric key.   
     
     
         22 . The device of  claim 21  wherein the application authentication algorithm input memory portion is included in an identity module. 
     
     
         23 . The device of  claim 21  wherein one or more of the network authentication input values are stored in elementary files. 
     
     
         24 . The device of  claim 21  wherein the communication device is a machine-to-machine device and the application authentication algorithm input memory portion is a portion of a SIM. 
     
     
         25 . The device of  claim 21  wherein the processor causes the performing of more than one pass of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key in generation of the pre-shared key. 
     
     
         26 . The device of  claim 21  wherein the pre-shared key is not shared with second device with which the first device conducts the data communication session. 
     
     
         27 . A method, comprising:
 conducting a data communication session with a communication device using a symmetric key encryption/decryption algorithm without conducting another data communication session that uses an asymmetric key to exchange a symmetric key that is to be used for the secure data session, wherein the communication device includes an application authentication algorithm input memory portion for storing network authentication inputs that correspond uniquely to the communication device and that are used in the generation of a pre-shared key, which is used in the generation of the symmetric key.   
     
     
         28 . The method of  claim 27  wherein the application authentication algorithm input memory portion is included in an identity module. 
     
     
         29 . The method of  claim 27  wherein the generation of the pre-shared key and the generating of the symmetric key are performed according to a Milenage symmetric-key-generating algorithm. 
     
     
         30 . The method of  claim 27  wherein one or more of the network authentication inputs are stored in elementary files. 
     
     
         31 . The method of  claim 27  wherein the communication device is a machine-to-machine device and the application authentication algorithm input memory portion is a portion of a SIM. 
     
     
         32 . The method of  claim 27  wherein the generation of the pre-shared key includes performing more than one pass of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key. 
     
     
         33 . The method of  claim 27  wherein the pre-shared key is not shared with another communication device with which the communication device conducts the data communication session. 
     
     
         34 . A method, comprising:
 receiving at a first network endpoint from a second network endpoint a message requesting that the first endpoint update an existing pre-shared key that is unique to the first endpoint for use for a secure communication session;   transmitting a pre-shared key identifier (PSK-ID) from the first endpoint to the second network endpoint;   receiving at the first endpoint a remote endpoint authentication value from the second network endpoint, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second endpoint and that is associated with the pre-shared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC);   generating a result value (RES) by processing secret data that is associated in an identity module corresponding to the first endpoint if the received network authentication code (MAC) equals the expected network authentication code (XMAC),   transmitting the result value RES from the first endpoint to the second endpoint; and   generating at the first endpoint a new pre-shared key to replace the existing pre-shared key when the first endpoint receives a message from the second endpoint that the second endpoint has successfully generated a new pre-shared key for use for secure communication to the first endpoint.   
     
     
         35 . The method of  claim 34  wherein the first endpoint is a SIM card of a wireless communication device. 
     
     
         36 . The method of  claim 34  wherein the second endpoint is a pre-shared key generator. 
     
     
         37 . The method of  claim 36  wherein the pre-shared key generator is part of a communication network that includes an application server with which the first endpoint seeks to establish the secure session. 
     
     
         38 . The method of  claim 35  wherein the SIM card contains an application authentication algorithm input memory portion for storing application authentication inputs, including the secret data, used by an authentication algorithm processing engine that is to generate the pre-shared key that matches the new pre-shared key generated by the second endpoint, and wherein the SIM card contains an application dedicated file that is different from an application dedicated file that is used to store information used by a network operator and that points to the application authentication algorithm input memory portion to be used by the authentication algorithm processing engine to generate the PSK. 
     
     
         39 . The method of  claim 38  wherein the pre-shared key includes outputs generated from more than one execution of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key in generation of the pre-shared key. 
     
     
         40 . The method of  claim 39  wherein each of the more than one execution of the portion of a symmetric-key-generating algorithm uses a different set of authentication algorithm inputs stored in the application authentication algorithm input memory portion.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.