WO2014084711A1 - A system and method for duty-shared authenticated group key transport - Google Patents

A system and method for duty-shared authenticated group key transport Download PDF

Info

Publication number
WO2014084711A1
WO2014084711A1 PCT/MY2013/000197 MY2013000197W WO2014084711A1 WO 2014084711 A1 WO2014084711 A1 WO 2014084711A1 MY 2013000197 W MY2013000197 W MY 2013000197W WO 2014084711 A1 WO2014084711 A1 WO 2014084711A1
Authority
WO
WIPO (PCT)
Prior art keywords
group
key
session
secure
initiator
Prior art date
Application number
PCT/MY2013/000197
Other languages
French (fr)
Inventor
Geong Sen POH
Khong Neng Choong
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad filed Critical Mimos Berhad
Publication of WO2014084711A1 publication Critical patent/WO2014084711A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]

Definitions

  • the present invention relates to a system and method for secure communication over wireless network.
  • the invention relates to systems and methods that utilize duty-shared authenticated group key transport to enable symmetric-based authenticated group communication over wireless network.
  • Wi-Fi Wireless Fidelity
  • Wi-Fi network in an organization is normally secured under WPA2-EAP (Wi-Fi Protected Access II Extensible Authentication Protocol). While such security measure secures information transmitted within the organization wireless network from outsiders, it does not prevent any unscrupulous employee from accessing any messages broadcasted within the network. What if a certain message should only be broadcasted to a selected group of employee, such as in a meeting, or a lecture that is targeted to a selected group of students?
  • a trusted certificate authority will also be required, under a public key infrastructure, to sign certificates that contain authenticated public keys for encryption purposes.
  • US 878 Patent also proposed alternatively to use an out-of-band channel to establish shared secret between a trusted authority with the participants. Once the shared secret is established, each participant may authenticate to the trusted authority for the trusted authority to allow these participants to join the group.
  • the present invention utilizes symmetric schemes to provide a symmetric-based authenticated group key transport system whereby the initiator can be any of the participants.
  • US 420 Patent relates generally to secure communications which utilizes solely on public key encryption scheme.
  • the group in communication must be predetermined and all of them share a group public key.
  • Secure group communication is performed using credentials of the group that includes a secured message and a group security header.
  • a group security header that contains a wrapped symmetric key, a single message could be sent to multiple groups simultaneously.
  • US 420 Patent exemplifies a method using public key encryption schemes whereby trusted authority and participants jointly generate a group session key as compared to the system of the present invention which utilizes symmetric schemes to provide a symmetric-based authenticated group key transport system. Only group members can decrypt encrypted session key in the US 420 Patent while in the present invention participants are authenticated using MAC (Message Authentication Code).
  • MAC Message Authentication Code
  • US 333 Patent a mechanism to establish authentication keys and secure wireless communication by using symmetric building blocks only was proposed in the United States Patent No. 7,957,333 B2, hereby denoted as US 333 Patent. It establishes authentication keys and secures wireless communication by using symmetric building blocks whereby participants communicate one-to-one to a trusted authority while in the present invention, the initiator generates a group session key and the participant uses the authentication token to request to join the session of the initiator, where the trusted authority is not directly involved in the group session.
  • US 333 Patent requires participants to jointly create an authentication key based on a mobile key and a network key, and each participant hold different key and communicate with the trusted authority for group communication whereby on the present invention group session key is used for group communication.
  • the present invention relates to a system and method for secure communication over wireless network.
  • the invention relates to systems and methods that utilize duty-shared authenticated group key transport to enable symmetric-based authenticated group communication over wireless network.
  • One aspect of the present invention provides a system (100) for secure communication to enable symmetric-based authenticated group communication over wireless network by utilizing duty-shared authenticated group key transport.
  • the system comprising at least one Initiator (102) configured to execute at least one Secure Group Manager module (108) in announcing group sessions, authenticating and distributing authenticated session tokens; at least one Participant (104) configured to execute at least one Secure Member Handler module (112) in authenticating, receiving a group session key and joining said group; and at least one Trusted Authority (106) configured to execute at least one Secure Group Administrator module (1 0) in mediating and providing authenticated session tokens.
  • the Secure Group Administrator module (110) comprises means for generating and storing long-lived key in a database for all participants; providing participant's session ID and session secret keys for session participants; and authenticating and providing session ID to said Initiator.
  • the Secure Group Manager module (108) whereby the said Secure Group Manger module (108) further having means for storing long-lived key; assigning an Initiator and announcing a session; generating at least one group session key for session participants; and authenticating session participants.
  • a Secure Member Handler module (112) there is provided with a Secure Member Handler module (112).
  • the said Secure Member Handler module (112) further having means for storing long-lived key; coordinating session join requests; obtaining group session key; and authenticating said Initiator.
  • the said Secure Group Administrator module (110) further comprising at least one Master Key Generation Engine (110a) configured to generate long-lived master key using at least one pseudorandom generator and deriving participants' long-lived keys based on at least one hash function with said master key as input; at least one MAC Engine (110b) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (110c) for encrypting messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input.
  • the said Secure Group Administrator module (110) further comprising at least one Master Key Generation Engine (110a) configured to generate long-lived master key using at least one pseudorandom generator and deriving participants' long-lived keys
  • the said Secure Group Manager module (108) further comprising at least one Group Key Generation Engine (108c) configured to generate at least one group session key using at least one pseudo-random generator; at least one MAC Engine (108a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (108b) configured to encrypt messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input.
  • at least one Group Key Generation Engine 108c
  • the said Secure Group Manager module (108) further comprising at least one Group Key Generation Engine (108c) configured to generate at least one group session key using at least one pseudo-random generator; at least one MAC Engine (108a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (108b) configured to encrypt messages using at least one symmetric
  • the said Secure Member Handler module (112) further comprising at least one MAC Engine (112a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (112b) configured to encrypt messages using at least a symmetric encryption scheme such as an authenticated encryption method with at least one key and a message as input.
  • the invention provides a method for secure communication to enable symmetric-based authenticated group communication over wireless network by utilizing duty-shared authenticated group key transport.
  • the method comprising steps of initiating at least one new session from trusted authority by initiator (202) and trusted authority verifies initiator using nonce and MACs by executing MAC Engine of Secure Group Administrator module (204); generating secure session ID and forwarding to initiator (206); verifying trusted authority using nonce and MACs by executing MAC Engine of Secure Group Manager module (208); announcing availability of new session using session ID and authenticated token upon successful mutual authentication between initiator and trusted authority (210); requesting for authentication token from trusted authority by participant to join session by first mutually authenticating participant and trusted authority using MAC Engine in Secure Group Administrator module and Secure Member Handler module (212); verifying participant using nonce, MACs and authentication token (214); generating authentication token containing at least a MAC of the participant ID and an encrypted participant key generated using long-lived key of the Initiator, the MAC Engine and the Encryption
  • FIG. 1.0 illustrates the system of the present invention.
  • FIG. 2.0 is a flowchart illustrating the methodology of the present invention to enable symmetric-based authenticated group communication over wireless network by utilizing duty-shared authenticated group key transport.
  • the present invention provides a system and method for secure communication over wireless network.
  • the invention relates to systems and methods that utilize duty-shared authenticated group key transport to enable symmetric-based authenticated group communication over wireless network.
  • the system (100) includes an Initiator (102) configured to execute a Secure Group Manager module (108) in announcing group sessions, authenticating and distributing authenticated session tokens.
  • a Participant (104) is in communication with the Initiator (102) and the Participant (104) is configured to execute a Secure Group Handler module (112) in authenticating, receiving a group session key and joining said group.
  • a Trusted Authority (106) is in communication with the Initiator (102) and Participant (104). The Trusted Authority (106) is configured to execute a Secure Group Administrator module (110) in mediating and providing authenticated session tokens.
  • the said Secure Group Administrator module (110) whereby the said module- (110) further comprises a Master Key Generation Engine (110a) configured to generate long-lived master key using at least one pseudo-random generator and deriving participants' long-lived keys based on at least one hash function with said master key as input, a MAC Engine (110b) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and an Encryption Engine (110c) for encrypting messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input.
  • the said Secure Group Administrator module (110) together with its components generates and stores long-lived key in a database for all participants while providing participant's session ID and session secret keys for session participants and authenticates and provides session ID to the Initiator.
  • the Secure Group Manager module (108) comprising a Group Key Generation Engine (108c) configured to generate at least one group session key using at least one pseudorandom generator, a MAC Engine (108a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input and an Encryption Engine (108b) configured to encrypt messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input.
  • the said Secure Group Manager module (108) together with its components stores long-lived key, assigns an Initiator and announcing a session, generates a group session key for session participants and authenticates session participants.
  • the Secure Member Handler module (112) generally includes a MAC Engine (112a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input and an Encryption Engine (112b) configured to encrypt messages using at least a symmetric encryption scheme such as an authenticated encryption method with at least one key and a message as input.
  • the said Secure Member Handler module (112) together with its components stores long-lived key, coordinate session join requests; obtain group session key and authenticates Initiator.
  • the invention includes the steps of initiating a new session from trusted authority by the initiator (202) and thereafter the trusted authority verifies the initiator using nonce and MACs by executing MAC Engine of the Secure Group Administrator module (204). Upon successful verification of the initiator, the trusted authority generates secure session ID and forwards it to the initiator (206). Initiator proceeds to verify trusted authority using nonce and MACs by executing MAC Engine of Secure Group Manager module (208). Upon successful mutual authentication between the initiator and trusted authority, the Initiator announces the availability of a new session using session ID and authenticated token upon successful mutual authentication between the Initiator and the trusted authority (210).
  • the participant request for an authentication token from trusted authority to join the session by first mutually authenticating participant and trusted authority using MAC Engine in Secure Group Administrator module and Secure Member Handler module (212). Thereafter, trusted authority verifies the participant using nonce, MACs and authentication token (214).
  • the trusted authority Upon successful verification of the participant, the trusted authority generates an authentication token containing at least a MAC of the participant ID and an encrypted participant key generated using long-lived key of the Initiator, the MAC Engine and the Encryption Engine of Secure Group Administrator module (216, 218)
  • the said authentication token is forwarded to the participant and participants verifies trusted authority using MACs, nonce and authentication token with session ID (220).
  • Participants request to join the session of the initiator by providing the authentication token to said initiator (222) and initiator verifies said authentication token through MAC using MAC Engine in Secure Group Manager module (224).
  • the initiator decides whether to accept the participant into the session (226).
  • the step of accepting the participant into the session proceeds further while the process ends if the initiator does not allow or does not grant access to the initiator to join the session. Should the initiator decide to accept the participant into the session; the initiator would generate a session group key using Group Key Generation Engine in Secure Group Manager module. Thereafter, the initiator would decrypt the participant encrypting key and encrypt the session group key using said participant encrypting key (228). Subsequently, the encrypted session group key is forwarded to the participant.
  • the present invention provides for key distribution duty between an online, static computationally powerful machine (known as the trusted authority) and a dynamic, common laptop or PC as initiation host.
  • the initiation host does not require any specific configuration and can be any of the participants.
  • the Secure Group Manager module generates the group key while the Secure Group Administrator module monitors the session which provides for separation of duty (initiator-assisted).
  • the present invention also provides for encryption of the nonce and group session key which utilizes authenticated encryption with freshness of dynamic credential assignment (session IDs).

Abstract

A system and method for secure communication over wireless network is provided by utilizing duty-shared authenticated group key transport to enable symmetric- based authenticated group communication over wireless network. The system (100) includes an Initiator (102) configured to execute a Secure Group Manager module (108) in announcing group sessions, authenticating and distributing authenticated session tokens. A Participant (104) is in communication with the Initiator (102) and the Participant (104) is configured to execute a Secure Group Handler module (112) in authenticating, receiving a group session key and joining said group. A Trusted Authority (106) is in communication with the Initiator (102) and Participant (104). The Trusted Authority (106) is configured to execute a Secure Group Administrator module (110) in mediating and providing authenticated session tokens. The Initiator host does not require any specific configuration and can be any of the participants. The Secure Group Manager module generates the group key while the Secure Group Administrator module monitors the session which provides for separation of duty (initiator-assisted). Encryption of the nonce and group session key is provided by utilizing authenticated encryption with freshness of dynamic credential assignment (session IDs).

Description

A SYSTEM AND METHOD FOR DUTY-SHARED AUTHENTICATED GROUP KEY
TRANSPORT
FIELD OF INVENTION
The present invention relates to a system and method for secure communication over wireless network. In particular, the invention relates to systems and methods that utilize duty-shared authenticated group key transport to enable symmetric-based authenticated group communication over wireless network.
BACKGROUND ART
Organizational Wi-Fi (Wireless Fidelity) settings allow all personnel in the organization to connect to the Wi-Fi network. In contrast to open Wi-Fi network without any security settings such as Wi-Fi in a hotspot area, Wi-Fi network in an organization is normally secured under WPA2-EAP (Wi-Fi Protected Access II Extensible Authentication Protocol). While such security measure secures information transmitted within the organization wireless network from outsiders, it does not prevent any unscrupulous employee from accessing any messages broadcasted within the network. What if a certain message should only be broadcasted to a selected group of employee, such as in a meeting, or a lecture that is targeted to a selected group of students?
Such scenarios require security mechanisms that provide secure group communication, and it would also be beneficial for these mechanisms to be flexible. This means anyone in the group can initiate the discussion and to decide who may join the group during announcement of the group session.
Existing mechanisms to provide solutions for the above scenarios includes group key establishment schemes. However, many existing group key distribution mechanisms use either fixed centralized trusted party or totally decentralized settings and they do not support sharing of key establishment duty between the participants. Many of them also require initial group members to be known a priori and may require asymmetric-based setup, which is more computationally expensive as compared to a symmetric-based setup. One example of asymmetric-based and also symmetric-based group key distribution is the United States Patent No. 6,215, 878 B1 , hereby denoted as US 878 Patent, which describes a method to distribute a secret key to intended group members by using public key encryption schemes. In such a mechanism a trusted authority (the group manager) and participants jointly generate a group session key. A trusted certificate authority will also be required, under a public key infrastructure, to sign certificates that contain authenticated public keys for encryption purposes. US 878 Patent also proposed alternatively to use an out-of-band channel to establish shared secret between a trusted authority with the participants. Once the shared secret is established, each participant may authenticate to the trusted authority for the trusted authority to allow these participants to join the group. In contrast, the present invention utilizes symmetric schemes to provide a symmetric-based authenticated group key transport system whereby the initiator can be any of the participants.
Another mechanism was proposed in the United States Patent No. 6,266,420 B1 , hereby denoted as US 420 Patent. It relates generally to secure communications which utilizes solely on public key encryption scheme. The group in communication must be predetermined and all of them share a group public key. Secure group communication is performed using credentials of the group that includes a secured message and a group security header. Using a group security header that contains a wrapped symmetric key, a single message could be sent to multiple groups simultaneously. In summary, US 420 Patent exemplifies a method using public key encryption schemes whereby trusted authority and participants jointly generate a group session key as compared to the system of the present invention which utilizes symmetric schemes to provide a symmetric-based authenticated group key transport system. Only group members can decrypt encrypted session key in the US 420 Patent while in the present invention participants are authenticated using MAC (Message Authentication Code).
Also, a mechanism to establish authentication keys and secure wireless communication by using symmetric building blocks only was proposed in the United States Patent No. 7,957,333 B2, hereby denoted as US 333 Patent. It establishes authentication keys and secures wireless communication by using symmetric building blocks whereby participants communicate one-to-one to a trusted authority while in the present invention, the initiator generates a group session key and the participant uses the authentication token to request to join the session of the initiator, where the trusted authority is not directly involved in the group session. In brief, US 333 Patent requires participants to jointly create an authentication key based on a mobile key and a network key, and each participant hold different key and communicate with the trusted authority for group communication whereby on the present invention group session key is used for group communication.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one exemplary technology area where some embodiments described herein may be practiced.
SUMMARY OF INVENTION
The present invention relates to a system and method for secure communication over wireless network. In particular, the invention relates to systems and methods that utilize duty-shared authenticated group key transport to enable symmetric-based authenticated group communication over wireless network.
One aspect of the present invention provides a system (100) for secure communication to enable symmetric-based authenticated group communication over wireless network by utilizing duty-shared authenticated group key transport. The system comprising at least one Initiator (102) configured to execute at least one Secure Group Manager module (108) in announcing group sessions, authenticating and distributing authenticated session tokens; at least one Participant (104) configured to execute at least one Secure Member Handler module (112) in authenticating, receiving a group session key and joining said group; and at least one Trusted Authority (106) configured to execute at least one Secure Group Administrator module (1 0) in mediating and providing authenticated session tokens.
Another aspect the invention provides for the Secure Group Administrator module (110). The said Secure Group Administrator module (110) comprises means for generating and storing long-lived key in a database for all participants; providing participant's session ID and session secret keys for session participants; and authenticating and providing session ID to said Initiator. In yet another aspect of the invention is the Secure Group Manager module (108) whereby the said Secure Group Manger module (108) further having means for storing long-lived key; assigning an Initiator and announcing a session; generating at least one group session key for session participants; and authenticating session participants. In still another aspect of the invention there is provided with a Secure Member Handler module (112). The said Secure Member Handler module (112) further having means for storing long-lived key; coordinating session join requests; obtaining group session key; and authenticating said Initiator. In a further aspect of the invention there is provided that the said Secure Group Administrator module (110) further comprising at least one Master Key Generation Engine (110a) configured to generate long-lived master key using at least one pseudorandom generator and deriving participants' long-lived keys based on at least one hash function with said master key as input; at least one MAC Engine (110b) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (110c) for encrypting messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input.
In another aspect of the invention there is provided that the said Secure Group Manager module (108) further comprising at least one Group Key Generation Engine (108c) configured to generate at least one group session key using at least one pseudo-random generator; at least one MAC Engine (108a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (108b) configured to encrypt messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input. In another aspect of the invention there is provided that the said Secure Member Handler module (112) further comprising at least one MAC Engine (112a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (112b) configured to encrypt messages using at least a symmetric encryption scheme such as an authenticated encryption method with at least one key and a message as input.
In another aspect the invention provides a method for secure communication to enable symmetric-based authenticated group communication over wireless network by utilizing duty-shared authenticated group key transport. The method comprising steps of initiating at least one new session from trusted authority by initiator (202) and trusted authority verifies initiator using nonce and MACs by executing MAC Engine of Secure Group Administrator module (204); generating secure session ID and forwarding to initiator (206); verifying trusted authority using nonce and MACs by executing MAC Engine of Secure Group Manager module (208); announcing availability of new session using session ID and authenticated token upon successful mutual authentication between initiator and trusted authority (210); requesting for authentication token from trusted authority by participant to join session by first mutually authenticating participant and trusted authority using MAC Engine in Secure Group Administrator module and Secure Member Handler module (212); verifying participant using nonce, MACs and authentication token (214); generating authentication token containing at least a MAC of the participant ID and an encrypted participant key generated using long-lived key of the Initiator, the MAC Engine and the Encryption Engine of Secure Group Administrator module upon successful verification of participant and forwarding to participant (216, 218); verifying trusted authority using MACs, nonce and authentication token with session ID (220); requesting to join session of the initiator by giving authentication token to said initiator (222) and initiator verifies said authentication token through MAC using MAC Engine in Secure Group Manager module (224); deciding to accept participant by said initiator (226); and generating session group key using Group Key Generation Engine in Secure Group Manager module by said initiator, decrypts participant encrypting key and using participant encrypting key to encrypt session group key and sending encrypted session group key to participant (228).
The present invention consists of features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings, it being understood that various changes in the details may be made without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
To further clarify various aspects of some embodiments of the present invention, a more particular description of the invention will be rendered by references to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail through the accompanying drawings in which: FIG. 1.0 illustrates the system of the present invention.
FIG. 2.0 is a flowchart illustrating the methodology of the present invention to enable symmetric-based authenticated group communication over wireless network by utilizing duty-shared authenticated group key transport.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention provides a system and method for secure communication over wireless network. In particular, the invention relates to systems and methods that utilize duty-shared authenticated group key transport to enable symmetric-based authenticated group communication over wireless network.
Hereinafter, this specification will describe the present invention according to the preferred embodiments. It is to be understood that limiting the description to the preferred embodiments of the invention is merely to facilitate discussion of the present invention and it is envisioned without departing from the scope of the appended claims.
Referring to FIG. 1.0, the system (100) according to the present invention is illustrated. The system (100) includes an Initiator (102) configured to execute a Secure Group Manager module (108) in announcing group sessions, authenticating and distributing authenticated session tokens. A Participant (104) is in communication with the Initiator (102) and the Participant (104) is configured to execute a Secure Group Handler module (112) in authenticating, receiving a group session key and joining said group. A Trusted Authority (106) is in communication with the Initiator (102) and Participant (104). The Trusted Authority (106) is configured to execute a Secure Group Administrator module (110) in mediating and providing authenticated session tokens.
A more detailed description of the Secure Group Administrator module (110) may be seen within.the said Secure Group Administrator module (110) whereby the said module- (110) further comprises a Master Key Generation Engine (110a) configured to generate long-lived master key using at least one pseudo-random generator and deriving participants' long-lived keys based on at least one hash function with said master key as input, a MAC Engine (110b) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and an Encryption Engine (110c) for encrypting messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input. The said Secure Group Administrator module (110) together with its components generates and stores long-lived key in a database for all participants while providing participant's session ID and session secret keys for session participants and authenticates and provides session ID to the Initiator.
The Secure Group Manager module (108) comprising a Group Key Generation Engine (108c) configured to generate at least one group session key using at least one pseudorandom generator, a MAC Engine (108a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input and an Encryption Engine (108b) configured to encrypt messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input. The said Secure Group Manager module (108) together with its components stores long-lived key, assigns an Initiator and announcing a session, generates a group session key for session participants and authenticates session participants. The Secure Member Handler module (112) generally includes a MAC Engine (112a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input and an Encryption Engine (112b) configured to encrypt messages using at least a symmetric encryption scheme such as an authenticated encryption method with at least one key and a message as input. The said Secure Member Handler module (112) together with its components stores long-lived key, coordinate session join requests; obtain group session key and authenticates Initiator.
Referring to FIG. 2.0, an embodiment of the method (200) of the invention is illustrated. Generally, the invention includes the steps of initiating a new session from trusted authority by the initiator (202) and thereafter the trusted authority verifies the initiator using nonce and MACs by executing MAC Engine of the Secure Group Administrator module (204). Upon successful verification of the initiator, the trusted authority generates secure session ID and forwards it to the initiator (206). Initiator proceeds to verify trusted authority using nonce and MACs by executing MAC Engine of Secure Group Manager module (208). Upon successful mutual authentication between the initiator and trusted authority, the Initiator announces the availability of a new session using session ID and authenticated token upon successful mutual authentication between the Initiator and the trusted authority (210). The participant request for an authentication token from trusted authority to join the session by first mutually authenticating participant and trusted authority using MAC Engine in Secure Group Administrator module and Secure Member Handler module (212). Thereafter, trusted authority verifies the participant using nonce, MACs and authentication token (214).
Upon successful verification of the participant, the trusted authority generates an authentication token containing at least a MAC of the participant ID and an encrypted participant key generated using long-lived key of the Initiator, the MAC Engine and the Encryption Engine of Secure Group Administrator module (216, 218) The said authentication token is forwarded to the participant and participants verifies trusted authority using MACs, nonce and authentication token with session ID (220). Participants request to join the session of the initiator by providing the authentication token to said initiator (222) and initiator verifies said authentication token through MAC using MAC Engine in Secure Group Manager module (224). Upon successful verification of the participant, the initiator decides whether to accept the participant into the session (226). The step of accepting the participant into the session proceeds further while the process ends if the initiator does not allow or does not grant access to the initiator to join the session. Should the initiator decide to accept the participant into the session; the initiator would generate a session group key using Group Key Generation Engine in Secure Group Manager module. Thereafter, the initiator would decrypt the participant encrypting key and encrypt the session group key using said participant encrypting key (228). Subsequently, the encrypted session group key is forwarded to the participant.
In short, the present invention provides for key distribution duty between an online, static computationally powerful machine (known as the trusted authority) and a dynamic, common laptop or PC as initiation host. As described above, the initiation host does not require any specific configuration and can be any of the participants. The Secure Group Manager module generates the group key while the Secure Group Administrator module monitors the session which provides for separation of duty (initiator-assisted). The present invention also provides for encryption of the nonce and group session key which utilizes authenticated encryption with freshness of dynamic credential assignment (session IDs).
Unless the context requires otherwise or specifically stated to the contrary, integers, steps or elements of the invention recited herein as singular integers, steps or elements clearly encompass both singular and plural forms of the recited integers, steps or elements.
Throughout this specification, unless the context requires otherwise, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated step or element or integer or group of steps or elements or integers, but not the exclusion of any other step or element or integer or group of steps, elements or integers. Thus, in the context of this specification, the term "comprising" is used in an inclusive sense and thus should be understood as meaning "including principally, but not necessarily solely".
It will be appreciated that the foregoing description has been given by way of illustrative example of the invention and that all such modifications and variations thereto as would be apparent to persons of skill in the art are deemed to fall within the broad scope and ambit of the invention as herein set forth.

Claims

A system (100) for secure communication to enable symmetric-based authenticated group communication over wireless network by utilizing duty- shared authenticated group key transport, the system comprising:
at least one Initiator (102) configured to execute at least one Secure Group Manager module (108) in announcing group sessions, authenticating and distributing authenticated session tokens;
at least one Participant (104) configured to execute at least one Secure Group Handler module (112) in authenticating, receiving a group session key and joining said group; and
at least one Trusted Authority (106) configured to execute at least one Secure Group Administrator module (110) in mediating and providing authenticated session tokens.
A system (100) according to Claim 1 , wherein the at least one Secure Group Administrator module (110) further having means for:
generating and storing long-lived key in a database for all participants; providing participant's session ID and session secret keys for session participants; and
authenticating and providing session ID to said Initiator.
A system (100) according to Claim 1, wherejn the at least one Secure -Group- Manager module (108) further having means for:
storing long-lived key;
assigning an Initiator and announcing a session;
generating at least one group session key for session participants; and authenticating session participants.
A system (100) according to Claim 1 , wherein the at least one Secure Member Handler module ( 12) further having means for:
storing long-lived key;
coordinating session join requests;
obtaining group session key; and authenticating said Initiator.
5. A system (100) according to Claim 2, wherein the at least one Secure Group Administrator module (110) further comprising:
at least one Master Key Generation Engine (110a) configured to generate long-lived master key using at least one pseudo-random generator and deriving participants' long-lived keys based on at least one hash function with said master key as input;
at least one MAC Engine (110b) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and
at least one Encryption Engine (110c) for encrypting messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input.
6. A system (100) according to Claim 3, wherein the at least one Secure Group Manager module (108) further comprising:
at least one Group Key Generation Engine (108c) configured to generate at least one group session key using at least one pseudo-random generator;
at least one MAC Engine (108a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and
at least one Encryption Engine (108b) configured to encrypt messages using at least one symmetric encryption scheme such as an authenticated encryption method with at least a key and a message as input.
7. A system (100) according to Claim 4, wherein the at least one Secure Member Handler module (112) further comprising:
at least one MAC Engine (112a) configured to generate credential authentication code using at least one long-lived key, one participant ID and a message such as a nonce as input; and at least one Encryption Engine (112b) configured to encrypt messages using at least a symmetric encryption scheme such as an authenticated encryption method with at least one key and a message as input
8. A method (200) for secure communication to enable symmetric-based authenticated group communication over wireless network by utilizing duty- shared authenticated group key transport, the method comprising steps of:
initiating at least one new session from trusted authority by initiator (202) and trusted authority verifies initiator using nonce and MACs by executing MAC Engine of Secure Group Administrator module (204);
generating secure session ID and forwarding to initiator (206); verifying trusted authority using nonce and MACs by executing MAC Engine of Secure Group Manager module (208);
announcing availability of new session using session ID and authenticated token upon successful mutual authentication between initiator and trusted authority (210);
requesting for authentication token from trusted authority by participant to join session by first mutually authenticating participant and trusted authority using MAC Engine in Secure Group Administrator module and Secure Member Handler module (212);
verifying participant using nonce, MACs and authentication token (214); generating authentication token containing at least a MAC of the participant ID and an encrypted participant key generated using long-lived key of the Initiator , the MAC Engine and the Encryption Engine of Secure Group Administrator module upon successful verification of participant and forwarding to participant (216, 218);
verifying trusted authority using MACs, nonce and authentication token with session ID (220);
requesting to join session of the initiator by giving authentication token to said initiator (222) and initiator verifies said authentication token through MAC using MAC Engine in Secure Group Manager module (224);
deciding to accept participant by said initiator (226); and
generating session group key using Group Key Generation Engine in Secure Group Manager module by said initiator, decrypts participant encrypting key and using participant encrypting key to encrypt session group key and sending encrypted session group key to participant (228).
PCT/MY2013/000197 2012-11-27 2013-11-19 A system and method for duty-shared authenticated group key transport WO2014084711A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2012005110A MY168771A (en) 2012-11-27 2012-11-27 A system and method for duty-shared authenticated group key transport
MYPI2012005110 2012-11-27

Publications (1)

Publication Number Publication Date
WO2014084711A1 true WO2014084711A1 (en) 2014-06-05

Family

ID=49918791

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2013/000197 WO2014084711A1 (en) 2012-11-27 2013-11-19 A system and method for duty-shared authenticated group key transport

Country Status (2)

Country Link
MY (1) MY168771A (en)
WO (1) WO2014084711A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109951378A (en) * 2019-03-22 2019-06-28 西安电子科技大学 File encryption transmission and sharing method in a kind of instant messaging
CN109962924A (en) * 2019-04-04 2019-07-02 北京思源互联科技有限公司 Group chat construction method, group message sending method, group message receiving method and system
US20210184860A1 (en) * 2019-03-13 2021-06-17 Digital 14 Llc System, method, and computer program product for zero round trip secure communications based on noisy secrets
WO2022066276A1 (en) * 2020-09-24 2022-03-31 Apple Inc. Operating system level management of group communication sessions

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6215878B1 (en) 1998-10-20 2001-04-10 Cisco Technology, Inc. Group key distribution
US6266420B1 (en) 1998-10-08 2001-07-24 Entrust Technologies Limited Method and apparatus for secure group communications
US20100153727A1 (en) * 2008-12-17 2010-06-17 Interdigital Patent Holdings, Inc. Enhanced security for direct link communications
US20100220856A1 (en) * 2009-02-27 2010-09-02 Johannes Petrus Kruys Private pairwise key management for groups
US7957333B2 (en) 2007-09-19 2011-06-07 Delphi Technologies, Inc. Receiver system and method for switching among a plurality of antenna elements to receive a signal

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6266420B1 (en) 1998-10-08 2001-07-24 Entrust Technologies Limited Method and apparatus for secure group communications
US6215878B1 (en) 1998-10-20 2001-04-10 Cisco Technology, Inc. Group key distribution
US7957333B2 (en) 2007-09-19 2011-06-07 Delphi Technologies, Inc. Receiver system and method for switching among a plurality of antenna elements to receive a signal
US20100153727A1 (en) * 2008-12-17 2010-06-17 Interdigital Patent Holdings, Inc. Enhanced security for direct link communications
US20100220856A1 (en) * 2009-02-27 2010-09-02 Johannes Petrus Kruys Private pairwise key management for groups

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210184860A1 (en) * 2019-03-13 2021-06-17 Digital 14 Llc System, method, and computer program product for zero round trip secure communications based on noisy secrets
CN109951378A (en) * 2019-03-22 2019-06-28 西安电子科技大学 File encryption transmission and sharing method in a kind of instant messaging
CN109951378B (en) * 2019-03-22 2021-08-24 西安电子科技大学 File encryption transmission and sharing method in instant messaging
CN109962924A (en) * 2019-04-04 2019-07-02 北京思源互联科技有限公司 Group chat construction method, group message sending method, group message receiving method and system
CN109962924B (en) * 2019-04-04 2021-07-16 北京思源理想控股集团有限公司 Group chat construction method, group message sending method, group message receiving method and system
WO2022066276A1 (en) * 2020-09-24 2022-03-31 Apple Inc. Operating system level management of group communication sessions

Also Published As

Publication number Publication date
MY168771A (en) 2018-12-04

Similar Documents

Publication Publication Date Title
US10243742B2 (en) Method and system for accessing a device by a user
WO2017185999A1 (en) Method, apparatus and system for encryption key distribution and authentication
CN109428875B (en) Discovery method and device based on service architecture
CN108599925B (en) Improved AKA identity authentication system and method based on quantum communication network
JP7324765B2 (en) Dynamic domain key exchange for authenticated device-to-device communication
US8953791B2 (en) Key derivative function for network communications
KR100832893B1 (en) A method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
CN105684344B (en) A kind of cipher key configuration method and apparatus
US9705856B2 (en) Secure session for a group of network nodes
JP4599852B2 (en) Data communication apparatus and method, and program
WO2018040758A1 (en) Authentication method, authentication apparatus and authentication system
KR20180095873A (en) Wireless network access method and apparatus, and storage medium
CN108964897B (en) Identity authentication system and method based on group communication
CN101997679A (en) Encrypted message negotiation method, equipment and network system
JP2018523204A (en) Wireless communication
CN101631113A (en) Security access control method of wired LAN and system thereof
CN108650028B (en) Multiple identity authentication system and method based on quantum communication network and true random number
CN110087240B (en) Wireless network security data transmission method and system based on WPA2-PSK mode
JP2012523180A (en) Protection of messages related to multicast communication sessions within a wireless communication system
CN103634265B (en) Method, equipment and the system of safety certification
CN108964896B (en) Kerberos identity authentication system and method based on group key pool
CN108964895B (en) User-to-User identity authentication system and method based on group key pool and improved Kerberos
CN108880799B (en) Multi-time identity authentication system and method based on group key pool
WO2014084711A1 (en) A system and method for duty-shared authenticated group key transport
CN104753682A (en) Generating system and method of session keys

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13818024

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13818024

Country of ref document: EP

Kind code of ref document: A1