EP1847060A2 - Method and system for deriving an encryption key using joint randomness not shared by others - Google Patents
Method and system for deriving an encryption key using joint randomness not shared by others
Info
- Publication number: EP1847060A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- key
- wtru
- node
- secret
- bits
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0875—Generation of secret information including derivation or calculation of cryptographic keys or passwords based on channel impulse response [CIR]
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H04L2209/34—Encoding or coding, e.g. Huffman coding or error correction
- H04L2209/80—Wireless
- H04L2463/061—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
- H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Definitions
- the present invention is related to wireless communication security.
- the present invention is related to a method and system for deriving an encryption key using joint randomness not shared by others
- IEEE 802.11i is used to ensure that a wireless local area network
- IEEE 802.11i provides two schemes that allow a pair of communicating nodes to derive keys that can be used to encrypt exchanged packets.
- the first scheme is based on an IEEE 802.1x authentication technique that requires a remote authentication server, (e.g., a RADIUS server).
- an access point acts as a router between a wireless transmit/receive unit (WTRU) desiring association with the AP and an authentication server.
- the authentication server provides a public key to the WTRU via the AP.
- the WTRU can verify this public key by checking it with a digital certificate provided by the authentication server.
- the WTRU then derives a random secret, (i.e., master secret), and sends the master secret to the authentication server by encrypting it with the public key provided.
- the authentication server and the WTRU then derive a pairwise master key (PMK) from the MK.
- the authentication server provides this PMK to the AP.
- the AP and the WTRU then derive a pairwise transient key (PTK) using the PMK.
- a portion of this PTK is a temporal key (TK) that is the actual key used in the CCMP technique for encrypting packets. Because this scheme uses remote authentication servers and digital certificates, (which are currently expensive), such a scheme is typically implemented in an enterprise WLAN.
- the second scheme, which is more suitable for home or small business networks, utilizes a pre-shared key (PSK).
- a 256-bit user-configurable secret key is stored on the communicating nodes.
- the WTRU uses the PSK as a PMK, (without deriving the master secret and the MK), and derives a PTK and uses a portion of the PTK as a TK just like in the IEEE 802.1x system.
- the final TK is only as secure as the master secret exchanged in the case of IEEE 802.1x networks, or as the PSK in the case of home or small business networks.
- an attacker can decrypt the master secret by stealing the authentication server's private key.
- the PSK can either be deduced using a brute-force attack, (since PSKs at home are not changed regularly or are generated from a "weak" pass-phrase), or obtained by stealing the key. Knowing the master secret or the PSK allows the attacker to arrive at the identical value for the PMK, in the same manner as the two legitimate communicating nodes, and to thereafter derive an identical PTK value.
- knowledge of authentication credentials is sufficient for knowledge of derived encryption keys.
- the MK and the PMK are typically left untouched and only a new PTK is derived using the PMK, (which is supposed to be a secret), and information exchanged in the clear. As the PMK does not change, the PTK is not fresh and is therefore not a new key.
- the present invention is related to a method and system for deriving an encryption key using JRNSO.
- Communicating entities generate JRNSO bits from a CIR estimate and the JRNSO bits are used in generation of an encryption key.
- the authentication type may be IEEE 802.1x or a pre-shared key system.
- an MK, a PMK and/or a PTK may be generated using the JRNSO bits.
- the encryption key may be generated by using a Diffie-Hellman key derivation algorithm.
- Figure 1 is a block diagram of a system including two communicating entities for deriving a secret key in accordance with the present invention.
- Figure 2 illustrates a problem of discrepancy of CIR estimates due to different starting points at a first node and a second node.
- Figure 3 is a flow diagram of a process for deriving a secret key in accordance with the present invention.
- Figure 4 is a flow diagram of a process for deriving an encryption key using JRNSO bits in accordance with one embodiment of the present invention.
- Figure 5 is a flow diagram of a process for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention.
- Figure 6 is a flow diagram of a process for deriving an encryption key using JRNSO bits in accordance with yet another embodiment of the present invention.
- Figure 7 is a flow diagram of a process for deriving an encryption key using JRNSO bits in accordance with still another embodiment of the present invention.
- Figure 8 is a flow diagram of a process for deriving an encryption key using a Diffie-Hellman key derivation algorithm in accordance with the present invention.
- WTRU includes but is not limited to a user equipment, a STA, a fixed or mobile subscriber unit, a pager, or any other type of device capable of operating in a wireless environment.
- AP includes but is not limited to a Node-B, a base station, a site controller or any other type of interfacing device in a wireless environment.
- the features of the present invention may be incorporated into an integrated circuit (IC) or be configured in a circuit comprising a multitude of interconnecting components.
- the present invention may be implemented as digital signal processor (DSP), software, middleware, hardware, applications or future system architecture.
- the elements may be sub-components of a larger communication system or ASIC and some or all of the processing elements may be shared for other elements.
- a wireless channel provides just such a resource in the form of a channel impulse response (CIR).
- two communicating parties, e.g., Alice and Bob
- WCDMA: wideband code division multiple access
- TDD: time division duplex
- any party not physically co-located with Alice and Bob is likely to observe a CIR that has very little correlation with that of Alice and Bob. This difference can be exploited for generation of perfectly secret keys.
- the channel is the source of JRNSO and the CIR estimations are the samples taken from the channel.
- Alice and Bob agree to use a prime number p and a base g.
- Alice chooses a secret integer a, then sends Bob g^a mod p.
- Bob chooses a secret integer b, then sends Alice g^b mod p.
- Alice computes (g^b mod p)^a mod p.
- Bob computes (g^a mod p)^b mod p.
- (g^b mod p)^a mod p and (g^a mod p)^b mod p are the same.
- the Diffie-Hellman shared key can either act as the encryption key or be used to encrypt and send the actual encryption key. Smaller numbers used can make the key derivation process less resource intensive, thus allowing it to be used on mobile devices.
- Figure 1 is a block diagram of a system 100 including two communicating entities, (a first node 110 and a second node 150), for deriving JRNSO bits and a secret key in accordance with the present invention.
- One of the entities may be a WTRU and the other may be an AP.
- a point-to-point communication system having only two communicating entities 110, 150 is described in Figure 1.
- the present invention may be applied to a point-to-multipoint communication system involving more than two entities.
- the first node and the second node are essentially the same entities including the same elements, but for simplicity, Figure 1 depicts only the relevant elements of the first node and the second node, as the first node is assumed to take the lead in generation of the JRNSO bits and a secret key, which will be explained in detail hereinafter.
- one of the communicating entities takes a lead. It is assumed that the first node 110 takes the lead.
- the first node 110 includes a channel estimator 112, a post-processor 114 (optional), an error correction encoder 118, a synchronization code generator 120 (optional), a secret key generator 116 and a multiplexer 122.
- the channel estimator 112 of the first node generates a CIR estimate 113 based on received signals 111 from the second node 150.
- the channel estimator 152 in the second node 150 also generates a CIR estimate 153 based on transmissions sent by the first node 110.
- the outputs of the channel estimators 112, 152 are digitized representations of the CIR estimates. Any prior art methods may be used for generating the CIR estimate.
- the entities 110, 150 may send special signaling or a pilot sequence to the other node for aiding the generation of the CIR estimates.
- the CIR estimates may be generated and stored in any way including, but not limited to, in a time domain, in a frequency domain or may be represented using an abstract vector space, or the like.
- the method for generating the CIR estimate and representation scheme should be the same in both the first node 110 and the second node 150.
- depending on the implementation, only partial information of the CIR estimate may be reciprocal, and therefore, suitable for generation of a common secret key.
- the entities 110, 150 may choose to utilize only amplitude/power profile information of the CIR estimate and may ignore the phase information.
- the post-processor 114 may optionally process the CIR estimate using prior art methods.
- the post-processor 114 (such as a low-pass filter or an interpolating filter), removes noise and redundancies.
- the post-processor 114 is also necessary in the case where the entities are equipped with multiple antennas for multiple-input multiple-output (MIMO) and therefore differences in the number of antennas and antenna patterns may cause the CIR estimates to differ. In this case the entities 110, 150 may have to exchange information about their antenna configuration.
- the CIR estimates generated by the first node 110 and the second node 150 are expected to be very similar.
- the channel reciprocity assumes simultaneous estimation of the channel at both entities. Differences in the simultaneity result in some difference in channel estimates.
- the digitized CIR estimates may need to be synchronized with respect to the starting point. For example, if the CIR estimates are digitized in the time domain, the start of the meaningful portion of the CIR estimate may occur at a different place with respect to the reference zero-time in the two entities 110, 150. This problem is illustrated in Figure 2.
- the channel estimation timing may be tied to a specific system time, such as a radio frame or slot boundary.
- a synchronization signal may be embedded in the signals, (such as pilot signals), which the entities 110, 150 transmit to support channel estimation. Synchronization may be obtained from such a pilot signal without requiring embedding of a special signal.
- channel estimation may be performed with reference to an absolute time reference, such as a global positioning system (GPS).
- a roundtrip delay may be measured and synchronization may be achieved based on this roundtrip delay.
- the starting point of the CIR estimate may be recorded at the first node 110 and transmitted to the second node 150.
- a special synchronization code (e.g., comma-free codes), may be used. Since the synchronization problem is typically limited to just a few samples, only a limited performance is needed from such a code.
- a special synchronization signal related to a common timing source, (e.g., GPS), may be generated by the terminals and the CIR measurement may be made with respect to such a signal.
- the synchronization problem may be dealt with by processing the CIR in a domain where it is not an issue. For example, provided that phase information is ignored, the synchronization problem is not present in the frequency domain.
- the secrecy rate loss may be large or minimal.
- the phase information may be highly unreliable, thus ignoring it would cause minimal secrecy rate loss.
- the post-processed CIR estimate 115 is fed to the secret key generator 116, the error correction encoder 118 and the synchronization code generator 120.
- the secret key generator 116 generates a secret key 117 from the CIR estimate 115; this key consists of the JRNSO bits.
- the synchronization code generator 120 generates the synchronization signal/code 121 for simultaneity and for synchronizing a "starting point".
- the error correction encoder 118 performs error correction coding on the CIR estimate 115 and generates parity bits 119.
- the error correction coding may be a block coding or a convolutional coding.
- the present invention uses systematic error correction coding such that an original message, (i.e., the encoder input which is the CIR estimate 115) is also output from the error correction encoder 118.
- from the error correction encoder 118, only the parity bits 119 are sent to the second node 150, after being multiplexed with the synchronization signal/code 121 by the multiplexer 122.
- the multiplexed bit stream 123 is sent to the second node 150.
- the second node 150 includes a channel estimator 152, a synchronization bit demodulator 154, a parity bit demodulator 156, a post processor 158 (optional), a synchronization unit 160, an error correction decoder 162 and a secret key generator 164.
- the channel estimator 152 generates CIR estimate from received signals 151 transmitted by the first node 110.
- the CIR estimate 153 is optionally processed by the post-processor 158 as stated above.
- the synchronization bit demodulator 154 demodulates the received signals 151 to recover the synchronization signal/code 155.
- the parity bit demodulator 156 demodulates the received signals 151 to recover the parity bits 157.
- the synchronization signal/code 155 is fed to the synchronization unit 160 and the parity bits 157 are fed to the error correction decoder 162.
- the post-processed CIR 159 is processed by the synchronization unit 160.
- the synchronization unit 160 corrects the discrepancy between the CIR estimates due to the lack of simultaneity and/or the misalignment of the starting point in accordance with the synchronization signal/code 155.
- the error correction decoder 162 performs error correction decoding while treating the CIR estimate 159 processed by the synchronization unit 160 as a message part of the codeword, which possibly contains errors and uses the received parity bits 157 to correct the errors. If the block code is well chosen, the output 163 of the error correction decoder 162 is identical to the CIR estimate generated by the first node 110 with very high probability. Thus, the first node 110 and the second node 150 succeed in obtaining the same data sequence while publicly revealing only some portion of it, (i.e., the parity bits), and may derive the same JRNSO bits.
- the error correction decoder 162 may be used to support synchronization of the starting point of the digitized CIR estimate.
- the second node 150 generates a set of CIR estimates and decodes each of the possible CIR estimates with the parity bits 157.
- the error correction decoder 162 counts the number of errors in each of the CIR estimates. With very high probability, all but the correct one will result in a very high number of corrections, while the correct one results in a very low number of corrections. In this way the error correction decoding process can support the starting point synchronization.
- once the CIR estimates have been aligned between the first node
- FIG. 3 is a flow diagram of a process 300 for deriving JRNSO bits and a secret key for wireless communication in accordance with the present invention.
- the first node generates a CIR estimate from transmissions sent by the second node and the second node generates a CIR estimate from transmissions sent by the first node (step 302).
- the first node sends parity bits (and optionally a synchronization signal/code) to the second node (step 304).
- the parity bits are generated by error correction coding on the CIR estimate generated by the first node.
- the second node synchronizes the CIR estimate generated by the second node to the CIR estimate generated by the first node by using a synchronization signal/code sent by the first node or using some other schemes stated above (step 306).
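The reconciliation of Figure 1 and process 300, worked through as added example code (not the patent's own): the first node encodes its digitized CIR estimate with a systematic Hamming(7,4) code and publishes only the parity bits, and the second node decodes each candidate starting point with that parity and keeps the alignment that needed the fewest corrections. The 64-bit CIR, the two injected sample errors, the 3-sample misalignment and the SHA-256 condensation of the reconciled bits are constructed assumptions.

```python
import hashlib

# Constructed scenario (assumptions, not from the patent): a 64-bit digitized CIR
# estimate, a systematic Hamming(7,4) block code, two flipped samples and a
# 3-sample starting-point misalignment at the second node.

def hamming_parity(d):
    """Parity bits of a systematic Hamming(7,4) block; d is a list of 4 bits."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]

def hamming_decode(d, p):
    """Correct at most one error in the block (d, p); return (message, corrected).
    A block with two or more errors is silently miscorrected, which is why the
    text insists that the block code be chosen to match the expected error rate."""
    d1, d2, d3, d4 = d
    p1, p2, p3 = p
    # Syndrome bits; their 3-bit value is the 1-indexed codeword position of a
    # single error (positions 1, 2, 4 are parity, 3, 5, 6, 7 are message bits).
    s1 = p1 ^ d1 ^ d2 ^ d4
    s2 = p2 ^ d1 ^ d3 ^ d4
    s3 = p3 ^ d2 ^ d3 ^ d4
    pos = s1 | (s2 << 1) | (s3 << 2)
    message = list(d)
    if pos == 0:
        return message, False
    data_pos = {3: 0, 5: 1, 6: 2, 7: 3}
    if pos in data_pos:
        message[data_pos[pos]] ^= 1       # error in a message bit: flip it
    return message, True                  # error in a parity bit: message unchanged

def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")

def first_node_parity(cir_bits):
    """First node: keep the message part, send only the parity bits (public)."""
    parity = []
    for i in range(0, len(cir_bits), 4):
        parity.extend(hamming_parity(cir_bits[i:i + 4]))
    return parity

def second_node_reconcile(raw_stream, parity, n_bits, candidate_offsets):
    """Second node: decode each candidate starting point with the received parity
    and keep the one that needed the fewest corrections.
    Returns (offset, corrections, reconciled_bits)."""
    best = None
    for off in candidate_offsets:
        window = raw_stream[off:off + n_bits]
        if len(window) < n_bits:
            continue
        decoded, corrections = [], 0
        for blk in range(n_bits // 4):
            msg, fixed = hamming_decode(window[4 * blk:4 * blk + 4],
                                        parity[3 * blk:3 * blk + 3])
            decoded.extend(msg)
            corrections += fixed
        if best is None or corrections < best[1]:
            best = (off, corrections, decoded)
    return best

def secret_key(bits):
    """Condense the reconciled JRNSO bits into a fixed-length secret key."""
    return hashlib.sha256(bits_to_bytes(bits)).hexdigest()

def run_demo():
    cir_a = bytes_to_bits(hashlib.sha256(b"constructed CIR estimate").digest()[:8])
    parity = first_node_parity(cir_a)          # 48 parity bits go over the air
    cir_b = list(cir_a)
    cir_b[5] ^= 1                              # channel noise: one bad sample in block 1
    cir_b[42] ^= 1                             # ... and one in block 10
    raw_b = [1, 0, 1] + cir_b + [0, 1, 1]      # second node starts 3 samples early
    off, corr, recon = second_node_reconcile(raw_b, parity, len(cir_a), range(7))
    return off, corr, recon == cir_a, secret_key(recon) == secret_key(cir_a)

if __name__ == "__main__":
    print(run_demo())
```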
- FIG. 4 is a flow diagram of a process 400 for deriving an encryption key using JRNSO bits in accordance with one embodiment of the present invention.
- after a WTRU is associated with an AP at step 402, it is determined whether the authentication type supported by the wireless network is IEEE 802.1x or PSK (step 404). If IEEE 802.1x is supported, an authentication, authorization, and accounting (AAA) server and the WTRU authenticate each other using digital certificates (step 406). As part of the authentication signaling, the WTRU sends the AAA server a secret encrypted using a public key of the AAA server such that only the AAA server can decrypt it using the corresponding private key. This secret is used as a seed for deriving the encryption key. The AAA server then sends the secret to the AP (step 408). If the supported authentication type is PSK, the PSK is set as a default secret (step 410).
- the AP and the WTRU generate JRNSO bits using the process described hereinbefore (step 412). It should be noted that the JRNSO bits may be generated at any step before generation of the encryption key, not just after the secret has been forwarded.
- the AP and the WTRU derive an encryption key using the secret and the JRNSO bits (step 414).
- the AP and the WTRU then exchange a portion of the encryption key to confirm the key and identity (step 416).
- Group keys may be derived and sent to the WTRU using the encryption key as the PTK as done currently in IEEE 802.11i (step 418).
- the process according to the IEEE 802.11i standard may be followed. It should be noted that steps 402-410 are necessary only for the initial derivation; an encryption key update or refresh can be performed by deriving new JRNSO bits alone.
- a new secret may be exchanged and new JRNSO bits may be generated, or alternatively, new JRNSO bits with the old secret may be used. Only the second option is available for the PSK case. Historical information may be used to authenticate JRNSO bits. Both parties may cache some pre-agreed portions of earlier keys. An attacker cannot simply decrypt the master secret using the stolen private key, but must also guess the previous keys derived.
- This process explicitly separates the roles of authentication and key generation in the system.
- the AAA server deals only with authenticating the client, while the AP deals with key generation. This is different from IEEE 802.1x, where the AAA server is involved in both key derivation and authentication.
- JRNSO allows a new and fresh encryption key to be derived every few hundredths of a second (depending on channel conditions) dynamically. This is different from prior art where key updates are pre-programmed and are not cryptographically fresh and where to generate a fresh key a new secret has to be exchanged.
- since the PTK is just the PMK plus random information exchanged in the clear, if an attacker guesses the PMK, updating keys does not serve any cryptographic purpose.
- the master secret used to derive the MK and then the PMK serves a cryptographic purpose and is consequently very long (e.g., 48 bytes).
- the secret exchanged serves to authenticate the secret key derived from the JRNSO bits and thus only need be long enough to prevent brute force attacks (e.g., about 16 bytes). This makes it feasible to generate it afresh every time a key needs to be updated with JRNSO.
- the present invention provides a simpler key derivation method with only one short secret exchanged and one set of keys derived, instead of one long key exchanged and 3 sets of keys derived, (i.e., MK, PMK and PTK). This enables power savings on a mobile device.
- FIG. 5 is a flow diagram of a process 500 for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention.
- the process 500 is similar to process 400. Steps 502-512 are the same as steps 402-412 and, therefore, will not be explained for simplicity.
- the AP and the WTRU derive a PMK using the secret and the JRNSO bits (step 514).
- Group keys are then derived and sent to the WTRU as done currently in IEEE 802.11i (step 516).
- FIG. 6 is a flow diagram of a process 600 for deriving an encryption key using JRNSO bits in accordance with yet another embodiment of the present invention.
- the PSK is set as a PMK (step 611).
- the AP and the WTRU generate JRNSO bits using the process described hereinbefore (step 612). It should be noted that the JRNSO bits may be generated at any step before generation of the encryption key, not just after the PMK is derived. It may be carried out prior to deriving the PMK (in the case of 802.1x) to speed up the key derivation process. It may also be done during the 4-way handshake process for deriving the PTK. This will allow the system to be compatible with PSK authentication. The parity checks may also be carried out at any time prior to deriving the PTK.
- the AP and the WTRU derive a PTK using the PMK and the
- the PTK may be derived as follows:
- PTK = PRF(PMK, info in the clear, JRNSO bits).
- Group keys are then derived and exchanged as done currently in IEEE 802.11i (step 616).
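The PTK = PRF(PMK, info in the clear, JRNSO bits) derivation of process 600, as added example code that is not the patent's: it shows that a refresh which changes only the JRNSO bits (same PMK, same nonces) yields a different TK, whereas the plain derivation is fixed by the PMK and the cleartext handshake fields. The PRF-384 construction (HMAC-SHA1 iterated over label, addresses and nonces) is assumed from 802.11i; appending the JRNSO bits to the cleartext data is my assumption of how the three PRF inputs combine, and the PMK, addresses, nonces and JRNSO values are constructed.

```python
import hmac
import hashlib

def prf_384(key, label, data):
    """802.11i-style PRF-384 (assumed construction): HMAC-SHA1 iterated over
    label || 0x00 || data || counter, truncated to 48 bytes."""
    out = b""
    for i in range(3):                                   # 3 x 20 bytes >= 48 bytes
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]

def derive_ptk(pmk, aa, spa, anonce, snonce, jrnso_bits=b""):
    """PTK = PRF(PMK, info in the clear, JRNSO bits), split into KCK, KEK and TK.
    With jrnso_bits empty this is the plain 802.11i derivation, in which every
    input other than the PMK is visible on the air."""
    clear_info = (min(aa, spa) + max(aa, spa)
                  + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_384(pmk, b"Pairwise key expansion", clear_info + jrnso_bits)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def refresh_demo():
    """Constructed inputs. Returns (deterministic, jrnso_changes_tk):
    the same PMK, nonces and JRNSO bits always give the same TK, and a refresh
    that changes only the JRNSO bits gives a new TK without a new PMK."""
    pmk = hashlib.sha256(b"constructed PMK").digest()          # 32-byte PMK (constructed)
    aa, spa = bytes.fromhex("0011223344aa"), bytes.fromhex("00112233bb55")
    anonce, snonce = b"A" * 32, b"S" * 32                      # nonces sent in the clear
    jrnso_1 = hashlib.sha256(b"CIR sample 1").digest()[:16]    # constructed JRNSO bits
    jrnso_2 = hashlib.sha256(b"CIR sample 2").digest()[:16]    # ... from a later CIR

    first = derive_ptk(pmk, aa, spa, anonce, snonce, jrnso_1)
    again = derive_ptk(pmk, aa, spa, anonce, snonce, jrnso_1)
    refreshed = derive_ptk(pmk, aa, spa, anonce, snonce, jrnso_2)
    return first["TK"] == again["TK"], first["TK"] != refreshed["TK"]

if __name__ == "__main__":
    print(refresh_demo())
```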
- FIG. 7 is a flow diagram of a process 700 for deriving an encryption key using JRNSO bits in accordance with yet another embodiment of the present invention.
- FIG. 8 is a flow diagram of a process 800 for deriving an encryption key using a Diffie-Hellman protocol in accordance with the present invention.
- a WTRU 802 and an AP 804 agree to use JRNSO for deriving a key by exchanging a JRNSO initiation message and a JRNSO initiation confirmation (steps 812, 814).
- the WTRU 802 and the AP 804 generate JRNSO bits based on CIR estimates from transmissions between each other (steps 816, 818).
- the WTRU 802, (who takes a lead), generates parity bits by performing error correction coding on the generated CIR estimate and sends the parity bits to the AP 804 (step 820).
- the AP 804 performs error correction decoding using the received parity bits and may optionally send a confirmation (step 822).
- the steps 816-822 may be repeated several times.
- the WTRU 802 and the AP 804 have a pre-defmed look-up table
- LUT that stores secret numbers p and g (prime numbers) for mapping the JRNSO bits to the p and g values. For example, if the JRNSO measurement generates 5 bits of secret data, the WTRU 802 and the AP 804 can choose one of 16 possible unique values for the prime number / ? and another 16 values for the base g. It should be noted that other schemes may be used instead of LUT, which is obvious to those skilled in the art.
- the stored prime numbers should be large but not necessarily as large as in a conventional Diffie-Hellman protocol because of an additional layer of security with p and g secret in accordance with the present invention.
- the prime numbers should preferably also differ in orders of magnitude so that it is hard for an attacker to guess the range of modulo values.
- the WTRU 802 and the AP 804 choose secret integers a and b, respectively, send g^a mod p and g^b mod p to the other party, respectively, and derive b and a, respectively (steps 824, 826).
- the WTRU 802 and the AP 804 use this to derive a shared secret (step 828).
- the WTRU and the AP send a JRNSO key encrypted using the shared secret or use the shared secret as a JRNSO key (step 830).
- each feature or element can be used alone without the other features and elements of the preferred embodiments or in various combinations with or without other features and elements of the present invention.
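The FIG. 8 exchange (steps 816 to 830) as an added example, not code from the patent: the reconciled JRNSO bits index a look-up table of (p, g), both sides run Diffie-Hellman in that secret group, and a JRNSO key is derived from the shared secret. Assumptions not in the patent: 8 JRNSO bits split as 4 bits for p and 4 for g, a constructed table of toy primes, and HMAC-SHA256 as the final key-derivation step; it also covers the failure mode where the two sides did not reconcile to the same bits.

```python
"""Added example (not the patent's code): the FIG. 8 exchange with p and g chosen
from a look-up table indexed by the reconciled JRNSO bits. Assumptions: 8 JRNSO
bits (high nibble -> p, low nibble -> g), 16 toy primes one decade apart (real use
needs far larger ones), HMAC-SHA256 as the step 830 key derivation."""
import hashlib
import hmac
import secrets

# Constructed LUT: smallest prime above 10^3 .. 10^18 (one per decade, so the
# size of the modulus itself is not known to an observer) and 16 candidate bases.
P_TABLE = [1009, 10007, 100003, 1000003, 10000019, 100000007, 1000000007,
           10000000019, 100000000003, 1000000000039, 10000000000037,
           100000000000031, 1000000000000037, 10000000000000061,
           100000000000000003, 1000000000000000003]
G_TABLE = [2, 3, 5, 6, 7, 10, 11, 12, 13, 14, 15, 17, 19, 21, 22, 23]


def select_parameters(jrnso_bits: str) -> tuple:
    """Map 8 reconciled JRNSO bits to (p, g): high nibble -> P_TABLE, low -> G_TABLE."""
    if len(jrnso_bits) != 8 or set(jrnso_bits) - {"0", "1"}:
        raise ValueError("expected 8 JRNSO bits as a '0'/'1' string")
    return P_TABLE[int(jrnso_bits[:4], 2)], G_TABLE[int(jrnso_bits[4:], 2)]


def valid_public_value(y: int, p: int) -> bool:
    """Reject 0, 1 and p-1: they confine the shared secret to a two-element set."""
    return 1 < y < p - 1


class Party:
    """One side (WTRU or AP) of steps 824-828; x is its secret integer a or b."""
    def __init__(self, jrnso_bits: str, x=None):
        self.p, self.g = select_parameters(jrnso_bits)
        self.x = x if x is not None else 2 + secrets.randbelow(self.p - 3)

    def public_value(self) -> int:
        return pow(self.g, self.x, self.p)          # g^x mod p, sent in the clear

    def shared_secret(self, peer_public: int) -> int:
        if not valid_public_value(peer_public, self.p):
            raise ValueError("peer public value outside (1, p-1)")
        return pow(peer_public, self.x, self.p)     # (g^y)^x mod p


def jrnso_key(shared: int, p: int, g: int) -> bytes:
    """Step 830 (assumed instantiation): HMAC-SHA256 over the shared secret, keyed
    with the secret p and g so a different LUT choice cannot yield the same key."""
    salt = p.to_bytes(16, "big") + g.to_bytes(2, "big")
    return hmac.new(salt, b"JRNSO key" + shared.to_bytes(16, "big"), hashlib.sha256).digest()


def run_exchange(wtru_bits: str, ap_bits: str, a=None, b=None) -> tuple:
    """Return (wtru_key, ap_key); equal only if both sides reconciled the same bits."""
    wtru, ap = Party(wtru_bits, a), Party(ap_bits, b)
    k_w = jrnso_key(wtru.shared_secret(ap.public_value()), wtru.p, wtru.g)
    k_a = jrnso_key(ap.shared_secret(wtru.public_value()), ap.p, ap.g)
    return k_w, k_a


if __name__ == "__main__":
    agreed = run_exchange("00010010", "00010010")
    print("reconciled bits agree ->", agreed[0] == agreed[1])
    off_by_one = run_exchange("00010010", "00010011")   # same p, different g
    print("unreconciled bits agree ->", off_by_one[0] == off_by_one[1])
```

If the unreconciled bits select different moduli, the peer's value can fall outside (1, p-1) and shared_secret raises instead of silently producing a mismatched key.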
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US64748205P | 2005-01-27 | 2005-01-27 | |
US71617705P | 2005-09-12 | 2005-09-12 | |
US73433105P | 2005-11-07 | 2005-11-07 | |
US11/318,381 US8280046B2 (en) | 2005-09-12 | 2005-12-23 | Method and system for deriving an encryption key using joint randomness not shared by others |
PCT/US2006/001839 WO2006081122A2 (en) | 2005-01-27 | 2006-01-19 | Method and system for deriving an encryption key using joint randomness not shared by others |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1847060A2 (en) | 2007-10-24 |
EP1847060A4 EP1847060A4 (en) | 2011-09-14 |
Family
ID=36740955
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06718847A Withdrawn EP1847060A4 (en) | 2005-01-27 | 2006-01-19 | Method and system for deriving an encryption key using joint randomness not shared by others |
Country Status (9)
Country | Link |
---|---|
EP (1) | EP1847060A4 (en) |
JP (1) | JP4734344B2 (en) |
KR (3) | KR101011470B1 (en) |
CN (1) | CN101951383B (en) |
CA (1) | CA2596067C (en) |
MX (1) | MX2007009063A (en) |
NO (1) | NO20074210L (en) |
TW (2) | TWI378701B (en) |
WO (1) | WO2006081122A2 (en) |
- 2006
- 2006-01-19 EP EP06718847A patent/EP1847060A4/en not_active Withdrawn
- 2006-01-19 CN CN2010102981704A patent/CN101951383B/en not_active Expired - Fee Related
- 2006-01-19 KR KR1020077018125A patent/KR101011470B1/en not_active IP Right Cessation
- 2006-01-19 CA CA2596067A patent/CA2596067C/en not_active Expired - Fee Related
- 2006-01-19 JP JP2007553138A patent/JP4734344B2/en not_active Expired - Fee Related
- 2006-01-19 KR KR1020117010823A patent/KR20110076992A/en not_active Application Discontinuation
- 2006-01-19 WO PCT/US2006/001839 patent/WO2006081122A2/en active Application Filing
- 2006-01-19 MX MX2007009063A patent/MX2007009063A/en not_active Application Discontinuation
- 2006-01-19 KR KR1020077018514A patent/KR101253370B1/en not_active IP Right Cessation
- 2006-01-20 TW TW095102241A patent/TWI378701B/en not_active IP Right Cessation
- 2006-01-20 TW TW095128389A patent/TWI404393B/en not_active IP Right Cessation
- 2007
- 2007-08-16 NO NO20074210A patent/NO20074210L/en not_active Application Discontinuation
Also Published As
Publication number | Publication date |
---|---|
JP4734344B2 (en) | 2011-07-27 |
CN101951383A (en) | 2011-01-19 |
TWI378701B (en) | 2012-12-01 |
CA2596067A1 (en) | 2006-08-03 |
TW200633460A (en) | 2006-09-16 |
CN101951383B (en) | 2013-06-19 |
EP1847060A4 (en) | 2011-09-14 |
KR101253370B1 (en) | 2013-04-11 |
TWI404393B (en) | 2013-08-01 |
CA2596067C (en) | 2013-09-17 |
NO20074210L (en) | 2007-10-24 |
MX2007009063A (en) | 2007-10-02 |
KR20070088821A (en) | 2007-08-29 |
JP2008529413A (en) | 2008-07-31 |
WO2006081122A3 (en) | 2007-11-22 |
KR101011470B1 (en) | 2011-01-28 |
TW200723818A (en) | 2007-06-16 |
KR20110076992A (en) | 2011-07-06 |
KR20070096008A (en) | 2007-10-01 |
WO2006081122A2 (en) | 2006-08-03 |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20070827 |
AK | Designated contracting states | Kind code of ref document: A2; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
AX | Request for extension of the European patent | Extension state: AL BA HR MK YU |
R17D | Deferred search report published (corrected) | Effective date: 20071122 |
RIC1 | Information provided on IPC code assigned before grant | Ipc: H04L 9/00 20060101AFI20071210BHEP; Ipc: H04K 1/00 20060101ALI20071210BHEP |
DAX | Request for extension of the European patent (deleted) | |
A4 | Supplementary search report drawn up and despatched | Effective date: 20110812 |
RIC1 | Information provided on IPC code assigned before grant | Ipc: H04L 9/08 20060101ALI20110808BHEP; Ipc: H04L 9/00 20060101AFI20110808BHEP; Ipc: H04K 1/00 20060101ALI20110808BHEP; Ipc: H04L 9/32 20060101ALI20110808BHEP |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: INTERDIGITAL TECHNOLOGY CORPORATION |
RIN1 | Information on inventor provided before grant (corrected) | Inventor name: MUKHERJEE, RAJAT, PRITAM; Inventor name: RUDOLF, MARIAN |
STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn | Effective date: 20180801 |