GB2411801A - Establishing secure connections in ad-hoc wireless networks in blind trust situations - Google Patents

Establishing secure connections in ad-hoc wireless networks in blind trust situations Download PDF

Info

Publication number
GB2411801A
GB2411801A GB0405037A GB0405037A GB2411801A GB 2411801 A GB2411801 A GB 2411801A GB 0405037 A GB0405037 A GB 0405037A GB 0405037 A GB0405037 A GB 0405037A GB 2411801 A GB2411801 A GB 2411801A
Authority
GB
United Kingdom
Prior art keywords
initiation signal
user
data
received
wireless connection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB0405037A
Other versions
GB2411801B (en
GB0405037D0 (en
Inventor
Georgios Kalogridis
Chan Yeob Yeun
Gary Clemo
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Toshiba Europe Ltd
Original Assignee
Toshiba Research Europe Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Toshiba Research Europe Ltd filed Critical Toshiba Research Europe Ltd
Priority to GB0405037A priority Critical patent/GB2411801B/en
Publication of GB0405037D0 publication Critical patent/GB0405037D0/en
Publication of GB2411801A publication Critical patent/GB2411801A/en
Application granted granted Critical
Publication of GB2411801B publication Critical patent/GB2411801B/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/18Self-organising networks, e.g. ad-hoc networks or sensor networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

Ad-hoc or spontaneous networks are not generally able to rely upon certifying authorities or the like to provide trust in the party you are communicating with. Therefore the establishment of secure links in such networks is problematic, three solutions are proposed. In the first a device joining the ad-hoc network will only establish a secure link if only one other device attempts to communicate with. This builds on the resurrecting ducking approach where a device connects to the first, of possibly many, other devices it communicates with by trying to ensure that malicious devices are not in the vicinity. The second requires a user to authorise the link before establishment. The third establishes a link, but assigns a level of trust to it which limits how data received over the link can be processed.

Description

2411 801 The present invention relates to a wireless network, a device for
use in a wireless network and a method of configuring a wireless network.
As electronic communications become ever more a part of everyday life, issues of secure data transmission are becoming increasingly important. This is especially the case for wireless communications, in which data is broadcast from one device to another and can be received by other devices. In order to stop any malicious devices in range from intercepting wireless communications between two devices, cryptographic techniques are typically used to provide secure communication channels.
Broadly speaking at present two basic cryptographic techniques, symmetric and asymmetric, are employed to provide secure data transmission between electronic devices. Symmetric cryptography uses a common secret key for both encryption and decryption, along traditional lines. The data is protected by restricting access to this secret key and by key management techniques, for example, using a different key for each transmission or for a small group of data transmissions. A well-known example of symmetric cryptography is the US Data Encryption Standard (DES) algorithm (FIPS- 46, FIPS-47-1, FIPS-74, FIPS-81 of the US National Bureau Standards). A variant of this is triple DES (3DES) in which three keys are used in succession to provide additional security. Other examples of symmetric cryptographic algorithms are RC4 from RSA Data Security, Inc and the International Data Encryption Algorithm (IDEA).
Asymmetric or so-called public key cryptography uses a pair of keys one "private" and one "public" (although in practice distribution of the public key is also often restricted).
A message encrypted with the public key can only be decrypted with the private key, and any other device with the public key can securely send data to the first device by encrypting it with the public key safe in the knowledge that only the private key can be used to decrypt the data.
Asymmetric cryptographic systems are generally used within an infrastructure known as Public Key Infrastructure (PKI) which provides key management functions.
Asymmetric cryptography can also be used to digitally sign messages by encrypting either the message or a message digest, using the private key. Providing the recipient has the original message they can compute the same digest and thus authenticate the signature by decrypting the message digest. A message digest is derived from the original message and is generally shorter than the original message making it difficult to compute the original message from the digest; a so-called hash function may be used to generate a message digest.
A Public Key Infrastructure normally includes provision for digital identity Certificates.
To prevent an individual posing as somebody else an individual may prove his identity to a certification authority which then issues a certificate signed using the authority's private key and including the public key of the individual. The Certification Authority's public key is widely known and therefore trusted and since the certificate could only have been encrypted using the authority's private key, the public key of the individual is verified by the certificate. Within the context of a mobile phone network a user or the network operator can authenticate their identity by signing a message with their private key; likewise a public key can be used to verify an identity. Further details of PKI for wireless applications can be found in WPKI, WAP-217-WPKI, version 24 - April 2001 available at www.waptorum.org and in the X.509 specifications (PKIX) which can be found at www.ietf.org, all hereby incorporated by reference.
Asymmetric cryptography was first publicly disclosed by Dime and Hellman in 1976 (W. Dime and D.E. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, 22 (1976), 644-654) and a number of asymmetric cryptographic techniques are now in the public domain of which the best known is the RSA (Rives", Shamir and Adleman) algorithm (R.L. Rivest, A. Shamir and L.M. Adleman, "A method for obtaining digital signatures and public-key cryptosystems", Communications of the ACM, 21 (1978), 120- 126).
The symmetric and asymmetric cryptographic techniques outlined above each have advantages and disadvantages. Asymmetric approaches are less resource-efficient, requiring complex calculations and relatively longer key lengths than symmetric approaches to achieve a corresponding level of security. A symmetric approach, however, requires storage of secret keys within a device and does not provide non- repudiation.
A common approach is to combine both these approaches, broadly speaking using public key techniques to transfer a secret session key. A communications session may then be established using this key, to encrypt data to allow two devices to communicate securely over a wireless network.
There exists a large variety of traditional cryptographic techniques that facilitate key exchange between two parties. The most well-known one is the Diffe-Helman Key exchange algorithm, mentioned above. The idea behind Diffie-Helman is to allow two users to establish a shared secret key, known only to them.
The Diffe-Hellman key exchange protocol allows two users to exchange a secret key k over an insecure medium, without the two users sharing any prior secrets. This protocol uses private randomly generated numbers and large prime numbers to allow users to generate a shared key. However, it is well known that the Diff'e-Hellman key exchange protocol does not authenticate the participants involved in the exchange.
Authentication is the term given to any process through which one proves and verifies certain information. For example, a recipient of a transmission may want to verify the origin of the transmission and the identity of the sender. The fact that the Diffe- Hellman key exchange protocol does not authenticate the participants means that it is therefore susceptible to man-in-the-middle attacks.
There are other approaches to secret key establishment which can provide a means for authenticating both devices. However, such approaches are heavily dependent on the existence of an infrastructure, e.g. PKI mentioned above. These approaches typically attempt to develop a network of trust between all the devices involved in the protocol, and the network of trust can be either centralized or decentralized. The principle behind these approaches is that two unknown devices can authenticate each other simply because they both know a common trusted third party who can provide to both of them information that allows them to authenticate each other.
However, protocols of this type suffer from the problem that additional security may need to be provided for an unknown device to register with a trusted third party for first time. Secondly, protocols of this type necessarily require a security infrastructure that allows each device to be in communication with the trusted third party. This need for a security infrastructure renders such protocols inapplicable for the setting up of an ad- hoc network.
The term ad-hoc (or "spontaneous") network is used to describe a local area network or other small network, especially one with wireless or temporary plug-in connections, in which new devices can be quickly added. For wireless networks suitable for use in the home, it is not a commercially viable solution to uniquely and globally register mass produced and merchandised wireless equipment with a trusted third party. Furthermore, a consumer is likely to purchase goods from many different manufacturers, and an infrastructure reliant method could only be relied on for an ad hoc network if every device made by every manufacturer was configured to use the same trusted third party.
On this basis, infrastructure reliant methods for sharing configuration information or cryptographic data are not suitable for ad-hoc networks.
Other approaches to the setting up of wireless networks will now be described with reference to Figure I of the accompanying drawings. Figure I shows a block diagram illustrating the basic set-up of a typical wireless network, such as a wireless local area network. The illustrated wireless network 2 comprises a primary device 4 in communication with a first secondary device 6 over a first wireless communications path 8 and also in communication with a second secondary device 10 over a second wireless communications path 12.
Communications between the primary device 4 and the secondary devices 6 and 10 are typically encrypted using a symmetric cryptographic technique using a secret encryption key K before transmission to protect against eavesdropping by intruders and also to prevent unauthorised access to the primary device 4. One such security protocol is the wired equivalent privacy (WEP) protocol in which communications are encrypted with a secret key prior to transmission. The IEEE 802.11 standard specifies a 64- bit WEP key, which comprises a 40-bit shared secret, the remaining 24 bits being a non-secret initialization vector. Several proprietary extensions of the IEEE 802.11 standard have emerged, the most common being a 128-bit solution (104-bit shared secret, 24-bit initialization vector), although there are also some 152-bit solutions (128-bit shared secret, 24-bit initialization vector).
With a security protocol such as the WEP protocol, it is of course necessary for each of the devices 4, 6 and 12 in the wireless network 2 to have knowledge of the secret key.
The distribution of the secret key clearly raises both practical and security issues.
Therefore, the distribution of the encryption information must be performed in a manner that is secure, so that only those devices that are authorised gain knowledge of the secret key. It is also very important that the method of transferring the secret key is user- friendly, to ease the installation process and to prevent installation errors by the user.
This is especially so when the wireless network is being set up in a home environment without skilled IT support or advice. A consumer cannot be presumed to be either skilled enough or willing enough to go through a set of complicated installation procedures in order to set up a wireless network of devices.
To explain the process of installing a new device into a wireless network, Figure 1 also illustrates a third secondary device 14 that is to be installed into the existing wireless network 2 such that wireless communication can be established between the primary device 4 and the third secondary device 14. As part of this procedure, the third secondary device 14 must be supplied with the secret key K that is being used by the primary device 4 for wireless communications, as well as any other configuration parameters that are required for establishing wireless communication with the primary device 4, such as for example the transmission frequency pattern to be used.
However, if the primary device 4 and the third secondary device 14 are completely unknown to each other, and there is no trusted infrastructure to authenticate the devices, then providing the third secondary device 14 with the secret key K is clearly a security problem. It will be apparent that the point of symmetrically encrypting transmissions with a key will be lost if the key is made freely available to other, potentially malicious devices.
Theoretically, the problem of two or more completely unknown devices wishing to establish a secure link is considered to be an unsolvable problem. However, various methods have been adopted in order to try and provide a workable solution.
Some current technologies targeted at the home, such as the Digital Enhanced Cordless Telecommunications (DECT) technology and Bluetooth (RTM) , adopt a "press the button now" approach, in which the user is required to set manually both the primary device 4 and the third secondary device 14 into a registration mode as a primitive form of authentication. Then, for a limited period, the two devices 4 and 14 transfer encryption keys K and the like in unencrypted form. However, even though the window of transmitting the encryption keys K is a constrained and unpredictable time window, there is still a significant risk of eavesdropping by a malicious device. This is because if a malicious device intercepted the transmitted secret key K, the malicious device could then use the key K to share information with primary device 4. Such methods are therefore inherently lacking in security.
Security can be enhanced beyond a simple "press the button now" approach by using human interaction to physically authenticate the devices involved in an exchange by entering data on both devices. For example, the third secondary device 14 could be installed into the wireless network 4 by entering the encryption key K manually into the third secondary device 14, for example via a keypad.
This overcomes the problem of the eavesdropping of the encryption key K, and is therefore fairly secure. However, such a method is not suited for all devices. For example, in the home entertainment environment the devices envisaged (for example, hi-fi equipment such as speakers, amplifiers and tuners) are likely to have no user interface at all, and highly unlikely to have a full keyboard. On this basis, the entry of the required encryption key K into the third secondary device 14 is likely to be difficult, if not impossible.
In addition, user-friendliness and the ease of installing a new device are extremely important in the domestic market. Requiring the user to enter encryption keys and other configuration parameters into a new device is likely to be both unpopular to the user and unreliable.
Another example of a user entry system is physical address authentication, such as the Media Access Control (MAC) Address Authentication procedure, which is part of the IEEE 802.1 1 wireless local area network standard. The MAC address is a unique value associated with each network adapter, and is also known as a hardware address or physical address. A MAC address therefore uniquely identifies an adapter on a local area network. MAC addresses are 12-digit hexadecimal numbers (48 bits in length).
By convention, MAC addresses are usually written in the format "MM-MM-MMSS- SS-SS", where the first half (MM-MM-MM) contains the ID number of the adapter manufacturer and the second half (SS-SS-SS) represents the serial number assigned to the adapter by the manufacturer.
However, as for requiring the user to enter a lengthy encryption key, there are barriers to this technique being adopted in the consumer market. These are mainly due to the complexity involved in entering the lengthy code correctly into a device by an inexperienced user. This is made even more difficult and error-prone in view of the limited user interface available on many home devices. The provision of a more complex user interface (for example a full keyboard, or a method for connecting a Personal Computer to the device) for every device in a home network would be expensive, and would likely to be undesirable to the consumer.
In addition, there have been numerous recent proposals for manual secure authentication which have also been extended for manual secure key exchange.
An example of this is IST-SHAMAN, WP2, Security for distributed terminals, public document, http://www.isrc.rhul.ac.uk/shaman/docs/dl3a2vl.pdf. However, like all the similar approaches discussed above, this approach requires the devices involved to both have input (keyboard) and output (display) facilities in order the user to read and write a short message authentication code. On this basis, this method is not suitable for many wireless devices.
Another approach to the problem of establishing a secure link between two unknown devices is often referred to as the "Resurrecting Duckling" approach. This was disclosed by F. Stajano and R.J. Anderson, "The Resurrecting Duckling: Security Issues in Ad- Hoc Wireless Networks," Proc. Seventh Security Protocols Workshop, Lecture Notes in Computer Science 1796, Springer-Verlag, Berlin, 2000, pp. 172-182.
This method involves devices simulating the way a duckling emerging from its egg and recognizes its "mother". A duckling will presume that the first moving object that a duckling sees that makes a sound will be its "mother", regardless of what it actually is or looks like. This natural phenomenon shown in animals such as ducks is called mprntmg.
In the "Resurrecting Duckling" approach a device will recognize the first entity that sends it a secret key as its "owner" or mother. As soon as this "ignition key" is received, the device is no longer a "newborn" and will stay faithful to its owner for the rest of its life. If several entities are present at the device's "birth", i.e. when it is first switched on, then the first entity that sends the device a key becomes the owner. The device will then blindly trust its owner, and thus be a slave device. However the opposite will not apply, and the owner device will not blindly trust the slave.
The "Resurrecting Duckling" approach attempts to overcome the technical differences in establishing blind friendships in a simple way that mimics nature. It is disclosed as a solution for devices with a "Peanut CPU", a weak battery and a high latency network interface. However, this approach does not provide good enough security for use in ad- hoc environments. This is because it builds on blind trust relationships and offers insufficient safeguards against malicious third parties.
According to a first aspect of the invention, there is provided a method of configuring a wireless connection between a first device and a second device, the method comprising at the second device: receiving an initiation signal from the first device; establishing if any other initiation signals are received in a predetermined time after the receipt of the initiation signal from the first device; determining that a connection may be established between the first device and the second device if no initiation signals from devices other than the first device are received in the predetermined time; and configuring a wireless connection between the first device and the second device if it is determined that the first device may connect to the second device.
The predetermined time provides a time window for one device to connect to another device without further security measures. For example, if the second device receives an initiation signal from a third device during the predetermined time after the receipt of the initiation signal from the first device, then the second device will not establish an automatic connection with either the first device or the third device. In this situation, the second device will have received two initiation signals from unknown devices, and thus will have no secure way of determining which one it should connect to (as all the devices are unknown to each other and there is no third party infrastructure to authenticate the devices). Therefore, the first aspect of the invention provides a safeguard against the second device forming a connection with a malicious device instead of the first device.
The method may further comprise determining that the first device may be connected to the second device if only one initiation signal is received in the predetermined time.
The method may further comprise the second device sending configuration data to the first device following the receipt of an initiation signal, and using the configuration data to configure the wireless connection. The configuration data could be sent to the first device after the predetermined time or during the predetermined time. The configuration data could be sent to the first device even if it is determined that the first device may not connect to the second device.
The configuration data could be used to configure a temporary wireless connection between the first device and the second device for use during the predetermined time.
This temporary wireless connection could then be terminated if the second device determines that the first device cannot be validly connected to the second device.
The initiation signal could comprise information data of the first device. This information data could comprise information relating to the nature and capabilities of the first device.
In some embodiments, the configuration data comprises a session key used for encryption of transmission data sent between the second device and the first device once a wireless connection has been configured between the first device and the second device. The method may further comprise, at the first device, on receipt of the configuration data from the second device, determining if the second device may be connected to the first device and sending a connection refusal signal to the second device if the second device may not be connected to the first device; and at the second device, receiving the connection refusal signal and outputting an alert to the user.
The method may further comprise, at the first device, on receipt of the configuration data from the second device: outputting to a user interface an indication that configuration data has been received from the second device; receiving from a user input an indication of whether the second device may be connected to the first device; and, terminating the wireless connection between the second device and the first device if the user input indicates that second device may not be connected to the first device.
The initiation signal may comprise information data of the first device, and the method could further comprise at the second device, on receipt of initiation signals from any device other than the first device within the predetermined time: outputting to a user interface an indication that an initiation signal has been received from the first device using the information data of the first device; and receiving a user indication that the user determines that the first device may be connected to the second device. In some embodiments, the method could further comprise outputting to said user interface an indication to the user that an initiation signal has been received from a device other than the first device.
The initiation signal from the first device could comprise a public key of the first device corresponding to a private key of the first device, and the method could further comprise the second device encrypting the configuration data using the public key of the first device before sending the configuration data to the first device. The first device could then decrypt the configuration data using its private key. Therefore, embodiments according to the first aspect of the invention can be used to exchange configuration data (which could include a session key) in a secure manner.
The method may further comprise the first device determining a first trust parameter relating to the connection between the first device and the second device, and using the first trust parameter to determine the actions taken by the first device in response to data received from the second device over the wireless connection. In some embodiments, the second device transmits to the first device second specification information including information indicative of the capabilities of the second device, and the method further comprises the first device determining the first trust parameter by comparing the second specification information with predetermined criteria.
The method may further comprise the second device determining a second trust parameter relating to the connection between the second device and the first device, and using the second trust parameter to determine the actions taken by the second device in response to data received from the first device over the wireless connection.
The initiation signal of the first device may include first specification information indicative of the capabilities of the first device, and the method may furler comprise the second device, determining the second trust parameter by comparing the first specification information contained in the initiation signal with predetermined criteria.
Both the second device and the first device could be arranged to only accept one wireless connection at a time. In this situation, if a connection is formed between one device and another device then connection attempts from other devices would be refused or ignored.
After a connection has been established with the first device, the method may further comprise the second device determining if an initiation signal from another device other than the first device is received in a second predetermined time, and if so performing any one or more of: sending a connection refusal signal to said another device; terminating the wireless connection between the second device and the first device; and outputting to a user interface an indication that an initiation signal has been received from a device other that the first device.
The method may further comprise, at the second device or the first device, after a connection has been established with the first device or the second device respectively: transmitting a further initiation signal periodically for a third predetermined time; determining if further configuration data from another device other than the first device is received in a second predetermined time, and if so performing any one or more of: sending a connection refusal signal to said another device; terminating the wireless connection between the second device and the first device; and outputting to a user interface an indication that further configuration data has been received from a device other that the first device.
According to a second aspect of the invention, there is provided a wireless communications device arranged to establish a wireless connection with a first device, the device comprising: a receiver for receiving an initiation signal from said first device; a processor arranged to establish if any other initiation signal is received in a predetermined time after the receipt of the initiation signal from said first device, and to determine that the first device may be connected to said first device if no initiation signals from devices other than the first device are received within the predetermined time; a generator for generating configuration data used for configuring a wireless connection between the device and the first device; and a transmitter arranged for sending the generated configuration data to the first device if the first device may be connected to the device.
According to a third aspect of the invention, there is provided a wireless network comprising at least two devices capable of establishing a wireless connection, the network comprising, a first device comprising a transmitter arranged for transmitting an initiation signal, a second device comprising: a receiver arranged for receiving the initiation signal from the first device; a processor arranged to establish if any other initiation signal is received in a predetermined time after the receipt of the initiation signal from the first device, and to determine that the first device may be connected to the second device if no initiation signals from devices other than the first device are received within the predetermined time; and a generator for generating configuration data used for configuring a wireless connection between the device and the first device a transmitter arranged for sending the generated configuration data to the first device if the first device may be connected to the second device, wherein the configuration data is used to configure a wireless connection between the first device and the second device if the first device.
According to a fourth aspect of the invention, there is provided a method of establishing a secure wireless connection between a first device and a second device; the method comprising: receiving the an initiation signal from the first device, the initiation signal comprising information dataof the first device and a public key of the first device; outputting to a user interface an indication that an initiation signal has been received from the first device based upon the information data; receiving a user indication of whether the user determines that the first device may be connected to the second device; encrypting a session key using the public key of the first device to form encrypted data; transmitting the encrypted data for reception by the first device, if the user indicates that the first device may be connected to the second device.
Arrangements of this aspect of the invention provide a method of exchanging a key that is both relatively secure and very user friendly. One of the advantages of such over conventional methods is that they involve the user authenticating one of the parties.
Both the first device and the second device could be unknown to each other, and therefore establishing connections based on blind trust would be insecure. However, the user would be aware of the devices that he or she is trying to connect, and would therefore not allow the second device to connect to the first device unless the information provided to him or her matches what they know about the nature of the first device. Once the user provides an indication that he or she regards that the first device may be connected to the second device, a session key is exchanged. Only the first and second devices would be able to obtain the session key as in encrypted with the public key of the first device, and could only be decrypted with the private key of the first device.
Therefore, although the security mechanism would be transparent to the user, the actions of the user would have helped ensure the security of the protocol.
It is considered an unsolvable problem that two devices with no prior knowledge of each other can set up a connection between themselves in a secure manner, without the intervention of a trusted third party. However, such arrangements rely on the user of the devices to provide a form of authentication in a way that is user friendly and unobtrusive. If a malicious device attempted to establish a connection with the second device, the second device would provide an indication to the user that the malicious device was trying to establish a connection with the second device. If the displayed information seemed unexpected in any way, for example if the user had not recently purchased any new wireless equipment, then the user could simply refuse to allow the displayed display to be connected to the second device.
Such an arrangement provides more security than establishing wireless connections on the basis of blind trust, but does not inconvenience the user in any way. From the point of view of the user, they are just selecting one device to connect to another. However, in the background the devices are performing a secure key exchange based on the tacit user authentication.
In some embodiments, the second device receives the user indication that the first device is to be connected to the second device.
In some embodiments, a third device receives the user indication that the first device is to be connected to the second device. The third device may transmit the encrypted data for reception by the first device if the user indicates that the first device may be connected to the second device, and the method may further comprise the third device: receiving a second initiation signal from the second device, the second initiation signal comprising information data of the second device and a public key of the second device; encrypting the session key using the public key of the second device to form second encrypted data; and transmitting the second encrypted data for reception by the second device, if the user indicates that the first device may be connected to the second device; wherein the encrypted data includes command data for instructing the first device to connect to the second device using the session key, and the second encrypted data includes second command data for instructing the second device to connect to the first device using the session key.
The method may further comprise establishing whether an initiation signal from a device other than the first device is received in a predetermined time from the receipt of the initiation signal from the first device, and on receipt of an initiation signal from a device other than the first device within the predetermined time, outputting to a user interface an indication to the user that an initiation signal has been received from a device other than the first device.
The method may further comprise the first device, on receipt of the encrypted data, decrypting the encrypted data with a private key corresponding to the public key to obtain the session key; outputting to a user interface an indication that a session key has been received for use with the second device; receiving a user indication of whether the user determines that the first device may be connected to the second device; and terminating further communication with the second device if the user indication indicates that the first device may not be connected to the second device.
The method may further comprise the first device determining a first trust parameter relating to the connection between the first device and the second device, and using the first trust parameter to determine the actions taken by the first device in response to data received from the second device over the wireless connection. The encrypted data may includes second specification information indicative of the capabilities of the second device, and the method may further comprise the first device, determining the first trust parameter by comparing the second specification information with predetermined criteria.
The method may comprise the second device determining a second trust parameter relating to the connection between the second device and the first device, and using the second trust parameter to determine the actions taken by the second device in response to data received from the first device over the wireless connection. The second device may receive first specification information indicative of the capabilities of the first device, and may determine the second trust parameter by comparing the first specification information with predetermined criteria.
According to a fifth aspect of the invention, there is provided a wireless communications device arranged to establish a wireless connection with a first device, the device comprising: a receiver for receiving an initiation signal from the first device, the initiation signal comprising information data of the first device and a public key of the first device; an interface for providing the user with an indication that an initiation signal has been received from the first device; a user input arranged to receive a user indication of whether the user determines that the first device may be connected to the wireless communication device; a processor for encrypting a session key using the public key of the first device to from encrypted data; and a transmitter for sending the encrypted data to the first device if the user indication indicates that the first device may be connected to the wireless communication device.
According to a sixth aspect of the invention, there is provided a wireless network comprising at least two devices capable of establishing wireless communication, the network comprising: a first device comprising: a transmitter for transmitting an initiation signal, the initiation signal comprising information data of the first device and a public key of the first device; a second device comprising: a receiver for receiving an initiation signal from the first device, the initiation signal comprising information data of the first device and a public key of the first device; an interface for providing the user with an indication that an initiation signal has been received from the first device; a user input arranged to receive a user indication of whether the user determines that the first device may be connected to the second device; a processor for encrypting a session key using the public key of the first device to from encrypted data; and a transmitter for sending the encrypted data to the first device if the user indication indicates that the first device may be connected to the second device.
According to a seventh aspect of the invention, there is provided a method of configuring a wireless connection between a first device and a second device, the method comprising: sending an initiation signal; receiving generated configuration data from the second device sent in response to the initiation signal; setting up a wireless connection between the first device and the second device using the configuration data; determining a first trust parameter relating to the wireless connection between the first device and the second device; controlling the actions taken by the first device in response to data received from the second device using the first trust parameter.
The provisions of the trust parameters therefore enable devices to establish a limited trust connection, in which restrictions are placed on the actions the devices take in response to received data. A device cannot have any control over the type data that it is sent over the wireless connection by other devices, but can only limit the actions that it performs in response to the data it receives. Therefore, a device cannot stop a malicious device from sending to it such data as requests to reveal security information, but it can choose to ignore such data.
The limited trust connections provided by such methods enable wireless connections to be more secure, as unknown devices effectively place limits on the privileges that they give to other devices. In this situation, privileges could be considered as the right to have you requests actioned by the receiving device. Furthermore, such methods provide a means of increasing the security of a wireless connection with minimal additional overheads and cost.
In addition, such methods provide a strong deterrent to potential hackers, as the rewards for successfully launching a spoofing attack are low, as the resulting wireless connection are always subject to trust limitation determined by the individual devices and not by any other devices.
The first trust parameter may be determined based upon the security of the method used to send configuration data from the second device. The first trust parameter may be determined based upon the capabilities of the second device.
The configuration data may include second specification information indicative of the capabilities of the second device, and the method may further comprise determining the first trust parameter by comparing the second specification information with predetermined criteria.
The method may further comprise the second device: receiving the initiation signal from the first device; sending configuration data to the first device; using the configuration data to set up a wireless connection between the first device and the second device; determining a second trust parameter relating to the wireless connection between the second device and the first device; and controlling the actions taken by the second device in response to data received from the first device using the second trust parameter.
The second trust parameter may be determined based upon whether the second device can authenticate the initiation signal sent by the first device. The second trust parameter may be determined based upon the capabilities of the first device.
The initiation signal may comprise first specification information including information indicative of the capabilities of the first device, and the method may further comprise determining the second trust parameter by comparing the first specification information with predetermined criteria.
The method may further comprise upgrading the first and/or second trust parameter to an upgraded first trust parameter and/or second trust parameter respectively, based upon: providing the user with an indication that a wireless connection has been established between the first and second devices, and receiving a user indication that the first and/or second trust parameter is to be upgraded.
The method may further comprise upgrading the first and second trust parameter to an upgraded first trust parameter and second trust parameter respectively, based upon providing a secret key to the first device and the second device.
According to an eighth aspect of the invention, there is provided a wireless communications device comprising: a receiver arranged for receiving an initiation signal from a first device; a transmitter for sending configuration data to the first device, wherein the configuration data is used to set up a wireless connection between the first device and the wireless communications device; a processor arranged to determine a second trust parameter relating to the wireless connection between the wireless communications and the first device, and to determine the actions taken by the wireless communications device in response to data received from the first device.
According to a ninth aspect of the invention, there is provided a wireless communications device comprising: a transmitter for sending an initiation signal to a second device; a receiver for receive configuration data from the second device in response to the initiation signal, wherein the configuration data is used to set up a wireless connection between the wireless communications device and second device; a processor arranged to determine a first trust parameter relating to the wireless connection between the wireless communications device and the second device, and to determine the actions taken by the wireless communications device in response to data received from the second device.
According to a tenth aspect of the invention, there is provided a method of configuring a wireless connection between a first device and a second device, the method comprising at a third device: receiving a first initiation signal from the first device, the initiation signal comprising first information data of the first device; receiving a second initiation signal from the second device, the initiation signal comprising second information data of the second device; outputting to a user interface an indication that the first initiation signal has been received from the first device based upon the first information data; outputting to a user interface an indication that the second initiation signal has been received from the second device based upon the second information data; receiving a user indication of whether the user determines that the first device may be connected to the second device; transmitting first configuration data to the first device and second configuration data to the second device, the first configuration data including first command data for instructing the first device to connect to the second device, and the second configuration data including second command data for instructing the second device to connect to the first device.
Embodiments will now be described, by way of example, and with reference to the accompanying drawings in which: Figure 1 is a schematic diagram of a conventional ad hoc wireless network; Figure 2 is a schematic diagram of three devices capable of wirelessly communicating with each other in accordance with an embodiment of the invention; Figure 3 is a schematic diagram of two devices in wireless communication in accordance with an embodiment of the invention; Figure 4 is a flow diagram of a method of establishing a wireless connection according to a first embodiment of the invention; Figure 5 is a flow diagram of a method of establishing a wireless connection according to a second embodiment of the invention; Figure 6 is a flow diagram of a method of establishing a wireless connection according to a third embodiment of the invention; and Figure 7 is a schematic diagram of a practical implementation of an embodiment of the invention.
Figure 2 shows three devices that are capable of wirelessly communicating with each other: a first device 15, a second device 25, and a third device 35.
Figure 3 schematically shows the components of the first device 15 and the second device 25 communicating with each other over a wireless channel. The first device 15 comprises a transmitter 16, a receiver 17, a processor 18 and a memory 19. The second device 25 comprises a transmitter 26, a receiver 27, a processor 28, a memory 29, and a display 24.
These devices could be any device suitable for establishing a wireless network in an ad hoc environment, and could include home appliances with wireless communications capabilities.
A method of establishing a wireless connection between the first device 15 and the second device 25 according to a first embodiment will be described with reference to Figure 4. In this embodiment, it is presumed that, neither the first device 15 nor the second device 25 have had any prior communication with each other, and therefore the protocol must establish "blind friendship" between the two. The first device 15 will be considered to be the initiator of the protocol, but it will be understood throughout the following description that the roles of the first and second devices are interchangeable.
At step S 1, the first device 15 begins searching for other devices to communicate with.
In a practical implementation, this could be due to the fact that the first device 15 has just been purchased or as the result of a prompt from the user of the first device 15.
In order to search for other devices to communicate with, the first device 15 transmits an initiation signal using the transmitter 16. The initiation signal comprises information indicating that the first device 15 is seeking to establish a wireless network. Initiation signals could be transmitted periodically until a wireless connection is established.
In a general case, the initiation signal could just include information that indicates that it is from a first device 15, and contain no information about the nature of the device.
However, the initiation signal could comprise information that identifies the first device 15. For example, it could include a data representing a graphical representation of the device, and a model number. The initiation signal could also include information relating to which wireless frequencies that the first device 15 would be able to connect to the second device 25 via.
At step S2, the initiation signal is received by the second device 25. As discussed, both the first and second device are unknown to each other. Therefore, the second device 25 has no way of establishing whether the first device 15 is trusted, as the second device 25 would not be able to authenticate the first device 15 in any way, regardless of any identification data included in the initiation signal. Hence, the second device 25 would not be able to determine with any certainty that the initiation signal is from the first device 15 or whether it is from any other device in wireless communications range, such as the third device 35.
Therefore, if a user switches on the first device 15 and the second device 25, some safeguards have to be in place to prevent a third device 25 from connecting with either the first device 15 or the second device 25 against the user's wishes.
At step S3, the second device 25 waits for a predetermined time after the receipt of the initiation signal from the first device 15, and at step S4, the second device 25 establishes whether initiation signals from devices other than the first device 15 have been received in the predetermined time.
If the second device 25 only receives initiation signals from the first device 15 during the predetermined time, then the second device 25 proceeds to step S6 and sends generated configuration data to the first device 15. The configuration data includes information that the first device 15 and the second device 25 can use to set up a wireless connection between them, such as for example the transmission frequency pattern to be used.
However, if more than one initiation signal is received during the predetermined time at S4, then in this arrangement of the first embodiment, the second device 25 proceeds to S5 and has no further involvement in the protocol and would not set up a wireless connection with the first device 15. In other arrangements, the second device 25 could set up a connection with the first device 15 providing additional security measures were provided.
The predetermined time therefore provides a time window for one device to connect to another device without further security measures. In this embodiment the predetermined time is two seconds. The longer the predetermined time, the greater the chance of initiation signals from all the devices in range being received. In some embodiments the predetermined time could be up to 10 seconds. For example, the predetermined time could be from 0.5 to 2 seconds. Furthermore, the length of the predetermined time could vary from device to device. The longer the predetermined time, the longer the second device 25 will have to operate its receiver 27, which will use power resources.
Therefore, if the second device 25 is a mobile device, the length of the predetermined time could be determined by the battery resources of the second device 25. Additionally the longer this time is the longer time a connection will need to be automatically established, which will have a direct effect on the efficiency and performance of the whole protocol from a user perspective.
If the second device 25 receives an initiation signal from the third device 35 during the predetermined time after the receipt of the initiation signal from the first device 15, then the second device 25 will not establish an automatic connection with either the first device 15 or the third device 35.
In this situation, the second device 25 will have received two initiation signals from unknown devices, and thus will have no secure way of determining which one it should connect to (as all the devices are unknown to each other and there is no third party infrastructure to authenticate the devices).
Therefore, the first embodiment provides a safeguard against the second device 25 forming a connection with a malicious device instead of the first device 15.
Consider the situation in which the user only possesses two devices capable of forming a wireless connection. If the user switches them both on in the absence of any other suitable wireless devices in range, then at Step S4 only initiation signals from the first device 15 would be received by the second device 25 during the predetermined time, and the second device 25 would therefore set up a connection with the first device 15. A wireless connection would have therefore been set up between the two devices in a way that is both very convenient for the user (as from the user's point of view it just involved turning the devices on) and reasonably secure.
However, if a third device 35, which could be malicious, tries to establish a connection with the second device 25 by sending an initiation signal during the predetermined time after the receipt of the initiation signal from the first device 15, then the second device would not connect to either the first device 15 or the third device 35 without further security measures. Furthermore, if the second device 25 receives the initiation signal from the malicious device before the initiation signal from the first device 15, the initiation signal from the first device 15 would then be received in the predetermined time after the receipt of the initiation signal from the malicious device. Therefore, the second device 25 would still not connect to the malicious device, for the same reasons.
In either of the above two situations, the second device 25 would require further security measures in order to establish a connection with either the first 15 or third device 25, as will be discussed below.
However, this arrangement is potentially vulnerable to a spoofing attack, in which the malicious third device 35 attempts to convince the second device 25 that it is actually the first device 15. Such an attack could proceed by the third device 25 receiving an initiation signal sent by the first device 15, and sending a bogus initiation signal to the second device 25. The bogus initiation signal could include, for example, data that indicates that the signal is from the first device 15, but could specify a different communications channel to be used to the one specified in the genuine initiation signal from the first device 15.
The second device 25 would then have received two similar initiation signals, both appearing to be from the first device 15. The second device 25 would be unable to choose between the genuine initiation signal from the first device 15 specifying one communications channel to be used and the bogus initiation signal from the third device specifying another communications channel to be used. Therefore, the second device could be arranged not to establish a connection with either device in this situation, and the second device 25 could alert the user of the second device 25 that a malicious device could be present in wireless communications range.
The security of the protocol could be enhanced further by the first device 15 being arranged to send only one initiation signal in the predetermined time. In such situations, the second device 25 could be arranged to connect to the first device 15 only if one initiation signal is received in the predetermined time, and not to establish a connection with any device if multiple initiation signals are received, even if the multiple initiation signals appear to have originated from a single device. This would help prevent the third device 35 launching the spoofing attack as described above.
In other arrangements of the first embodiment, if initiation signals from more that one device are received at step S4, then the second device 25 would perform additional steps in order to determine that the first device 15 can be validly connected to the second device 25.
For example, the additional steps could involve requesting an input from the user in order to determine which device to connect to, from the choice of all the devices from which initiation signals have been received in the predetermined time.
In such an arrangement, the second device 25 could use the received initiation signals to display an indication to the user of all the devices from which initiation signals have been received in the predetermined time. Thus the initiation signals could comprise a graphical representation of the device and a model number, which could therefore be displayed to the user on the second device 25 on the display 24. The user would then be presented information about all the candidate devices, and could then choose which device is to be connected with the second device 25, and input their choice via a key pad or other suitable input means.
Therefore, in such an arrangement, the first device 15 would automatically establish a connection with the second device 25 if no initiation signals from other devices are received in the predetermined time. However, if initiation signals from other devices are received, then the second device 25 would display details of all the devices and require user interaction in order to establish a wireless connection with any of the devices.
Alternatively, the second device 25 could provide the indication to the user of all the devices from which initiation signals have been received in the predetermined time via another means, such as an audible signal.
In the arrangements of the first embodiment described so far, the generated configuration data is sent after the predetermined time. However, it could be sent during the predetermined time. In such situations, the second device 25 would send generated configuration data to the first device 15 once an initiation signal is received. However, thesecond device 25 would still not determine that the first device 15 can be validly connected to the second device 25 until the expiry of the predetermined time, and therefore would not actually establish a wireless connection with the first device 15 until after predetermined time.
Alternatively, the generated configuration data could be sent during the predetermined time, and a temporary wireless connection could be set up for use during the predetermined time. However, if after the expiry of the predetermined time, the second device 25 determines that the first device cannot be validly connected to the second device 25 (i.e. if initiation signals from multiple sources are received) then the temporary wireless connection could be terminated.
Other arrangements of the first embodiment can include further modifications to increase the security of the protocol. For example, the initiation signal from the first device 15 could comprise a public key Kpub of the first device 15. The corresponding private key Kpv' could be stored in the memory 19 of the first device 15, and not revealed to any other devices.
The addition of a public key Kpub/ to the initiation signal would not by itself add to the security of the protocol, as it could not be used to authenticate the first device 15.
However, the public key Kpub could be used by the second device 25 to encrypt the configuration data before it is sent it to the first device 15. Then, when the first device receives the encrypted configuration data, the first device 15 could decrypt it using its private key Kp,/. Therefore, in such arrangements, only the first device 15 would be able to obtain the wireless communication parameters included in the configuration data, as only the first device 15 would have access to its private key Kprv/.
In order to prevent a malicious device copying the relevant portion of the initiation signal from the first device and including a public key KpUbM of the malicious device in a bogus initiation signal that appeared to originate from the first device 15, the second device 25 could only accept initiation signals containing one public key in a predetermined time. If initiation signals containing more that one public key are received in the predetermined time, then the second device 25 could provide the user with a suitable security alert, for example by displaying a warning message. This would further help prevent spoofing attacks of the type mentioned above.
Security can also be improved by including a session key k in the configuration data sent by the second device 25 to the first device 15. The session key k could be a symmetric key and could be used to encrypt transmission data sent between the second device 25 and the first device 15 once a wireless connection has been configured between the first device 15 and the second device 25. The session key k could be either newly generated on the second device 25 or retrieved from the memory 29 of the second device 25.
Thus arrangements of the first embodiment can be used to exchange a session key k in a secure manner, as for the reasons given above the presence of malicious device is likely to be detected.
The provision of a session key k in the configuration data would ensure that future communications between the first and second devices would be protected from eavesdroppers, as no other devices could posses the session key k. It is therefore beneficial that the secret key only be used for communication between the first and second devices, and not be revealed to any other devices.
Although the arrangements of the first embodiment described so far rely on a protocol that does not authenticate the parties involved in the exchange, there is a security benefit to be gained in the second device 25 sending an encrypted session key to the first device over the conventional "press the button now" approaches to key exchange discussed above.
This is because the previously described arrangements of the first embodiment only allow the first device 15 to be connected to the second device 25 with no user intervention if no initiation signals from devices other than the first device 15 are received in the predetermined time.
Therefore, if the user is trying to connect only two devices, and initiation signals from only one device are received, then it is reasonably safe to assume that the initiation signal has been received from the first device 15. Therefore, the above described exchange of a session key k is secure, as only the first device 15 (who implicitly must be genuine if only initiation signals from the first device 15 have been received) would be able to decrypt the configuration data encrypted with the private key Spin/ of the first device 15.
The only threat to the above described scenario, would be for the intruder device to impersonate the first device 15, and send a bogus initiation signal that would appear as if it had come from the first device 15. However, it has been described above how this threat could be minimised.
Security can be further enhanced by only allowing the devices to accept one wireless connection at a time. In such a situation, if the second device 25 and the third device 35 establish a wireless connection, and the second device 25 receives an initiation signal from the first device 15, the second device 25 would send a signal to the first device 15 indicating that that the second device 25 already has a wireless connection.
In such a situation, the first device 15 could indicate to the user of the first device that its connection attempt failed. If the user only possessed two wireless devices, then this indication would serve to alert the user that a malicious device could be present in wireless communications range.
In a practical scenario in which a user has two devices, the user may operate them such that they seek out connections at staggered intervals. For example, the devices could be configured to seek out new connections when they are first turned on. In this situation, the first device 15 may be turned on a few minutes later than the second device 25.
When the second device 25 is turned on it could start sending out initiation signals periodically in order to try and establish a wireless connection. At this point, the first device 15 will be inactive, and thus not able to respond. However, a malicious third device 35 could be present and could establish a connection with the second device 25.
If the first device 15 is then turned on, the first device 15 will send out an initiation signal as described above. It will be received by the second device 25, but this device is configured to only accept one wireless connection at a time. Therefore it could send a message to the first device 15 to indicate that its connection attempt failed. Furthermore, in some arrangements in this situation the second device 25 could display to the user that the first device 15 is trying to establish a connection with it, and offer the user the choice of which of the first or third devices that they wish the second device 25 to be connected to.
In addition, in some arrangements, the second device 25 could terminate its connection or suspend data transfer with the third device 35, and then wait for a user indication of which of the first device 15 or the third device 35 the second device 25 is to be connected to.
However, any arrangement that allows a device to cause another device to either repeatedly send connection failure messages, request user inputs, or even terminate connections suffers from the disadvantage that it could lead to a malicious device exploiting this to launch a denial of service attack.
For example, if the first device 15 were connected to the second device 25, and the third device 35 repeatedly transmitted initiation signals, then these initiation signals could be received by one or both of the first and second devices. In some arrangements, the first and/or second devices could ignore these messages. However, in other arrangements they would have to repeatedly send connection failure messages to the third device 35, wait for user prompts and/or terminate their existing connections. A malicious third device 35 could exploit this behaviour in order to tie up system resources of the first and second devices.
In order to avoid the possibility of such a denial of service attack being launched, once a connection has been established, the devices according to the first embodiment could wait for a second predetermined time during which they would respond to received initiation signals.
Considering the situation in which the second device 25 has just connected to the first device 15. During the second predetermined time, which would typically be longer that the predetermined time discussed above, if an initiation signal is received from the third device 35, then the second device 25 could send a connection failure message to the third device 35. The second device 25 could also terminate its connection with the first device 15 and/or wait for a user input to either re-establish its connection to the first device 15 or instruct the second device 25 to connect to the third device 35. However, after the second predetermined time, the second device 25 would ignore initiation signals from other devices, including the third device 35.
Therefore, the provision of the second predetermined time enables devices to have a second time window in which to assess whether other devices are in range and trying to establish communication with them. The second predetermined time could be 10 minutes, but could vary from device to device.
In a practical scenario this functionality is useful, as the user could turn its devices on at staggered intervals, without one of the devices being locked out from the other devices.
Furthermore, in addition to the above, once a connection has been established between the first and second devices, the first device 15 could continue to seek new connections by periodically transmitting initiation signals, even though it already is connected to the second device 25. Similarly, the second device 25 could perform the same process and keep periodically transmitting initiation signals.
The first device 15 (or second device 25) could keep periodically transmitting initiation signals for a third predetermined time. During the third predetermined time, if a third device 35 replies and sends configuration data to the first device 15, then the first device could send a connection failure message to the third device 35. Furthermore, the first device 15 could offer the user the choice of which of the second or third devices that they wish the first device 15 to be connected to. In addition, the first device 15 could terminate its connection with the second device 25. Alternatively, the first device 15 could perform any combination of sending a connection failure message, terminating the existing connection and waiting for a user prompt.
The third predetermined time could be ten minutes, or could vary form device to device.
In the above description of arrangements of the first embodiment, the first device 15 has been the initiator of the protocol and has sent an initiation signal. However, it will be appreciated that the second device may also be adapted to send initiation signals.
Therefore, if the first and second devices are turned on at the same time, both devices may send initiation signals and also receive them. In this situation, one of the devices could act as a 'master' for the purposes of the protocol, and perform the method steps set out in Figure 4. The other device could simply ignore the received initiation signal.
Alternatively, both devices could perform the method of Figure 4, and two sets of configuration data would then be sent. At this point, it would be necessary for one set of configuration data to be ignored, and one device to act as the master. This could be done, for example, on the basis of the relative capabilities of the devices.
A method of establishing a wireless connection between the first device 15 and the second device 25 according to a second embodiment will be described with reference to Figure 5. As for the first embodiment, it is presumed that, neither the first device 15 nor the second device 25 have had any prior communication with each other, and therefore the protocol must establish "blind friendship" between the two.
Arrangements of the second embodiment provide a method of exchanging a key that is both relatively secure and very user friendly.
At step S 11, the first device 15 begins searching for other devices to communicate with.
In order to search for other devices to communicate with, the first device 15 transmits an initiation signal using the transmitter 16. In this embodiment, the initiation signal comprises information data that identifies the first device 15 and a public key Kpub' of the first device 15. The information data could include a graphical representation of the device, and a model number, or any of the other types of information data discussed in relation to the other embodiments.
At step S12, the initiation signal is received by the second device 25.
The second device 25 then uses the information data of the first device 15 to provide an indication to the user that the first device 15 is trying to establish a connection with the second device 25 at step S13. For example, the second device 25 could comprise a display, and could display information indicative of the information data as a graphical representation of the first device 15. The graphical representation could also include other identification information of the first device 1 15, such as a model number or a
short description of the first device 15.
The user then determines whether to allow the first device 15 to be connected to the second device 25, and inputs their choice via a key pad or other suitable input means.
Therefore, at step S 14 the second device 25 receives an indication from the user of whether the first device 15 can be validly connected to the second device 25.
Alternatively, the second device 25 could provide the indication to the user via some other suitable means, such as an audible signal.
If the user determines that he or she does not want the first device 15 to be connected to the second device 25, then the user provides a suitable indication on the second device 25, and the second device 25 takes no further action at step S 15.
However, if the user determines that the first device 15 can be validly connected to the second device 25, the second device 25 encrypts a generated session key k with the public key KpUb/ of the first device 15 at S 16. The session key k is a symmetric key, and could be either newly generated on the second device 25 or retrieved from the memory 29 of the second device 25.
The encrypted session key k is then sent to the first device 15, where it can be decrypted using the private key Kp,/ of the first device 15. The session key k is then used to encrypt transmission data sent between the second device 25 and the first device 15 once a wireless connection has been configured between the first device 15 and the second device 25.
The provision of an encrypted session key k sent from the second device 25 to the first device 15 therefore ensures that future communications between the first and second devices would be protected from eavesdroppers, as no other devices could posses the session key k, as no other device could have access to the private key Kp,, / of the first device 15.
One of the main advantages of the methods of the second embodiment over conventional methods is that they use a protocol that involves the user authenticating one of the parties. Both the first device 15 and the second device 25 are unknown to each other, and therefore establishing connections based on blind trust would be insecure. However, the user would be aware of the devices that he or she is trying to connect, and would therefore not allow the second device 25 to connect to the first device 15 unless the information provided to him or her matches what they know about the nature of the first device 15.
Once the user provides an indication that he or she regards that the first device 15 can be validly connected to the second device 25, the protocol automatically exchanges a session key k that only the first and second devices would be able to obtain (as the session key k in encrypted with the public key KpUb/ of the first device 15).
Therefore, although the security mechanism would be transparent to the user, the actions of the user would have helped ensure the security of the protocol.
As discussed, it is considered an unsolvable problem that two devices with no prior knowledge of each other can set up a connection between themselves in a secure manner, without the intervention of a trusted third party. However, arrangements according to the second embodiment rely on the user of the devices to provide a form of authentication in a way that is user friendly and unobtrusive.
If a malicious device attempted to establish a connection with the second device 25, the second device 25 would provide an indication to the user that the malicious device was trying to establish a connection with the second device 25. This would involve displaying information about the malicious device to the user. The user might be able to determine from the displayed information whether the malicious device should be connected to the second device 25, as the user would be aware of all the devices that they own. If the displayed information seemed unexpected in any way, for example if the user had not recently purchased any new wireless equipment, then the user could simply refuse to allow the displayed display to be connected to the second device 25.
Such an arrangement provides more security than establishing wireless connections on the basis of blind trust, but does not inconvenience the user in any way. From the point of view of the user, they are just selecting one device to connect to another. However, in the background the devices are performing a secure key exchange based on the tacit user authentication.
If the second device 25 received initiation signals from more than one device at Step 2, the second device 25 could display to the user information data relating to all the devices that sent initiation signals. The users would therefore be presented with a choice of devices to connect to. Once the user has provided an indication of which device to connect to, the second device 25 could perform the rest of the above described method.
Therefore, if a malicious device attempted to establish a connection with the second device 25 at the same time as the first device 15, the user would be presented with a choice of which device to connect to.
One of the limiting factors in the security of the above described arrangements of the second embodiment is that a malicious device could impersonate the information data of the first device 15. This could be achieved, for example, by the malicious device copying the relevant portion of the initiation signal from the first device and including a public key KpUbM of the malicious device in a bogus initiation signal.
This bogus initiation signal could be sent to the second device 25, and the information data that was copied from the genuine initiation signal from the first device 15 could be displayed to the user. Hence, the user could be duped into believing that that the first device 15 was trying to establish a wireless connection with the second device 25.
However, an initiation signal would have also been received from the first device 15, and thus the second device 25 would display to the users that two devices were attempting to establish a connection with it.
Alternatively, the second device 25 could display a warning signal to the user if it received two initiation signals that appeared to be from the same device (i.e. comprising the same information data), but that contained different public keys.
Clearly, if the malicious device included the public key of the first device 15 in the bogus initiation signal, then the attack would always fail because the malicious device would not be able to obtain the session key k, as it would not posses the private key Kp,/ of the first device 15.
In the arrangements of the second embodiment described so far, the generated session key k is sent after the receipt of a user indication that the first device can be validly connected to the first device. However, it could be sent before the receipt of the user indication. In such situations, the second device 25 could send the generated session key k to the first device 15 once an initiation signal is received. However, the second device would still not determine that the first device can be validly connected to the second device 25 until the receipt of a user indication, and therefore would not actually establish a wireless connection with the first device 15 until then.
Alternatively, the generated session key k could be sent before the receipt of the user indication, and a temporary wireless connection could be set up for use until the receipt of the user indication. This temporary wireless connection could then be terminated if, after the receipt of the user indication, the second device 25 determines that the first device cannot be validly connected to the second device 25.
Security can be further enhanced by only allowing each device to accept one wireless connection at a time, without express the consent of the user (for example by the user providing a suitable indication). In such a situation, if the second device 25 and a third device 35 establish a wireless connection, and the second device 25 receives an initiation signal from the first device 15, the second device 25 would send a signal to the first device 15 indicating that that the second device 25 already has a wireless connection. In such a situation, the first device 15 could indicate to the user of the first device 15 that its connection attempt failed.
In addition, in some arrangements, the second device 25 could terminate its connection with the third device 35, and then wait for a user indication of which of the first device or the third device 35 the second device 25 is to be connected to. However, any arrangement that allows a device to cause another device to either repeatedly send connection failure messages, request user inputs, or even terminate connections suffers from the disadvantage that it could lead to a malicious device exploiting this to launch a denial of service attack.
In order to avoid the possibility of such a denial of service attack being launched, once a connection has been established, devices according to the second embodiment could wait for a second predetermined time during which they would respond to further initiation signals. Considering the situation in which the second device 25 has just connected to the first device 15. During the second predetermined time, if an initiation signal is received from the third device 35, then the second device 25 could send a connection failure message to the third device 35. The second device 25 could also terminate its connection with the first device 15 and/or wait for a user input to either re- establish its connection to the first device 15 or instruct the second device 25 to connect to the third device 35. However, after the second predetermined time, the second device would ignore initiation signals from other devices, including the third device 35.
Therefore, the provision of the second predetermined time enables devices to have a second time window in which to assess whether other devices are in range and trying to establish communication with them. The second predetermined time could be l O minutes, but could vary from device to device.
Furthermore, once a connection has been established, the first device 15 (or the second device 25) could keep transmitting initiation signals periodically for a third predetermined time. During the third predetermined time, if the third device 35 replies and sends configuration data to the first device 15, then the first device 15 could send a connection failure message to the third device 35. Furthermore, the first device 15 could offer the user the choice of which of the second or third devices that they wish the first device 15 to be connected to. In addition the first device 15 could terminate its connection with the second device 25. Alternatively, the first device 15 could perform any combination of sending a connection failure message, terminating the existing connection and waiting for a user prompt.
In the above description of arrangements of the second embodiment, the first device 15 has been the initiator of the protocol and has sent an initiation signal. However, it will be appreciated that the second device may also be adapted to send initiation signals.
Therefore, if the first and second devices are turned on at the same time, both devices may send initiation signals and also receive them. In this situation, one of the devices could act as a 'master' for the purposes of the protocol, and perform the method steps set out in Figure 5. The other device could simply ignore the received initiation signal.
Alternatively, both the first device 15 and the second device 25 could display to the user that the other device was trying to establish a connection, and the user could ignore one display.
In the arrangements of the second embodiment described so far, the second device 25 has received an initiation signal from a first device 15, and provided an indication to the user that the first device 15 is trying to establish a connection with the second device.
However, in other arrangements of the second embodiment, a third device 35 could receive the initiation signal from a first device 15, and set up a wireless connection between the first and second devices. This could involve the third device receiving an initiation signal from both the first and the second device and providing an indication to the user about both the first and the second device. At this point the third device could establish an individual wireless connection with the first device 15 and with the second device 25, and then instruct the first and second devices to set up a connection between them.
In such a situation, the initiation signal of the first device 15 could comprise the public key Kpub' of the first device 15, and the initiation signal of the second device 25 could comprise the public key KpUb2 of the second device 25. The third device 35 could then receive an indication from the user that the first device 15 can be validly connected to the second device 25, at which point the third device 35 could send a generated session key k to the first and second device, encrypted with respective public keys of the first and second devices from the their initiation signals, and respective instructions to the first and second devices to communicate using the generated session key k.
It will also be understood that the third device 35 could only establish a connection with one of the devices in order to set up a wireless connection between the first and second devices. For example, the public key KpUb/ of the first device 15 could be provided by the third device 35 to the second device 25, and the second device 25 could then send the encrypted generated session key k to the first device.
In such arrangements, if the devices are only allowed to establish one wireless connection at a time, the third device could establish a connection with the first device and the second device 25, before instructing the second device 25 to establish a connection with the first device 15. In such situations, the third device 35 could then terminate its connection with the first and second device in order to preserve the rule of only establishing one connection at a time.
In all the previously described arrangements of the first and secondembodiments, it has been assumed that if the second device 25 (or in some situations the third device 35) determines that the first device 15 can be validly connected to the second device 25, then a wireless connection is established between the first and second devices.
However, in other arrangements of both the first and second embodiments, the first device 15 does not automatically allow a wireless connection with the second device 25 on receipt of configuration data and/or a session key k. In such arrangements, the configuration data of the second device 25 includes information about the nature and capabilities of the second device 25. The first device then compares this received information against stored criteria, and only establishes a wireless connection if it determines that the second device 25 is suitable. For example, the first device 15 could be a speaker, and the second device a stereo. In this situation, the first device 15 could establish the wireless connection on the basis that the stored criteria indicate that a speaker could be usefully connected to a stereo.
However, security can be improved by providing the user with an indication that configuration data has been received from the second device 25. This could be done in the form of a graphical representation on the first device 15 or by another suitable means. The first device 15 could then wait for a user indication that the second device can be validly connected to the first device 15. This could be done by using key pad or other suitable input means on the first device 15.
The first device 15 could then terminate the wireless connection between the second device 25 and the first device 15 if the user of the first device 15 determines that the second device 25 cannot be validly connected to the first device 15.
However, it will be appreciated that the first device 15 cannot authenticate the second device 25. Therefore, a malicious device could send configuration data including bogus information that contained faked information comprising the nature and capabilities of the second device 25. For example, the second device 25 could be a stereo, and the malicious device could sending configuration data that appeared to be from a stereo of the same type. In such a situation, the user of the first device could be fooled into accepting a connection with the malicious device, believing it was the genuine second device 25.
This problem could be alleviated by the first device 15 being arranged to establish only one connection at a time. Then, if more than one set of configuration data is received, the first device 15 would either establish a connection to the device that sent the configuration data on the basis predetermined criteria, or it would wait for a user input.
However, once a wireless connection is established, if configuration data from another device is received, then the first device 15 would reject the newly received configuration data.
In any situation in which the first device 15 rejects the configuration data of another device, it is advantageous from a security point of view if the first device 15 sends a connection failure signal to that device indicating that a connection could not be established. The receipt of such a signal at the second device 25 could trigger a user alert as it could indicate the presence of a security risk.
For example, consider the situation in which a second device 25 sends configuration data to the first device 15, and at the same time a malicious device launches a spoofing attack, and sends bogus configuration data to the first device 15. If the genuine configuration data from the second device 25 is received first, then the first device 15 would request a user prompt and connect to the second device 25. The first device 15 would then reject any bogus configuration data that it later received from the malicious device, and send a connection failure signal to the malicious device. Thus the spoofing attack would fail.
However, if the bogus configuration data is received first, then the user of the first device may inadvertently instruct the first device 15 to establish a connection with the malicious device. In this situation, the first device 15 would then receive the genuine configuration data from the second device 25. This would be rejected, and a connection failure signal would be sent to the second device.
On receipt of the connection failure message, the second device 25 alerts the user. This is because if the user has two devices or if the user believed that they had already set up a connection between the first and second devices, then such the receipt of a connection failure message at the second device 25 would provide a good indication that a malicious device is trying to establish unauthorised connections.
A method of establishing a wireless connection between the first device 15 and the second device 25 according to a third embodiment will be described with reference to Figure 6. As for the first embodiment, it is presumed that, neither the first device 15 nor the second device 25 have had any prior communication with each other, and therefore the protocol must establish "blind friendship" between the two.
At step S2 l, the first device 15 commences searching for other devices to communicate with. In order to search for other devices to communicate with, the first device 15 transmits an initiation signal using the transmitter 16. In this embodiment, the initiation signal could comprise any of the types of information discussed in relation to the other embodiments.
At step S22, the initiation signal is received by the second device 25. At step S23, the second device 25 determines whether to establish a wireless connection with the first device 15. This step could be achieved by any of the methods of determining whether to connect the first device 15 to the second device 25 described in relation to the first or second embodiments. Alternatively, the determining step could be performed by a conventional method, and could be automatic with no security considerations or otherwise.
The configuration data is used to set up a wireless connection between the first and the second devices at step S24.
The first device 15 then determines a first trust parameter that it will have with the second device over the wireless connection at step S25, and the second device then determines a second trust parameter that it will have with the first device 15 over the wireless connection at step S26.
The first trust parameter is used to determine the actions taken by the first device 15 in response to received data from the second device 25 over the wireless connection.
Therefore, the first trust parameter determines the level of control that the second device will have over the first device 15. If the first device 15 placed no limits on the actions that it would take in response to received data from the second device 25 over the wireless connection, then the second device 25 would have complete control over the first device 15. This is because the second device 25 could send commands to the first device 15 to reveal security data, which the first device 15 would then obey.
However, as embodiments deal with situations where there is no trusted third party and no way of authenticating the second device, the first trust parameter would never allow the second device 25 to have complete control over the first device 15, and vice versa.
The first trust parameter is determined by comparing specification information of the second device 25 contained in the configuration data against first trust criteria stored in the memory 19 of the first device 15. The specification information of the second device includes information relating to the capabilities of the second device 25, and thus could provide the first device 15 with an indication of what trust limits might need to be put in place.
Alternatively, the security of the method used to establish the wireless connection could be used as a basis for determining the first trust parameter. For example, if the first device 15 formed a connection with the second device 25 using a method of establishing a wireless connection that involved sharing of a secret key in a secure manner, then the first device 15 may be more trusting of the second device 25, than if no cryptographic data had been shared.
Furthermore, the number of devices in wireless range of the first device 15 (which it could be aware of by for example the number of connection attempts that it received) could also be a factor in how trusting the first device 15 is of the second device 25. If many devices are in range, then it may be beneficial if the first device 15 is more cautious and less trusting of the second device than if the second device 25 is the only device in range.
Similarly, the second trust parameter is used to determine the actions taken by the second device 25 in response to received data from the first device 15 over the wireless connection. Therefore, the second trust parameter determines the level of control that the first device 15 will have over the second device 25.
The second trust parameter is determined by comparing specification information of the first device 15 contained in the initiation signal against second trust criteria stored in the memory 29 of the second device 25. The specification information of the first device 15 includes information relating to the capabilities of the first device 15.
For example, the first device 15 could be a speaker and the second device 25 could be a stereo, and both could be unknown to each other. In this situation, the first and second trust parameters are determined after a wireless connection has been established between the speaker and the stereo. At step S25, the first device 15 (the speaker) compares specification information of the second device 25 against its stored first trust criteria. The first trust criteria contains information about the actions that the speaker will take in response to different types of data from different devices. The resulting first trust parameter for use with the second device 25 (the stereo) could comprise information indicating that the speakers would always accept and play music data received from the stereo; but that it would never take any action in response to a request from the stereo to reveal security information (such as a private key).
At step S26, the second device 25 compares specification information of the first device against its stored second trust criteria. The second trust criteria also contains information about the actions that the second device 25 would take in response to different types of data from different devices. The resulting second trust parameter for use with the first device 15 (the speaker) could comprise information indicating that the stereo would only accept data relating to the maintenance of the commutations link between the first and the second device, and would not take any action in respect to any other data or requests from the first device 15.
If a malicious device launches a spoofing attack and sends data over the wireless connection to the second device 25, while pretending to be from the first device 15, then the second device would not grant the malicious device full control over it, but would only take the actions determined by the second trust parameter.
Using the above example, if a malicious device pretended to be the stereo in communication with the speaker, then if the attack succeeds the malicious device would have established a connection with the speaker. However, the only actions that the speaker would perform in response to data sent by the stereo is to play received music data. Therefore, the security risks involved are small.
Furthermore, if a malicious device pretended to be the speaker in communication with the stereo, then if the attack succeeds, the malicious device would have established a connection with the speaker. However, the stereo would not act on any received data unless it is strictly communications related, and therefore the security risks involved in this are also small.
The provisions of the trust parameters therefore enable devices to establish a limited trust connection, in which restrictions are placed on the actions the devices take in response to received data. A device cannot have any control over the type data that it is sent over the wireless connection by other devices, but can only limit the actions that it performs in response to the data it receives. Therefore, a device cannot stop a malicious device from sending to it such data as requests to reveal security information, but it can choose to ignore such data.
The limit trust connections provided by arrangements of the third embodiment enable wireless connections to be more secure, as unknown devices effectively place limits on the privileges that they give to other devices. In this situation, privileges could be considered as the right to have you requests actioned by the receiving device.
Furthermore, the arrangements of the third embodiment provide a means of increasing the security of a wireless connection with minimal additional overheads and cost.
Such methods provide a strong deterrent to potential hackers, as the rewards for successfully launching a spoofing attack are low, as the resulting wireless connection are always subject to trust limitation determined by the individual devices and not by any other devices.
Arrangements of the third embodiment contrast to the "Resurrecting Duckling" approach, as in that model, although the "mother" device imposes limits on the trust that it will give the "duckling" device, the "duckling" device will always blindly trust the "mother" device.
In other arrangements of the third embodiment, the trust level established between the first and second devices could be upgraded using one or more additional security measures.
For example, if the first device 15 has no prior knowledge of the second device 25, a limited trust connection could be established with the second device 25 as described above. In practical systems, the level of trust used between two blind devices would probably be fairly limited, in order to ensure security. However, the user may wish to enhance the functionality of the wireless connection by enabling one device to take more actions in response to received data from another device. For example, the user may wish the second device 25 to have the authority to command the first device 15 to establish a connection with a third device 35.
In order to achieve this, the first device 15 may have to increase its trust parameter with the second device 25, as to set up a new connection it would need to act on a request from the second device 25 to establish a new connection.
Using the above example of a stereo and a speaker, if the user of the stereo wanted the speaker to establish a connection with a compatible television, the trust parameter of the speaker with respect to the stereo would need to be upgraded. This is because, in the above example, the trust parameter of the speaker was such that the speaker would only accept and play music data from the stereo. Therefore, under these trust conditions, a request from the stereo to establish a connection with the television would be ignored.
In order to increase the trust parameter, additional security measures could be used. For example, the user could physically exchange a new secret key between the two devices.
This physical exchange of a key could be performed by the user manually entering a key using a keypad on both devices. Alternatively another method of physically exchanging a key could be used.
In other arrangements, the additional security means could comprise the user inputting in each device the MAC address of the other device.
* In all the arrangements of the third embodiment, the level of trust between two devices could depend on the method used to exchange the session key (if used). In general, the less secure the method used to distribute the key, the less trust each device would grant each other over the wireless network. The least secure way of transferring a session key would be for one device to broadcast it over the wireless link unencrypted. In such situations, the level of trust between the devices using that session key could be relatively low (i.e. each device granting the other few privileges).
However, if a more secure method of distributing the session key was used (e.g. the physical exchange methods mentioned above) then the level of trust could be relatively higher.
In some embodiments, if one of the first device 15 repeatedly sent the second device 25 data that was rejected because it was of a type not accepted as a result of the second trust parameter (for example an instruction to delete files), then the second device 25 could take action. For example, the second device 25 could alert the user or even cancel its connection with the first device 15. Furthermore, the second device 25 could be arranged to cancel the wireless connection with the first device 15 and alert the user if certain types of data were received. For example, a single request to reveal security information from an untrusted device could trigger a user alert.
It will be appreciated that the same device could be capable of performing the first, second and third embodiments, either in combination or separately with other devices.
Such devices could be any device suitable for use in ad hoc network in the home environment.
In a practical implementation of the invention, many devices may be in wireless communications range of each other. Different devices could be capable of forming a variety of different types of connection with the various other devices.
A fourth embodiment will now be described with reference to Figure 7. Figure 7 shows four devices in wireless communications range of each other. However, it will be appreciated that many more devices could be present within wireless communications range.
Figure 7 shows device A 40, device B 50, device C 60, and device D 70. Each of these devices could be a device suitable for use in an ad hoc network in the home environment.
In order to deal with the possibility of a device being in range of many other devices, some with different capabilities to each other, devices in arrangements of the fourth embodiment are classified as either "strong" or"weak". Whether an individual device is strong or weak determines the status of that device with regard to other devices in the setting up of a wireless connection, as will be explained in more detail below.
A strong device is a device that is permitted by the protocol to accept (either with or without user interaction) or reject an initiation signal from another device. A strong device could be granted some control over another device, but this control would be limited by the trust parameters set by the other device. A strong device could also be controlled by another strong device, subject to the limits determined by the trust parameters.
A weak device is a device that cannot reply to an initiation signal from another device in any way. Therefore a weak device can only establish a wireless connection by sending an initiation signal and receiving configuration data. Consequently, a weak device could not establish a wireless connection with another weak device, only with another weak device.
A weak device would typically establish a wireless connection with any strong device that replies to its initiation signal with suitable configuration data. However, limits could be set to ensure that weak device only set up wireless connections with strong devices that are compatible with it, or able to usefully share data with it.
A weak device could allow itself to be controlled (subject to a trust parameter that it would determine) by a strong device. However, a weak device would never allow a strong device to have total control over it. Furthermore, a strong device would typically not allow a weak device to have any control over it at all.
Examples of devices that could be classified as strong include devices that are capable or storing and processing a variety of types of data. A strong device may also typically have a display and a user interface. On the other hand, examples of weak devices could include devices with limited processing power that act as a way of delivering data (e.g. music) to a user. For example a PDA or a stereo with a graphical display could be a strong device. A set of speakers could be a weak device.
The roles of"strong" and "weak" need not be fixed, and the same device could act as either strong or weak depending on the preferences of the user or depending on the type of device it is in communication with.
In Figure 7, both devices A and D are weak devices, and devices B and C are strong devices. In the following description it will be assumed that all the devices shown in Figure 7 are turned on at the same time.
As with the previously discussed embodiments, when each device is turned on it sends out an initiation signal. In the discussion of this embodiment, the initiation signals will be referred to as FRIEND() messages.
Considering device A 4O, it transmits a FRIEND(A) message, which would be received by device B. device C and device D. In this embodiment, the FRIEND(A) message has the form: FRIEND(A): IA | | MA | | PA | | TA | | CKpubA | | SKsigA(IA | | MA | | OA | | TA) where: IA = an identifier to identify that the FRIEND(A) message is from device A, and includes information on the type of device that device A is; MA is data indicating the model number of device A; PA IS data indicating a graphical representation of device A; TA is a timestamp; CKpUbA is a certificate containing a public key KpUbA of device A; SKsigA() iS a digital signature function based on device A's private key KsigA for digital signing and 1I denotes concatenation of data items.
However, it will be appreciated, that the FRIEND(A) message need not contain all this information, and could contain any of the information comprised in the initiation signals described in relation to the first three embodiments. For example, MA and PA are optional, and could be used by devices receiving the FRIEND(A) in order to provide an indication to the user of information about device A. The timestamp TA is also optional, but helps prevent replay attacks as old messages could be ignored. The signed data is also optional, but its benefits will be discussed later. In this embodiment, the identifier IA includes information that indicates that device A is a weak device.
As discussed, device D is a weak device so it would not take any action with regard to the FRIEND(A) message as it is not permitted to reply. However, devices B and C use the FRIEND(A) message as a basis for determining whether to establish a wireless connection with device A. Considering the actions taken by device B. as a first step it establishes from the information included in the FRIEND(A) message (for example the identifier IA and the model number data MA) whether device A is the type of device that device B is able to establish a connection with. Device B could establish this by determining if the identifier IA matches stored criteria that indicate what sort of device that device B could usefully connect to. For example, device B could be a stereo, and device A could be a wireless speaker. In this situation, device B could determine that it is willing (subject to the constraints of the protocol) to set up a wireless connection (and therefore share data) with a speaker, i.e. devices of a type that a user of a stereo might desire it to connect to.
However, if device B had received a FRIEND() message indicating that the device from which it was sent was a device completely unrelated to audio equipment, then device B would ignore the FRIEND() message, on the basis that no useful wireless connection could be formed.
Once device B has determined that it is willing (in principle) to set up a wireless connection (and therefore share data) with device A, then device B starts the process of establishing whether to actually set up a wireless connection with device A. As a first step, device B waits for a predetermined time after receiving an initiation signal in order to establish if any other wireless devices are trying to establish a connection with it. If only one FRIEND() message is received in the predetermined time, device B would establish a connection with it in the manner similar to that described in the first embodiment. In this embodiment, the predetermined time is 2 seconds.
However, in this example device B would have also received a FRIEND(C) message from device C, and a FRIEND(D) message from device D. Therefore, more that one FRIEND() message with have been received in the predetermined time after the receipt of the first FRIEND() message.
Therefore, as discussed in relation to the first embodiment, device B could not automatically send generated configuration data to device A with any degree of security.
Although the FRIEND(A) message contains signed data SKsgA(IA | I MA | | OF | | TA), if device A is complete unknown to device B then device B would not be able to authenticate the signed data. However, device B could have a set of authentication keys stored during manufacture, that could be used to verify the signed data. For example, if device A and device B were from the same manufacturer, then device B could recognise the signature. In such a situation, device B may regard device A as being more trustworthy than a device whose signature (if present) that it cannot recognise.
However, signatures can be faked or copied, and therefore device B would not regard device A as being fully trustworthy.
Device B displays to the user information regarding devices A, C and D. In this arrangement of the fourth embodiment, this comprises device B displaying a graphical representation of device A obtained from the data PA, along with the model number of device A obtained from MA. Corresponding information is also displayed for devices C and D. At this point device B waits for a user indication as to which device to establish a wireless connection with. If the user indicates that device B is to establish a connection with device A, for example by using a key pad or other suitable input means, then device B would take no further action with regard to the FRIEND() messages received from devices C and D. In a practical implementation the graphical display on device B could be implemented using a high level network wizard on device B. The user could be presented with the a graphical representation and model number of each device (obtained from the FRIEND() messages), and could link devices that the user wishes to be connected with arrows. The protocol could then automatically take the steps to establish the desired connections.
In order to continue the process of establishing a connection with device A, device B generates a REPLY(B+A) message, where: REPLY(B. A): IB | | MB | | PB | | TB | | EK hA (kBA) | | SKsgB(]B | | MB | | PB | | TB) where: IB = an identifier to identify that the REPLY(B+A) is from device B. including information on the type of device that device B is; MB is a data indicating the model number of device B; PB is data indicating a graphical representation of device B; TB is a timestamp; EK hA () is an asymmetric encryption function using the KpubA of device A; SKsigB() iS a digital signature function based on device BPS private key KsigB for digital signing and 11 denotes concatenation of data items.
In this embodiment, the data included in the REPLY() message mirrors what is included in the FRIEND() message. However, it will be appreciated that the content of the REPLAY() message could vary.
Device A is a weak device, and in this embodiment on receipt of a REPLY() message, only establishes if device B is a device that it is capable of communicating with it before setting up a wireless connection. Device Awould therefore decrypt the session key kBA with its private key KPr,,A, and set up a wireless connection without any more input from the user. The session key kid is then used to encrypt transmissions between device A and device B. However, before devices A and B start sharing data over the newly formed wireless communication channel, both devices A and B determine respective trust parameters, as described in relation to the third embodiment. The trust parameters therefore provide limits on the actions each device takes in response to received data.
The trust parameter for device B is determined by comparing information included in the identifier IA in the FRIEND(A) that provides information on the type of device that device A. This information indicates that device A is a weak device, and includes an indication of the capabilities of device A. As device B is a strong device, it could determine that it would only accept data relating to maintenance of the communications channel between it and device A. Therefore, it would ignore any other data that is received from (or appears to have been sent from) device A. Therefore, any data from device A such as a request to establish a connection with another device or reveal security information, would be ignored.
Device A is a weak device, and therefore may establish a trust parameter that places fewer restrictions on the actions device A can take in response to data received from device B. For example, if device A were a speaker, it could determine that it would accept all music data from device B. and play this music data. However, the trust parameter would prohibit device A to ever take any action in response to a request from device B to reveal any security information.
At the start of the protocol exchange, device B would have sent a FRIEND(B) message that would have been received at devices A, C, and D. Devices A and D would have ignored the FRIEND(B) message because the are both weak devices, and cannot reply to FRIEND() messages. This would have also had the consequence that there was no need for device A and device B to consider which device was to construct the configuration data, and which was going to accept it from the other.
It will be appreciated that, at the point at which device B waits for a user indication of which device to establish a wireless connection with, if the user indicates that device B is to establish a connection with device D, then the method would proceed in a similar way to that described in relation to device A. This is because device A and device D and both weak devices, and so accept REPLY() messages with few considerations.
However, if the user indicates that device B is to establish a connection with device C, then the method would proceed in a different way. In this situation, device B would take no further action with regard to the FRIEND() messages received from devices A and D. Instead, device B generates a REPLY(B+C) message, having the same general form as the above mentioned REPLY(B+A) message, but with a session key kBC encrypted with the public key of device C. REPLY(B. C): IB | | MB | | PR | | TB | | E]Y bC (kBC) | | SKsigB(IB | | MB | | PB | | TB) where: 1B = identifier to identify that the REPLY(B+C) is from Device B. including information on the type of device that device B is; MB is a data indicating the model of device B; PB is data indicating a graphical representation of device B.; TB is a timestamp; E, c () is an asymmetric encryption function using the KpUbC of device C, SKsigB() iS a digital signature function based on device B's private key KSI8B for digital signing and 1l denotes concatenation of data items.
Device C is a strong device and would not establish a connection automatically with device B on receipt of the REPLY(B+C) message. Instead device C could display to the user information regarding devices B. In this arrangement of the fourth embodiment, this comprises device C displaying a graphical representation of device B obtained from the data PB, along with the model number of device B obtained from MB.
Device C then waits for a user indication as to whether to establish a wireless connection with device B. If the user indicates that device C is to establish a connection with device B. for example by using a key pad or other suitable input means, then device C would accept the REPLY(B+C) message and extract the session key kBC as described above.
However, it will be appreciated that in addition to device B receiving a FRIEND(C) message from device C, device C would have received a FRIEND(B) message from device B. Therefore, device C (who would have also received FRIEND() messages from devices A and D) would have displayed to the user information regarding devices B. A and D, and waited for a user indication of which device to connect to.
If at this point the user indicated on device C that it was to establish a connection with device B. as well as providing an indication on device B that it is to establish a connection with device C, then the indication on device C could be used as confirmation of the connection, and device C would not seek a further user input on receipt of a REPLY(B+C) message.
However, it will be appreciated that if the user provided an indication on device C that it is to establish a connection with device B. as well as indication on device B that it is to form a connection with device C, then device B would send a REPLY(B C) to device C and device C to send a REPLY(C+B) message to device B. Therefore, device C would have received a REPLY(B+C) message from device B comprising one set of configuration data (including one session key) and device B would have received a REPLY(C B) message from device C comprising another set of configuration data including another session key.
If both device B and device C receive a REPLY() message then one device would need to perform the role of 'master' and establish which of the two session keys is to be used.
This could be done on the basis of which device sent the REPLY() message first, or on the basis of determining from the identifiers of each device which device should take priority. For example, it could be determined that the device with the most capabilities could be the master device, and the other device would use the configuration data of the master device.
Once it has been determined which configuration data is to be used, devices B and C establish a connection, and determine their trust parameters.
So far, the setting up of only direct connections between the devices in Figure 7 has been considered. However, at the stage at which device B has received FRIEND() messages from devices A, C and D, the user could determine that that they wish device A to be connected to device C. Device C is a strong device, and so device C could establish a connection with device A directly. However, in some arrangements of the fourth embodiment, although device C is a strong device, it may not have a user interface. Therefore, if device C receives multiple FREIND() messages in a predetermined time, then device C may have no way of establishing which device to connect to as no user interaction could be sought.
However, another strong device such as device B could be used to set up a connection between device A and device C. As discussed, if all the devices are turned on at the same time, then each device transmits a FRIEND() message. At device B. information about each device is displayed to the user, and device B waits for a user indication as to which device to establish a wireless connection with.
If the user indicates on device B that device A is to establish a connection with device C, then device B could act as a mediator and instruct device A to communicate with device C. As a first step, device B could establish a separate connection with device A and device C. Device B could send a REPLY(B+A) message to device A, and a REPLY(B C) message to device A, where: REPLY(B+A): IB | | MB | | PB | | TB | | EK bA (kBA) | | SKsigB(IB I I MB | I PB I I TB) REPLY(B+C): IB | | MB | | PB | | TB | | EK he (kBC) | | SKSBB(IB I I MB I I PB | | TB) Device A and device C could then obtain the respective sessions keys kin and Kit for use with device B. Device B would then separately determine trust parameters for device A and device C, and devices A and C would determine trust parameters for device B. Device B could then send a COMMAND(B+A) message to device A, where: COMMAND(B+A): E[M (kACl | connect(Ic)) where: Sac is a session key generated by device B for use between communications between device A and device C and Ic is an identifier to identify device C, including information about device C. The COMMAND(B+A) message contains instructions to enable device A to set up a connection with device C, using a session key kAC that would be only known to them (and device B).
In the above example, the identifier IC iS the same identifier that device B received in the FRIEDN(C) message from device C. However, in other arrangements, different identifiers could be used.
Device B could then send a COMMAND(B+C) message to device C, where: COMMAND(B t C): Ed, (kAC|| COnneCt(IA)) where: kAC is a session key generated by device B for use between communications between device A and device C and IA is an identifier to identify device A, including information about device A. Both device A and device C have therefore received instructions to establish a connection with each other using a session key kAC. This could be then used to encrypt further communications between device A and device C. In embodiments in which device C has a user interface, but in which the user decides to use device B to set up a connection between device A and device C, device C could wait for a user prompt before forming an initial connection with device B (i.e. on receipt of a REPLY(B+C) message). Furthermore, device C could also wait for a user prompt on receipt of a COMMAND(B+C) message that requested that device C establish a connection with device A. Alternatively, device C could accept the REPLY(B+C) message or the COMMAND(B C) message automatically, without needed a user interaction.
It will also be appreciated that in order for device B to be able to set up a connection between device A and device C, the trust parameters of device A and device must allow the connection to occur. In other words, the trust parameter of device A must be such that device A would act on a request from device B to set up a connection with device C. Similarly, the trust parameter of device C must be such that device C would act on a request from device B to set up a connection with device A. In this situation, it may be desirable that the trust level of devices A and C be upgraded before either device A or device C take any action in regard to the request from device B to set up a new connection. However, the protocol discussed in relation to this embodiment could be sufficiently secure for one device to accept a request from another device to set up a new connection.
It has been discussed that the FRIEND() messages and the REPLY() messages contain clear data and data signed with a signature key of the sending device. However, if the devices are unknown to each other (and no appropriate restored authentication keys are stored on the devices), the signatures would not be recognised, and therefore could be ignored.
However, including a signature does still have benefits, and it does offer a form of integrity. This means that, while the protocol is not an authentication protocol, it is analogous to a blind date protocol. In other words, it allows one device to introduce itself to another and to give some information about itself For example, on receipt of a FRIEND(A) message from device A, device B could be aware that the FRIEND(A) message might be coming from a bogus device. However, if the user indicates that a connection is to be formed between device B and device A, then device B would set up a connection with device A. This connection would not be totally secure, as the user could have been fooled by bogus identification data and the FRIEND(A) message could have in fact originated from a malicious device. However, the presence of a malicious device would be detected in other ways are described in more detail below.
Device B could store a log of communications, and remember signatures. Therefore, if device A formed a connection with device B. and the trust level was developed (for example by the user entering a key into both devices), device B could store the signature of device A. Then, if the connection between device A and device B was broken for some reason, for example if device was taken out of communications range, device B would be able to later recognise the signature of device A. For example, if a user decided to lend device A to a friend, the connection between device A and device B would be broken.
Then, if device A were returned by the friend, device A would begin the process of seeking wireless connections by sending a FRIEND(A) message. This could be received at device B. and the signature of device A contained in the FRIEND(A) message could be recognised. Device B could therefore automatically establish a connection with the same level of trust as the original connection between device A and device B. user to take a few steps). Finally keeping a historic log of interactions with a number of devices would eventually make the device mature The security of arrangements of the fourth embodiment will now be analysed.
Consider the situation in which a bogus device E attempts to impersonate establish a wireless connection with the devices shown in Figure 7.
Device E could send out a FRIEND() message, where: FRIEND(E): IE | | ME | | PE | | TE | | CKpubE | | SKsigE(IE | | ME | | OF | | TE) where: IE = an identifier to identify that the FRIEND(E) message is from device E, and includes information on the type of device that device E is; ME is data indicating the model number of device E; PE is data indicating a graphical representation of device E; TE is a timestamp; CKpUbE is a certificate containing a public key KpUbE of device E; SKsigE() iS a digital signature function based on device E's private key KsgE for digital signing and 1l denotes concatenation of data items.
This FRIEND(E) message would be received by devices A, B. C and D. Furthermore, devices A and D would ignore this message as they are weak devices that do not reply to FRIEND() messages.
Devices B and C may have already have set up connections and not be able to establish more than one connection at a time, in which case they would ignore the FRIEND(E) message from device E, and the attack by device E would fail.
Alternatively, if device E launches the attack by sending a FRIEND(E) message at the same time as each device is turned on, devices B and C would not establish a connection with device E without user input. This is because they would not recognise the signature of device E and would have received more that one FRIEND() message in the predetermined time.
Therefore, whether device E connects to device B or C would depend on the user.
Clearly, if the identifier IE, model number ME or photo PE of device E represent a device that the user does not possess, then the user would not allow device E to connect to device B or C. However, it is necessary to consider what would occur if device E sent bogus data in the FRIEND(E) message, that contained faked data that appeared to originate from a different device.
Consider the situation that would occur if device E impersonated device A. For example, device E could receive a FRIEND(A) message from device A and include the identifiers from this message in its FRIEND(E) message, but with a different public key.
In this situation, having received the FRIEND(E) message device B could use any of the security measures discussed in relation to the first and second embodiments, such as alerting the user if two FRIEND() messages were received containing the same identifiers but different public keys.
However, even if the attack succeeds and the user indicates to device B to connect to device A, but device B connects to device E instead of device A, then there would be no great security risk. This is because device A is a weak device, and so device B would only set up a limited trust connection with device E and would grant device E no control over it. Therefore, if device A is a speaker and device B a stereo, if device E successfully impersonates device A then it would have no means of controlling device B. This is because device B would only accept communications related data from device A -and therefore it would only accept such data from device E impersonating device A. Consider the situation if device E impersonated device C. For example, device E could receive a FRIEND(C) message from device C and include the identifiers from this message in its FRIEND(E) message, but with a different public key.
Having received the FRIEND(E) message device B. device B would display to the user details of all the devices from which FRIEND() messages have been received. If the attack succeeds and the user indicates to device B to connect to device C, but device B connects to device E instead, then there would still be no great security risk.
As device C is a strong device, then it is possible that device B would allow it to have some control over it. For example, device B could allow device C to instruct it to form a new connection with device A. However, the trust parameters ensure that device B would never allow device C (or consequently a device pretending to be device C) to have full control over it.
However, it is still likely that the attack would be detected. This is because if the genuine device C sent a REPLY(C+B) to device B at this point, then device B would reject this configuration data and sent a DECLINE(B+C) message to the real device C, where a user alert would be displayed. The user would have expected device B to be already connected to device C at this stage, and so an alert at device C indicating that a connection attempt with device B was rejected would be enough to put doubts in the mind of the user.
It is also necessary to consider what would occur if device E launches an attack by receiving a FRIEND() message from a device and sending a bogus REPLY() message.
For example, if a FRIEND(A) message was sent from device A, and received at device B. device B could generate a REPLY(B+A) message as described above. However, device E could sent a bogus REPLY(E+A) message that included faked identifiers of device B. However, this attack would likely either fail or be detected. If device B sends the REPLY(B+A) message to device A before device E could sent the bogus REPLY(E+A), then device A would reject the REPLY(E. A) message as it could only accept one connection at a time without the consent of the user.
If device E sends the REPLY(EtA) message to device A before device A could sent the bogus REPLY(B+A), then device A would reject the REPLY(B A) , and send a failure message to device B. This triggers a user alert, which would indicate the likely presence of a malicious device.
The strongest possible attack would be for device E to launch a full man in the middle attack and impersonate device A to device B. and device B to device A. However, if other devices are present in range then this attack would likely fail for the above reasons.
However, even if it is not detected then the security risks are limited. Device E would only have access to data sent between device A and device B. which are encrypted with a session key. However, this session key would not be used for communications between any other devices, and so device E could not use it to communicate with other devices.
Furthermore, the trust parameters ensure that device A would always have limited functionality over device B and vice versa. In addition, device E would need to be constantly online to act as a router, and the attack would fail if device E goes off line.
In order to provide a further measure to prevent any unwanted connections, it would be beneficial for all devices to display their connections to a user.
Contrary to what one might expect from knowledge of conventional systems, is that in arrangements of the fourth embodiment the existence of more than two devices wishing to establish connections at the same time is actually more secure than the primitive scenario which consists of just two devices. The reason is that the existence of a bogus device sending FRIEND() messages cannot go without being detected, since now the process is not automatic and the user is able to monitor the process in a robust way.
Embodiments provide methods of establishing wireless connections that are secure, yet easy for the user to perform. These methods require no extra hardware on the wireless devices such a smart cards or IR scanners, and are therefore cheap to implement.
A relatively secure link can established over an insecure wireless link, without prior relationships, knowledge or infrastructure. User interaction is reduced to minimal and the security aspects are completely transparent to the user since.
Furthermore such methods require no supporting external hardware or software infrastructure. The method could be provided on a computer readable medium, which could be uploaded to conventional devices. Alternatively, it could be stored in hardware during manufacture.
Embodiments provide a method that combines low-level key-exchange as well as higher level authorization and access control, as well as elements of intrusion detection. The protocol establishes a link, but the devices can remains alert and in case some suspicious signals can be detected. Furthermore the same protocol could not just exchange a key and let higher layer entities decide what they can do over that link. The very same protocol is aware of its weaknesses and it thus applies some initial limitations and access control for the sake of security.
Since the present invention can be implemented by software, the present invention encompasses computer code provided to a general purpose computer on any suitable carrier medium. The carrier medium can comprise any storage medium such as a floppy disk, a CD ROM, a magnetic device or a programmable memory device, or any transient medium such as any signal e.g. an electrical, optical or microwave signal.

Claims (45)

  1. CLAIMS: 1. 45 A method of configuring a wireless connection between a
    first device and a second device, the method comprising at the second device: receiving an initiation signal from the first device; establishing if any other initiation signals are received in a predetermined time after the receipt of the initiation signal from the first device; determining that a connection may be established between the first device and the second device if no initiation signals from devices other than the first device are received in the predetermined time; and configuring a wireless connection between the first device and the second device if it is determined that the first device may connect to the second device.
  2. 2. A method according to Claim 1, further comprising: determining that the first device may be connected to the second device if only one initiation signal is received in the predetermined time.
  3. 3. A method according to Claim I or 2, further comprising at the second device: sending configuration data to the first device following the receipt of an initiation signal; and using the configuration data to configure the wireless connection.
  4. 4. A method according to Claim 3, wherein the configuration data comprises a session key used for encryption of transmission data sent between the second device and the first device once a wireless connection has been configured between the first device and the second device.
  5. 5. A method according to Claim 3 or 4, further comprising, at the first device, on receipt of the configuration data from the second device, determining if the second device may be connected to the first device and sending a connection refusal signal to the second device if the second device may not be connected to the first device; and at the second device, receiving the connection refusal signal and outputting an alert to the user.
  6. 6. A method according to any one of Claims 3 to 5, further comprising, at the first device, on receipt of the configuration data from the second device: outputting to a user interface an indication that configuration data has been received from the second device; receiving from a user input an indication of whether the second device may be connected to the first device; and terminating the wireless connection between the second device and the first device if the user input indicates that second device may not be connected to the first device.
  7. 7. A method according to any one of the preceding Claims, wherein the initiation signal comprises information data of the first device, the method further comprising at the second device, on receipt of initiation signals from any device other than the first device within the predetermined time: outputting to a user interface an indication that an initiation signal has been received from the first device using the information data of the first device; and receiving a user indication that the user determines that the first device may be connected to the second device.
  8. 8. A method according to Claim 7, further comprising outputting to said user interface an indication to the user that an initiation signal has been received from a device other than the first device.
  9. 9. A method according to any one of the preceding claims, wherein the initiation signal from the first device comprises a public key of the first device, the method further compnslng: at the second device, encrypting the configuration data using the public key of the first device before sending the configuration data to the first device.
  10. 10. A method according to any one of the preceding claims, further comprising at the first device: determining a first trust parameter relating to the connection between the first 45device and the second device; and using the first trust parameter to determine the actions taken by the first device in response to data received from the second device over the wireless connection.
  11. 1 1. A method according to Claim 10, wherein the second device transmits to the first device second specification information including information indicative of the capabilities of the second device, the method further comprising: at the first device, determining the first trust parameter by comparing the second specification information with predetermined criteria.
  12. 12. A method according to any one of the preceding claims, further comprising, at the second device: determining a second trust parameter relating to the connection between the second device and the first device; and using the second trust parameter to determine the actions taken by the second device in response to data received from the first device over the wireless connection.
  13. 13. A method according to Claim 12, wherein the initiation signal of the first device includes first specification information indicative of the capabilities of the first device, the method further comprising: at the second device, determining the second trust parameter by comparing the first specification information contained in the initiation signal with predetermined criteria.
  14. 14. A method according to any one of the preceding claims, further comprising, at the second device, after a connection has been established with the first device: determining if an initiation signal from another device other than the first device is received in a second predetermined time, and if so performing any one or more of: sending a connection refusal signal to said another device; terminating the wireless connection between the second device and the first device; and outputting to a user interface an indication that an initiation signal has been received from a device other that the first device.
  15. 15. A method according to any one of the preceding claims, further comprising, at the second device or the first device, after a connection has been established with the first device or the second device respectively: transmitting a further initiation signal periodically for a third predetermined time; determining if further configuration data from another device other than the first device is received in a second predetermined time, and if so performing any one or more of: sending a connection refusal signal to said another device; terminating the wireless connection between the second device and the first device; and outputting to a user interface an indication that further configuration data has been received from a device other that the first device.
  16. 16. A wireless communications device arranged to establish a wireless connection with a first device, the device comprising: a receiver for receiving an initiation signal from said first device; a processor arranged to establish if any other initiation signal is received in a predetermined time after the receipt of the initiation signal from said first device, and to determine that the first device may be connected to said first device if no initiation signals from devices other than the first device are received within the predetermined time; a generator for generating configuration data used for configuring a wireless connection between the device and the first device; and a transmitter arranged for sending the generated configuration data to the first device if the first device may be connected to the device.
  17. 17. A wireless network comprising at least two devices capable of establishing a wireless connection, the network comprising, a first device comprising a transmitter arranged for transmitting an initiation signal, a second device comprising: a receiver arranged for receiving the initiation signal from the first device; a processor arranged to establish if any other initiation signal is received in a predetermined time after the receipt of the initiation signal from the first device, and to determine that the first device may be connected to the second device if no initiation signals from devices other than the first device are received within the predetermined time; and a generator for generating configuration data used for configuring a wireless connection between the device and the first device a transmitter arranged for sending the generated configuration data to the first device if the first device may be connected to the second device, wherein the configuration data is used to configure a wireless connection between the first device and the second device if the first device.
  18. 18. A method of establishing a secure wireless connection between a first device and a second device; the method comprising: receiving the an initiation signal from the first device, the initiation signal comprising information data of the first device and a public key of the first device; outputting to a user interface an indication that an initiation signal has been received from the first device based upon the information data; receiving a user indication of whether the user determines that the first device may be connected to the second device; encrypting a session key using the public key of the first device to form encrypted data; transmitting the encrypted data for reception by the first device, if the user indicates that the first device may be connected to the second device.
  19. 19. A method according to Claim 18, wherein the second device receives the user indication that the first device is to be connected to the second device.
  20. 20. A method according to Claim 18, wherein a third device receives the user indication that the first device is to be connected to the second device.
  21. 21. A method according to Claim 20, wherein the third device receives the initiation signal from the first device, and transmits the encrypted data for reception by the first device if the user indicates that the first device may be connected to the second device, the method further comprising at the third device: receiving a second initiation signal from the second device, the second initiation signal comprising information data of the second device and a public key of the second device; encrypting the session key using the public key of the second device to form second encrypted data; and transmitting the second encrypted data for reception by the second device, if the user indicates that the first device may be connected to the second device; wherein the encrypted data includes command data for instructing the first device to connect to the second device using the session key, and the second encrypted data includes second command data for instructing the second device to connect to the first device using the session key.
  22. 22. A method according to any one of Claims 18 to 21, further comprising, establishing whether an initiation signal from a device other than the first device is received in a predetermined time from the receipt of the initiation signal from the first device, and on receipt of an initiation signal from a device other than the first device within the predetermined time, outputting to a user interface an indication to the user that an initiation signal has been received from a device other than the first device.
  23. 23. A method according to any one of Claims 18 to 22, further comprising: at the first device, on receipt of the encrypted data, decrypting the encrypted data with a private key corresponding to the public key to obtain the session key; outputting to a user interface an indication that a session key has been received for use with the second device; receiving a user indication of whether the user determines that the first device may be connected to the second device; and terminating further communication with the second device if the user indication indicates that the first device may not be connected to the second device.
  24. 24. A method according to any one of Claims 18 to 23, further comprising at the first device: determining a first trust parameter relating to the connection between the first device and the second device; and using the first trust parameter to determine the actions taken by the first device in response to data received from the second device over the wireless connection.
  25. 25. A method according to Claim 24, wherein the encrypted data includes second specification information indicative of the capabilities of the second device, the method further comprising: at the first device, determining the first trust parameter by comparing the second specification information with predetermined criteria.
  26. 26. A method according to any one of Claims 18 to 25, further comprising, at the second device: determining a second trust parameter relating to the connection between the second device and the first device; and using the second trust parameter to determine the actions taken by the second device in response to data received from the first device over the wireless connection.
  27. 27. A method according to Claim 26, wherein the second device receives first specification information indicative of the capabilities of the first device, the method further comprising: at the second device, determining the second trust parameter by comparing the first specification information with predetermined criteria.
  28. 28. A wireless communications device arranged to establish a wireless connection with a first device, the device comprising: a receiver for receiving an initiation signal from the first device, the initiation signal comprising information data of the first device and a public key of the first device; an interface for providing the user with an indication that an initiation signal has been received from the first device; a user input arranged to receive a user indication of whether the user determines that the first device may be connected to the wireless communication device; a processor for encrypting a session key using the public key of the first device to from encrypted data; and a transmitter for sending the encrypted data to the first device if the user indication indicates that the first device may be connected to the wireless communication device.
  29. 29. A wireless network comprising at least two devices capable of establishing wireless communication, the network comprising: a first device comprising: a transmitter for transmitting an initiation signal, the initiation signal comprising information data of the first device and a public key of the first device; a second device comprising: a receiver for receiving an initiation signal from the first device, the initiation signal comprising information data of the first device and a public key of the first device; an interface for providing the user with an indication that an initiation signal has been received from the first device; a user input arranged to receive a user indication of whether the user determines that the first device may be connected to the second device; a processor for encrypting a session key using the public key of the first device to from encrypted data; and a transmitter for sending the encrypted data to the first device if the user indication indicates that the first device may be connected to the second device.
  30. 30. A method of configuring a wireless connection between a first device and a second device, the method comprising: sending an initiation signal; receiving generated configuration data from the second device sent in response to the initiation signal; setting up a wireless connection between the first device and the second device using the configuration data; determining a first trust parameter relating to the wireless connection between the first device and the second device; controlling the actions taken by the first device in response to data received from the second device using the first trust parameter.
  31. 31. A method according to Claim 30, wherein the first trust parameter is determined based upon the security of the method used to send configuration data from the second device.
  32. 32. A method according to Claim 30 or 31, wherein the first trust parameter is determined based upon the capabilities of the second device.
  33. 33. A method according to any one of Claims 30 to 32, wherein the configuration data includes second specification information indicative of the capabilities of the second device, the method further comprising: determining the first trust parameter by comparing the second specification information with predetermined criteria.
  34. 34. A method according to any one of Claims 30 to 33, further comprising: at the second device: receiving the initiation signal from the first device; sending configuration data to the first device; using the configuration data to set up a wireless connection between the first device and the second device; determining a second trust parameter relating to the wireless connection between the second device and the first device; and controlling the actions taken by the second device in response to data received from the first device using the second trust parameter.
  35. 35. A method according to Claim 34, wherein the second trust parameter is determined based upon whether the second device can authenticate the initiation signal sent by the first device.
  36. 36. A method according to Claim 34 or 35, wherein the second trust parameter is determined based upon the capabilities of the first device.
  37. 37. A method according to any one of Claims 30 to 36, wherein the initiation signal comprises first specification information including information indicative of the capabilities of the first device, the method further comprising: determining the second trust parameter by comparing the first specification information with predetermined criteria.
  38. 38. A method according to any one of Claims 34 to 36, further comprising upgrading the first and/or second trust parameter to an upgraded first trust parameter and/or second trust parameter respectively, based upon: providing the user with an indication that a wireless connection has been established between the first and second devices, and receiving a user indication that the first and/or second trust parameter is to be upgraded.
  39. 39. A method according to any one of Claims 34 to 38, further comprising upgrading the first and second trust parameter to an upgraded first trust parameter and second trust parameter respectively, based upon providing a secret key to the first device and the second device.
  40. 40. A wireless communications device comprising: a receiver arranged for receiving an initiation signal from a first device; a transmitter for sending configuration data to the first device, wherein the configuration data is used to set up a wireless connection between the first device and the wireless communications device; a processor arranged to determine a second trust parameter relating to the wireless connection between the wireless communications and the first device, and to determine the actions taken by the wireless communications device in response to data received from the first device.
  41. 41. A wireless communications device comprising: a transmitter for sending an initiation signal to a second device; a receiver for receive configuration data from the second device in response to the initiation signal, wherein the configuration data is used to set up a wireless connection between the wireless communications device and second device; a processor arranged to determine a first trust parameter relating to the wireless connection between the wireless communications device and the second device, and to determine the actions taken by the wireless communications device in response to data received from the second device.
  42. 42. A method of configuring a wireless connection between a first device and a second device, the method comprising at a third device: receiving a first initiation signal from the first device, the initiation signal comprising first information data of the first device; receiving a second initiation signal from the second device, the initiation signal comprising second information data of the second device; outputting to a user interface an indication that the first initiation signal has been received from the first device based upon the first information data; outputting to a user interface an indication that the second initiation signal has been received from the second device based upon the second information data; receiving a user indication of whether the user determines that the first device may be connected to the second device; transmitting first configuration data to the first device and second configuration data to the second device, the first configuration data including first command data for instructing the first device to connect to the second device, and the second configuration data including second command data for instructing the second device to connect to the first device.
  43. 43. Processor control code to, when running, perform the method of any one of claims 1 to 15, claims 18 to 27, claims 30 to 39, or claim 42.
  44. 44. A carrier carrying the processor control code of claim 43.
  45. 45. A method substantially as hereinbefore described with reference to figures 2 to 7 of the accompanying drawings.
GB0405037A 2004-03-05 2004-03-05 Wireless network Expired - Fee Related GB2411801B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0405037A GB2411801B (en) 2004-03-05 2004-03-05 Wireless network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0405037A GB2411801B (en) 2004-03-05 2004-03-05 Wireless network

Publications (3)

Publication Number Publication Date
GB0405037D0 GB0405037D0 (en) 2004-04-07
GB2411801A true GB2411801A (en) 2005-09-07
GB2411801B GB2411801B (en) 2006-12-20

Family

ID=32088812

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0405037A Expired - Fee Related GB2411801B (en) 2004-03-05 2004-03-05 Wireless network

Country Status (1)

Country Link
GB (1) GB2411801B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1965541A1 (en) * 2007-03-01 2008-09-03 Seiko Epson Corporation System, apparatus and method for automated wireless device configuration
US8724515B2 (en) 2010-03-26 2014-05-13 Cisco Technology, Inc. Configuring a secure network
EP1997267A4 (en) * 2006-03-20 2017-05-17 Canon Kabushiki Kaisha Communication system, communication device and processing method therefor
US10045208B2 (en) 2012-03-31 2018-08-07 Nokia Technologies Oy Method and apparatus for secured social networking
US10362001B2 (en) 2012-10-17 2019-07-23 Nokia Technologies Oy Method and apparatus for providing secure communications based on trust evaluations in a distributed manner

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8316438B1 (en) 2004-08-10 2012-11-20 Pure Networks Llc Network management providing network health information and lockdown security
US8478849B2 (en) 2004-12-07 2013-07-02 Pure Networks LLC. Network administration tool
WO2006063118A2 (en) 2004-12-07 2006-06-15 Pure Networks, Inc. Network management
US8700743B2 (en) 2007-07-13 2014-04-15 Pure Networks Llc Network configuration device
US9026639B2 (en) 2007-07-13 2015-05-05 Pure Networks Llc Home network optimizing system
US9491077B2 (en) 2007-07-13 2016-11-08 Cisco Technology, Inc. Network metric reporting system
US8649297B2 (en) 2010-03-26 2014-02-11 Cisco Technology, Inc. System and method for simplifying secure network setup

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2350971A (en) * 1999-06-07 2000-12-13 Nokia Mobile Phones Ltd Security Architecture
US20020169874A1 (en) * 2001-05-09 2002-11-14 Batson Elizabeth A. Tailorable access privileges for services based on session access characteristics
US20020178365A1 (en) * 2001-05-24 2002-11-28 Shingo Yamaguchi Method and system for controlling access to network resources based on connection security
US20030056111A1 (en) * 2001-09-19 2003-03-20 Brizek John P. Dynamically variable security protocol
US20030061364A1 (en) * 2001-09-26 2003-03-27 International Business Machines Corporation Method and system in electronic commerce for providing a secure wireless connection service for mobile personal area networks
EP1324541A2 (en) * 2001-12-26 2003-07-02 Kabushiki Kaisha Toshiba Communication system, wireless communication apparatus, and communication method
WO2003077498A1 (en) * 2002-03-08 2003-09-18 Certicom Corp. Local area network
EP1376930A2 (en) * 2002-06-28 2004-01-02 Microsoft Corporation Systems and methods for application delivery and configuration management of mobile devices
WO2004052043A2 (en) * 2002-12-05 2004-06-17 Enocean Gmbh Method for initialising radio receivers

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2350971A (en) * 1999-06-07 2000-12-13 Nokia Mobile Phones Ltd Security Architecture
US20020169874A1 (en) * 2001-05-09 2002-11-14 Batson Elizabeth A. Tailorable access privileges for services based on session access characteristics
US20020178365A1 (en) * 2001-05-24 2002-11-28 Shingo Yamaguchi Method and system for controlling access to network resources based on connection security
US20030056111A1 (en) * 2001-09-19 2003-03-20 Brizek John P. Dynamically variable security protocol
US20030061364A1 (en) * 2001-09-26 2003-03-27 International Business Machines Corporation Method and system in electronic commerce for providing a secure wireless connection service for mobile personal area networks
EP1324541A2 (en) * 2001-12-26 2003-07-02 Kabushiki Kaisha Toshiba Communication system, wireless communication apparatus, and communication method
WO2003077498A1 (en) * 2002-03-08 2003-09-18 Certicom Corp. Local area network
EP1376930A2 (en) * 2002-06-28 2004-01-02 Microsoft Corporation Systems and methods for application delivery and configuration management of mobile devices
WO2004052043A2 (en) * 2002-12-05 2004-06-17 Enocean Gmbh Method for initialising radio receivers

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"Proceedings of the10th IEEE International Workshop on Future Trends of Distributed Computing Systems (FTDCS 2004)", published 26/05/2004, IEEE, pp80-85, Zhaoyu et al " A dynamic trust model for mobile ad hoc networks". *
Computer Communications 23 (17) (2000), published 2000, Elsevier, pp 1627-1637, N. Asokan et al, Key agreement in ad hoc networks, http://www.gta.ufrj.br/ïeric/tese/artigos/article-CompComm-2000-23-17-30.pdf (viewed 04/08/2004) *
Dirk Balfanz et al, Talking To Strangers: Authentication in Ad-Hoc Wireless Networks, presented at Symposium on Network and Distributed Systems Security (NDSS '02), San Diego, California, February 2002 http://www.gta.ufrj.br/ïeric/tese/artigos/balfan.pdf (viewed 04/08/2004) *
Frank Stajano et al, The Resurrecting Duckling: Security Issues for Ubiquitous Computing, 2002, http://www.computer.org/security/supplement1/sta/ (viewed 04/08/2004) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7940744B2 (en) 2004-09-16 2011-05-10 Seiko Epson Corporation System, apparatus and method for automated wireless device configuration
EP1997267A4 (en) * 2006-03-20 2017-05-17 Canon Kabushiki Kaisha Communication system, communication device and processing method therefor
EP1965541A1 (en) * 2007-03-01 2008-09-03 Seiko Epson Corporation System, apparatus and method for automated wireless device configuration
US8724515B2 (en) 2010-03-26 2014-05-13 Cisco Technology, Inc. Configuring a secure network
US10045208B2 (en) 2012-03-31 2018-08-07 Nokia Technologies Oy Method and apparatus for secured social networking
US10362001B2 (en) 2012-10-17 2019-07-23 Nokia Technologies Oy Method and apparatus for providing secure communications based on trust evaluations in a distributed manner

Also Published As

Publication number Publication date
GB2411801B (en) 2006-12-20
GB0405037D0 (en) 2004-04-07

Similar Documents

Publication Publication Date Title
EP1335563B1 (en) Method for securing communication over a network medium
US11689870B2 (en) Hearing device and method of updating a hearing device
EP1536609B1 (en) Systems and methods for authenticating communications in a network
JP5431479B2 (en) Protocol for associating devices with stations
EP3308519B1 (en) System, apparatus and method for transferring ownership of a device from manufacturer to user using an embedded resource
KR101478419B1 (en) Temporary registration of devices
US9887848B2 (en) Client device with certificate and related method
EP1473899A1 (en) Security in a communications network
WO2019051776A1 (en) Key transmission method and device
JP6807153B2 (en) Devices and related methods for secure hearing device communication
US20220167173A1 (en) Hearing device system, devices and method of creating a trusted bond between a hearing device and a user application
KR100631199B1 (en) System and method for setting a device by a remote controller
JP2006303751A (en) Communications system, communication method, and communications terminal
GB2411801A (en) Establishing secure connections in ad-hoc wireless networks in blind trust situations
Kostiainen Intuitive Security Initiation Using Location-Limited Channels
EP3113407B1 (en) Client device with certificate and related method
JP2006526314A (en) Security in communication networks
KR101204648B1 (en) Method for exchanging key between mobile communication network and wireless communication network
WO2008004174A2 (en) Establishing a secure authenticated channel
WO2022135387A1 (en) Identity authentication method and apparatus
WO2022135386A1 (en) Method and device for identity authentication
US20230007482A1 (en) Method for provisioning keys in a network of connected objects
WO2022135385A1 (en) Identity authentication method and apparatus
JP2004072470A (en) Information communication apparatus and conference key sharing program
Suomalainen Multi-model security associations in personal networks

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20130305