KR101253370B1 - Method and system for deriving an encryption key using joint randomness not shared by others - Google Patents

Abstract

The present invention relates to a method and system for deriving an encryption key using JRNSO (joint randomness not shared by others). Communication entities generate JRNSO bits from channel impulse response (CIR) estimates, which are used to generate an encryption key. The authentication type may be IEEE 802.1x or may be a pre-shared key system. In an IEEE 802.1x system, a master key, pairwise master key (PMK) or pairwise transient key (PTK) can be generated using the JRNSO bit. The encryption key can be generated using the Diffie-Hellman key derivation algorithm.

Description

METHOD AND SYSTEM FOR DERIVING AN ENCRYPTION KEY USING JOINT RANDOMNESS NOT SHARED BY OTHERS}

The present invention relates to wireless communication security. More specifically, the present invention relates to a method and system for deriving encryption keys using joint randomness (JRNSO) that is not shared with others.

IEEE 802.11i uses a counter mode (CTR) in which a wireless LAN (WLAN) operating in the IEEE 802.11 standard uses cipher-block chaining with a message authentication code (CCMP) encapsulation technology and then AES ( advanced encryption standard) algorithms are used to ensure that data can be delivered securely. To achieve this goal, IEEE 802.11i provides two ways in which a pair of communication nodes can derive a key that can be used to encrypt the exchanged packet.

The first approach is based on IEEE 802.1x authentication technology that requires a remote authentication server (eg, a RADIUS server). In IEEE 802.1x, an access point (AP) functions as a router between a wireless transmit / receive unit (WTRU) and an authentication server that wants to connect with an AP. The authentication server provides the public key to the WTRU through the AP. The WTRU may verify this public key by checking the public key with a digital certificate provided by the certificate server. The WTRU then derives a random secret (i.e. master secret), encrypts the master secret with the provided public key, and sends the master secret to the authentication server. Thus, only the authentication server can decrypt the master secret using the corresponding private key. The authentication server and the WTRU use this master secret to derive the master key (MK). The authentication server and the WTRU then derive a pairwise master key (PMK) from the MK. The authentication server provides this PMK to the AP. The AP and the WTRU then derive a pairwise transient key (PTK) using the PMK. Part of this PTK is a temporary key (TK), which is the actual key used in CCMP technology to encrypt packets. Since this approach uses a remote authentication server and digital certificate (which is generally expensive), this approach is usually implemented in commercial WLANs.

A second approach, which is more suitable for home or small business networks, uses a pre-shared key (PSK). In this manner, a 256 bit user configurable secret key is stored on the communication node. If the WTRU wants to connect with the AP, as in the IEEE 802.1x system, the WTRU derives the PTK using the PSK as a PMK (without derivation of the master secret and MK) and uses a portion of the PTK as the TK.

There are two or more problems with IEEE 802.11i systems. First, the final TK has only as much security as the PSK in the case of a master secret or home or small business network exchanged in the case of an IEEE 802.1x network. In an IEEE 802.1x system, an attacker can steal the master secret by stealing the private key of the authentication server. In a home network, the PSK is estimated using a brute-force attack (the PSKs in the home do not change regularly or come from "weak" pass phrases) or by stealing the key. Can be. By knowing the master secret or PSK, the intruder arrives at a value that matches the PMK in the same way as the two legitimate communication nodes, and then derives the matching PTK value. Thus, knowing the authentication credentials is sufficient to know the derived encryption key. Also, when keys are updated during a session, the MK and PMK are usually left untouched and only new PTKs are derived using information exchanged between PMK (which is incognito) and plaintext (non-password). . Since the PMK does not change, the PTK is not new and therefore not a new key.

In addition, the key derivation process is very complex and has many steps (such as MK, PMK, PTK and TK). This consumes time and resources.

The key can be thought of as a sequence of bits. A perfect secret random key of length N bits is an N-bit sequence S shared by entities. Assuming all the information is available in most systems, everyone's estimate of what the key sequence can be can be distributed over all possible 2 ^N N-bit sequences with approximately equal probability.

The prior art encryption system relies on the fact that it can be extremely difficult in terms of computational resources inferring encryption keys. However, in most of these systems, once an accurate estimate is made, it is very easy to verify that this estimate is really accurate. In practice, the prior art involves that this assumption is applicable to any public key system (i.e., the decryption key is kept secret but the encryption key is public).

For example, if p and q are two large prime numbers and s = pq, it is well known that the problem of factoring the product of two large prime numbers is very computationally difficult. If a party chooses p and q as secrets and makes their product s publicly available, then use these products as encryption keys for the encryption system, the product cannot be easily decrypted without knowing p and q. An eavesdropper who wants to intercept an encrypted message attempts to initiate eavesdropping by trying to factor s, but it is difficult to figure out this computationally. However, when the eavesdropper estimates p, it quickly and easily verifies that it has the correct answer. The ability to know whether the correct answer is obtained by estimation distinguishes between complete and computational confidentiality. Full confidentiality means that even if the attacker correctly guessed the key, he would not have the ability to determine whether the attacker actually estimated the key correctly.

Therefore, it is desirable to generate a cipher with a key without this limitation of the prior art.

The present invention relates to a method and system for deriving an encryption key using JRNSO. Communication entities generate JRNSO bits from the CIR estimate, and the JRNSO bits are used to generate an encryption key. The authentication type may be IEEE 802.1x or a pre-shared key system. In an IEEE 802.1x system, MK, PMK and / or PTK may be generated using JRNSO bits. The encryption key can be generated using the Diffie-Hellman key derivation algorithm.

Using the method of the present invention, an intruder possessing an authentication credential (e.g., digital certificate or PSK) does not share the same encryption key because the WTRU and AP do not share the same channel and thus cannot form the same JRNSO bit. It cannot be derived.

Furthermore, the present invention provides a simpler key derivation where only one short secret is exchanged and one set of keys is derived, instead of one long secret being exchanged and three sets of keys (ie, MK, PMK and PTK) derived. By providing a method, it saves power on a mobile device.

Hereinafter, the term "WTRU" includes but is not limited to a user device, STA, fixed or mobile subscriber unit, pager, or any other type of device operable in a wireless environment. The term "AP", referred to below, includes, but is not limited to, Node-B, base station, site controller, or any other type of interfacing device operable in a wireless environment.

Features of the invention may be organized into integrated circuits (ICs) or composed of circuits comprising a plurality of interconnecting components. The invention may be implemented as a digital signal processor (DSP), software, middleware, hardware, application or future system architecture. The elements may be subcomponents of a large communication system or ASIC and some or all processing elements may be shared for other elements.

In a wireless communication system, it is difficult to correlate random sources without a priori communication, but the wireless channel provides this resource only in the form of a channel impulse response (CIR). Specifically, in some communication systems, two communicating parties (eg, Alice and Bob) will measure very similar CIR estimates. Wideband code division multiple access (WCDMA) time division duplex (TDD) systems have this characteristic. On the other hand, a party not physically located in the same place as Alice and Bob is likely to observe a CIR that has little correlation with Alice and Bob. This difference can be used to generate a complete secret key. The channel is the source of JRNSO, and the CIR estimate is the sample obtained from this channel.

Hereinafter, the Diffie-Hellman key derivation process will be described. Alice and Bob agree to use the prime p and base g. Alice selects the secret integer a and sends g ^a mod p to Bob. Bob chooses the secret integer b and sends g ^b mod p to Alice. Alice computes (g ^b mod p) ^a mod p Bob computes (g ^a mod p) ^b mod p. (g ^b mod p) ^a mod p and (g ^a mod p) ^b mod p are the same. As an example, Alice and Bob agree to use prime numbers p = 23 and radix g = 3. Alice selects the secret integer a = 6 and sends g ^a mod p = 3 ⁶ mod 23 = 16 to Bob. Bob chooses the secret integer b = 15 and then sends g ^b mod p = 3 ¹⁵ mod 23 = 12 to Alice. Alice computes (g ^b mod p) ^a mod p = 12 ⁶ mod 23 = 9. Bob computes (g ^a mod p) ^b mod p = 16 ¹⁵ mod 23 = 9.

This method requires a larger number to be safe. If p is a prime number greater than 300 and a and b are greater than number 100 (even for legitimate communication parties), this operation is too resource intensive, making intrusion practically impossible. As such, this prevents such a protocol from being implemented on mobile devices with limited battery power.

By using JRNSO, if one (or both) of the numbers p or g is secretly agreed, this allows for two security nodes to use a smaller number for a, b, p and / or g while achieving significant security. Let's do it. The Diffie-Hellman shared key can function as an encryption key or can be used to encrypt and transmit the actual encryption key. The smaller the number, the less resource intensive the key derivation process is, so that the key derivation process can be used on the mobile device.

Figure 1 shows a block diagram of a system 100 comprising two communication entities (first node 110 and second node 150) for deriving a JRNSO bit and a secret key in accordance with the present invention. One of these may be a WTRU and the other may be an AP. For simplicity, FIG. 1 shows a point-to-point communication system with only two communication entities 110, 150. However, the present invention can also be applied to a point-to-multipoint communication system that includes more than two entities. Further, although the first node and the second node may be identical entities that contain essentially the same elements, a simplification of the description assuming that the first node leads the generation of the JRNSO bit and the secret key, which will be described in detail below. For the sake of brevity, it should be noted that FIG. 1 illustrates only relevant elements for the first node and the second node.

According to the invention, one of the communication entities leads the generation. Assume that the first node 110 leads the generation of a secret key. The first node 110 includes a channel estimator 112, a post processor 114 (optional), an error correction encoder 118, a sync code generator 120 (optional), a secret key generator 116, and a multiplexer 122. It includes.

The channel estimator 112 of the first node 110 generates a CIR estimate 113 based on the received signal 111 from the second node 150. In addition, the channel estimator 152 at the second node 150 generates a CIR estimate 153 based on transmissions transmitted by the first node 110. The output of channel estimators 112 and 152 is a digitized representation of the CIR estimate. Any prior art method may be used to generate the CIR estimate. For example, entities 110 and 150 may send a special signaling or pilot sequence to another node to assist in generating the CIR estimate. The CIR estimate may be generated and stored in any manner including, but not limited to, the time domain and the frequency domain, or may be expressed using an abstract vector space or the like. The method and representation method of generating the CIR estimate should be the same at both the first node 110 and the second node 150.

Depending on the implementation, only some of the information in the CIR estimate may be reciprocal and thus suitable for generation of a common secret key. For example, entities 110 and 150 may be selected to use only amplitude / power profile information of the CIR estimate and may ignore phase information.

Post processor 114 may optionally process the CIR estimate using conventional techniques. Post processor 114 (such as a low pass filter or interpolating filter) removes noise and redundancy. In addition, the post processor 114 is required when the entities are equipped with multiple antennas for multiple-input multiple-output (MIMO), and accordingly, the CIR estimate is different depending on the number of antennas and the difference in antenna pattern. do. In this case, entities 110 and 150 may need to exchange information about the antenna configuration of the entities.

Because of channel reciprocity, the CIR estimates produced by the first node 110 and the second node 150 are expected to be very similar. However, there are three major errors that introduce inconsistencies into the CIR estimates. First, channel reversibility is assumed to be the simultaneous estimation of the channel at both entities. The difference in concurrency results in a slight difference in channel estimation. Second, the digitized CIR estimate needs to be synchronized with respect to the starting point. For example, if the CIR estimate is digitized in the time domain, the start of a significant portion of the CIR estimate may occur at different locations relative to the reference zero time of the two entities 110, 150. This problem is illustrated in FIG. 2. As another example, if the CIR estimate is stored using a frequency domain representation, another starting frequency / reference phase can be assumed to determine the storage parameter. Third, CIR estimates also vary due to errors caused by interference inherent in wireless communications.

Regarding the first misorder, to ensure concurrency in channel estimation, the channel estimation timing can be fixed for special system times, such as radio frames or slot boundaries. Alternatively, a synchronization signal may be inserted into a signal (such as a pilot signal) that entities 110 and 150 transmit to support channel estimation. Synchronization can be obtained from this pilot signal without the need to insert special signals. Alternatively, channel estimation may be performed with reference to an absolute time reference, such as a global positioning system (GPS). Alternatively, round trip delay can be measured and synchronization can be realized based on this round trip delay.

Regarding the second misorder, the starting point of the CIR estimate may be recorded at the first node 110 and transmitted to the second node 150. Alternatively, special synchronization codes (eg comma-free codes) can be used. Typically, only limited performance is required from this code since the synchronization problem is limited to only a few samples. Special synchronization signals related to a common timing source (eg, GPS) can be generated by the terminals and CIR measurements can be made on these signals. Synchronization issues can be addressed by handling CIRs in domains where this synchronization issue is not an issue. For example, assuming phase information is ignored, there is no synchronization problem in the frequency domain.

Depending on the interference level of the channel, secrecy rate loss can be large or minimized. For example, in a noisy channel, since the phase information is very unreliable, the phase information is ignored and the secret rate loss is minimized.

Referring back to FIG. 1, the post-processed CIR estimate 115 is supplied to the secret key generator 116, the sync code generator 118, and the error correction encoder 120. Secret key generator 116 generates secret key 117 from the CIR estimate 115, which is the JRNSO bits.

The sync code generator 120 generates a sync signal / code 121 for concurrency and to synchronize the "start point". The error correction encoder 118 generates error parity bits 119 by performing error correction coding on the CIR estimate 115. Error correction coding may be block coding or convolutional coding. The present invention utilizes systematic error correction coding such that the original message (ie, the encoder input that is the CIR estimate 115) is also output from the error correction encoder 118. According to the present invention, only the parity bit 119 is multiplexed by the multiplexer 122 into the synchronization signal / code 121 and then transmitted to the second node 150. The multiplexed bit stream 123 is transmitted to the second node 150.

The second node 150 includes a channel estimator 152, a sync bit demodulator 154, a parity bit demodulator 156, a post processor 158 (optional), a sync unit 160, an error correction decoder 162 and a secret. A key generator 164. Channel estimator 152 generates a CIR estimate from the received signal 151 transmitted by first node 110. The CIR estimate 153 is optionally processed by the post processor 158 as described above. The sync bit demodulator 154 demodulates the received signal 151 to recover the sync signal / code 155. The parity bit demodulator 156 demodulates the received signal 151 to recover the parity bit 157. The synchronization signal / code 155 is supplied to the synchronization unit 160 and the parity bit 157 is supplied to the error correction decoder 162. The post processed CIR 159 is processed by the sync unit 160. The synchronization unit 160 corrects the discrepancies between the CIR estimates due to lack of concurrency and / or misalignment of the starting point according to the synchronization signal / code 155.

The error correction decoder 162 performs error correction decoding while processing the CIR estimate 159 processed by the synchronization unit 160 as a message part of the code word, where the message part of the code word possibly contains an error, The error is corrected using the received parity bit 157. If the block code is well selected, the output 163 of the error correction decoder 162 corresponds with a very high probability to the CIR estimate generated by the first node 110. Thus, the first node 110 and the second node 150 succeed in obtaining the same data sequence while revealing only a part of the same data sequence (ie, parity bits) in public, and can derive the same JRNSO bits.

Error correction decoder 162 may be used to support synchronization of the starting point of the digitized CIR estimation. Second node 150 generates a set of CIR estimates and decodes each probable CIR estimate into parity bit 157. The error correction decoder 162 counts the number of errors in each CIR estimate. The correction process results in a very low number of corrections, but at a very high probability, most corrections result in a very high number of corrections. In this way, error correction decoding processing can support starting point synchronization.

If the CIR estimate is aligned between the first node 110 and the second node 150, the secret key generator 164 may have the same secret key 165 as the secret key 117 generated by the first node 110. Create

3 shows a flow diagram of a process 300 for deriving a JRNSO bit and a secret key for wireless communication in accordance with the present invention. The first node generates a CIR estimate from the transmission information sent by the second node and the second node generates a CIR estimate from the transmission information sent by the first node (step 302). In order to correct the inconsistency of the CIR estimate produced by the first node with the CIR estimate produced by the second node (and, optionally, to support synchronization of the CIR estimate), the first node may use a parity bit (and Optionally, a synchronization signal / code is transmitted to the second node (step 304). The parity bit is generated by error correction coding in the CIR estimate generated by the first node. The second node synchronizes the CIR estimate generated by the second node with the CIR estimate generated by the first node using the sync signal / code transmitted by the first node or by using the other schemes described above (step 306). The second node then performs error correction decoding the synchronized CIR estimate with parity bits, thereby correcting for inconsistencies between the synchronized CIR estimate and the CIR estimate generated by the first node (step 308). Steps 302 to 308 may be repeated several times. In this way, the first node and the second node can obtain the same CIR estimate (JRNSO bit). The first node and the second node then generate a secret key from the same CIR estimate (step 310).

4 shows a flow diagram of a process 400 for deriving an encryption key using JRNSO bits in accordance with one embodiment of the present invention. In step 402, if the WTRU is associated with an AP, the WTRU determines whether the authentication type supported by the wireless network is IEEE 802.1x or PSK (step 404). If IEEE 802.1x is supported, the authentication, authorization, and accounting (AAA) server and the WTRU authenticate each other using digital certificates (step 406). As part of the authentication signaling, the WTRU sends an encrypted secret to the AAA server using the AAA server's public key so that only the AAA server can decrypt the encrypted secret using the corresponding private key. This secret is used as a seed to derive the encryption key. The AAA server then sends the secret to the AP (step 408). If the supported authentication type is PSK, the PSK is set as the default secret (step 410).

The AP and the WTRU generate JRNSO bits using the process described above (step 412). Note that the JRNSO bit may not be generated only after the secret has been delivered, but may be generated at any stage prior to the generation of the encryption key. The AP and the WTRU derive an encryption key using the secret and JRNSO bits (step 414). The AP and WTRU then exchange a portion of the encryption key to verify the key and identity (step 416). As is currently done in IEEE 802.11i, a group key can be derived and sent to the WTRU using the encryption key as a PTK (step 418).

If sufficient JRNSO bits have not been generated by the time the encryption key is ready to be derived, a process according to the IEEE 802.11i standard may follow. It should be noted that steps 402 to 410 are necessary for initial derivation and that encryption key update or refresh can only be performed by deriving a new JRNSO bit.

To update the key, for 802.1x, new secrets can be exchanged and new JRNSO bits can be generated, or alternatively, new JRNSO bits can be used with old secrets. Only the second option is available for the PSK case. History information may be used to authenticate the JRNSO bits. Both parties may cache some pre-accepted portion of the earlier keys. The attacker could not simply decrypt the master secret using the stolen private key, but would have to infer the derived old keys.

This process clearly separates the functionality of authentication and key generation in the system. The AAA server deals only with authenticating clients, while the AP handles key generation. This is different from IEEE 802.1x, where the AAA server is involved in both key derivation and authentication. JRNSO allows a new new encryption key to be derived dynamically hundreds of times per second (depending on channel conditions). This is different from the prior art where key updates are pre-programmed and not cryptographically new, and the prior art in which new secrets must be exchanged to generate new keys. There is no MK or PMK in the process 400 of the present invention. Therefore, this processing is simplified than the prior art.

In the existing 802.11i protocol, an attacker who obtained authentication credentials (for 802.1x) or PSK (for PSK authentication) would have to eavesdrop on signaling exchanges just to get the information on the encryption keys. In contrast, using the method of the present invention, since an attacker possessing an authentication credential (eg, a digital certificate or PSK) does not share the same channel shared by the WTRU and the AP and therefore cannot form the same JRNSO bit. The encryption key cannot be derived.

Under the current IEEE 802 standard, key updates are not really cryptographically secure because only the PTK changes and the MK and PMK remain the same. Since the PTK is a PMK appended with random information exchanged for plain text, updating the key would not serve any cryptographic purpose if the attacker had just inferred the PMK. The master secret used to derive the MK and then PMK serves cryptographic purposes, and as a result the secret is very long (e.g. 48 bytes). Thus, for a new key in IEEE 802.11i, it is necessary to exchange a really randomly derived long 48-byte number (this is resource intensive). However, according to the present invention, the exchanged secret services to authenticate the secret key derived from the JRNSO bit, and therefore only needs to be long enough (e.g., about 16 bytes) to prevent brute force attacks. This makes it possible to generate a new secret key whenever the key needs to be updated using JRNSO. Instead of one long secret being exchanged and three sets of keys (i.e. MK, PMK and PTK) derived, the present invention provides a simpler method of deriving keys where only one short secret is exchanged and one set of keys is derived. to provide. This saves power on the mobile device.

5 illustrates a flow diagram of a process 500 for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention. This process 500 is similar to the process 400. Steps 502 to 512 are the same as steps 402 to 412 and are therefore not described for simplicity of explanation. After the secret is delivered to the AP and the JRNSO bit is generated, the AP and the WTRU derive the PMK using the secret and the JRNSO bit (step 514). Thereafter, a group key is derived and sent to the WTRU as currently done in IEEE 802.11i (step 516).

6 illustrates a flow diagram of a process 600 for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention. In step 602, if the WTRU is associated with an AP, the WTRU determines whether the authentication type supported by the wireless network is IEEE 802.1x or PSK (step 604). If IEEE 802.1x is supported, the AAA server and the WTRU authenticate each other using digital certificates and exchange master secrets (step 606). The AAA server and the WTRU derive the MK using the master secret (step 608). The AAA server and the WTRU then derive a PMK from the MK and the AAA server sends this PMK to the AP (step 610). If the supported authentication type is PSK, the PSK is set as a PMK (step 611).

The AP and the WTRU generate JRNSO bits using the process described below (step 612). It should be noted that the JRNSO bit may not be generated only after the PMK is derived, but may be generated at any stage prior to the generation of the encryption key. The generation of JRNSO bits can be performed before deriving PMK (for 802.1x) to speed up the key derivation process. The generation of this JRNSO bit can also be performed during the 4-way handshake process to derive the PTK. This allows the system to conform to PSK authentication. Also, parity check can be performed at any time prior to inducing PTK.

The AP and the WTRU derive a PTK using the PMK and JRNSO bits (step 614). PTK can be derived as follows.

PTK = PRF (PMK, plaintext information, JRNSO bit)

Thereafter, as is currently done in IEEE 802.11i, group keys are derived and exchanged (step 616).

7 shows a flow diagram of a process 700 for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention. In step 702, if the WTRU is associated with an AP, the WTRU determines whether the authentication type supported by the wireless network is IEEE 802.1x or PSK (step 704). In this embodiment, PSK is not supported and only IEEE 802.1x is supported. If the PSK is of the type supported by the network, the process ends. If IEEE 802.1x is supported, the AAA server and the WTRU exchange the premaster secret and the AAA server sends the premaster secret to the AP (step 706).

The WTRU and the AP derive the MK using the premaster secret and JRNSO bits (step 710). The WTRU and the AP then derive the PMK using the MK and JRNSO bits (step 712). The AP and the WTRU derive a PTK using the PMK (step 714). Thereafter, the group key is derived and exchanged as currently done in IEEE 802.11i (step 716).

8 shows a flow diagram of a process 800 for deriving an encryption key using the Diffie-Hellman protocol in accordance with the present invention. The WTRU 802 and the AP 804 agree to use JRNSO to derive a key by exchanging a JRNSO initiation message and a JRNSO initiation confirmation for the AP (steps 812, 814). The WTRU 802 and the AP 804 generate JRNSO bits from the transmission information between each other based on the CIR estimates (steps 816 and 818). The WTRU 802 (leading portion) performs error correction coding on the generated CIR estimate to generate parity bits and sends the parity bits to the AP 804 (step 820). The AP 804 may perform error correction decoding using the received parity bits and optionally send a confirmation notification (step 822). Steps 816 to 822 may be repeated several times.

The WTRU 802 and AP 804 have a predefined lookup table (LUT) that stores secret numbers p and g (decimal) for mapping JRNSO bits to p and g values. For example, if the JRNSO measurement produces 5 bits of secret data, the WTRU 802 and AP 804 may select one of 16 possible eigenvalues for the prime number p and the other 16 values for base g. have. It should be noted that other methods, apparent to those skilled in the art, may be used in place of the LUT. The stored decimal number must be a large number, but according to the present invention it is not necessarily necessary to be as large as in the conventional Diffie-Hellman protocol because of the additional layer of security with p and g secrets. The prime number should also vary preferably to such an extent that it would be difficult for an attacker to guess the range of modulo values. Mapping JRNSO bits to LUT values can be publicly known, but because the attacker cannot eavesdrop on JRNSO measurements, the attacker does not know if the values are actually selected.

The WTRU 802 and the AP 804 select the secret integers a and b, respectively, and send g ^a mod p and g ^b mod p to the other party, respectively, deriving b and a (steps 824 and 826). The WTRU 802 and the AP 804 use it to derive the shared secret (step 828). The WTRU and the AP either transmit the encrypted JRNSO key using the shared secret or use the shared secret as the JRNSO key (step 830).

While the features and components of the invention have been described in particular combinations in the preferred embodiments, each feature or component may be used alone or in combination with the features and components of the invention, without the need for other features and components of the preferred embodiments. Or may be used in various combinations without its features and components.

1 shows a block diagram of a system comprising two communication entities for deriving a secret key in accordance with the present invention.

2 illustrates a discrepancy problem of the CIR estimates due to different starting points at the first node and the second node.

3 shows a flowchart of a process for deriving a secret key in accordance with the present invention.

4 shows a flowchart of a process for deriving an encryption key using JRNSO bits in accordance with an embodiment of the present invention.

5 shows a flowchart of a process for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention.

6 shows a flowchart of a process for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention.

7 shows a flowchart of a process for deriving an encryption key using JRNSO bits in accordance with another embodiment of the present invention.

8 shows a flowchart of a process for deriving an encryption key using a Diffie-Hellman key derivation algorithm in accordance with the present invention.

Claims (38)

A method of deriving a secret key to secure wireless communication between a first node and a second node, the method comprising: Generating, by the first node, a first channel impulse response (CIR) estimate based on a transmission transmitted by the second node; Sending a signal by the first node to the second node such that the second node generates a second CIR estimate; Generating, by the first node, a sync code from a signal transmitted by the second node; Generating parity bits by the first node performing error correction coding on the first CIR estimate; The first node sending the sync code and the parity bits to the second node such that the second node can synchronize the second CIR estimate with the first CIR estimate; Correcting the error of the first CIR estimate by the first node to produce a corrected CIR estimate; The first node generating a secret key based on the corrected CIR estimate Secret key derivation method comprising a. The method of claim 1, Postprocessing the first CIR estimate by the first node to remove noise and redundancy from the first CIR estimate Secret key derivation method further comprising. The method of claim 1, wherein transmitting the sync code and the parity bits to the second node comprises: Generating, by the first node, a multiplexed bit stream by multiplexing the sync code and the parity bits; The first node transmitting the multiplexed bit stream to the second node Secret key derivation method comprising a. 2. The method of claim 1, wherein the parity bits are generated by applying block coding to the first CIR estimate. 2. The method of claim 1, wherein the parity bits are generated by applying systematic convolutional coding to the first CIR estimate. delete 2. The method of claim 1, wherein the secret key is generated using a Diffie-Hellman key derivation algorithm. 8. The method of claim 7, wherein the first node maps the first CIR estimate and the second CIR estimate to at least one of a p value and a q value, respectively, for the p and q values for the Diffie-Hellman key derivation algorithm. Secret key derivation method. In a method of deriving an encryption key to secure wireless communication, Obtaining, by a wireless transmit / receive unit (WTRU), a connection with an access point (AP); Determining a seed in accordance with supported authentication; Generating a channel impulse response (CIR) estimate based on the signal received from the AP; Correcting the error of the CIR estimate to produce a corrected CIR estimate; Generating joint-randomness-not-shared-with-others (JRNSO) bits from the corrected CIR estimates; Deriving a master key using the seed and the JRNSO bit; Deriving a pairwise master key (PMK) using the JRNSO bit with the seed or the master key; Performing at least one of deriving a pairwise transient key (PTK) using the JRNSO bit with the seed or the PMK or the master key Encryption key derivation method comprising a. The method of claim 9, further comprising receiving a group key from the AP, And the group key is derived from the PMK or the PTK. The method of claim 9, wherein determining the seed comprises: If the supported authentication type is not based on a pre-shared key (PSK), authenticating to an authentication server and reporting the seed to the authentication server; If the supported authentication type is based on the PSK, setting the PSK as the seed, the master key or the PMK. Encryption key derivation method comprising a. 10. The method of claim 9, further comprising generating another JRNSO bit to update the encryption key. As a result, a new encryption key is generated using the new JRNSO bit. And the encryption key can be the seed, the master key, the PMK, or the PTK. The method of claim 9, further comprising reporting a portion of the encryption key to the AP to verify an encryption key. And the encryption key can be the seed, the master key, the PMK, or the PTK. delete The method of claim 9, wherein determining the seed comprises: If the supported authentication type is not a PSK type, authenticate to an authentication server, report a master seed to the authentication server, derive a PMK from the master seed, If the supported authentication type is PSK, use the PSK as the PMK, Using the PMK as the seed Determining the PMK by means of a. 16. The method of claim 15, Receiving a group key from the AP, And the group key is derived from the PMK or the PTK. delete delete delete 12. The method of claim 11, Receiving a group key from the AP, And the group key is derived from the PMK or the PTK. A system for deriving a secret key to secure wireless communication between a first node and a second node, The first node, A first channel estimator for generating a first channel impulse response (CIR) estimate from a transmission transmitted by the second node; An error correction encoder that performs an error correction encoding on the first CIR estimate to generate a parity bit, and corrects an error of the first CIR estimate to produce a corrected CIR estimate; A sync code generator for generating a sync code from the signal transmitted by the second node; A secret key generator for generating a secret key from the corrected CIR estimate; A transmitter for transmitting the sync code and the parity bits to the second node such that the second node can synchronize a second CIR estimate with the first CIR estimate / RTI > The second node, A second channel estimator for generating the second CIR estimate from a transmission signal transmitted by the first node; A parity bit demodulator for receiving the parity bits; A sync bit demodulator for receiving the sync code; A synchronization unit for synchronizing the first CIR estimate with the second CIR estimate using the received sync code; An error correction decoder for performing error correction decoding on the synchronized second CIR estimate using the received parity bits; Secret key generator for generating a secret key from the second CIR estimate after correcting the error Secret key deriving system comprising a. 22. The system of claim 21, wherein the first node further comprises a first post processor to post-process the first CIR estimate to remove noise and overlapping portions from the first CIR estimate, And the second node further comprises a second post processor to post-process the second CIR estimate to remove noise and redundant portions from the second CIR estimate. 22. The system of claim 21 wherein the error correction encoder is a block coder that applies block coding to the first CIR estimate. 22. The system of claim 21 wherein the error correction encoder is a systematic convolutional encoder that applies systematic convolutional coding to the first CIR estimate. 22. The system of claim 21 wherein the secret key is generated using a Diffie-Hellman key derivation algorithm. The Diffie-Hellman method of claim 25, wherein the first node and the second node remove the inconsistency of at least one of p and q, and then map the first and second CIR estimates to the Diffie-Hellman, respectively. Selecting at least one of p and q values for the key derivation algorithm. In a wireless transmit / receive unit (WTRU) for inducing a secret key to secure wireless communication, Includes memory electronically coupled to the processor, The processor comprising: Report the seed to the authentication server; Generate a channel impulse response (CIR) estimate of a communication signal received from an access point (AP); Correct the error of the CIR estimate to produce a corrected CIR estimate; Generate joint-randomness-not-shared-with-others (JRNSO) bits from the corrected CIR estimates; Deriving a master key using the seed and the JRNSO bit, deriving a pairwise master key (PMK) using the JRNSO bit with the seed or the master key, and using the JRNSO bit with the seed or the PMK Or derive a pairwise transient key (PTK) using the master key to perform at least one of the above. A wireless transmit / receive unit that is configured. 28. The system of claim 27, wherein the processor is configured to receive a group key from the AP, And the group key is derived from the PMK or the PTK. 28. The WTRU of claim 27 wherein the processor is configured to authenticate using IEEE 802.1x authentication. 28. The WTRU of claim 27 wherein the processor is configured to authenticate using pre-shared key (PSK) authentication and use PSK as the seed. 28. The WTRU of claim 27 wherein the processor is configured to report a portion of an encryption key to the AP to verify the encryption key. delete In a wireless transmit / receive unit (WTRU) for inducing an encryption key to secure wireless communication, Includes memory electronically coupled to the processor, The processor comprising: Report the master seed to the authentication server; Generate a channel impulse response (CIR) estimate of a communication signal received from an access point (AP); Correct the error of the CIR estimate to produce a corrected CIR estimate; Generate joint-randomness-not-shared-with-others (JRNSO) bits from the corrected CIR estimates; Derive a pairwise master key (PMK) from the master seed, To derive a pairwise transient key (PTK) using the PMK and the JRNSO bits A wireless transmit / receive unit that is configured. 34. The method of claim 33, wherein the processor is configured to receive a group key from the AP, And the group key is derived from the PMK or the PTK. 34. The WTRU of claim 33 wherein the processor is configured to authenticate using IEEE 802.1x authentication. 34. The WTRU of claim 33 wherein the processor is configured to authenticate using pre-shared key (PSK) authentication, such that a PSK is set to the master seed, master key, or the PMK. In a wireless transmit / receive unit (WTRU) for inducing an encryption key to secure wireless communication, Includes a memory coupled to and operated by the processor, The processor comprising: Report the pre-master seed to the authentication server; Generate a channel impulse response (CIR) estimate of a communication signal received from an access point (AP), Correct the error of the CIR estimate to produce a corrected CIR estimate; Generate joint-randomness-not-shared-with-others (JRNSO) bits from the corrected CIR estimates; Derive a master key from the premaster seed and the JRNSO bit, Derive a pairwise master key (PMK) from the master key and the JRNSO bit, Using the PMK to derive a pairwise transient key (PTK) A wireless transmit / receive unit that is configured. 38. The system of claim 37, wherein the processor is configured to receive a group key from the AP, And the group key is derived from the PMK or the PTK.

Images