U.S. patent application number 11/483176 was filed with the patent office on July 10, 2006 and published on 2007-06-28 as US 2007/0150740 A1, for a method for providing information security for wireless transmissions.
Invention is credited to Douglas I. Ayerst, Walter Lee Davis, Scott Alexander Vanstone.
United States Patent Application 20070150740, Kind Code A1
Davis; Walter Lee; et al.
June 28, 2007
Method for providing information security for wireless transmissions
Abstract
A wireless communication system includes a pager or similar device that communicates with a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for onward transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner, without the certificate, to the recipient.
Inventors: Davis; Walter Lee (Arlington, VA); Ayerst; Douglas I. (Delray Beach, FL); Vanstone; Scott Alexander (Campbellville, CA)
Correspondence Address: Ralph A. Dowell of DOWELL & DOWELL P.C., 2111 Eisenhower Ave, Suite 406, Alexandria, VA 22314, US
Family ID: 24731380
Appl. No.: 11/483176
Filed: July 10, 2006
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
09680501 | Oct 5, 2000 |
11483176 | Jul 10, 2006 |
Current U.S. Class: 713/180
Current CPC Class: H04W 12/069 20210101; H04L 2209/56 20130101; H04L 2209/80 20130101; H04L 9/321 20130101; H04L 9/3247 20130101; H04W 12/106 20210101; H04L 9/3263 20130101
Class at Publication: 713/180
International Class: H04L 9/00 20060101 H04L009/00
Claims
1) A method of communicating between a pair of correspondents
through an intermediary comprising the steps, registering one of
said correspondents with said intermediary to share an identifier,
preparing at said one correspondent a secure communication
including a message between said correspondents, preparing a
signature component including a derivation of said secure
communication and said identifier forwarding said signature
component to said intermediary and verifying said signature
component at said intermediary, attaching to said communication a
certificate of the public key and identity of said one
correspondent, and forwarding said communication and certificate to
said other correspondent.
2) A method according to claim 1 wherein said signature component
includes a nonce unique to each communication.
3) A method according to claim 1 wherein said communication
includes a message signed by said one correspondent.
4) A method according to claim 3 wherein said secure communication
includes ciphertext encrypted with a public key of the other of
said correspondents.
5) A method according to claim 1 wherein said intermediary recovers
said identifier from said signature component and retrieves said
certificate based on said identifier.
6) A method according to claim 1 wherein said intermediary forwards
said communication and certificate to a recipient who utilizes said
certificate to determine the public key of said one
correspondent.
7) A method according to claim 6 wherein recipient signs a message
including said public key of said one correspondent and forwards
said secure communication and said signed message to said other
correspondent.
8) A method according to claim 7 wherein said other correspondent
retrieves said public key of said one correspondent from said
signed message and extracts said message from said secure
transmission.
9) A method according to claim 1 wherein said registration includes
transferring a public key of said intermediary to said one
correspondent and transferring said public key of said one
correspondent to said intermediary.
10) A method according to claim 9 wherein said one correspondent
includes a public key of a trusted party and said intermediary has
a certificate of its public key signed by said trusted party, said
one correspondent verifying said public key of said intermediary
with said public key of said trusted party.
11) A method according to claim 10 wherein said public key of said
intermediary is used to sign its public key for secure transfer to
said intermediary.
12) A method according to claim 11 wherein said one correspondent
forwards authorization information to said intermediary during
registration and said intermediary verifies that said one
correspondent is not prior registered with a certifying
authority.
13) A method according to claim 12 wherein said authorization
information includes an address particular to said one
correspondent for identification by said certifying authority.
14) A method according to claim 11 wherein said identifier is
transferred from said intermediary upon verification by said
certifying authority.
15) A method according to claim 14 wherein transfer of said
identifier is secured by the public key of said one correspondent
and said private key of said intermediary.
Description
[0001] This application is a continuation of U.S. patent
application Ser. No. 09/680,501 filed on Oct. 5, 2000.
[0002] The present invention relates generally to cryptographic
schemes, and specifically to cryptographic schemes relating to
wireless applications.
BACKGROUND OF THE INVENTION
[0003] Information security is required to secure many types of
transactions performed electronically using a wide range of
computing and communication technologies. As consumers demand more
flexible, convenient services, technologies such as wireless
networks, paging infrastructures and smart cards are being deployed
to support critical, information sensitive applications including
account inquiries, electronic cash, secure communications and
access control. One of the key features of each of these
technologies is that they offer consumers the convenience of
service anywhere, any time. The convenience offered to consumers
results in a challenge for the vendors to create smaller and faster
devices while providing a high level of security for information
computed and transmitted.
[0004] Information security is provided through the application of
cryptographic systems (commonly referred to as cryptosystems). The
two main classes of cryptosystems are symmetric and public key. In
a symmetric cryptosystem, two users wishing to participate in a
secure transaction must share a common key. Therefore, each user
must trust the other not to divulge the key to a third party. Users
participating in a secure transaction using public key
cryptosystems will each have two keys, known as a key pair. One of
the keys is kept secret and is referred to as the private key,
while the other can be published and is referred to as the public
key. Typically, applications use a combination of both these
classes of cryptosystems to provide information security. Symmetric
technologies are typically used to perform bulk data encryption,
while public key technologies are commonly used to perform key
agreement, key transport, digital signatures and encryption of
small messages.
[0005] Since the introduction of public key cryptosystems, there
have been many implementations proposed. All of these public key
systems are based on mathematical problems which are believed to be
hard, that is, it is thought that breaking a system is equivalent
to solving a hard mathematical problem. These problems are
generally easy to solve for numbers that are small in size, but
become increasingly difficult as larger numbers are used. One of the
differences among the systems is how large the numbers have to be
so that the system is too hard to solve given present and
anticipated computing power. This is typically linked to the length
of the key and referred to as the key size. A system using a small
key size while maintaining a high level of security is considered
better, as it requires less information to be transmitted and
stored.
[0006] Diffie-Hellman key agreement provided the first practical
solution to the key distribution problem by allowing two parties to
securely establish a shared secret over an open channel. The
original key agreement protocol provides unauthenticated key
agreement. The security is based on the discrete logarithm problem
of finding an integer x given a group generator α and an element β
such that α^x = β.
[0007] Rivest Shamir Adleman (RSA) was the first widely deployed
realization of a public key system. The RSA system is a full public
key cryptosystem and can be used to implement both encryption and
digital signature functions. The security of the RSA cryptosystem
depends on the difficulty of factoring the product of two large
distinct prime numbers. To create a private key/public key pair, a
user chooses two large distinct primes P and Q, and forms the
product n = PQ. With knowledge of P and Q, the user finds two values
e and d such that (M^e)^d mod n = M.
[0008] The public key of the user is the pair (e, n) while the
private key is d. It is known that the recovery of d from e and n
is computationally equivalent to the recovery of P and Q, and thus
to factoring n.
[0009] Elliptic curve cryptosystems are based on an exceptionally
difficult mathematical problem. Thus, elliptic curve systems can
maintain security equivalent to many other systems while using much
smaller public keys. The smaller key size has significant benefits
in terms of the amount of information that must be exchanged
between users, the time required for that exchange, the amount of
information that must be stored for digital signature transactions,
and the size and energy consumption of the hardware or software
used to implement the system. The basis for the security of the
elliptic curve cryptosystem is the assumed intractability of the
elliptic curve discrete logarithm problem. The problem requires an
efficient method to find an integer k given an elliptic curve over
a finite field, a point P on the curve, and another point Q such
that Q = kP.
[0010] In this system, the public key is a point Q on an elliptic
curve (represented as a pair of field elements) and the private key
is an integer k. Elliptic curves are defined over an underlying
field and may be implemented over the prime field F_p (the integers
modulo a prime p) or over characteristic-2 finite fields F_2^m,
where m is a positive integer.
[0011] There are typically three levels in a cryptosystem, which
are encryption, signatures, and certificates. These three levels
can be implemented using the above-mentioned systems or a
combination thereof.
[0012] The first level of a cryptosystem involves encrypting a
message between correspondent A and correspondent B. This level is
vulnerable to attack since there is no way for correspondent A to
verify whether or not correspondent B sent the message, or if a
third party in the guise of correspondent B sent the message.
[0013] Therefore, the second level of signing a message was
introduced. Correspondent B can sign the encrypted message using,
for example, a hashing function to hash the original message. If
correspondent A uses the same hashing function on the decrypted
message and it matches the signature sent by correspondent B, then
the signature is verified. However, a third party may act as an
interloper. The third party could present itself to correspondent A
as if it were correspondent B and vice versa. As a result, both
correspondents would unwittingly divulge their information to the
third party. Therefore, the signature verifies that the message
sent by a correspondent is sent from that correspondent, but it
does not verify the identity of the correspondent.
[0014] To prevent this type of attack, the correspondents may use a
trusted third party (TTP) to certify the public key of each
correspondent. The TTP has a private signing algorithm and a
verification algorithm assumed to be known by all entities. The TTP
carefully verifies the identity of each correspondent, and signs a
message consisting of an identifier and the correspondent's public
key. This is a simple example as to how a TTP can be used to verify
the identification of the correspondent.
[0015] Some of the most significant emerging areas for public key
cryptosystems include wireless devices. Wireless devices, including
cellular telephones, two-way pagers, wireless modems, and
contactless smart cards, are increasing in popularity because of
the convenience they provide while maintaining a low cost and small
form factor.
[0016] However, implementing the above mentioned cryptosystems
requires computational power, which is limited on such wireless
devices. Therefore, there is a need for a cryptosystem that
provides all of the advantages as described above, but requires
less power from the wireless device.
SUMMARY OF THE INVENTION
[0017] In accordance with the present invention there is provided a
method of communicating between a pair of correspondents through an
intermediary comprising the steps, registering one of said
correspondents with said intermediary to share an identifier,
preparing at said one correspondent a secure communication
including a message between said correspondents, preparing a
signature component including a derivation of said secure
communication and said identifier forwarding said signature
component to said intermediary and verifying said signature
component at said intermediary, attaching to said communication a
certificate of the public key and identity of the said one
correspondent, and forwarding said communication and certificate to
said other correspondent.
BRIEF DESCRIPTION OF THE DRAWINGS
[0018] An embodiment of the invention will now be described by way
of example only with reference to the following drawings in
which:
[0019] FIG. 1 is a schematic drawing of a pager system;
[0020] FIG. 2 is a representation of a registration process for the
system of FIG. 1;
[0021] FIG. 3 is a representation of a message transfer system for
the system of FIG. 1
[0022] FIG. 4 is a schematic representation of an alternative
embodiment of a communication system.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
[0023] For convenience, like numerals in the description refer to
like structures in the drawings. Further, although the description
refers only to pagers, it is intended that the description includes
wireless devices in general.
[0024] Referring to FIG. 1, a paging system is represented
generally by the numeral 100. A first pager 102 is operatively
coupled with a first home terminal 104 through a wireless
communication. The first home terminal 104 is operatively coupled
to a second home terminal 106 via a network 108 and the second home
terminal 106 in turn is operatively coupled to a second pager 110.
The pagers 102, 110 are typically coupled to their respective home
terminals 104, 106 by radio frequency. The network 108 is typically
a public switched telephone network (PSTN), but can include a data
network, and the Internet.
[0025] Before a pager 102 can communicate with the home terminal
104 it must be registered. Every pager 102 contains a subscriber
unit address and a public key Q_C of the pager manufacturer or
service provider (herein referred to as the company public key).
This information is loaded at the manufacture stage. The company
public key Q_C corresponds to a company private key d_C.
[0026] Each home terminal 104 has a private key d_H and a public
key Q_H. The public key Q_H is signed by the company private key
d_C to create a certificate denoted C_M. The company public key
Q_C could be system wide or defined for a given region. A
subscriber purchases a pager 102 from a retail outlet and the pager
is then loaded with a home index 112 and identifier ID using the
protocol outlined below. The home index is typically a 32-bit index
which uniquely identifies the pager 102 and correlates it with a
specific home terminal 104.
[0027] The subscriber calls a number, typically a toll-free number,
to contact a service provider and a home terminal 104 is assigned.
The home terminal 104 sends the pager 102 its public key Q_H and
its certificate C_M. The pager verifies Q_H against C_M using the
company public key Q_C. The pager generates a private key d_P and a
corresponding public key Q_P, which is communicated to the home
terminal 104. The pager 102 sends to the home terminal 104 the
necessary authorization information (including identification,
credit card number, subscriber unit address, and the like)
encrypted under the home terminal public key Q_H. The home terminal
obtains confirmation from a central repository that this subscriber
unit has not already been activated, which prevents counterfeiting
of subscriber units. The home terminal 104 sets up a subscriber
account and sends the pager 102 its home index and identifier ID,
encrypted under Q_P and signed by the home terminal.
[0028] Each pager 102 in a paging infrastructure 100 is registered
with a home terminal using the registration protocol described
above. The pagers have a private and public key pair d_P, Q_P, each
approximately 20 bytes in length. The home terminals 104 have a
private and public key pair d_H, Q_H, each approximately 25 bytes
in length. It is desirable to have a longer key length at the home
terminal to provide additional security. Further, since the home
terminal 104 does not have the same power constraints as the pager
102, the extra computational power required for the longer key is
not a significant issue. The additional security at the home
terminal 104 is important since a compromise of the home terminal
would permit counterfeiting of subscriber units.
[0029] To reduce the computational requirements on the pager, and
thereby the power required to send a message M, each of the pagers
102 has a certificate registered for it at the home terminal 104.
The certificate, cert_ca, validates the public key Q_P and the
identity ID. Each of the home terminals maintains a table of its
pagers and their associated certificates. Rather than having the
pager sign and send the certificate with each message to the home
terminal, the certificate cert_ca is signed by the pager's home
terminal and held there. The transmission process used to implement
such a protocol is described in detail below.
[0030] Referring once again to FIG. 1 and FIG. 3, the first pager
P_1 wishes to send a message M to a recipient, e.g. a second pager
P_2 having a public key Q_P2. The sender P_1 initially obtains an
authentic copy of the recipient's public key Q_P2. The first pager
P_1 calculates the ciphertext W of a signed message M such that
W = E_{Q_P2}(S_P1(M)), where E_{Q_P2} is encryption under the
public key Q_P2 and S_P1 is the signature of the first pager on
message M using its private key d_P1.
[0031] The first pager also calculates a signature
m_a = S_P1(h(W) || CN || ID_P1), where h(W) is a hash of W, such as
SHA-1, CN is a timestamp or some other nonce, ID_P1 is the unique
identifier of the first pager, and || represents concatenation. The
first pager then transmits the signature m_a and the signed,
encrypted message W to the first home terminal.
[0032] The signature m_a is used by the home terminal 104
associated with pager P_1 to verify that P_1 is a legitimate user.
To avoid a challenge-response authentication, and so save time and
bandwidth, the hash of the message W and a nonce CN, which is
unique for each transmission, are coupled with the ID of P_1 and
signed. The nonce is used to prevent replay of the transmission; W
is a signed, encrypted form of the message M. Signing then
encrypting is preferred over encrypting then signing.
[0033] The first home terminal receives m_a and W from P_1 and uses
m_a to verify that P_1 is a legitimate user. ID_P1 is recovered
from m_a, and the first home terminal retrieves the certificate
cert_ca for P_1 from the corresponding table and attaches it to W.
cert_ca is a full certificate such as X.509 and consists of l
bytes. There is no loss of security in storing the cert_ca
certificates at the first home terminal, since a certificate is
public data whose integrity is protected by its issuer's signature.
[0034] In addition to saving computational power on the pager, the
bandwidth requirement of the transmission from the pager to the
base are reduced since the pager does not have to transmit a
certificate.
[0035] The first home terminal 104 stores a pre-computed table of
values which allows it to increase the speed of verifying P.sub.1's
signature. Alternately, if verification is fast enough, as would be
the case with a hardware implementation, the table of values is not
required.
[0036] The first home terminal then removes the signature component
m_a and transmits the signed, encrypted message W and the
certificate cert_ca to the recipient. Since the recipient in this
example is the second pager 110, W and cert_ca are sent to the
second home terminal 106, which has public and private keys Q_P3
and d_P3 respectively.
[0037] The second home terminal 106 receives the transmission and
verifies Q_P1 using cert_ca(Q_P1, ID_P1). To save bandwidth, the
second home terminal 106 signs Q_P1 according to the signature
function S_{d_P3}(W || Q_P1 || ID_P1) and sends the result along
with W to P_2. A time stamp CN_1 may be included to prevent replay
attacks. P_2 trusts the second home terminal to do this honestly.
The pager P_2 can then verify W and recover the message M using its
private key d_P2 and the sender's public key Q_P1. Q_P1 has been
validated by the second home terminal 106 against cert_ca and
vouched for by its signature, and therefore communicating between
the second home terminal 106 and the second pager 110 in this
manner keeps the certificates off the transmission channel and
reduces bandwidth requirements.
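The transfer of paragraphs [0029] to [0037], carried end to end, as an added example that is not part of the patent and not the applicants' code. It is written against the Python standard library only, so textbook RSA at a 512-bit demonstration size and a SHA-256 counter keystream stand in for the Nyberg-Rueppel and elliptic-curve primitives the patent assumes (none of these stand-ins is a secure choice for real use); the field widths follow paragraphs [0038] to [0040] (4-byte ID, 4-byte nonce) with a 32-byte hash in place of SHA-1's 20. Registration is assumed already done: cert_ca for P_1 sits in H_1's table and H_2 is assumed to hold an authentic copy of H_1's public key. The function names, the `seen` nonce sets and the signed-fields-in-the-clear encoding (the patent's Nyberg-Rueppel signature recovers its message; this one does not, so h(W), CN and ID_P1 travel beside the signature) are this example's own.

```python
# Added example, not from the patent: the pager-to-pager transfer of [0029]-[0037], stdlib only.
# Textbook RSA-512 and a SHA-256 counter keystream stand in for Nyberg-Rueppel and EC. Demo only.
import hashlib
import secrets
E, SIG = 65537, 64  # fixed public exponent; bytes in one RSA-512 signature or wrapped key

def _is_probable_prime(n, rounds=20):  # Miller-Rabin with random bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def keygen(bits=512):  # (n, d) as in [0007]-[0008]; 512 bits is a demo size, not a secure one
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(c) and c not in primes and (c - 1) % E:
            primes.append(c)
    p, q = primes
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(d, n, data):  # S_d: textbook RSA over SHA-256, no padding (demo only)
    return pow(_h(data), d, n).to_bytes(SIG, "big")
def verify(n, data, sig):
    return pow(int.from_bytes(sig, "big"), E, n) == _h(data)

def _stream(k, length):
    return b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(n, data):  # E_Q: RSA-wrap a fresh 256-bit key k, XOR the body with stream(k)
    k = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(k, "big"), E, n).to_bytes(SIG, "big")
    return wrapped + bytes(a ^ b for a, b in zip(data, _stream(k, len(data))))

def decrypt(d, n, ct):
    k = pow(int.from_bytes(ct[:SIG], "big"), d, n).to_bytes(32, "big")
    return bytes(a ^ b for a, b in zip(ct[SIG:], _stream(k, len(ct) - SIG)))

def make_cert(d_H, n_H, ID_P, n_P):  # cert_ca = (ID_P || Q_P) signed by the home terminal [0029]
    body = ID_P + n_P.to_bytes(SIG, "big")
    return body + sign(d_H, n_H, body)

def pager_send(M, d_P, n_P, ID_P, n_to, CN):  # [0030]-[0031]
    W = encrypt(n_to, M + sign(d_P, n_P, M))          # W = E_{Q_P2}(S_P1(M)): sign, then encrypt
    body = hashlib.sha256(W).digest() + CN + ID_P     # h(W) || CN || ID_P1 ...
    return W, body + sign(d_P, n_P, body)             # ... and its signature together form m_a

def home1_forward(W, m_a, cert_table, seen):  # [0032]-[0033], [0036]
    body, sig = m_a[:-SIG], m_a[-SIG:]
    hW, CN, ID = body[:32], body[32:36], body[36:40]
    cert = cert_table.get(ID)                         # H1's table of registered pagers
    if cert is None or hW != hashlib.sha256(W).digest():
        raise ValueError("unknown pager or m_a does not bind this W")
    if not verify(int.from_bytes(cert[4:4 + SIG], "big"), body, sig) or (ID, CN) in seen:
        raise ValueError("bad pager signature or replayed nonce")
    seen.add((ID, CN))
    return W, cert                                    # m_a dropped, cert_ca attached

def home2_forward(W, cert, n_H1, d_H2, n_H2, CN1):  # [0037]; n_H1 assumed known to H2
    body, sig = cert[:-SIG], cert[-SIG:]
    if not verify(n_H1, body, sig):
        raise ValueError("bad cert_ca")
    body = body[4:4 + SIG] + body[:4] + CN1 + W       # Q_P1 || ID_P1 || CN1 || W
    return body + sign(d_H2, n_H2, body)              # no certificate goes over the air

def pager_receive(T3, d_P, n_P, n_H2, seen):  # [0037]: Q_P1 is trusted on H2's signature alone
    body, sig = T3[:-SIG], T3[-SIG:]
    Qb, ID, CN1, W = body[:SIG], body[SIG:SIG + 4], body[SIG + 4:SIG + 8], body[SIG + 8:]
    if not verify(n_H2, body, sig) or CN1 in seen:
        raise ValueError("bad home terminal signature or replayed nonce")
    seen.add(CN1)
    signed = decrypt(d_P, n_P, W)
    if not verify(int.from_bytes(Qb, "big"), signed[:-SIG], signed[-SIG:]):
        raise ValueError("bad sender signature")
    return ID, signed[:-SIG]

def demo(M=b"meet at 9"):  # constructed end-to-end run; returns (ID_P1, recovered M)
    (n_H1, d_H1), (n_H2, d_H2), (n_P1, d_P1), (n_P2, d_P2) = (keygen() for _ in range(4))
    ID_P1 = b"\x00\x00\x00\x01"
    table = {ID_P1: make_cert(d_H1, n_H1, ID_P1, n_P1)}  # outcome of registration
    W, m_a = pager_send(M, d_P1, n_P1, ID_P1, n_P2, secrets.token_bytes(4))
    W, cert = home1_forward(W, m_a, table, set())
    T3 = home2_forward(W, cert, n_H1, d_H2, n_H2, secrets.token_bytes(4))
    return pager_receive(T3, d_P2, n_P2, n_H2, set())

if __name__ == "__main__":
    print(demo())
```

Running the module prints the (ID_P1, M) pair that P_2 recovers. The two `seen` sets are the replay check that the nonces CN and CN_1 exist for: presenting the same m_a to home1_forward a second time, or delivering a T3 with any byte altered, raises ValueError, which a receiver should treat as a dropped message. Note where trust sits: H_1 never sees M (it only verifies m_a and looks up cert_ca), H_2 is the only party that checks cert_ca, and P_2 accepts Q_P1 purely because H_2 signed it, exactly the "trusts the second home terminal to do this honestly" caveat of [0037].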
[0038] An example of the bandwidth requirements for such a method
is as follows. Suppose M consists of t bytes. If the Nyberg-Rueppel
protocol is used for signing the message, t+20 bytes are required
for S_P1(M). A further 20 bytes are used to encrypt S_P1(M),
therefore W is t+40 bytes in length. Hashing h(W) uses 20 bytes if
SHA-1 is used. The nonce CN uses 4 bytes and the identification
ID_P1 uses 4 bytes. Once again, if Nyberg-Rueppel is used for
signing, 20 additional bytes are used, so m_a is 20+4+4+20 = 48
bytes. Therefore, the transmission between the first pager and the
first home terminal uses (t+40)+48 = t+88 bytes.
[0039] For the transmission from the first home terminal to the
second home terminal, W uses t+40 bytes and cert_ca uses l bytes,
and therefore the bandwidth required is t+l+40 bytes.
[0040] For the transmission from the second home terminal, W uses
t+40 bytes, Q_P1 uses 20 bytes, ID_P1 uses 4 bytes, and CN_1 uses 4
bytes. Therefore, using Nyberg-Rueppel with the 25-byte home
terminal key for signing, the bandwidth used in sending W,
S_{d_P3}(W || Q_P1 || ID_P1) and the nonce CN_1 is a total of
25+(t+40)+20+4+4 = t+93 bytes.
[0041] In the above example, the transmission is from pager to
pager. However, the protocol may also be used from other input
devices, for example a DTMF telephone as illustrated in FIG. 4. In
this case, the transmission T_1 would be W and cert_ca(Q_D; ID_D),
where Q_D and ID_D are the public key and identity of the
telephone.
[0042] The transmission T_2 would be W and cert_ca(Q_D; ID_D), and
the transmission T_3 to the pager, after verification of cert_ca,
would be Q_D, W, ID_D and CN, all signed by the home terminal.