Method and system for managing application security keys for user and M2M devices in a wireless communication network environment
Pre Shared Keys (“PSK”) for application and data session security are generated using application authentication secret values stored in a SIM device/card. The SIM internally uses the secret values as inputs to a security algorithm engine, but the secret values are not accessible outside of the SIM. The application authentication secret values cannot be used to authenticate the SIM, or a device that includes the SIM, to a communication network. Rather, symmetric keys and keying material are generated for use by applications outside of the standard and conventional wireless networking uses of a SIM device. Updated PSKs are generated at different network endpoints such that the PSKs are generated individually and separately at the endpoints; the ‘preshared’ keys are not actually shared. Thus, a client endpoint and a server endpoint, or an endpoint associated with the server, independently generate the same PSK without the PSK being transmitted between the endpoints.
This application claims priority under 35 U.S.C. § 119(e) to U.S. provisional patent application No. 62/309,639 entitled “Method and system for managing security keys for user and M2M devices in an LTE and GSM environment,” which was filed Mar. 17, 2016. This application also claims priority under 35 U.S.C. § 120 to, and is a continuation of, U.S. patent application Ser. No. 15/206,210, which was filed Jul. 8, 2016, and which is a continuation-in-part of U.S. patent application Ser. No. 15/141,487 entitled “Method and system for managing security keys for user and M2M devices in a wireless communication network environment,” which was filed Apr. 28, 2016, and which claims priority to U.S. provisional patent application No. 62/309,639, all of which applications listed above are incorporated herein by reference in their entireties.
FIELDThe field relates, generally, to Internet of Things systems and devices and, more particularly, to a system and method for managing application connectivity security, application authorization, and/or application authentication keys for devices connecting to a Wireless Wide Area Network (“WWAN”).
BACKGROUNDThe Internet of Things (“IoT”) is a recent development in which everyday objects have connectivity to data networks allowing them to send and receive data to other devices or systems. The connectivity enables the devices to achieve greater value and service by exchanging data with other systems, servers and controllers. Sometimes this connectivity is used for remotely monitoring and remotely controlling the connected device. IOT systems generally refer to the integrated use of telecommunications devices in embedded systems for transmitting, receiving, controlling, remotely storing and processing information. More simply, IOT refers to smart devices sending, receiving and storing, information via telecommunication devices over the World Wide Web (“WWW”).
Other than the convergence of telecommunications and information processing, the term IOT may also refer to automation of various processes relating to the controlling and managing remote devices and systems. For example, an IOT system can report the inventory status of a remote vending machine, operate its e-payment systems, update its advertising display-content on the exterior of the machine and report its interior temperature to provide an enhanced experience for the customers. IOT systems can allow a homeowner to remotely monitor and control the heating and air conditioning systems utilizing a smart thermostat while it is also connecting to centralized servers to support intelligent energy efficiency and consolidated energy usage reports. It may also synchronize the energy usage with other nearby systems to smooth out localized energy usage peaks, lowering overall peak energy demand on public utilities such as electricity and natural gas. It may monitor weather conditions and synchronize water usage for non-essential activities such as landscape watering and fountain or pool water replenishment.
An IOT device may be connected to a larger network, usually the Internet, using an ever-expanding number of methods. Early connected devices were networked with each other using proprietary localized networks created using multi-drop serial networking techniques or simple non-standardized, proprietary wireless networks. Those devices generally communicated with local gateways or controllers and were rarely remotely operable. As wide area networks were established, creative ideas drove the concept of connecting and controlling devices beyond the reach of the local network. As new technologies drive the cost of embedded electronics, sensors, and connectivity lower the interconnection of devices and systems becomes more common.
Another major development that has contributed to the expansion of the IOT is the rollout of centralized “cloud computing” services. Cloud computing allows application software to be operated using centralized, sometimes virtualized, Internet connected services. The foundation of cloud computing is based on the broader concept of shared services and a converged infrastructure. Cloud computing or simply “the cloud” relies on the sharing of resources and the economies of scale to deliver services. Combining the capabilities of the low cost, emerging and connected smart devices with the expanse of connected cloud computing environments has created a technological opportunity to develop innovative solutions that will enhance automation in nearly every aspect of life.
Early Internet connected devices required complicated and expensive gateways to establish the Internet Protocol (“IP”) connectivity. In the early days of the IOT, Ethernet, the primary physical connectivity medium, required expensive and power hungry hardware. The software stacks to implement IP were large and complicated and not easily ported to hardware systems unless the hardware included significant processing power and memory. Many of those IP stacks required an advanced operating system that further drove the hardware complexity. Over the last few years, micro computing and memory technologies have advanced to the point where the full operating systems can be ported to very small and cost effective platforms. Some of the new single-chip micro computing platforms that have been introduced over the last five years are powerful enough to include an IP stack, real-time operating system and sensor management to support an advanced smart device.
Advances in the various physical layer communication devices and technologies have also encouraged the deployment of connected devices. For example, Wi-Fi is a wireless local area network (“WLAN”) computer networking technology that allows electronic devices to connect directly to the Internet thru a Wi-Fi wireless access point (“WAP”). Wi-Fi networks typically operate using low power transmitters on unlicensed spectrum at either 2.4 GHz or 5 GHz. The specifications for Wi-Fi networks are based upon IEEE 802.11 standards. Although the name “IOT” infers a connection to the Internet, in many cases the connection is using a medium and technology that may using “Internet Protocol” [IP] but may not have direct connection or access to the public Internet. The reasons for selecting a different connection type are many and may include the perceived security of an isolated network.
As the network of connected devices expands the critical nature of the information carried to and from these connected devices expands. Some of the information may be critical because it carries command and control messages that may create undesired affects on the users. Mismanagement of industrial control systems (“ICS”), which include supervisory control and data acquisition (“SCADA”) systems, distributed control systems (“DCS”) and smaller control systems including programmable logic controllers (“PLC”) in the industrial control sectors can lead to significant challenges. ICSs are typically used in industries such as electric, water, oil, gas and transportation, as well as manufacturing sectors such as chemical, pharmaceutical, pulp, paper, food and beverages. The threats and vulnerabilities to these systems are widely recognized. For example, errant control of wastewater management systems can lead to significant environmental damage. Another example might be a traffic signal control network in a metropolitan area. Mismanagement of the control and synchronization of stop lights on a roadway can increase travel times, increase fuel usage, add to air pollution and raise tempers. On a more simplistic level, mismanagement of a water sprinkler control system can wreck havoc with an individual's landscaping, but on a broader scale, it can cause massive water shortages in a region if a significant number of systems were activated simultaneously.
The above examples highlight industrial command and control systems, but equally important are simple domestic remote monitoring and control systems for home management that operate on the Internet. A thermostat that monitors household temperature and is controlled by human presence could publish the thermostat status to a “cloud” server. A home security alarm system could publish the armed/disarmed status to a “cloud” server. Both systems could lead to significant vulnerabilities if that information becomes available to local criminals.
Any time data travels from a machine-to-machine device, computer, smart phone, tablet or similar user operated device, over an accessible medium, whether it is wireless, wired or optical or any other usable and accessible medium, the data is subject to vulnerabilities and threats from unwanted parties. New security solutions must be able to secure the data, regardless of the source and the destination or the medium used to carry the data. Unencrypted data transmission using the wireless wide area networks (“WWAN”) using modern CDMA, HSPA or LTE networks is very secure over the air interface. However, some portion of the transmission also traverses a wired IP network where the unencrypted data is vulnerable.
Mobile applications on smart phones or tablets are a significant user of mobile data, and many, if not most use the public WWAN networks for data communications. In reality, the air interface of the WWAN turns out to be the most secure medium carrying the data traffic from the device to the application servers. The WWAN air interface is far more secure that Wi-Fi for carrying application traffic. Unfortunately, the “last mile” from the tower to the device is only a small part of the path carrying the data.
It is becoming customary to use Public Key Infrastructure (“PKI”) cryptography methods such as Transport Layer Security [TLS] to secure consumer data between consumer devices and the application servers. Unfortunately TLS using standard PKI methods only solves part of the security problem. The desire of modern data security systems is to insure confidentiality, authenticity, and integrity. Without going into all the possible system vulnerabilities, it should be obvious to most that security weaknesses are discovered almost every day with existing data security techniques.
SUMMARYThe following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview and is intended to neither identify key or critical elements nor delineate the scope of such embodiments. Its purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
Aspects disclosed herein address, inter alia, WWAN devices connected using 4G Long Term Evolution (“LTE”), and 2G and 3G Global System for Mobile Communications (“GSM”) networks or other networks that use an identity module, such as a Subscriber Identity Module (“SIM”) card, for subscriber authentication and authorization of the communication channel. Discussion of an aspect relates to establishing, operating, and maintaining a secure end-to-end application data session on mobile wireless devices that rely on GSM/UMTS, LTE or CDMA for the wireless portion of the transmission, or other devices using similar operating methods, wired or wireless, which devices include a Subscriber Identity Module (“SIM”), Universal Subscriber Identity Module (“USIM”) or similar identity module with an integrated circuit chip that is intended to securely store an international mobile subscriber identity (“IMSI”) and its related security keys which are used to identify and authenticate subscribers on a mobile telephony device (such as mobile phones, smart phones, tablets, computers, wireless hotspots and IoT devices that connect thru the WWAN), where said identification and authentication is conventionally for identifying and authenticating the mobile devices to available wireless networks and the devices' home network operator(s) for the purpose of communication identity, access, billing management, and privileges. Generally, for purpose of discussing aspects disclosed herein, the terms identity module and SIM generally refers to 3G or 4G implementations of a SIM, typically known in the wireless device industry as a USIM. In addition, the terms identity module and SIM may refer to any physical or logical implementation of the aspects disclosed herein, whether the aspects use physically independent hardware (i.e., separate from an identity module) or are virtually or remotely (with respect to a given wireless communication device) implemented within another device, regardless of whether the aspects are referred to as SIM, eSIM, USIM, CSIM, or any other current, or future, designation.
This disclosure presents aspects that use a SIM card, SIM card technology, and SIM card techniques to operate an extremely secure end-to-end data session over-and-above authentication of a wireless device to a wireless network, using secondary security information (use of the term secondary here means in comparison to the primary securing of authentication operations between a wireless device's identity module and a wireless network for purposes of authenticating the device/identity module), over and above the existing WWAN air-interface encryption technology, but additionally adding confidentiality, authenticity, and integrity from the wireless device to an end device, regardless of whether the end device is a server or another user device. Aspects disclosed herein can provide data security between the single device containing the SIM card to multiple endpoints wherein security credentials are unique for each endpoint, and wherein no other endpoint has the capability of decrypting unintended communications.
Aspects disclosed herein use newly-added functionality and capability of a SIM card for TLS security (or similar symmetric encryption/decryption secure data session technology), thereby bypassing cumbersome PKI methods and related potential security flaws. The aspects disclosed herein use a wireless identity module, or SIM card, which typically has excess storage space, to store secret application-related information and to perform a SIM card security algorithm, to generate a set of data which is used as a “Pre-Shared Key” input to a TLS cryptographic protocol known as TLS-PSK (including TLS-PSK cipher suites that include Perfect Forward Secrecy (“PFS”).
Novel aspects disclosed herein preclude the need to share pre-shared keys for use in a data communication session, thus largely preventing pre-shared keys used for TLS, or similar, secure communication sessions from becoming known, thus preventing TLS communications from being compromised, and thus minimizing, or eliminating, the need to change the TLS key known by both ends of a communications circuit, which has heretofore been typically difficult with mobile wireless devices.
As a preliminary matter, it will be readily understood by those persons skilled in the art that the present invention is susceptible of broad utility and application. Many methods, aspects, embodiments, and adaptations of the present invention other than those herein described, as well as many variations, modifications, and equivalent arrangements, will be apparent from, or reasonably suggested by, the substance or scope of the present invention.
Accordingly, while the present invention has been described herein in detail in relation to preferred embodiments and aspects, it is to be understood that this disclosure is only illustrative and exemplary of the present invention and is made merely for the purposes of providing a full and enabling disclosure of the invention. The following disclosure is not intended nor is to be construed to limit the present invention or otherwise exclude any such other embodiments, adaptations, variations, modifications and equivalent arrangements, the present invention being limited only by the claims appended hereto and the equivalents thereof.
In the world of data communications, public-key cryptography (“PKI”) refers to a set of cryptographic algorithms that are based on mathematical equations that currently have no efficient solution—particularly those inherent in certain integer factorization, discrete logarithm, and elliptic curve relationships. Public-key cryptography more generally refers to a cryptographic method that uses asymmetric cryptography, an encryption and decryption set of algorithms that utilize a key-pair with one key used for encryption and an associated key used for decryption. The key pair allows one key to encrypt and only the complementary, associated key to decrypt. Specifically, the key used for encryption cannot be used for decryption, and vice-versa. Almost all algorithms allow either key to encrypt or decrypt, but the specific key that is used to encrypt cannot be the same used to decrypt. Most generally, one key is identified as the private key and remains a secret to all but the key pair owner/issuer, and the other key is the public key and may be know to everyone.
From a computational perspective, it is relatively easy to generate public and private key pairs since those need to be generated very rarely and as long as the private key remains secure the key pair can be reused for months or years. The strength of PKI cryptography lies in the computational impossibility, or impracticality, of determining the private key from knowledge of its corresponding public key. Thus the public key may be published without compromising the security of the communications. In operation, the holder of a public key may encrypt a message and broadcast that message, but only the holder of the associated private key may decrypt that message. Furthermore, the holder of a private key may use a special signing algorithm on a message using the private key to generate a signature. The public key can be used with a special signature-verifying algorithm to insure the authenticity of a signature. Although this appears useless since the public key is possibly known by everyone, any receiving party, or receiving device, can determine that the message is genuine if the associated public key does, in fact, confirm the authenticity of the message. This is known as signing the message. Message security depends on keeping the private-key private.
Asymmetric encryption, as described above is computationally intensive. Asymmetric encryption also requires long encryption keys to ensure security. Because of the computational complexity of asymmetric encryption, it is typically only used for short messages such as used for the transfer of a secondary encryption key, typically a symmetric key. Because of the computational complexity of asymmetric encryption, longer messages use a simpler and less computationally demanding symmetric encryption algorithm for actual payload of a data session. Symmetric encryption uses the same key for encryption and decryption.
In operation, PKI cryptography establishes a data session and uses the asymmetric key algorithms to secure the communications channel for the exchange of additional data to authenticate one or both ends and one or more secret symmetric keys between the parties to be used with symmetric key algorithms. To authenticate the identity of the first party, the private key is used to provide a digital signature to the second party. The public key of the first party is signed by a known and trusted certificate authority (“CA”) using the CA's own private key. The second party relies on the trust of the validity of the CA's public key, usually preloaded in his system. If the second party is able to successfully authenticate the first party's digital signature, then the first party must be authentic. The process will sometimes include the reverse process where the first party authenticates the second party. Once all authentications are complete, one or more secret keys are exchanged between the parties. Once the keys are exchanged, the security algorithm is switched at both ends simultaneously to a symmetric key algorithm and a secure encrypted data session is established.
The methods of PKI cryptography are slow and very computationally intensive for both ends of the communication channel. Although the methods provide a reasonable level of security, there are many missing pieces. For example, typically TLS using PKI cryptography is used to secure a connection between a well-known first party (for example a bank) and a second party that is unknown to the first party (for example a new customer). Because server (or first party) certificates usually expire after a few years, a human user is expected to authorize the session to continue the first time, or the first time after a renewal. Usually the user (or second party) does not have a certificate certifying his own identification for a site/server (or first party) and would likely not have his own certificates for all sites. Certificates are generally large and with today's devices, are manually loaded for each site.
For devices that are part of the machine-to-machine (“M2M”) world, PKI cryptography has another challenge. Unless the device has a powerful processor with ample program execution and temporary storage, the PKI algorithms are a significant burden. Getting certificates loaded into permanent storage on each device is an additional challenge that adds a burden to the PKI system requirements. Many of the M2M devices don't have significant user interfaces or human operators that allow certificates to be managed. The low computing power and memory limited processors used by M2M devices are referred to as constrained devices and because of the storage and processing limitations, constrained devices don't operate well in a PKI world. Most M2M devices use custom protocols at the application level and they operate as a system with a specific server designed to handle the custom protocol and services of the device. Since most M2M devices operate in this “closed” environment, it is not necessary to connect an anonymous device to an anonymous and unknown server. It is generally the case for the system operators on the server side of M2M systems (i.e., a private IP network, such as an enterprise network, or such as a vehicle telematics environment that includes devices in vehicles that communicate with a back end telematics server) to have prior knowledge of devices that will operate on their system.
Fortunately for the constrained device world (i.e., wireless device world), with the above noted considerations, TLS supports a technology that offers solutions to most of the challenges of encryption, authentication, and integrity. TLS has a ciphersuite mode called Pre-Shared Key, or (“PSK”) for short. PSK uses a pre-shared key with symmetric cryptography methods along with existing cipher and message authentication code algorithms to secure a data communications channel. By using aspects disclosed herein, it is not necessary for a secure application data session to start with another data session using an asymmetric key to exchange the symmetric key to be used during the actual application data session. The pre-shared key, known to both the first party (server) and the second party (client) allow for a very secure session without the processor intensive mathematical computations and possible insecurities of the PKI session setup.
At 1230, the client receives the messages sent by the server and forwards the client “PSK identity” to the server. Lastly, the message sequence at 1230 includes a ChangeCipherSpec and that the TLS handshake is authenticated by including a Finished message. At 1240, if the server accepts the PSK identity, it too sends a ChangeCipherSpec and a Finished message. At 1250 and 1260 Application Data is passed between the client and the server.
TLS-PSK, by itself, has a few weaknesses and for normal computer data sessions, one of the major weaknesses is that of “forward secrecy”. Forward secrecy is an issue and challenge only if the pre-shared key is later compromised. If communications are recorded and a pre-shared key becomes known, it is possible to decrypt all previous communications that used that specific pre-shared key. This may not be a significant problem for many IoT device applications because the access to repetitive, control and “current status” data may be useless if it become visible weeks or months after the fact. The IoT device remains secure for practical purposes as long as the current accessibility and visibility is blocked.
The lack of forward secrecy also plagues some of the other TLS methods and some of the predecessor Secure Socket Layer (“SSL”) methods as well. The industry standards bodies and researchers have been hard at work developing solutions to this problem (and others) and as a result, they've standardized PSK ciphersuites that eliminate the forward secrecy problem and deliver Perfect Forward Secrecy or (“PFS”). Essentially PFS is a characteristic, which can be summarized as: actual encryption is done with a key that does not remain (i.e., it's ephemeral: lasting for a very short time) and is thus immune to ulterior theft. These advanced PSK ciphersuites use a Diffie-Hellman algorithm or an Elliptic Curve Cryptography key exchange method to generate a transient key pair. Unfortunately these ciphersuites are more computationally demanding and will significantly tax constrained processors (such as may be found in wireless, IoT devices). The advantages of all the PSK ciphersuites over methods not including a PSK are that they provide a simple, mutual authentication solution to the application.
Diffie-Hellman key exchange, Elliptic Curve Cryptography key exchange, and Rivest/Shamir/Adleman (“RSA”) key exchange are all specific methods of securely exchanging cryptographic keys over public channels. Diffie-Hellman key exchange (“DHKE”) sometimes referred to as EDH or DHE is used to provide forward secrecy in TLS's ephemeral modes. The original DHKE method does not provide authentication of the communicating parties and by itself is thus vulnerable to man-in-the-middle attacks. U.S. Pat. No. 4,200,770 describes the original DHKE as a cryptographic system that transmits a computationally secure cryptogram over an insecure communication channel without prearrangement of a cipher key. Essentially DHKE provides enciphered communication between arbitrary pairs of systems without the necessity of the systems agreeing on an enciphering key beforehand.
RSA involves a public key and a private key. The public key can be known by everyone or every device and is used for encrypting messages. The intention is that messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key. To enable a second party to send encrypted messages, a public key must be sent reliably (but not necessarily secretly) from the first party to the second party. In a public-key cryptosystem, each user (or perhaps only the first party) places an enciphering key in a public file. The user secures and protects the deciphering key as a secret. Once distributed, the public key can be reused over and over by many parties to secure communication channels with the first party. Public key cryptography can reliably verify the identify of a user (or first party) via the digital signatures that are created from the digital certificates that are stored in the public as long as the root of trust traces back to the aforementioned trusted certificate authority. No transactions similar to the above DHKE to exchange secret key are required to initiate private communication. The only setup is that each user who wishes to receive private communications must place his enciphering key in a public file. The RSA communication methods are described in U.S. Pat. No. 4,405,829.
An additional special relationship between encryption and decryption keys exists with RSA. PKI solutions operate when the following relationships exist:
-
- 1) Decrypting message M′ that was encrypted using Encryption key A requires Decryption key A and the result is message M
- 2) Decrypting message M′ that was encrypted using Decryption key A requires Encryption key A and the result is message M.
- 3) Decrypting message M′ that was encrypted using Encryption key B requires Decryption key B and the result is message M
- 4) Decrypting message M′ that was encrypted using Decryption key B requires Encryption key B and the result is message M
The encryption key and the decryption key can be used interchangeably to encrypt a message and if the encryption key is used to encrypt a message; only the decryption key can decrypt the message. If the decryption key is used to encrypt a message, only the encryption key can decrypt the message.
Although each of the above methods used for key exchange may facilitate relatively secure key exchange each has been shown to have certain vulnerabilities, especially with shorter key lengths or flawed random number generators with RSA, or with shorter primes used by DHKE. Various algorithm attacks have demonstrated that some of the popular choices for the above data lengths may be cracked by someone with sufficient budget and resources. To avoid these vulnerabilities, experts today recommend the use of elliptic curve cryptography (“ECC”), which has no known instances of cracking. Supposed benefits of ECC include smaller key size, reduced storage and transmission requirements, which are especially critical in IoT and constrained processor implementations. For example a 256-bit ECC public key should provide comparable security to a 3072-bit RSA public key for asymmetric encryption operations. However, some are skeptical of the security robustness of ECC.
Considering the possible weaknesses associated with the various asymmetric encryption methods used for the key exchange algorithm, the symmetric encryption methods used for bulk encryption of data are significantly stronger when used with an AES quality of algorithm. Even if a symmetric cipher is currently unbreakable by exploiting structural weaknesses in its algorithm, it is possible to run through the entire space of keys in what is known as a brute force attack. With a key length of n bits, there are 2n possible keys. This number grows significantly as n increases. The large number of operations for a 128 bit key is 2128 operations, which is widely considered out of reach of brute force attacks by conventional digital computing techniques for the near term. In the future, quantum computing may bring the attacks down to a more manageable time and the need for more bits could accelerate. Encryption experts generally agree that when using symmetric encryption with an AES-quality algorithm, 128 bits of security offers adequate security thru about 2030; 192 bits offers long term protection and 256 bit of security should be secure for the foreseeable future.
Almost all recently-discovered security vulnerabilities are a result of cracking the asymmetric key encryption used for the symmetric key exchange process (i.e., authentication and session set-up), while the symmetric key algorithms used for encryption of actual data communications remain secure. Exploiting the structural weaknesses in the encryption algorithm used for the “symmetric key exchange” has been the root cause of almost all, if not all, known past TLS security vulnerabilities.
Inventing a data security system and method is not typically undertaken by the faint-of-heart, or by any one individual. It typically takes a community to develop, to refine, and to fully vet a new data security method and system. For an organization to design a security algorithm and hold the details secret won't garner trust among a community of potential users. A data security solution must be fully vetted and accepted by the data security research community. Security by obscurity is not actually security at all. The exact method and algorithm details must be fully published, challenged by the security research community and mathematicians, and the best solutions will have full source code implementations published for all to examine. However, aspects disclosed herein circumvent these challenges.
Transport Layer Security pre-shared key ciphersuites (i.e., TLS/PSK) are a set of cryptographic protocols that provide secure communication between endpoints based on PSKs. These pre-shared keys are symmetric keys shared in advance among the communicating parties. Using pre-shared keys can, depending on the ciphersuite, avoid the need for public key operations. This is especially useful if TLS is used in performance-constrained devices where processing power and memory might be limited. There are fundamentally three different ciphersuites; the first uses symmetric key operations for encryption and authentication. The second set uses the aforementioned Diffie-Hellman key exchange authenticated with a pre-shared key. The third set combines public key authentication of the server using RSA and certificates along with mutual authentication of the client using a PSK. The second ciphersuite creates a solution that provides Perfect Forward Secrecy. As previously mentioned, these ciphersuites have advantages but also bring the burden of the requirement for significant processing resources both on the server side as well as the client side, which burden is a limiting factor for constrained devices.
Part of all TLS cipher suite implementations is a stream or block cipher that depends upon the previously mentioned symmetric key. It is this stream or block cipher that ultimately carries data securely between the endpoints. As previously mentioned, there are symmetric key ciphers that have been thoroughly vetted thru years of testing, mathematical analysis, and academic research. Although there have been new implementations, some of the algorithms have aged very well where the same cannot be said for the Handshake Protocol that is used to set up the secure communication channel of the Record Protocol, and specifically the process used to exchange the symmetric key.
The most used symmetric key algorithm at the time of this disclosure is the Advanced Encryption Standard (“AES”) otherwise know as Rijndael. This standard is a specification for the encryption of electronic data established by the United States National Institute of Standards (“NIST”) and Technology in 2001. It is based on the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. The Rijndael cipher is actually a family of ciphers with different key and block sizes. NIST actually selected three different members of the Rijndael family, with block sizes of 128 bits and key lengths of 128, 192 and 256 bits.
AES has been adopted by the U.S. Government and is now used worldwide. It supersedes the Data Encryption Standard (“DES”), which was published in 1977. The announcement to adopt by the United States followed a five-year standardization process where fifteen competing designs were presented and evaluated. AES became the first publicly accessible and open cipher approved by the National Security Agency (“NSA”) for top-secret information.
As soon as the standard was released, researchers began working to develop a practical attack. For cryptographers, a practical attack is anything faster than a brute force attack. A brute force attack is the process of performing one trial decryption for each possible key. Although AES has been extensively studied for nearly sixteen years, at the time of preparing this disclosure, no publicly revealed successful attacks on AES have been performed and noted. The most successful attack yielded a small gain, the equivalent of using a 126-bit key instead of 128-bits and it would still take billions of years of brute force calculations based on current and foreseeable future hardware. At the time of this disclosure, there are no known practical attacks that would allow anyone to read and understand correctly implemented AES encrypted data.
In view of the foregoing, a secure data security solution can easily integrate with existing TLS standard ciphersuites if it avoids using public key operations. At the time of this disclosure, TLS/PSK ciphersuites are significantly secure when used with AES or a similarly secure block or stream cipher. A risk, as previously discussed, is that without PFS, once a PSK has been discovered, all previous communications, if recorded may now be decrypted. Additionally, without secondary key operations of DHKE, or ECC or similar, there is no way to securely transfer a new AES PSK to a remote client if the PSK has been compromised. It should be clearly understood that in PSK operations, security is dependent upon a secure side channel to deliver (i.e., share) the PSK with endpoints that are to become endpoints of a secure data session. If the secure side channel remains secure, the main channel will remain secure. If the main channel is compromised, without PFS techniques, it is impossible to update the PSK over the main channel without the risk that the new PSK will become compromised. Accordingly, this disclosure describes novel aspects of a system and method to, without sharing a preshared key (PSK) to, or between, endpoints, securely update a PSK used at endpoints of a session to securely transport data communication systems that use pre-shared keys as the primary method of securing the communication channel.
Identity modules, such as SIM cards, are integrated circuit cards or chips that are actually special purpose, portable memory and processor chips. The SIM card is intended to securely store the international mobile subscriber identity (“IMSI”) and its related key, which is used to identify and authenticate subscribers on wireless networks. From a physical perspective, SIM cards are sometimes removable and sometimes permanently affixed to their associated wireless device platform. In the case of consumer devices, having a removable SIM allows a user's ‘personality’ and additional SIM contents to be easily transferred between devices, such as smart phones, tablets, handsets, and similar devices. Besides storing a user's personality, SIM cards have been used to store customer contacts lists. Although SIM cards identify and authenticate the subscriber to a wireless network, they only provide identification and authentication of a device they are associated with to a wireless network. Functionality of the SIM includes the capability to generate encryption keys, but these encryption keys are used solely to encrypt the “air interface,” that is the communication link between the wireless device and the cell tower. Encryption, and thus security, facilitated by a conventional SIM, does not extend between the cell tower and any other network element or device, whether it is between subscribers or between a subscriber (the device) and a network based application server. Additionally, the SIM card does not validate that the specific network to which the device is communicating is a specific network. A current SIM card only validates, thru associated side communication channels, that the card is authorized to communicate on the network by virtue of the fundamentals of inter-network roaming standards.
The wireless authentication methods are used principally for access to the operator Radio Access Network (“RAN”) but they have been adapted to generate the access credentials for Wi-Fi wireless access. Those methods are discussed in two different documents published and generally available. They are “Request For Comment 4186” (“RFC4186”), titled “Extensible Authentication Protocol for Global System for Mobile Communications (“GSM”) Subscriber Identity Module (“EAP-SIM”) and “Request For Comment 4187” (“RFC4187”) titled “Extensible Authentication Protocol Method for 3′ Generation Authentication and Key Agreement” (“EAP-AKA”). These documents discuss methods to ‘credentialize’ devices that already have SIM cards but have a need to access additional transport resources (specifically Wi-Fi) without having an additional credential storage and management system outside of the SIM card and the operator's Authentication Center (“AuC”). The methods described in EAP-SIM and EAP-AKA specifically use secret information that has been stored by, or on behalf of, the wireless operator specifically for wireless network access, authentication, and encryption. Sharing those credentials could present a weakness to the wireless operator's security methods and, the methods described by EAP-SIM and EAP-AKA require specific network equipment tie-in to access information stored in the authentication center, while requiring access to the operator's control plane signaling environment.
There have been attempts, such as “ETSI TS 133 220” “Generic Authentication Architecture; Generic Bootstrapping Architecture” (“GAA/GBA”), to use standardized and existing secret information and SIM card capabilities, but each of these attempts has focused on using the specific data already stored in a wireless network authentication algorithm input memory portion of a SIM card by or on behalf of a wireless network operator for storing network authentication inputs, and the functionality relied solely on a connection to the network operator's Authentication Center and invasive connections to the wireless operator's network by third parties. In contrast, aspects disclosed herein are operationally different, use new and different secret material stored in an application authentication algorithm input memory portion for storing inputs for application security, which are unrelated to the wireless operator's secret material, process the new application security inputs using different mechanisms, and specifically are designed for regular and ongoing PSK generation for applications unrelated to basic wireless transport. It is important to note that the GAA/GBA methods rely on a secret that is created and shared in advance specifically for the purpose of mobile network access credentialization, authentication, and security, whereas aspects disclosed herein use secret data created and adapted specifically for the purpose of application credentialization, authentication, and security and use a different security architecture designed specifically for application security without compromising wireless network security.
IOT devices don't necessarily need removable “personality” modules. In many cases, having a removable SIM could be a security vulnerability by itself. IOT devices also don't necessarily need the additional storage used for phone books and contact lists. As a result, SIM cards in IOT devices contain excess memory storage capacity that may go unused in typical IOT applications.
A typical SIM card contains methods that protect data within the device in which it is installed. Although technicians sometimes “de-cap” integrated circuit chips to evaluate chip failures, it is also possible to reverse engineer an integrated circuit by taking a photomicrograph of a chip with the plastic encapsulation removed. A photomicrograph is a photograph or digital image taken through a microscope or similar device to show a magnified image of an item, in this case, the integrated circuit silicon die. One skilled in the art of integrated circuit design, technology, and manufacturing processes used in the field of integrated circuits can reverse engineer and recover firmware bits or other soft configuration values stored in integrated circuits. Sometimes it requires a scanning electron microscope or transmission electron microscope. The state of the art in IC reverse engineering can be best understood through a white paper published on the Internet by Randy Torrance and Dick James of Chipworks Inc. This paper, “The State-of-the-Art in IC Reverse Engineering” explains techniques that can be used to reverse engineer an integrated circuit. See, www.iacr.org/archive/ches2009/57470361/57470361.pdf.
A SIM card is a special integrated circuit constructed using unique manufacturing techniques that cannot be easily reverse engineered by the traditional “de-cap” reverse engineering techniques. Eliminating the possibility of this method of reverse engineering could eliminate one level of security risk, but as mentioned above, security by obscurity isn't security at all. SIM cards are constructed using technologies such that data stored on them is destroyed during an attempted “de-cap” process.
Notwithstanding the physical methods used to protect SIM cards, additional methods are used to offer the necessary security for subscriber identification and authentication. With modern SIM operation techniques, successfully compromising a specific SIM only yields enough to compromise one wireless subscriber account. While it may become evident to the attackers what information, including unique subscriber keys, was present in the SIM prior to the attack, current techniques destroy the device in the process, rendering the process nearly useless for system level attacks.
From a software perspective, SIM cards have methods that protect the secure contents from direct examination. Although certain information is directly readable from the outside of the SIM by manipulating control signals on SIM cards, certain information is protected thru internal hardware and software mechanisms to prevent direct data extraction. For example, a SIM card usually contains an ICCID and/or IMSI. These values are usually either directly readable or they are only protected using simple personal identification number (“PIN”). Similarly, only a PIN may protect phone books and contact lists. However, security encryption algorithm portions and memory portions that store inputs to the algorithm portion are typically not accessible from outside the SIM, and are not changeable—the algorithm inputs are stored when the SIM is manufactured.
The mathematical security of cryptographic algorithms used by cellular networks as well as the detailed methods of managing them has changed as GSM has evolved from 2G to 4G networks. In the 2G SIMs, network operators could use a standard algorithm such as COMP-128 (also know as the A3/A5/A8 algorithms), or a completely custom algorithm, to authenticate GSM, generate session keys, and to encrypt the data transmitted over the radio air interface between the mobile station and the base station. Over the years flaws were discovered in the COMP-128 series of algorithms and eventually operators adapted COMP-128 or developed different custom algorithms in attempts to eliminate the weaknesses. As a result of these issues and the shorter key lengths of COMP-128, and the move towards a UMTS/LTE (3G/4G) standard, a new standardized security algorithm was developed. At the time of this disclosure, the standardized 3G/4G algorithm is an AES based MILENAGE algorithm. Another algorithm, TUAK, has been developed and standardized, and is an industry approved alternative to Milenage for security operations. Although Milenage is the subject of the discussion herein, it should be recognized by those skilled in the art that Milenage is but an example security algorithm and any algorithm, whether it is one of the older weaker algorithms, or any new or different algorithm, including TUAK can be utilized as an authentication algorithm processing engine as disclosed herein. It should be recognized that as time goes on, wireless industry algorithms like TUAK deliver progressively more keying material on a single pass and may be utilized without the dual pass shown and described in this disclosure infra.
Each SIM contains subscription details known only to the subscriber's home network. This information is well guarded by the network operator and the information is securely stored in the operator network so that it becomes nearly impossible to extract the secret information directly. On the SIM card, one SIM specific (subscriber specific) value is known as the Authentication key, or the subscriber key, or simply K. Older SIM documents have referred to this value as Ki. At the time of this disclosure, K is a unique 128-bit value that is stored on the SIM and which is also securely stored in the subscriber's home network Authentication Center AuC. Another value usually stored in newer SIMs, but not necessarily unique per subscriber, is the 128-bit Operator Variant Algorithm Configuration Field (“OP”).
Mobile network authentication and mobile device authentication methods can be modified for generating components for PSK-determination used for a TLS-PSK cryptographic session and validating the new key assignment (i.e., handshaking) for an application's session with a remote client, thus providing a complete, end-to-end, data security environment. Newer Milenage computations generate multiple keys, some of which are 128-bits. One key is the Integrity key IK and another key is the Confidentiality key CK.
For AES, a 128-bit high entropy key, for example, generated from truly random bits, is adequate and acceptable for encryption, but may not be optimal given most TLS implementations support up to 256-bit AES encryption. As mentioned previously, a brute force attack is one attack method and performing one trial decryption for each possible key would take billions of years of calculations based on current and foreseeable future hardware. The most successful attack on AES encryption yielded a small gain the equivalent of using a 254-bit key instead of the original 256 bits. As a point of reference a perfect encryption key is one that is merely a bit sequence of given length, each bit of which has been chosen at random uniformly and independently.
TLS typically uses two values, called ‘secrets’, one called a pre master secret (“PMS”) and the other and another called the “master secret”. The point of the pre master secret is to have a uniform format to generate the master secret. From the point where the master secret has been generated, TLS is generic. All keying material (i.e., material, or information, used to create a key for symmetric encryption/decryption) is generated from a uniform master secret. TLS supports several kinds of key exchange algorithms and in particular RSA asymmetric encryption, PSK, and various Diffie-Hellman variants all of which yield “shared secrets” (more specifically the components of a pre master secret) of varying size and format. After the master secret is generated, a standard and uniform method is used to generate the encryption key used for the symmetric encryption of the record protocol. It should be noted that while AES is the preferred encryption algorithm because of the time-proven robustness, it is likely that other encryption algorithms will be adopted in the future and this encryption key generated using the disclosed technology would work as well with those encryption algorithms.
With TLS 1.2, for all key exchange methods, the algorithm used to convert the pre master secret into the master secret is specified by the cipher suite. The master secret is typically 48 bytes in length. The length of the pre master secret typically varies depending on a given key exchange method and in the case of PSK, the length of the PSK itself.
The entire keyblock is derived as follows:
Once enough material is generated and stored in the key_block, the key_block is split into the encryption/decryption keys. Encryption or decryption depends on the direction. The key_block is sequentially split into the arrays:
where PRF is a Pseudorandom function and IV is initialization vector.
For TLS-PSK, the pre master secret is typically formed as follows. If PSK is N bytes long, the pre master secret consists of the 2-byte representation of the integer value of N, N zero bytes, the 2-byte representation of N once again and the PSK itself. (PMS=N∥0 . . . 0∥N∥PSK.) Essentially the pre master secret is typically two times the length of the PSK plus 4 additional bytes. Because the first half of the pre master secret is constant, the entire security of the secret relies on the second half, the PSK itself.
If using a ciphersuite that includes Diffie-Hellman with PSK, the pre master secret is typically formed as follows. First, perform the Diffie-Hellman computation in the same way as for other Diffie-Hellman-based ciphersuites in TLS. Let Z be the value produced by this computation (with leading zero bytes stripped as in other Diffie-Hellman-based ciphersuites). Concatenate the length of Z (in octets), Z itself, the length of the PSK (in octets), and the PSK itself [PMS=LENz∥Z∥LENpsk∥PSK].
If using a ciphersuite that includes RSA w/PSK, the pre master secret field sent from the client to the server contains a 2-byte constant C=48, a 2-byte version number V and a 46-byte random value R encrypted with the server's RSA public key, the length of the PSK (in octets), and the PSK itself. (PMS=C∥V∥R∥LENpsk∥PSK′) The pre master secret is thus 52 octets longer than the PSK.
According to the standards, TLS implementations supporting these ciphersuites MUST support arbitrary PSKs up to 64 octets in length. It is therefore desirable to generate a 64 octet (i.e., 512 bit) PSK using the SIM card for maximum effective key size and to minimize the opportunity for a brute force attacks.
If the maximum TLS PSK implementation is desired, there are a number of methods to reasonably deliver the number of unique and mathematically unrelated bits to be used as the PSK. Since a typical requirement of any security algorithm is to be fully published and vetted, varying the organization of the bits of the PSK is not useful for further obscuring the PSK. The effective key size is equal to K plus OP (or OP_C) as long as OP remains a secret. OP can be unique per device for a given SIM card causing the effective key size to be 256 bits. The options are many for generating unique outputs to CK and IK. It is possible to vary the two 128-bit constants c3 and c4 as well as the integers r3 and r4 on a second pass of Milenage to generate a different set of CK and IK. A better solution might be to create a second K and OP and run the Milenage “f3” and “f4” functions a second time with either the same RAND or a completely different RAND sent from the network, generating only the new CK and IK. Additionally, as described above, by creating unique CK and IK values by using non-zero c3 and c4 and different, but carefully chosen, r3 and r4, one can create 512-bit results by concatenating CK and IK from two different runs of Milenage. Each of CK and IK are significantly different and would result in a larger PSK to be used by the standard TLS function. As with K and OP, the values selected for c3 and c4 and r3 and r4 must be kept secret and may also be either constant across all SIMs or they may be selected on a per device basis as long as the peer server supports the storage of the unique values for each client device.
Perfect Forward Secrecy: The PSK and RSA_PSK ciphersuites do not provide Perfect Forward Secrecy. That is, if the shared secret key (in PSK ciphersuites), or both the shared secret key and the RSA private key (in RSA_PSK ciphersuites), is somehow compromised, an attacker can decrypt old conversations.
The DHE_PSK, ECDHE_PSK, or similar ciphersuites provide Perfect Forward Secrecy if a fresh Diffie-Hellman or ECC private key is generated for each handshake.
An environment in which novel aspects disclosed herein may be used is shown in
Preferably, device 110 uses a standard TLS-PSK or a similar TLS-PSK ciphersuite that may include other cipher functions as required, including, but not limited to, ECDHE and/or RSA or similar to identify, authenticate, insure message integrity, and encrypt the communications between device 110 and gateway 170. A PSK-ID is used to identify device 110 to Gateway 170. During establishment of a data session, a decision may be made by gateway 170, device 110, or any other server within the private cloud 175 to update the “working security credentials” of device 110 and of Gateway 170. The parameters that may be used to update the working security credentials (which may be referred to elsewhere herein as a WORKING PSK), and the criteria that may be used to trigger an update, are discussed infra. Once the decision is made to update the credentials, the PSK Generator 180 begins the update process by retrieving the current secret credentials contained in database 190 by using the PSK-ID as the identifier of device 110. A decision to update security credentials for use in securely communicating with a given device 110, or an application running thereon, may be made at each new connection request made by either wireless device 110 or an application server that seeks to query the wireless device.
Continuing with discussion of
Continuing with the discussion of method 700, which continues on
Turning now to
If the SQN is within an acceptable error range, the process moves into a resynchronization process at 930. Causes of an SQN error include an error in the PSKKeyGen database requiring a database restoration or a power failure during a write of the SQN in the SIM card in the wireless device. The resynchronization process automatically recovers the SQN synchronization on both ends. At step 930, the wireless device forwards an authentication failed and resynchronization notice to the PSKKeyGen along with AUT_CLIENT that includes the SQN that is currently present in the SIM card. At step 940, the PSKKeyGen extracts the SQN_Client from the AUT_CLIENT and subsequently calculates the expected MAC at step 950, using the stored credentials, and compares XMAC-C to the MAC-C at decision block 960. If again there is a failure, specifically the XMAC-C and the MAC-C fail to match, an authentication failure message is sent at 970 to the wireless device and method 700 ends, or perhaps returns to START shown in
Turning now to
At step 1010, the SIM card performs a second pass of Milenage and generates a second set of keying material/information CK-2 and IK-2 using the second random number RAND-2. At step 1020, the SIM card/wireless device forwards RES, calculated at step 810 on
These methods and systems described in the previous paragraphs describe a solution for pre-shared key generation and management for application level security in a wireless wide area network where a SIM card is present for the purposes of identification, authentication, and certification of the credentials for accessing wireless services. These methods use a new type of SIM card with storage portions that store application secret data used for authenticating applications and calculating a new pre-shared key for the purposes of application security. The secret security keys are securely stored and cannot be accessed by means outside of the SIM card. A second important aspect is that the security keys used for application security are easily updatable thru the system disclosed. Although this disclosure highlights the key creation of symmetric keys for use in TLS-PSK, it should be recognized that the methods and systems disclosed herein are applicable for any application security solution requiring symmetric keys.
The methods and systems described herein may be implemented in various ways. In an example, standardized APIs and methods may provide access to various resources of the SIM, which may also be referred to as a Universal Integrated Circuit Card (“UICC”). Some commands of those APIs permit direct reading or updating of SIM content and some of those commands manage aspects of the on-board computing assets of the UICC/SIM.
The APIs and Commands fit within a mobile device's wireless communication engine (which may be generically referred to herein as just a wireless engine (“WE”)), which is a subset of the Mobile Equipment (“ME”), for example an LTE user equipment device such as a smart phone, a telematics device in a vehicle, machine-to-machine devices such as vending machines, wearable devices, home appliances, home security systems, home entertainment systems, etc, as represented by device 110 shown in
“Java Card” Applets, or Applets written using any other programming language or methods, are used in a SIM to create security and authentication to an application server. In an exemplary implementation, an IMS SIM (“ISIM”) applet, or applet structure, can be copied and associated with one or more Application Dedicated Files (“ADF”) and appropriately named so that they, or instructions stored in them, may be selected, or invoked instead of a wireless network operator's applet and associated secret stored cryptographic information. A new PSK-generating-process is triggered by an external trigger event. The external trigger event may be a timer expiration, such as the expiration of security credentials for an application communication channel that indicates that new security credentials are needed for a secure communication session. After the trigger event occurs, a processor of the ME generates a message for the WE to perform a first SELECT command to select SECUR1. After the SECUR1 ADF has been selected by performing the first SELECT command, a first AUTHENTICATE command is performed. Performance of the first AUTHENTICATE command results in a first set of CK-1 and IK-1, which may be stored in an EFGBABP associated with the SECUR1 ADF. Next, a second SELECT command selecting SECUR2 may be generated and performed, which may result in performance of a second AUTHENTICATE command, and the subsequent storing of a second set of CK-2 and IK-2 into an EFGBABP associated with SECUR2 ADF.
An example of such a process is further shown in, and described below in reference to
It will be appreciated that an application referred to herein, running on an IoT device or a user's smart phone, as examples, may include applications on a device such as an e-mail application that needs to authenticate to an e-mail server. Other application client/server scenarios may include a fleet of vending machines wherein each vending machine has an application that communicates via the internet with a vendor/operator server to report vending machine health, network/connectivity health, sales statistics, inventory levels, and the like, or the vending machine may communicate similar information with a manufacturer whose goods are stocked within the vending machine. Other examples of applications may be an application running on a vehicle telematics device that communicates with a telematics server, applications running on home burglar alarm equipment that communicates with a alarm monitoring central station, applications running on personal wearable devices, such as fitness tracking devices, and other devices that may communicate personal information via an application to a secure application server.
In an aspect, authentication may be based on the 3GPP AKA protocol. When several applications are present on the AKA-capable UICC, then the WE may choose one of the UICC applications for performing the SELECT procedures described below and referenced to ETSI TS 102_221 herein. The WE may select an application based on a “Label” of the UICC security applet(s).
If a Security ADF different than an ISIM application(s) that is currently active is indicated to the WE security support function, which may be controlled by a different application, then the WE may not terminate the currently active ISIM application(s) but instead the WE may follow the procedure below when activating the Security ADF application indicated by the “Label”, as the WE may have several ISIM's (ADF's) active simultaneously.
Following UICC/SIM activation and corresponding “Answer To Reset” (“ATR”) messaging, the Master File (“MF”) in the UICC/SIM is automatically selected by default and becomes the current directory. Other ADFs may then be selected by using the SELECT function by entering, choosing, accepting, or otherwise using a SELECT command followed by File Identifier, which is described in European Telecommunications Standards Institute (“ETSI”) Technical Specification 102_221 v 11.0.0 section 8.4.1. Such entering, choosing, accepting, or otherwise using a SELECT command may be triggered by the need for updating security credentials as determined, for example, by the expiration of a timer as discussed above. Such updated credentials may be required before a secure communication channel may be established or a subsequent secure communication channel may be established after the current secure session terminates, for secure communication by an application running on user equipment 110, or by a machine-to-machine device that needs to authenticate to an application server according to a predetermined schedule or upon the detecting of a condition, such as low inventory in a vending machine, loss-of-power, health alert from a wearable device, an alarm condition in an industrial facility such as a manufacturing plant or a power generation plant, an intrusion alarm as part of a burglar alarm, or upon an event in a vehicle, such as a crash, a user operating a certain control or equipment, selecting a particular entertainment channel, program, or communications session, or upon the vehicle detecting a maintenance or safety condition. Selecting a dedicated file (“DF”), an ADF, or the MF sets the current operative directory of the UICC/SIM. After such a selection there is usually no currently selected Elementary File (“EF”). Selecting an EF sets the selected EF as a current EF; the current directory remains the DF, ADF, or MF, which may be (typically will be) the hierarchical parent of the selected EF.
Although a single pass of the AKA algorithm using secret and secure information corresponding to, or pointed to by, a selected file or directory may adequately authenticate the UICC/SIM and its corresponding ME to a given application server, two passes of the AKA with different inputs and/or keys (called K, or Subscriber Key as described above) or both are preferred. Using different RANDs and different Subscriber Keys results in even more secure keying material to be used for application security. Since the design of a SIM card, or other similar UICC, allows each applet (which may be selected by the ME and invoked by a triggering event such as a timer expiration) to securely reference its own specific corresponding cryptographic input data to the security algorithm (for Milenage) such as K, OP_C, C1-C5, R1-R5 and SQN discussed and described above, a preferred implementation isolates each of two different copies of ISIM, having a similar structure as the USIM, ISIM1 or ISIM2 referenced in
In an example, a response to a first AUTHENTICATE command may contain results that could indicate a failure at various levels, or the response could indicate a successful authentication process step by providing a result that includes confidentiality key CK-1 and integrity key IK-1 for the first pass as well as a result RES-1. These values should be stored at the ME as they are used for the generation of a PSK in the ME and for confirming with a working key manager (“WKM”), which may be gateway 170 as shown in
The ME subsequently forwards the RES-1 and RES-2 to the WKM, where the WKM compares the XRES-1 and XRES-2 received from the PSKKeyGen 180 as shown in
To facilitate the first secure connection between a ME containing a given SIM/UICC (typically a new SIM scenario), it is desirable to have the ME query the WE's UICC/SIM to retrieve an initial PSK. This may occur when a clerk loads a UICC/SIM into a smartphone at initial retail sale, when a salesperson inserts a UICC/SIM into a vehicle telematics device at vehicle delivery, by a vehicle manufacturing plant at manufacture of a vehicle with a telematics device installed, or at any other time when a mobile equipment device may be initialized for connection, or reinitialized for connection, to a communication network or for use over the communication network with an application server. As described above, it is desirable to pre-write the UICC/SIM card at the SIM factory with an initial value into elementary files EFGBABP in each of the corresponding SECUR1 and SECUR2 ADFs, as shown in
An aspect may use existing certified Java Applets replicated from an existing ISIM that uses an AKA already existing on the UICC/SIM, which typically uses a Milenage or a TUAK computation engine, but other algorithmic engines may be used. An aspect performs two discrete passes of the AKA algorithm, with the keying material CK-1, IK-1, CK-2, and IK-2, from the passes being merged externally to the SIM to yield a single PSK. This is what is shown in block 1330 of
For inputs to the AKA process, the ME device separates the RAND-1/AUT-GATEWAY-1 values from the RAND-2/AUT-GATEWAY-2 values and sends the values separately into each of the AKA AUTHENTICATION passes. Additionally, because of the desire to use Java Applets and ADF EF file structures that current UICC/SIMs may already contain for purposes of operator-controlled device-to-network connectivity, many of the EFs contained within each of the SECUR1 and SECUR2 ADFs may be empty and may not be used.
In the preferred implementation, each of the sets of cryptographic input and control values (i.e., K, OP_C, C1, C2, C3, C4, C5, R1, R2, R3, R4, R5 and SQN_MS) are used for cryptographically pure outputs. In an alternative implementation, however, it is possible that ONLY K and SQN_MS may be maintained uniquely in areas that securely store information corresponding to SECUR1 and SECUR2 ADFs, but not actually in the ADFs themselves, while OP_C, C1, C2, C3, C4, C5, R1, R2, R3, R4 and R5 may be shared between each pass of AKA (i.e., between a pass that uses keying material retrieved from SECUR1 and a pass that uses keying material that is retrieved from SECUR2). Furthermore, the values OP_C, C1, C2, C3, C4, C5, R1, R2, R3, R4 and R5 should not be shared with the operator's cryptographic inputs and controls.
Another important aspect is that although the solution is intended for wireless devices that are connected to a WWAN network where a SIM card is already present, for example a 2G GSM, 3G HSPA, or 4G LTE network, the SIM card methods could be applied to other devices where a SIM or SIM like device is installed and that are connected to the internet, whether wireless or wired. Although Milenage is highlighted as the preferred algorithm embodiment, newer SIM card algorithms like TUAK and future SIM card algorithms may also be substituted for Milenage and with similar storage of parameters combined and processed to generate an external PSK for short-term or long-term application security. Algorithms other than Milenage generally generate similar parameters, such as RES, XRES, MAC, and XMAC and use them in a similar manner as Milenage, but those skilled in the art may refer to the parameters differently. These different parameters that are used in similar ways as the ways disclosed and claimed herein are within the scope of the claims. In addition, instead of a SIM card, the methods disclosed herein may be embodied in hardware built into a wireless device (i.e., a chip dedicated to performing the methods disclosed herein) such that a SIM need not be part of the wireless device, or device connected via a wireless network, on which an application is running that carries out data transfer with an application server via a secure network session. Also, instead of a single identity module (i.e., a SIM card) that includes both a wireless network authentication algorithm input memory portion for storing network authentication inputs used to authenticate a wireless device that uses the identity module for communication over a wireless communication network, and an application authentication algorithm input memory portion for storing application authentication inputs used to authenticate one or more applications executed by the wireless device to a remote application server or used to generate a new preshared key, the wireless network authentication algorithm input memory portion and the application authentication algorithm input memory portion may be contained by separate identity modules, or similar circuitry, within a given device.
These and many other objects and advantages will be readily apparent to one skilled in the art from the foregoing specification when read in conjunction with the appended drawings. It is to be understood that the embodiments herein illustrated are examples only, and that the scope of the invention is to be defined solely by the claims when accorded a full range of equivalents. Disclosure of particular hardware is given for purposes of example. Some steps recited in the method claims below may be performed in a different order than presented in the claims and still be with the scope of the recited claims.
Claims
1-20. (canceled)
21. A device, comprising:
- a processor to: conduct a secure data communication session with a second device using a symmetric key encryption/decryption algorithm; wherein the processor does not use an asymmetric key to exchange a symmetric key that is to be used for the secure data session; and
- an application authentication algorithm input memory portion for storing network authentication input values that correspond uniquely to the communication device and that are used in the generation of a pre-shared key, which is used in the generation of the symmetric key.
22. The device of claim 21 wherein the application authentication algorithm input memory portion is included in an identity module.
23. The device of claim 21 wherein one or more of the network authentication input values are stored in elementary files.
24. The device of claim 21 wherein the communication device is a machine-to-machine device and the application authentication algorithm input memory portion is a portion of a SIM.
25. The device of claim 21 wherein the processor causes the performing of more than one pass of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key in generation of the pre-shared key.
26. The device of claim 21 wherein the pre-shared key is not shared with second device with which the first device conducts the data communication session.
27. A method, comprising:
- conducting a data communication session with a communication device using a symmetric key encryption/decryption algorithm without conducting another data communication session that uses an asymmetric key to exchange a symmetric key that is to be used for the secure data session, wherein the communication device includes an application authentication algorithm input memory portion for storing network authentication inputs that correspond uniquely to the communication device and that are used in the generation of a pre-shared key, which is used in the generation of the symmetric key.
28. The method of claim 27 wherein the application authentication algorithm input memory portion is included in an identity module.
29. The method of claim 27 wherein the generation of the pre-shared key and the generating of the symmetric key are performed according to a Milenage symmetric-key-generating algorithm.
30. The method of claim 27 wherein one or more of the network authentication inputs are stored in elementary files.
31. The method of claim 27 wherein the communication device is a machine-to-machine device and the application authentication algorithm input memory portion is a portion of a SIM.
32. The method of claim 27 wherein the generation of the pre-shared key includes performing more than one pass of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key.
33. The method of claim 27 wherein the pre-shared key is not shared with another communication device with which the communication device conducts the data communication session.
34. A method, comprising:
- receiving at a first network endpoint from a second network endpoint a message requesting that the first endpoint update an existing pre-shared key that is unique to the first endpoint for use for a secure communication session;
- transmitting a pre-shared key identifier (PSK-ID) from the first endpoint to the second network endpoint;
- receiving at the first endpoint a remote endpoint authentication value from the second network endpoint, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second endpoint and that is associated with the pre-shared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC);
- generating a result value (RES) by processing secret data that is associated in an identity module corresponding to the first endpoint if the received network authentication code (MAC) equals the expected network authentication code (XMAC),
- transmitting the result value RES from the first endpoint to the second endpoint; and
- generating at the first endpoint a new pre-shared key to replace the existing pre-shared key when the first endpoint receives a message from the second endpoint that the second endpoint has successfully generated a new pre-shared key for use for secure communication to the first endpoint.
35. The method of claim 34 wherein the first endpoint is a SIM card of a wireless communication device.
36. The method of claim 34 wherein the second endpoint is a pre-shared key generator.
37. The method of claim 36 wherein the pre-shared key generator is part of a communication network that includes an application server with which the first endpoint seeks to establish the secure session.
38. The method of claim 35 wherein the SIM card contains an application authentication algorithm input memory portion for storing application authentication inputs, including the secret data, used by an authentication algorithm processing engine that is to generate the pre-shared key that matches the new pre-shared key generated by the second endpoint, and wherein the SIM card contains an application dedicated file that is different from an application dedicated file that is used to store information used by a network operator and that points to the application authentication algorithm input memory portion to be used by the authentication algorithm processing engine to generate the PSK.
39. The method of claim 38 wherein the pre-shared key includes outputs generated from more than one execution of a portion of a symmetric-key-generating algorithm to increase the size of the pre-shared key in generation of the pre-shared key.
40. The method of claim 39 wherein each of the more than one execution of the portion of a symmetric-key-generating algorithm uses a different set of authentication algorithm inputs stored in the application authentication algorithm input memory portion.
Type: Application
Filed: Nov 12, 2018
Publication Date: Sep 17, 2020
Inventor: Charles M. Link, II (Atlanta, GA)
Application Number: 16/186,943