HK1119327A - Method and system for deriving an encryption key using joint randomness not shared by others - Google Patents
Method and system for deriving an encryption key using joint randomness not shared by others
- Publication number: HK1119327A (application HK08112953.2A)
- Authority: HK (Hong Kong)
- Prior art keywords: key, wtru, shared, node, master
Abstract
The present invention is related to a method and system for deriving an encryption key using joint randomness not shared by others (JRNSO). Communicating entities generate JRNSO bits from a channel impulse response (CIR) estimate, and the JRNSO bits are used in the generation of an encryption key. The authentication type may be IEEE 802.1x or a pre-shared key system. In an IEEE 802.1x system, a master key, a pairwise master key or a pairwise transient key may be generated using the JRNSO bits. The encryption key may also be generated using a Diffie-Hellman key derivation algorithm.
Description
Technical Field
The present invention relates to wireless communication security. More particularly, the present invention relates to methods and systems for deriving keys from joint randomness not shared by others (JRNSO).
Background
IEEE 802.11i is used to ensure that Wireless Local Area Networks (WLANs) operating under the IEEE 802.11 standard can communicate data securely using the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which in turn uses the Advanced Encryption Standard (AES) algorithm. To achieve this, IEEE 802.11i provides two schemes that enable a pair of communicating nodes to derive a key that can be used to encrypt the exchanged packets.
The first scheme is based on IEEE 802.1x authentication techniques, which require a remote authentication server (e.g., a RADIUS server). In IEEE 802.1x, an Access Point (AP) acts as a relay between a wireless transmit/receive unit (WTRU) attached to the AP and the authentication server. The authentication server provides a public key to the WTRU via the AP. The WTRU authenticates the public key by checking it against a digital certificate provided by the authentication server. The WTRU then generates a random secret (the master secret) and transmits it to the authentication server encrypted with the provided public key, so that only the authentication server can decrypt the master secret using the corresponding private key. The authentication server and the WTRU use this master secret to derive a Master Key (MK). The authentication server and the WTRU then derive a Pairwise Master Key (PMK) from the master key. The authentication server provides the pairwise master key to the AP. The AP and the WTRU then derive a Pairwise Transient Key (PTK) using the pairwise master key. A portion of the pairwise transient key is the Temporal Key (TK), which is used as the actual key in CCMP for encapsulating packets. This scheme is typically implemented in enterprise WLANs because it uses a remote authentication server and digital certificates, which are currently expensive.
The second scheme, better suited for home or small enterprise networks, uses a pre-shared key (PSK). In this scheme, a 256-bit user-configurable key is stored at each communicating node. Just as in IEEE 802.1x systems, when a WTRU wants to associate with the AP, the WTRU uses the pre-shared key as the pairwise master key (without deriving a master secret and a master key), derives a pairwise transient key, and uses a portion of the pairwise transient key as the temporal key.
There are at least two problems with IEEE 802.11i systems. First, the final temporal key is only as secure as the master secret exchanged in the IEEE 802.1x case, or as the pre-shared key in the home or small enterprise network case. In the IEEE 802.1x system, an intruder can decrypt the master secret by stealing the private key of the authentication server. In home networks, the pre-shared key can be obtained by brute force (home pre-shared keys are changed infrequently or result from "weak" cryptographic operations) or by stealing the key. Knowledge of the master secret or of the pre-shared key allows the intruder to arrive at the same pairwise master key and to derive the same pairwise transient key in the same manner as the two legitimate communicating nodes. Thus, knowledge of the authentication secret is sufficient to know the derived key. Furthermore, when the key is updated later in the session, the master key and the pairwise master key are typically left unchanged; only the pairwise master key (which is assumed to remain secret) and the information exchanged in the handshake are used to derive the new pairwise transient key. When the pairwise master key is not changed, the pairwise transient key is not fresh and therefore not a new key.
Furthermore, the key derivation process is very complicated and has many stages (e.g., master key, pairwise master key, pairwise transient key and temporal key). This consumes time and resources.
A key can be considered a sequence of bits. A fully random N-bit key is an N-bit sequence S shared by the entities. Even given all the information available in the system, any estimate of the key sequence by an outsider is distributed with roughly equal probability over all 2^N possible N-bit sequences.
Prior art cryptographic systems rely on the fact that it is extremely difficult, in terms of computational resources, to guess the cryptographic key. However, in most of these systems, once the correct guess is generated, it is very easy to verify that it is indeed correct. In fact, this applies to any public key system (i.e., where the encryption key is public and the decryption key remains secret).
For example, let p and q be two prime numbers and s = pq. It is well known that factoring s into its two prime factors is computationally very difficult. If a party secretly selects p and q and publishes their product s, which is then used as the key of an encryption system, messages cannot easily be decrypted unless p and q are known. An eavesdropper wishing to read the encrypted information may start by trying to factor s, which is known to be computationally hard. However, if the eavesdropper simply guesses p, it is very easy to verify that the guess is correct. This ability to recognize the correct answer is what distinguishes a computational secret from a perfect secret. A perfect secret means that even if the intruder guesses the key correctly, it has no way of determining that it has done so.
Thus, it is desirable to generate encryption keys whose secrecy is not limited in this way.
Disclosure of Invention
The present invention relates to a method and system for deriving keys using joint randomness not shared by others (JRNSO). The communicating entities generate JRNSO bits from a channel impulse response (CIR) estimate and use them to generate the key. The authentication type may be IEEE 802.1x or a pre-shared key system. In IEEE 802.1x systems, master keys, pairwise master keys and/or pairwise transient keys may be generated using the JRNSO bits. The key may also be generated using a Diffie-Hellman key derivation algorithm.
Drawings
Fig. 1 is a block diagram of a system including two communicating entities from which JRNSO bits and keys may be derived in accordance with the present invention.
Fig. 2 illustrates the channel impulse response estimate difference problem due to different starting points at the first node and the second node.
Fig. 3 is a flow chart of a process for deriving a key according to the present invention.
Fig. 4 is a flow chart of a process for deriving a key using JRNSO bits according to one embodiment of the present invention.
Fig. 5 is a flow chart of a process for deriving a key using JRNSO bits according to another embodiment of the present invention.
Fig. 6 is a flow chart of a process for deriving a key using JRNSO bits according to yet another embodiment of the present invention.
Fig. 7 is a flow chart of a process for deriving a key using JRNSO bits according to yet another embodiment of the present invention.
Fig. 8 is a flow diagram of a process for deriving a key using the Diffie-Hellman key derivation algorithm in accordance with the present invention.
Detailed Description
Hereinafter, the term "wtru" includes, but is not limited to, a user equipment, a Station (STA), a fixed or mobile subscriber unit, a pager, or any other type of device capable of operating in a wireless environment. When referred to hereafter, the terminology "Access Point (AP)" includes but is not limited to a node B, a base station, a site controller, or any other interfacing device in a wireless environment.
The features of the present invention may be incorporated into an Integrated Circuit (IC) or be configured in a circuit comprising a plurality of interconnected components. The present invention may be implemented as a Digital Signal Processor (DSP), software, middleware, hardware, application, or future system architecture. The elements may be subcomponents of a larger communication system or Application Specific Integrated Circuit (ASIC), while several or all of the processing elements may be shared by other elements.
In a wireless communication system, the radio channel provides a source of randomness in the form of the channel impulse response, and this randomness is not determined by any prior communication. Specifically, in certain communication systems the two communicating parties (e.g., Alice and Bob) measure very similar channel impulse response estimates. Wideband Code Division Multiple Access (WCDMA) Time Division Duplex (TDD) systems have this property. On the other hand, anyone not physically co-located with Alice or Bob observes a channel impulse response that is only very weakly correlated with the one between Alice and Bob. This difference can be exploited to generate a perfectly secret key. The channel is the source of joint randomness not shared by others, and the channel impulse response estimates are the samples taken from that source.
The Diffie-Hellman key derivation procedure is as follows. Alice and Bob agree to use a prime p and a base g. Alice selects a secret integer a and sends g^a mod p to Bob. Bob selects a secret integer b and sends g^b mod p to Alice. Alice computes (g^b mod p)^a mod p. Bob computes (g^a mod p)^b mod p. The two values (g^b mod p)^a mod p and (g^a mod p)^b mod p are the same. For example, Alice and Bob agree to use the prime p = 23 and the base g = 3. Alice selects the secret integer a = 6 and sends g^a mod p = 3^6 mod 23 = 16 to Bob. Bob selects the secret integer b = 15 and sends g^b mod p = 3^15 mod 23 = 12 to Alice. Alice computes (g^b mod p)^a mod p = 12^6 mod 23 = 9. Bob computes (g^a mod p)^b mod p = 16^15 mod 23 = 9.
Making this scheme secure requires much larger numbers. If p is a prime of more than 300 digits and a and b are more than 100 digits, then recovering the shared secret from the exchanged values is practically impossible, but the modular exponentiations become very resource intensive. This makes the protocol expensive to implement on battery-limited mobile devices.
If one (or both) of the numbers p and g is secret, agreed upon using joint randomness not shared by others, the two communicating nodes can achieve considerable security with smaller values of a, b, p and/or g. The Diffie-Hellman shared secret may be used directly as the key, or used to encrypt and transmit the actual key. The smaller numbers make the key derivation process less resource intensive, allowing it to be used on mobile devices.
Fig. 1 is a block diagram of a system 100 including two communicating entities (a first node 110 and a second node 150) from which JRNSO bits and keys may be derived in accordance with the present invention. One of the entities may be a WTRU and the other an AP. For simplicity, a peer-to-peer communication system with only two communicating entities 110, 150 is illustrated in Fig. 1. However, the present invention may be applied to point-to-multipoint communication systems involving more than two entities. It should also be noted that the first node and the second node are essentially the same kind of entity comprising the same elements; for simplicity, Fig. 1 depicts only the elements relevant to each role, the first node being assumed to be the one that initiates the JRNSO and key generation, as will be explained in detail below.
According to the invention, one of the communicating entities takes the lead. Assume that the first node 110 takes the lead. The first node 110 includes a channel estimator 112, a post-processor 114 (optional), an error correction encoder 118, a synchronization code generator 120 (optional), a secret key generator 116, and a multiplexer 122.
The channel estimator 112 at the first node generates a channel impulse response estimate 113 based on the signal 111 received from the second node 150. The channel estimator 152 in the second node 150 likewise generates a channel impulse response estimate 153 based on the transmissions sent by the first node 110. The outputs of the channel estimators 112, 152 are digitized representations of the CIR estimates. Any prior art method may be used to generate the CIR estimate. For example, the entities 110, 150 may send special signals or preamble sequences to the other node to assist in generating the CIR estimate. The CIR estimate may be represented in, but is not limited to, the time domain or the frequency domain, or may be generated or stored using any abstract vector space representation or the like. The method of generating the CIR estimate and the representation scheme should be the same at the first node 110 and the second node 150.
Depending on the implementation, only a portion of the information in the CIR estimate may be reciprocal and suitable for generating the common key. For example, the entities 110, 150 may choose to use only the amplitude/power profile of the CIR estimate and may ignore the phase information.
The post-processor 114 may optionally process the CIR estimate using prior art methods. The post-processor 114, such as a low pass filter or an interpolation filter, removes noise and redundancy. The post-processor 114 is also required for physical multi-antenna implementations such as multiple-input multiple-output (MIMO), where differences in the number of antennas and in antenna patterns may result in different CIR estimates. In this case, the entities 110, 150 may have to exchange information about their antenna configurations.
Because the channel is reciprocal, the CIR estimates generated by the first node 110 and the second node 150 are expected to be very similar. However, there are three major sources of error that introduce differences between the estimated CIRs. First, channel reciprocity assumes that the channel is estimated at both entities simultaneously; any difference in timing results in some difference in the channel estimates. Second, the starting point of the digitized CIR estimate may need to be synchronized. For example, if the CIR estimate is digitized in the time domain, the start of the meaningful portion of the CIR estimate may occur at different positions relative to the reference time zero at the two entities 110, 150. This problem is depicted in Fig. 2. As another example, if the CIR estimate is stored in a frequency domain representation, different starting frequencies/reference phases may be assumed when determining the stored parameters. Third, the CIR estimates also differ due to errors caused by the interference inherent in wireless communications.
With respect to the first error source, to ensure simultaneity of channel estimation, the channel estimation timing may be linked to a particular system time, such as a radio frame or slot boundary. Alternatively, a synchronization signal may be embedded in a signal (e.g., a preamble) transmitted by the entities 110, 150 to support channel estimation, or synchronization may be obtained from the preamble signal itself without embedding a special signal. Alternatively, the channel estimation may be performed with reference to an absolute time reference, such as the Global Positioning System (GPS). Alternatively, the round-trip delay may be measured and synchronization achieved based on this round-trip delay.
With respect to the second error source, the starting point of the CIR estimate may be recorded at the first node 110 and transmitted to the second node 150. Alternatively, special synchronization codes (e.g., comma-free codes) may be used. Because the synchronization problem is typically limited to only a few samples, the code needs only limited power. A special synchronization signal tied to the common timing source may be generated by the terminal, and a channel impulse response measurement may be made on that signal. The synchronization problem can also be handled by processing the channel impulse response in a domain that is not affected by it. For example, the synchronization problem does not arise in the frequency domain, provided that the phase information can be neglected.
Depending on the level of channel interference, the resulting loss of secrecy rate may be large or minimal. For example, in very noisy channels the phase information may be highly unreliable, so ignoring it results in minimal loss of secrecy rate.
Referring again to Fig. 1, the post-processed CIR estimate 115 is fed to a key generator 116, an error correction encoder 118 and a synchronization code generator 120. The key generator 116 may generate a JRNSO key 117 from the CIR estimate 115.
The synchronization code generator 120 may generate a synchronization signal/code 121 for simultaneity and "starting point" synchronization. The error correction encoder 118 performs error correction encoding on the CIR estimate 115 and generates parity bits 119. The error correction coding may be block coding or convolutional coding. The present invention uses systematic error correction coding, so that the original information (i.e., the CIR estimate 115 at the encoder input) is also output from the error correction encoder 118. According to the present invention, only the parity bits 119 are transmitted to the second node 150, after being multiplexed with the synchronization signal/code 121 by the multiplexer 122. The multiplexed stream 123 is transmitted to the second node 150.
The second node 150 includes a channel estimator 152, a synchronization bit demodulator 154, a parity bit demodulator 156, a post-processor 158 (optional), a synchronization unit 160, an error correction decoder 162, and a secret key generator 164. The channel estimator 152 generates a CIR estimate 153 from the received signal 151 transmitted by the first node 110. The CIR estimate 153 is optionally processed by the post-processor 158. The synchronization bit demodulator 154 demodulates the received signal 151 to recover the synchronization signal/code 155. The parity bit demodulator 156 demodulates the received signal 151 to recover the parity bits 157. The synchronization signal/code 155 is fed to the synchronization unit 160 and the parity bits 157 are fed to the error correction decoder 162. The post-processed CIR estimate 159 is processed by the synchronization unit 160, which corrects the CIR estimate differences due to lack of simultaneity and/or starting point misalignment based on the synchronization signal/code 155.
The error correction decoder 162 performs error correction decoding, treating the CIR estimate 159 processed by the synchronization unit 160 as the information part of a codeword (which may contain errors) and using the received parity bits 157 to correct the errors. If the code is well chosen, the output 163 of the error correction decoder 162 is, with very high probability, identical to the CIR estimate generated by the first node 110. Thus, the first node 110 and the second node 150 obtain the same data sequence while publicly disclosing only part of it (i.e., the parity bits), and can derive the same JRNSO bits.
The error correction decoder 162 may also be used to support synchronization of the starting point of the digitized CIR estimate. The second node 150 generates a set of candidate CIR estimates (one per candidate starting point) and decodes each candidate with the parity bits 157. The error correction decoder 162 counts the number of errors it corrects for each candidate. With very high probability, only the misaligned candidates produce very high error counts, while the correctly aligned candidate produces a very low error count. In this way, the error correction decoding process supports starting point synchronization.
Once the cir estimate has been aligned between the first node 110 and the second node 150, the key generator 164 may generate a key 165 that is identical to the key 117 generated by the first node 110.
Fig. 3 is a flow diagram of a process 300 for deriving JRNSO bits and a key in a wireless system in accordance with the present invention. The first node generates a channel impulse response estimate from a transmission sent by the second node, and the second node generates a channel impulse response estimate from a transmission sent by the first node (step 302). To correct the differences between the CIR estimate generated by the first node and the CIR estimate generated by the second node (and optionally to support synchronization of the CIR estimates), the first node transmits parity bits (and optionally a synchronization signal/code) to the second node (step 304). The parity bits are generated by error correction coding of the CIR estimate generated by the first node. The second node synchronizes its CIR estimate with the CIR estimate generated by the first node, using the synchronization signal/code transmitted by the first node or one of the other schemes described above (step 306). The second node then performs error correction decoding on the synchronized CIR estimate with the parity bits to correct the differences between its synchronized CIR estimate and the CIR estimate generated by the first node (step 308). Steps 302-308 may be repeated several times. In this way, the first node and the second node obtain the same channel impulse response estimate (the JRNSO bits). The first node and the second node then generate a key from the same CIR estimate (step 310).
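The following is an added example, not code from the patent, that walks through steps 302-310 with a concrete systematic block code. The first node computes Hamming(7,4) parity over its quantised CIR bits and sends only the parity; the second node decodes its own noisy, misaligned estimate against that parity, using the decoder's error count to find the starting point (the Fig. 2 problem), and both sides hash the agreed bits into a key. The 80-bit "CIR", the 8-sample offset and the three bit flips are constructed sample data; the choice of Hamming(7,4) and of SHA-256 for the final step are assumptions, since the text leaves the code and the key generator unspecified.

```python
import hashlib
import random

# Systematic Hamming(7,4): the 4 data bits stay as they are; the 3 parity
# bits are what the first node transmits (step 304). Parity equations:
#   p0 = d0 ^ d1 ^ d3,  p1 = d0 ^ d2 ^ d3,  p2 = d1 ^ d2 ^ d3
def hamming_parity(d):
    d0, d1, d2, d3 = d
    return [d0 ^ d1 ^ d3, d0 ^ d2 ^ d3, d1 ^ d2 ^ d3]

# Syndrome (bit i set when parity equation i fails) -> data bit in error.
# The parity bits arrive over the ordinary, error-corrected data link and are
# assumed correct, so only single data-bit error patterns are listed.
_SYNDROME_TO_DATA_BIT = {0b011: 0, 0b101: 1, 0b110: 2, 0b111: 3}

def hamming_correct(d, p):
    """Correct up to one error in the 4 data bits d using trusted parity p.
    Returns (corrected block, cost): cost 0 = clean, 1 = one bit corrected,
    2 = syndrome not explainable by a single data error (uncorrectable)."""
    s = [a ^ b for a, b in zip(hamming_parity(d), p)]
    syndrome = s[0] | (s[1] << 1) | (s[2] << 2)
    d = list(d)
    if syndrome == 0:
        return d, 0
    if syndrome in _SYNDROME_TO_DATA_BIT:
        d[_SYNDROME_TO_DATA_BIT[syndrome]] ^= 1
        return d, 1
    return d, 2

def first_node_parity(bits):
    """Step 304: the first node encodes its quantised CIR and sends only parity."""
    assert len(bits) % 4 == 0
    return [hamming_parity(bits[i:i + 4]) for i in range(0, len(bits), 4)]

def second_node_decode(candidate, parity):
    """Step 308: decode one candidate CIR bit string against received parity."""
    out, cost = [], 0
    for i, p in enumerate(parity):
        block, c = hamming_correct(candidate[4 * i:4 * i + 4], p)
        out += block
        cost += c
    return out, cost

def second_node_reconcile(buffer, parity, max_offset):
    """Steps 306-308 with the decoder-assisted start-point search: try each
    candidate starting point; the correctly aligned one has the lowest cost."""
    n = 4 * len(parity)
    assert len(buffer) >= max_offset + n
    best = None
    for offset in range(max_offset + 1):
        bits, cost = second_node_decode(buffer[offset:offset + n], parity)
        if best is None or cost < best[1]:
            best = (bits, cost, offset)
    return best

def derive_key(bits, out_bytes=16):
    """Step 310: hash the agreed bits into a key (privacy amplification)."""
    packed = int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")
    return hashlib.sha256(packed).digest()[:out_bytes]

def reconcile_demo():
    """Constructed sample run (not measured data). Returns
    (first node bits, second node bits, decode cost, chosen offset)."""
    rng = random.Random(2024)
    cir = [rng.randint(0, 1) for _ in range(80)]   # quantised reciprocal CIR
    alice = cir[8:72]               # first node's window starts 8 samples in
    bob_buffer = list(cir)          # second node: same channel, unknown start
    for pos in (8 + 5, 8 + 21, 8 + 50):   # interference flips 3 bits,
        bob_buffer[pos] ^= 1              # each in a different 4-bit block
    parity = first_node_parity(alice)     # 48 parity bits go over the air
    bob, cost, offset = second_node_reconcile(bob_buffer, parity, 16)
    return alice, bob, cost, offset
```

Run `reconcile_demo()`: the second node recovers the first node's 64 bits exactly, at offset 8, after correcting the three flipped bits, and `derive_key` gives the same key on both sides. The point a practitioner should take from the toy code size is the caveat in the text about disclosing "only the parity bits": Hamming(7,4) publishes 3 bits per 4, so at most 16 of the 64 bits remain secret against an eavesdropper, and the hash output must be sized to that remaining entropy. Real deployments use high-rate codes over much longer CIR strings so that the parity leak is a small fraction of the measured randomness.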
Fig. 4 is a flow diagram of a process 400 for deriving a key using JRNSO bits, according to an embodiment of the invention. Once the WTRU is associated with the AP (step 402), it determines whether the authentication type supported by the wireless network is IEEE 802.1x or a pre-shared key (step 404). If IEEE 802.1x is supported, the authentication, authorization and accounting (AAA) server and the WTRU authenticate each other using digital certificates (step 406). As part of the authentication exchange, the WTRU transmits to the AAA server a secret encrypted with the public key of the AAA server, so that only the AAA server can decrypt it using the corresponding private key. The secret is used as a seed for deriving the key. The AAA server then forwards the secret to the AP (step 408). If the supported authentication type is pre-shared key, the pre-shared key is used as the default secret (step 410).
The AP and the WTRU generate JRNSO bits using the process described above (step 412). It should be noted that the JRNSO bits need not be generated only after the secret has been transferred; they may be generated at any step prior to the key generation. The AP and the WTRU derive a key using the secret and the JRNSO bits (step 414). The AP and the WTRU then exchange a portion of the key to confirm the key and each other's identity (step 416). The group key may be derived and transmitted to the WTRU using the key as the pairwise transient key (step 418), as is currently done in IEEE 802.11i.
If a key must be derived before enough JRNSO bits have been generated, processing according to the IEEE 802.11i standard may be followed instead. It should be noted that only the initial derivation requires steps 402-410; a key update or renewal can be performed simply by deriving new JRNSO bits.
To update the key in the 802.1x case, a new secret may be exchanged and new JRNSO bits generated, or alternatively new JRNSO bits may be combined with the old secret. Only the latter option applies in the pre-shared key case. Historical data can be used to verify the JRNSO bits. Both parties may cache portions of earlier keys. An intruder then cannot rely on a stolen private key alone: it must also guess the previously derived key to decrypt the master secret.
This process explicitly separates the authentication and key generation roles in the system. The AAA server handles only client authentication, while the AP handles key generation. This differs from IEEE 802.1x, where the AAA server is involved in both key derivation and authentication. JRNSO allows new, fresh keys to be derived dynamically every few hundredths of a second (depending on the channel). This differs from the prior art, where key updates are preprogrammed and not cryptographically fresh, and a new secret must be exchanged whenever a fresh key is to be generated. There is no master key or pairwise master key in the inventive process 400. Therefore, the process is simpler than the prior art.
In the existing 802.11i protocol, an intruder who knows the authentication credentials (in the 802.1x case) or the pre-shared key (in the pre-shared key authentication case) only has to overhear the signaling exchange to know the key. In contrast, with the method of the present invention, an intruder holding the authentication credentials (e.g., a digital certificate or the pre-shared key) does not share the channel between the WTRU and the AP, and therefore cannot derive the JRNSO bits or the key.
Under the current IEEE 802.11i standard, key updates are not truly cryptographically fresh, as only the pairwise transient key changes while the master key and the pairwise master key remain the same. If the intruder learns the pairwise master key, the renewed key serves no cryptographic purpose, since the pairwise transient key is just the pairwise master key combined with the random information exchanged in the handshake. The master secret used to derive the master key and the pairwise master key is very long (e.g., 48 bytes) for cryptographic reasons. Thus, for a fresh key in IEEE 802.11i, a long (e.g., 48-byte) truly random number must be exchanged, which is resource intensive. According to the present invention, however, the exchanged secret is combined with JRNSO bits to derive the key, so it only needs to be long enough to deter brute-force intruders (e.g., about 16 bytes), and the key can be regenerated with fresh JRNSO bits whenever it must be updated. The present invention thus provides a simpler key derivation method that exchanges only a short secret and derives one set of keys, rather than exchanging a long key and deriving three sets of keys (i.e., master key, pairwise master key and pairwise transient key). This saves power on the mobile device.
Fig. 5 is a flow diagram of a process 500 for deriving a key using JRNSO bits according to another embodiment of the invention. Process 500 is similar to process 400. Steps 502-512 are the same as steps 402-412 and are not explained again for the sake of simplicity. After the secret has been forwarded to the AP and the JRNSO bits have been generated, the AP and the WTRU derive a pairwise master key using the secret and the JRNSO bits (step 514). The group key may then be derived and transmitted to the WTRU as is currently done in IEEE 802.11i (step 516).
Fig. 6 is a flow diagram of a process 600 for deriving a key using JRNSO bits, according to yet another embodiment of the invention. Once the WTRU is associated with the AP (step 602), it determines whether the authentication type supported by the wireless network is IEEE 802.1x or a pre-shared key (step 604). If IEEE 802.1x is supported, the AAA server and the WTRU authenticate each other using digital certificates and exchange a master secret (step 606). The AAA server and the WTRU then derive a master key using the master secret (step 608). The AAA server and the WTRU then derive a pairwise master key from the master key, and the AAA server transmits the pairwise master key to the AP (step 610). If the supported authentication type is pre-shared key, the pre-shared key is used as the pairwise master key (step 611).
The AP and the WTRU generate JRNSO bits using the process described above (step 612). It should be noted that the JRNSO bits need not be generated only after the pairwise master key has been forwarded; they may be generated at any stage prior to the key generation. In the 802.1x case, this may be done before deriving the master key, to accelerate the key derivation process. It may also be done during the 4-way handshake used to derive the pairwise transient key, which keeps the system compatible with pre-shared key authentication. JRNSO generation may take place at any time prior to deriving the pairwise transient key.
The AP and the WTRU derive a pairwise transient key using the pairwise master key and the JRNSO bits (step 614). The pairwise transient key may be derived as follows:
PTK = PRF(pairwise master key, information exchanged in the handshake, JRNSO bits).
The group key may then be derived and exchanged (step 616), as is currently done in IEEE 802.11i.
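As an added example (not code from the patent or from the IEEE standard), the block below implements the IEEE 802.11i PRF and the standard 4-way-handshake PTK derivation, then the process 600 variant in which the JRNSO bits enter the same PRF. The exact position of the JRNSO bits in the PRF input is not fixed by the text; here they are appended after the handshake data, which is an assumption. The PMK, MAC addresses, nonces and JRNSO values are constructed sample values, not captured traffic. The example shows the background section's point directly: an intruder who holds the PMK and has sniffed the handshake computes the standard PTK exactly, but cannot compute the JRNSO-derived PTK without the channel measurement.

```python
import hmac
import hashlib

def prf(key, label, data, nbits):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(K, A || 0x00 || B || i)
    for i = 0, 1, ... until nbits are available, then truncate."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]

def handshake_data(aa, spa, anonce, snonce):
    """Min/Max ordering of the two MAC addresses and the two nonces of the
    4-way handshake. All of this is visible to an eavesdropper."""
    return min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)

def ptk_standard(pmk, aa, spa, anonce, snonce):
    """Standard 802.11i PTK (384 bits for CCMP): only the PMK is secret."""
    return prf(pmk, b"Pairwise key expansion",
               handshake_data(aa, spa, anonce, snonce), 384)

def ptk_jrnso(pmk, aa, spa, anonce, snonce, jrnso):
    """PTK = PRF(PMK, handshake information, JRNSO bits) as in step 614.
    Assumption: the reconciled JRNSO bits are appended to the handshake data."""
    return prf(pmk, b"Pairwise key expansion",
               handshake_data(aa, spa, anonce, snonce) + jrnso, 384)

def split_ptk(ptk):
    """KCK || KEK || TK, 16 bytes each for CCMP; the TK is the packet key."""
    return ptk[:16], ptk[16:32], ptk[32:48]

def ptk_demo():
    """Constructed sample values. Returns the PTKs seen by each party."""
    pmk = hashlib.sha256(b"constructed pmk").digest()
    aa = bytes.fromhex("02aa00000001")            # AP MAC (constructed)
    spa = bytes.fromhex("02bb00000002")           # STA MAC (constructed)
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    jrnso_ap = bytes.fromhex("a5c3f00f1e2d3c4b")  # after reconciliation...
    jrnso_sta = jrnso_ap                          # ...both sides hold the same bits
    jrnso_guess = bytes(8)                        # intruder's guess (all zero)
    return {
        "standard": ptk_standard(pmk, aa, spa, anonce, snonce),   # intruder with PMK + sniffed handshake gets this
        "ap": ptk_jrnso(pmk, aa, spa, anonce, snonce, jrnso_ap),
        "sta": ptk_jrnso(pmk, aa, spa, anonce, snonce, jrnso_sta),
        "guess": ptk_jrnso(pmk, aa, spa, anonce, snonce, jrnso_guess),
    }
```

`ptk_demo()["ap"]` equals `ptk_demo()["sta"]`, while `"standard"` (what a PMK-holding intruder derives) and `"guess"` differ from it. Because the JRNSO bits change with the channel, every re-run of the handshake with fresh bits yields a fresh PTK even if the PMK is never changed, which is the freshness property the text contrasts with the prior art.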
Fig. 7 is a flow diagram of a process 700 for deriving a key using JRNSO bits, according to yet another embodiment of the invention. Once the WTRU is associated with the AP (step 702), it determines whether the authentication type supported by the wireless network is IEEE 802.1x or a pre-shared key (step 704). In this embodiment, the pre-shared key is not supported; only IEEE 802.1x is supported. If the network supports the pre-shared key type, the process ends. If IEEE 802.1x is supported, the AAA server and the WTRU exchange a master secret, and the AAA server transmits the master secret to the AP (step 706).
The AAA server and the AP derive a master key using the master secret (step 710). The WTRU and the AP then derive a pairwise master key using the master key and the JRNSO bits (step 712). The AP and the WTRU use the pairwise master key to derive a pairwise transient key (step 714). The group key may then be derived and exchanged (step 716), as is currently done in IEEE 802.11i.
Fig. 8 is a flow diagram of a process 800 for deriving a key using a Diffie-Hellman agreement in accordance with the present invention. The WTRU 802 and the AP 804 agree to use JRNSO to derive the key by exchanging a JRNSO start message and a JRNSO start confirmation (steps 812, 814). The WTRU 802 and the AP 804 each generate JRNSO bits from the channel impulse response (CIR) estimates of the transmissions they receive from each other (steps 816, 818). The WTRU 802 then generates parity bits by applying error correction coding to its CIR estimate and transmits the parity bits to the AP 804 (step 820). The AP 804 uses the received parity bits to perform error correction decoding on its own estimate and optionally transmits an acknowledgement (step 822). Steps 816-822 may be repeated several times.
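As an added example, not code from the patent, the following Python sketch carries the reconciliation of steps 816-822 (and the block-coding variant of claims 3-5) through with a concrete code: the first node quantizes its CIR estimate into bits and sends only the Hamming(7,4) parity bits of each 4-bit block, and the second node uses those parity bits to correct a single disagreement per block in its own estimate. Hamming(7,4) is one instance of the block coding the claims mention, the threshold quantizer, the final hashing of the reconciled bits, the short confirmation tag and all CIR samples are assumptions made for the example, and the function names are not the patent's.

```python
import hashlib

# Added example, not the patent's own code: reconciling two CIR-derived bit
# strings (steps 816-822 of Fig. 8; claims 3-5) with Hamming(7,4) parity bits.
# The first node keeps its data bits private and sends only 3 parity bits per
# 4-bit block; the second node corrects at most one disagreement per block.
# The CIR samples and bit flips below are constructed for the example.


def quantize(cir: list[float]) -> list[int]:
    """Post-process a CIR estimate into bits: 1 if the sample exceeds the median
    (a simple threshold quantizer; the patent leaves the post-processing open)."""
    med = sorted(cir)[len(cir) // 2]
    return [1 if x > med else 0 for x in cir]


def hamming_parity(d: list[int]) -> list[int]:
    """Three Hamming(7,4) parity bits p1, p2, p3 for data bits d1..d4."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]


def hamming_correct(d: list[int], p: list[int]) -> list[int]:
    """Assemble the codeword (p1 p2 d1 p3 d2 d3 d4) from the local data bits and
    the peer's parity bits, compute the syndrome, and flip the single bit it
    points at (positions are 1-indexed; syndrome 0 means no disagreement)."""
    cw = [p[0], p[1], d[0], p[2], d[1], d[2], d[3]]
    s1 = cw[0] ^ cw[2] ^ cw[4] ^ cw[6]
    s2 = cw[1] ^ cw[2] ^ cw[5] ^ cw[6]
    s3 = cw[3] ^ cw[4] ^ cw[5] ^ cw[6]
    pos = s1 + 2 * s2 + 4 * s3
    if pos:
        cw[pos - 1] ^= 1
    return [cw[2], cw[4], cw[5], cw[6]]


def reconcile(first_bits: list[int], second_bits: list[int]) -> tuple[int, list[int], list[int]]:
    """Run the exchange over whole 4-bit blocks. Returns the number of parity
    bits disclosed, the first node's bits and the second node's corrected bits."""
    n = len(first_bits) - len(first_bits) % 4
    sent, corrected = 0, []
    for i in range(0, n, 4):
        parity = hamming_parity(first_bits[i:i + 4])   # first node -> second node
        sent += len(parity)
        corrected += hamming_correct(second_bits[i:i + 4], parity)
    return sent, first_bits[:n], corrected


def key_from_bits(bits: list[int]) -> bytes:
    """Hash the reconciled bits into a key. Hashing compensates for the parity
    bits having been sent in the clear (an added assumption, not the patent's text)."""
    return hashlib.sha256(bytes(bits)).digest()


def run_reconciliation(first_bits: list[int], second_bits: list[int]) -> dict:
    sent, a_bits, b_bits = reconcile(first_bits, second_bits)
    k_a, k_b = key_from_bits(a_bits), key_from_bits(b_bits)
    return {
        "parity_bits_sent": sent,
        "agreed": a_bits == b_bits,
        # Key confirmation: compare a short tag rather than the key itself.
        "confirmed": k_a[:4] == k_b[:4],
    }


# Constructed sample: 32 CIR taps at the first node; the second node's estimate
# disagrees in three taps, one per affected block, which Hamming(7,4) repairs.
CIR_FIRST = [0.9, -0.3, 1.4, 0.1, -1.2, 0.7, 0.2, -0.8,
             1.1, -0.5, 0.4, -1.6, 0.6, 0.3, -0.9, 1.8,
             -0.1, 0.8, -1.3, 0.5, 1.0, -0.6, 0.0, -1.1,
             0.2, 1.5, -0.4, 0.9, -0.7, 0.3, 1.2, -1.4]
FIRST_BITS = quantize(CIR_FIRST)
SECOND_BITS = list(FIRST_BITS)
for tap in (1, 10, 22):          # one quantization disagreement in blocks 0, 2 and 5
    SECOND_BITS[tap] ^= 1

if __name__ == "__main__":
    print(run_reconciliation(FIRST_BITS, SECOND_BITS))
```

Two points the code makes concrete: the parity bits are public, so each 7-bit block leaks 3 bits to an eavesdropper and the key must be drawn from the remaining entropy rather than from the raw bits; and a block with two disagreements decodes to the wrong data bits without any error being signalled, which is what the confirmation tag (the exchange of a portion of the key in claim 13) is there to catch before the key is used.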
The WTRU 802 and the AP 804 hold predetermined look-up tables (LUTs) of secret values p (a prime modulus) and g (a base) and map the JRNSO bits to (p, g) entries of the table. For example, if the JRNSO measurement yields 5 bits of secret data, the WTRU 802 and the AP 804 may select one of 16 possible unique values for the prime p and another 16 for the base g. Other mapping schemes apparent to a skilled artisan may be used instead of a look-up table. Because the secrecy of p and g adds a layer of security, the stored primes should be large, though not necessarily as large as in a conventional Diffie-Hellman exchange. Preferably the primes also differ in size, so that an intruder finds it difficult to guess the range of the modulus. Although the mapping from JRNSO bits to table entries is publicly known, which entry is actually selected is not, because an intruder cannot eavesdrop on the JRNSO measurement. Note, however, that a 5-bit index leaves an intruder with at most 32 candidate (p, g) pairs, so the secrecy of the parameters adds only a small work factor: the primes must still be large enough that the discrete logarithm in any candidate group is infeasible on its own.
The WTRU 802 and the AP 804 select secret integers a and b, respectively, and transmit g^a mod p and g^b mod p, respectively, to each other (steps 824, 826). From these values the WTRU 802 and the AP 804 derive the shared secret (step 828). The WTRU 802 and the AP 804 then either use the shared secret to transmit an encrypted JRNSO key, or use the shared secret itself as the JRNSO key (step 830).
Although the features and elements of the present invention are described in the preferred embodiments in particular combinations, each feature or element can be used alone without the other features and elements of the preferred embodiments or in various combinations with or without other features and elements of the present invention.
Claims (38)
1. A method for deriving a key to secure wireless communications between a first node and a second node, the method comprising:
(a) the first node generating a first channel impulse response (CIR) estimate based on transmissions sent by the second node;
(b) the second node generating a second CIR estimate based on transmissions sent by the first node;
(c) the first node and the second node correcting a difference between the first CIR estimate and the second CIR estimate; and
(d) the first node and the second node generating a key based on the first CIR estimate and the second CIR estimate, respectively.
2. The method of claim 1, further comprising:
the first node post-processing the first CIR estimate; and
the second node post-processing the second CIR estimate.
3. The method of claim 1, wherein step (c) comprises:
(c1) the first node transmitting parity bits to the second node, the parity bits being generated by error correction coding of the first CIR estimate;
(c2) the second node synchronizing the second CIR estimate with the first CIR estimate; and
(c3) the second node performing error correction decoding on the synchronized second CIR estimate using the parity bits to correct a difference between the synchronized second CIR estimate and the first CIR estimate.
4. The method of claim 3 wherein the parity bits are generated by applying block coding to the first CIR estimate.
5. The method of claim 3 wherein the parity bits are generated by applying systematic convolutional coding to the first CIR estimate.
6. The method of claim 3 wherein the first node sends a synchronization code to the second node, whereby the second node synchronizes the second CIR estimate with the first CIR estimate using the synchronization code.
7. The method of claim 1 wherein the key is generated using a Diffie-Hellman key derivation algorithm.
8. The method of claim 7 wherein the first node and the second node select at least one of the p and g values for the Diffie-Hellman key derivation algorithm by mapping the first and second CIR estimates, respectively, to at least one of the p and g values.
9. A method of deriving a key in a wireless communication network including a WTRU, an AP and an authentication server, to secure wireless communications between the WTRU and the AP, the method comprising:
the WTRU obtaining an association with the AP;
determining a type of authentication supported by the network;
if the supported authentication type is IEEE 802.1x, the authentication server and the WTRU authenticating each other and exchanging a secret;
the authentication server forwarding the secret to the AP;
the WTRU and the AP generating joint randomness not shared by others (JRNSO) bits based on a channel impulse response between the WTRU and the AP; and
the WTRU and the AP deriving a key using the secret and the JRNSO bits.
10. The method of claim 9, further comprising:
the AP deriving a set of keys from the key; and
the AP providing the set of keys to the WTRU.
11. The method of claim 9 further comprising using a pre-shared key as the secret if the supported authentication type is pre-shared key.
12. The method of claim 9 further comprising generating additional JRNSO bits to update the key, whereby a new key is generated using the new JRNSO bits.
13. The method of claim 9 further comprising the WTRU and the AP exchanging a portion of the key to validate the key.
14. The method of claim 9 wherein the key is a pairwise master key.
15. A method of deriving a key in a wireless communication network including a WTRU, an AP and an authentication server, to secure wireless communications between the WTRU and the AP, the method comprising:
the WTRU obtaining an association with the AP;
determining a type of authentication supported by the network;
if the supported authentication type is IEEE 802.1x, the authentication server and the WTRU authenticating each other and exchanging a master secret;
the authentication server forwarding the master secret to the AP;
the WTRU and the AP deriving a pairwise master key from the master secret;
the WTRU and the AP generating joint randomness not shared by others (JRNSO) bits from channel impulse responses between the WTRU and the AP; and
the WTRU and the AP deriving a pairwise transient key using the pairwise master key and the JRNSO bits.
16. The method of claim 15, further comprising:
the AP deriving a set of keys from the pairwise transient key; and
the AP providing the set of keys to the WTRU.
17. The method of claim 15 further comprising using a pre-shared key as the pairwise master key if the supported authentication type is pre-shared key.
18. The method of claim 15 further comprising generating additional JRNSO bits to update the pairwise transient key, whereby a new pairwise transient key is generated using the new JRNSO bits.
19. A method for deriving a key to secure wireless communications between a WTRU and an AP in a wireless communication network including the WTRU, the AP and an authentication server, the method comprising:
the WTRU obtaining an association with the AP;
determining an authentication type supported by the network;
if the supported authentication type is IEEE 802.1x, the authentication server and the WTRU authenticating each other and exchanging a pre-master secret;
the authentication server forwarding the pre-master secret to the AP;
the WTRU and the AP generating joint randomness not shared by others (JRNSO) bits from channel impulse responses between the WTRU and the AP;
the WTRU and the AP deriving a master key using the pre-master secret and the JRNSO bits;
the WTRU and the AP deriving a pairwise master key using the master key and the JRNSO bits; and
the WTRU and the AP deriving a pairwise transient key using the pairwise master key and the JRNSO bits.
20. The method of claim 19, further comprising:
the AP deriving a set of keys from the pairwise transient key; and
the AP providing the set of keys to the WTRU.
21. A system for deriving a key for securing wireless communications between a first node and a second node, the system comprising:
the first node comprising:
a first channel estimator for generating a first channel impulse response (CIR) estimate from transmissions sent by the second node;
an error correction encoder for generating parity bits by performing error correction encoding on the first CIR estimate;
a synchronization code generator for generating a synchronization code; and
a secret key generator for generating a secret key from the first CIR estimate; and
the second node comprising:
a second channel estimator for generating a second CIR estimate from transmissions sent by the first node;
a parity bit demodulator for recovering the parity bits;
a synchronization code demodulator for recovering the synchronization code;
a synchronization unit for synchronizing the first and second CIR estimates;
an error correction decoder for performing error correction decoding on the synchronized second CIR estimate with the parity bits to remove a difference between the first CIR estimate and the synchronized second CIR estimate; and
a secret key generator for generating a secret key from the second CIR estimate after the difference has been removed.
22. The system of claim 21 wherein the first node further comprises a first post-processor for post-processing the first CIR estimate and the second node further comprises a second post-processor for post-processing the second CIR estimate.
23. The system of claim 21 wherein the error correction encoder is a block encoder for applying a block encoding to the first CIR estimate.
24. The system of claim 21 wherein the error correction encoder is a systematic convolutional encoder for applying a systematic convolutional encoding to the first CIR estimate.
25. The system of claim 21 wherein the secret key is generated using a Diffie-Hellman key derivation algorithm.
26. The system of claim 25 wherein the first node and the second node map the first CIR estimate and the second CIR estimate, respectively, after the difference has been removed, to at least one of the p and g values, to select at least one of the p and g values for the Diffie-Hellman key derivation algorithm.
27. A system for deriving a key for securing wireless communications, the system comprising:
a wireless transmit/receive unit (WTRU) configured to exchange a secret with an authentication server and to generate joint randomness not shared by others (JRNSO) bits based on a channel impulse response estimate between the WTRU and an access point (AP);
the authentication server configured to exchange the secret with the WTRU and to transmit the secret to the AP; and
the AP configured to generate JRNSO bits based on an estimate of the channel impulse response between the WTRU and the AP, and to derive the key using the secret and the JRNSO bits.
28. The system of claim 27 wherein the AP is configured to derive a set of keys from the key and to provide the set of keys to the WTRU.
29. The system of claim 27 wherein the authentication type invoked is IEEE 802.1x.
30. The system of claim 27 wherein a supported authentication type is pre-shared key, whereby the pre-shared key is used as the secret.
31. The system of claim 27 wherein the WTRU and the AP are further configured to exchange a portion of the key to validate the key.
32. The system of claim 27 wherein the key is a pairwise master key.
33. A system for deriving a key for securing wireless communications, the system comprising:
a wireless transmit/receive unit (WTRU) configured to exchange a master secret with an authentication server, to generate joint randomness not shared by others (JRNSO) bits based on a channel impulse response estimate between the WTRU and an access point (AP), to derive a pairwise master key from the master secret and the JRNSO bits, and to derive a pairwise transient key using the pairwise master key and the JRNSO bits;
the authentication server configured to exchange the master secret with the WTRU and to transmit the master secret to the AP; and
the AP configured to generate JRNSO bits based on an estimate of the channel impulse response between the WTRU and the AP, to derive the pairwise master key using the master secret and the JRNSO bits, and to derive the pairwise transient key using the pairwise master key and the JRNSO bits.
34. The system of claim 33 wherein the AP is configured to derive a set of keys from the pairwise transient key and to provide the set of keys to the WTRU.
35. The system of claim 33 wherein a supported authentication type is IEEE 802.1x.
36. The system of claim 33 wherein a supported authentication type is pre-shared key, whereby the pre-shared key is used as the pairwise master key.
37. A system for deriving a key for securing wireless communications, the system comprising:
a wireless transmit/receive unit (WTRU) configured to exchange a pre-master secret with an authentication server, to generate joint randomness not shared by others (JRNSO) bits based on a channel impulse response estimate between the WTRU and an access point (AP), to derive a master key from the pre-master secret and the JRNSO bits, to derive a pairwise master key from the master key, and to derive a pairwise transient key using the pairwise master key and the JRNSO bits;
the authentication server configured to exchange the pre-master secret with the WTRU and to transmit the pre-master secret to the AP; and
the AP configured to generate JRNSO bits based on an estimate of the channel impulse response between the WTRU and the AP, to derive the master key using the pre-master secret and the JRNSO bits, to derive the pairwise master key using the master key and the JRNSO bits, and to derive the pairwise transient key using the pairwise master key and the JRNSO bits.
38. The system of claim 37 wherein the AP is configured to derive a set of keys from the pairwise transient key and to provide the set of keys to the WTRU.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US60/647,482 | 2005-01-27 | | |
| US60/716,177 | 2005-09-12 | | |
| US60/734,331 | 2005-11-07 | | |
| US11/318,381 | 2005-12-23 | | |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| HK11107543.4A Division HK1153586B (en) | Method and system for deriving an encryption key using joint randomness not shared by others | 2005-09-12 | 2008-11-26 |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| HK11107543.4A Addition HK1153586B (en) | Method and system for deriving an encryption key using joint randomness not shared by others | 2005-09-12 | 2008-11-26 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| HK1119327A true HK1119327A (en) | 2009-02-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8280046B2 (en) | | Method and system for deriving an encryption key using joint randomness not shared by others |
| CA2596067C (en) | | Method and system for deriving an encryption key using joint randomness not shared by others |
| CN101288260A (en) | | Method and system for deriving keys using joint random derivation without sharing by others |
| CN101433010B (en) | | Method and system for securing wireless communications |
| US20070036353A1 (en) | | Authentication and encryption methods using shared secret randomness in a joint channel |
| KR20090098997A (en) | | Method and apparatus for base station self-configuration |
| US20100146289A1 (en) | | Radio scene encryption and authentication process |
| CN119654889A (en) | | Wireless communication system |
| de Ree et al. | | Grain-128PLE: generic physical-layer encryption for IoT networks |
| HK1119327A (en) | | Method and system for deriving an encryption key using joint randomness not shared by others |
| HK1153586B (en) | | Method and system for deriving an encryption key using joint randomness not shared by others |
| HK1153586A (en) | | Method and system for deriving an encryption key using joint randomness not shared by others |
| AU2010100115A4 (en) | | Secured key exchange in WiFi networks using quantum key distribution |
| JP2008177815A (en) | | Broadcast encryption method and broadcast encryption device |
| Wan et al. | | Access control protocols with two-layer architecture for wireless networks |
| KR20250138171A (en) | | How to provision credentials to user devices in a private communications network |
| Patrick | | Wireless LAN Security |
| HK1131285A (en) | | Generation of perfectly secret keys in wireless communication networks |