US-20260129435-A1 - Shared Secret Key Architecture and Distribution
Abstract
Methods, apparatuses, computer-readable mediums for storing software, and systems for Shared Secret Key Architecture and Distribution (SSK-AD) are described. SSK-AD leverages an existing network or system that uses shared secret keys (SSKs) to securely distribute new keys based on that network's previously deployed SSKs, its existing SSK ecosystem and architecture, and integration with Trusted Third Party protocols. Examples of such an existing network or system that uses SSKs are the 3GPP GSM network and the 5G network.
Inventors
- Elliot Eichen
Assignees
- Elliot Eichen
Dates
- Publication Date
- 20260507
- Application Date
- 20241112
Claims (20)
- 1. A method, comprising: generating, by a first computing device, new credentials comprising a new user identifier and a new key based on an existing shared secret key that is shared with a service provider; performing authentication, between the first computing device or a second computing device and a third party device, using the new credentials to obtain a response from the third party device, the response comprising a ticket; determining a session key based on the response; sending, by the first computing device or the second computing device to an application server, the ticket; and establishing, using the session key, a secure session between the first computing device or the second computing device and the application server.
- 2. The method of claim 1, wherein an algorithm is used to derive the new key from the existing shared secret key and the algorithm prevents the existing shared secret key from being obtained from the new key.
- 3. The method of claim 1, wherein the new key is computationally undiscoverable by quantum computers.
- 4. The method of claim 1, wherein the third party device and the application server each store a second shared secret key prior to the first computing device or the second computing device sending the ticket to the application server.
- 5. The method of claim 1, wherein the third party device has established a secure communication link with a service provider device of the service provider.
- 6. The method of claim 1, comprising: generating the new user identifier or the new key based on the existing shared secret key and data received from a service provider device of the service provider.
- 7. The method of claim 1, comprising: generating and storing a second new user identifier in association with the new key.
- 8. The method of claim 1, comprising: requesting the ticket; and receiving, from the third party device, the ticket, wherein the ticket enables authentication with the application server.
- 9. The method of claim 1, comprising: sending a registration request with a tag indicating that the first computing device is requesting a connection to the application server.
- 10. The method of claim 1, wherein the generating the new credentials is responsive to sending a registration request and receiving a registration response.
- 11. The method of claim 1, wherein the generating the new credentials is responsive to sending, to the third party device, a request for the secure session between the first computing device or the second computing device and the application server.
- 12. The method of claim 1, comprising: sending, to a subscriber identity module of the first computing device, a request, wherein the generating the new credentials is responsive to sending the request to the subscriber identity module.
- 13. The method of claim 1, comprising: sending, from the first computing device to the second computing device, the new credentials.
- 14. The method of claim 1, comprising: creating and storing second new credentials for use by the first computing device or the second computing device in communicating with the application server after the secure session ends.
- 15. The method of claim 1, wherein the sending the ticket comprises sending the ticket through a path that bypasses a network of the service provider.
- 16. An apparatus comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: generate new credentials comprising a new user identifier and a new key based on an existing shared secret key that is shared with a service provider; perform authentication, between the apparatus and a third party device, using the new credentials to obtain a response from the third party device, the response comprising a ticket; determine a session key based on the response; send, to an application server, the ticket; and establish, using the session key, a secure session between the apparatus and the application server.
- 17. The apparatus of claim 16, wherein generation of the new credentials is responsive to the apparatus sending a registration request and receiving a registration response.
- 18. A system comprising: a computing device configured to: generate new credentials comprising a new user identifier and a new key based on an existing shared secret key that is shared with a service provider; perform authentication, between the computing device and a third party device, using the new credentials to obtain a response from the third party device, the response comprising a ticket; determine a session key based on the response; send, to an application server, the ticket; and establish, using the session key, a secure session between the computing device and the application server; and the third party device configured to communicate with the service provider, wherein the third party device is outside of a domain of the service provider.
- 19. The system of claim 18, further comprising: the application server configured to store a second shared secret key that is shared with the third party device.
- 20. The system of claim 18, wherein the third party device is configured to: generate a second new user identifier matching the new user identifier; generate a second new key matching the new key; and generate the ticket.
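The following is an added, self-contained illustration of the flow recited in claims 1, 2, 4, 5, 6 and 20, written for this page; it is not the patent's or the inventor's implementation and the patent does not specify these primitives. It assumes HKDF-SHA256 as the one-way derivation of the new user identifier and new key from the existing SSK plus provider-supplied data, HMAC-SHA256 tags for authentication, and a keystream mask (HKDF output XORed with the session key) so that the ticket can carry the session key to the application server under the second SSK it shares with the trusted third party. The role names (TrustedThirdParty, derive_new_credentials, run_flow), the labels, and every key and nonce value are constructed for the example; no public-key operation appears anywhere in the exchange.

```python
import hashlib
import hmac
import secrets

# Constructed roles: device (UE), service provider (SP), trusted third party
# (TTP, a KDC-like element) and application server (AS). All keys are toy values.


def hkdf(ikm, info, length=32):
    """HKDF (RFC 5869) with SHA-256: one-way, so outputs do not reveal ikm."""
    prk = hmac.new(b"ssk-ad-example-salt", ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def tag(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (unambiguous concatenation)."""
    h = hmac.new(key, None, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_new_credentials(existing_ssk, sp_nonce):
    """Claims 1, 2 and 6: new user id and new key from the existing SSK plus data
    from the provider (sp_nonce). Deterministic, so a TTP holding the same inputs
    can derive matching credentials (claim 20); HKDF cannot be run backwards."""
    new_uid = hkdf(existing_ssk, b"ssk-ad uid" + sp_nonce, 16).hex()
    new_key = hkdf(existing_ssk, b"ssk-ad key" + sp_nonce, 32)
    return new_uid, new_key


class TrustedThirdParty:
    """Holds the new credentials (obtained over the assumed secure SP-TTP link,
    claim 5) and a second SSK shared with the application server (claim 4)."""

    def __init__(self, k_as):
        self.k_as = k_as
        self.credentials = {}  # new_uid -> new_key

    def register(self, new_uid, new_key):
        self.credentials[new_uid] = new_key

    def authenticate(self, new_uid, client_nonce, auth_tag):
        """Verify the device under its new key and issue a response carrying a ticket."""
        new_key = self.credentials.get(new_uid)
        expected = tag(new_key or b"", b"auth", new_uid.encode(), client_nonce)
        if new_key is None or not hmac.compare_digest(expected, auth_tag):
            raise PermissionError("authentication failed")
        sk = secrets.token_bytes(32)
        ttp_nonce = secrets.token_bytes(16)
        # Ticket for the AS: session key masked and tagged under K_AS (the device cannot read or forge it).
        enc_as = xor(sk, hkdf(self.k_as, b"ticket" + ttp_nonce))
        ticket = {"uid": new_uid, "nonce": ttp_nonce, "enc_sk": enc_as,
                  "tag": tag(self.k_as, b"ticket", new_uid.encode(), ttp_nonce, enc_as)}
        # Response for the device: the same session key masked and tagged under the new key.
        enc_dev = xor(sk, hkdf(new_key, b"response" + ttp_nonce + client_nonce))
        return {"nonce": ttp_nonce, "enc_sk": enc_dev, "ticket": ticket,
                "tag": tag(new_key, b"response", ttp_nonce, client_nonce, enc_dev)}


def device_session_key(new_key, client_nonce, response):
    """Claim 1: determine the session key from the tag-checked TTP response."""
    expected = tag(new_key, b"response", response["nonce"], client_nonce, response["enc_sk"])
    if not hmac.compare_digest(expected, response["tag"]):
        raise ValueError("bad TTP response")
    return xor(response["enc_sk"], hkdf(new_key, b"response" + response["nonce"] + client_nonce))


def application_server_session_key(k_as, ticket):
    """The AS recovers the session key from the ticket using only its SSK with the TTP."""
    expected = tag(k_as, b"ticket", ticket["uid"].encode(), ticket["nonce"], ticket["enc_sk"])
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("bad ticket")
    return xor(ticket["enc_sk"], hkdf(k_as, b"ticket" + ticket["nonce"]))


def run_flow(existing_ssk, k_as, tamper_ticket=False):
    """End-to-end run; returns (device session key, AS session key, session check)."""
    sp_nonce = secrets.token_bytes(16)  # data received from the provider (claim 6)
    new_uid, new_key = derive_new_credentials(existing_ssk, sp_nonce)
    ttp = TrustedThirdParty(k_as)
    ttp.register(new_uid, new_key)  # provider passes the new credentials to the TTP
    client_nonce = secrets.token_bytes(16)
    auth_tag = tag(new_key, b"auth", new_uid.encode(), client_nonce)
    response = ttp.authenticate(new_uid, client_nonce, auth_tag)
    sk_device = device_session_key(new_key, client_nonce, response)
    ticket = dict(response["ticket"])
    if tamper_ticket:
        ticket["uid"] = "0000"  # simulates modification on the path to the AS
    sk_as = application_server_session_key(k_as, ticket)
    # Secure session: an application message authenticated under the session key checks out on both sides.
    msg = b"application request"
    session_ok = hmac.compare_digest(tag(sk_device, b"app", msg), tag(sk_as, b"app", msg))
    return sk_device, sk_as, session_ok


if __name__ == "__main__":
    sk_d, sk_a, ok = run_flow(b"\x01" * 32, b"\x02" * 32)
    print("session keys match:", sk_d == sk_a, "session ok:", ok)
```

The point worth noticing is the trust layout: the application server never sees the existing SSK or the new key, the provider network is not on the path that carries the ticket (claim 15), and a ticket altered in transit fails the tag check before any session key is derived. A deployment would replace the XOR mask with an AEAD and bind the ticket to a lifetime, which the toy omits.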
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a non-provisional of and claims priority to U.S. Provisional Patent Application No. 63/548,267, filed Nov. 13, 2023, which is hereby incorporated by reference in its entirety.
BACKGROUND
It is well known that quantum computers with a sufficient number of qubits kept in a coherent state for a sufficient time can break the asymmetric algorithms that form the basis for existing public key cryptography. Even though such quantum computers may not exist today, the threat from quantum computers is immediate because digital communications authenticated and encrypted using existing asymmetric algorithms could be recorded and decrypted in the future, thus providing a wealth of sensitive data. The response of the cryptographic community to the threat posed by quantum computers has primarily been to create new asymmetric algorithms that are not vulnerable to quantum computing (i.e., algorithms that do not have a periodicity that can be detected by a quantum computer across a coherent quantum state vector made up of the combination of all possible states). Although these Post Quantum Cryptography (PQC) algorithms may turn out to be the best methods to ensure data security over public networks, confidence that they are immune to compromise by quantum computers will take time, as PQC algorithms cannot be proved to be secure although they can be proved insecure. Indeed, of the four algorithms chosen by the National Institute of Standards (NIST) in 2022 as potential PQC standards, one (SIKE) was broken and discarded in 2023, and a successful attack against another of the four algorithms (SPHINCS+), targeting NIST category V for that algorithm, was published in 2022.
An alternative to PQC, particularly for enterprises or governments with extremely sensitive data, or for IoT devices without the compute power to implement the more complex PQC algorithms (such as low-power implanted medical devices), is to use algorithms based on Shared Symmetric Keys (SSKs) such as AES. These algorithms are considered to be immune to compromise by quantum computers, although they may need longer key lengths than are currently used. However, a major practical problem limiting the use of Shared Symmetric Keys (SSKs) is how to securely distribute them across a network (e.g., without resorting to some form of physical or out-of-band transfer).
SUMMARY
This section provides a short summary of certain features discussed in the detailed description. This summary is not an extensive overview and is not intended to identify key or critical elements. First, the following listing of terms is provided:
- Third Generation Partnership Project (3GPP): The standards body that manages the process of creating standards for wireless networks.
- 5G Authentication and Key Agreement (5G AKA): Protocol used to authenticate an endpoint to the network and, separately, to establish keys. 5G also supports EAP (RFC 4187).
- 5G Core Network (5GC): The core network for a 5G compliant network.
- AKMA Anchor Function (AAnF): The 3GPP logical network element that manages the AKMA process. It sits between the UDM/AUSF and the AS.
- Authentication and Key Management for Applications (AKMA): The protocol used to extend the 5G AKA protocol to application servers that can be inside or outside of the service provider's domain.
- Application Server (AS): A server that performs various services or provides various applications.
- Authentication Server Function (AUSF): A 3GPP logical network entity that supports the authentication function. When a UE is not roaming, the AUSF communicates directly with the UE. When a UE is roaming, the SEAF sits between the AUSF and the UE.
- Network Function (NF): A 3GPP logical entity that enables web-based APIs for connecting applications to 5GCs.
- Global System for Mobile Communications (GSM): The global trade organization made up of wireless carriers, equipment vendors, etc. that represents the "wireless industry".
- Key Distribution Center (KDC): A trusted third party (TTP) system that implements a protocol to distribute keys that allow two entities with a trust relationship to the TTP to mutually authenticate.
- International Mobile Subscriber Identity (IMSI): Unique number assigned to each endpoint. Each private key is associated with an IMSI. Pursuant to the 3GPP standard, it contains a network operator, country code, and MDN (mobile device number).
- National Institute of Standards (NIST)
- Open Authorization (OAuth): Secure trusted third party open source authentication protocol.
- Public Key Infrastructure (PKI): A set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
- Post Quantum Cryptography (PQC): The field of cryptography as it relates to quantum computers. In particular, it often stands for the algorithms (ciphers) that cannot be "broken" using a quantum computer.
- Physically Unclonable Fu