The present invention relates to telecommunications in general, and, more particularly, to a cryptographic authentication system suitable for wireless local area networks.
IEEE 802.11 is a wireless local area network protocol standard that includes a security mechanism called Wireless Equivalent Privacy or “WEP.” The goal of the IEEE 802.11's Wireless Equivalent Privacy was to provide a degree of privacy and authentication for transmissions that is “equivalent” to that provided by physical wiring.
Unfortunately, the IEEE 802.11's Wireless Equivalent Privacy is flawed and an eavesdropper or spoofer can easily circumvent it. Therefore, the need exists for an improved security mechanism.
The present invention provides a secure telecommunications system that avoids some of the costs and disadvantages associated with secure telecommunications systems in the prior art. In particular, the illustrative embodiment of the present invention exhibits a reasonable trade-off between computation speed and resistance to attack. The illustrative embodiment can be implemented with operations that are quickly performed on most processors, and can, therefore, be reasonably implemented in software. The illustrative embodiment comprises modulo 2 additions, modulo $2^B$ additions, bit rotations, and transpositions.
The illustrative embodiment comprises a method for transforming a first message integrity codeword, L, and a second message integrity codeword, R, said method comprising:
Host computer 121 is a computer system such as a desktop, notebook, or stylus-based machine, or even a network-based peripheral such as a printer, scanner, fax machine, or server. It will be clear to those skilled in the art how to make and use host computer 121.
Host computer 122 is a computer system such as a desktop, notebook, or stylus-based machine, or even a network-based peripheral such as a printer, scanner, fax machine, or server. It will be clear to those skilled in the art how to make and use host computer 122. Either or both of host computer 121 and host computer 122 can be a network access point.
Transmitter 101 receives an n byte message, $m_0, \ldots, m_{n-1}$, a B-bit authentication key, K0, a B-bit authentication key, K1, a B-bit privacy key, P0, and a B-bit privacy key, P1, wherein B and n are positive integers. In accordance with the illustrative embodiment, B=32, but it will be clear to those skilled in the art how to make and use embodiments of the present invention that have different values for B.
From these, transmitter 101 generates a ciphertext message, C, that can be transmitted over communications channel 110 to receiver 102. Receiver 102 receives the ciphertext message, C, the authentication keys K0 and K1, and the privacy keys P0 and P1, and from them recovers the message, $m_0, \ldots, m_{n-1}$, and a 1-bit authentication indication, AI. The authentication indication, AI, indicates whether receiver 102 was able to authenticate that the ciphertext message, C, did, in fact, originate with an entity that had access to the authentication keys K0 and K1. It will be clear to those skilled in the art how to make and use alternative embodiments of the present invention that have different length authentication keys and different length privacy keys.
The details of transmitter 101 are described in detail below and with respect to
At task 301, message padder 201 receives an n byte message, $m_0, \ldots, m_{n-1}$, which represents the plaintext message to be transmitted securely to receiver 102.
At task 302, message padder 201 pads the message, $m_0, \ldots, m_{n-1}$, at the end with a single byte with the value 0x5a and then between 4 and 7 zero bytes. The number of zero bytes is chosen so that the overall length of the message plus the padding is a multiple of 4. The message is then converted to a sequence of B-bit words $M_0, \ldots, M_{N-1}$ wherein $N := \lceil (n+5)/4 \rceil$. It will be clear to those skilled in the art, however, how to make and use alternative embodiments of the present invention that use different padding systems.
At task 303, message integrity code generator 202 receives the authentication keys K0 and K1, and encryptor 203 receives the privacy keys P0 and P1. It will be clear to those skilled in the art how to make and use alternative embodiments of the present invention in which tasks 301 and 302 and task 303 are performed concurrently or in a different order.
At task 304, message integrity code generator 202 generates the first message integrity codeword, L, and the second message integrity codeword, R, based on the message words $M_0, \ldots, M_{N-1}$, and the authentication keys K0 and K1. The procedure that message integrity code generator 202 uses to generate the first message integrity codeword, L, and the second message integrity codeword, R, is described in detail below and with respect to
At task 305, encryptor 203 encrypts, in well-known fashion, the message words $M_0, \ldots, M_{N-1}$, the first message integrity codeword, L, and the second message integrity codeword, R, with the privacy keys P0 and P1 as the key, in accordance with the RC4 symmetric cryptosystem, to produce the ciphertext message C. It will be clear to those skilled in the art how to make and use embodiments of the present invention that use other cryptosystems.
At task 306, transmitter 101 transmits the ciphertext message C onto communications channel 110 in well-known fashion.
At subtask 401, message integrity codeword generator 202 initializes the first message integrity codeword, L, and the second message integrity codeword, R, by setting the first message integrity codeword, L, equal to the first authentication key, K0, and by setting the second message integrity codeword, R, equal to the second key, K1.
At subtask 402, message integrity codeword generator 202 sets a placeholder variable i equal to zero, wherein i is a non-negative integer, as shown in Equation 1.
$i := 0$ (Eq. 1)
At subtask 403, message integrity codeword generator 202 sets the first message integrity codeword, L, equal to the modulo 2 sum of the first message integrity codeword, L, plus message word $M_i$, as shown in Equation 2.
$L := L \oplus M_i$ (Eq. 2)
At subtask 404, message integrity codeword generator 202 sets the first message integrity codeword, L, and the second message integrity codeword, R, equal to a block transformation of the first message integrity codeword, L, and the second message integrity codeword, R, as shown in Equation 3.
$(L, R) := b(L, R)$ (Eq. 3)
This transformation is described in detail below and with respect to
At subtask 405, message integrity codeword generator 202 increments the value of the variable i.
At subtask 406, message integrity codeword generator 202 checks whether the value of the variable i is equal to N. If it is, then task 304 ends and control proceeds to task 305; otherwise control returns to subtask 403.
At subtask 501, message integrity codeword generator 202 sets the first message integrity codeword, L, and the second message integrity codeword, R, by setting the second message integrity codeword, R, equal to the modulo 2 sum of the second message integrity codeword, R, plus the first message integrity codeword, L, after being rotated left 17 bits. This is shown in Equation 4.
$R := R \oplus (L \lll 17)$ (Eq. 4)
wherein the symbol $\lll$ represents the rotate left operator. It will be clear to those skilled in the art how to make and use alternative embodiments of the present invention in which the first message integrity codeword, L, is rotated a different number of bits or is rotated right.
At subtask 502, message integrity codeword generator 202 sets the first message integrity codeword, L, equal to the modulo $2^B$ sum of the first message integrity codeword, L, plus the second message integrity codeword, R, as shown in Equation 5.
$L := (L + R) \bmod 2^B$ (Eq. 5)
wherein the symbol + represents the summation operator.
At subtask 503, message integrity codeword generator 202 sets the second message integrity codeword, R, equal to the modulo 2 sum of the second message integrity codeword, R, plus a transposition of the first message integrity codeword, L, as shown in Equation 6.
$R := R \oplus \mathrm{XSWAP}(L)$ (Eq. 6)
wherein the transposition XSWAP(L) swaps the position of the two least significant bytes of L with each other and swaps the position of the two most significant bytes of L with each other.
At subtask 504, message integrity codeword generator 202 sets the first message integrity codeword, L, equal to the modulo $2^B$ sum of the first message integrity codeword, L, plus the second message integrity codeword, R, as shown in Equation 7.
$L := (L + R) \bmod 2^B$ (Eq. 7)
At subtask 505, message integrity codeword generator 202 sets the second message integrity codeword, R, equal to the modulo 2 sum of the second message integrity codeword, R, plus the first message integrity codeword, L, after being rotated left 3 bits, as shown in Equation 8.
$R := R \oplus (L \lll 3)$ (Eq. 8)
It will be clear to those skilled in the art how to make and use alternative embodiments of the present invention in which the first message integrity codeword, L, is rotated a different number of bits or is rotated right.
At subtask 506, message integrity codeword generator 202 sets the first message integrity codeword, L, equal to the modulo $2^B$ sum of the first message integrity codeword, L, plus the second message integrity codeword, R, as shown in Equation 9.
$L := (L + R) \bmod 2^B$ (Eq. 9)
It will be clear to those skilled in the art how to make and use alternative embodiments of the present invention in which the first message integrity codeword, L, is rotated a different number of bits or is rotated right.
At subtask 507, message integrity codeword generator 202 sets the second message integrity codeword, R, equal to the modulo 2 sum of the second message integrity codeword, R, plus the first message integrity codeword, L, after being rotated right 2 bits, as shown in Equation 10.
$R := R \oplus (L \ggg 2)$ (Eq. 10)
wherein the symbol $\ggg$ represents the rotate right operator. It will be clear to those skilled in the art how to make and use alternative embodiments of the present invention in which the first message integrity codeword, L, is rotated a different number of bits or is rotated left.
At subtask 508, message integrity codeword generator 202 sets the first message integrity codeword, L, equal to the modulo $2^B$ sum of the first message integrity codeword, L, plus the second message integrity codeword, R, as shown in Equation 11.
$L := (L + R) \bmod 2^B$ (Eq. 11)
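The padding of task 302, the codeword loop of subtasks 401-406 and the block transformation of subtasks 501-508, written out as an added Python example (not code from the patent). It assumes B=32, little-endian packing of message bytes into words, and that the receiver accepts when both candidate codewords equal the benchmark codewords; the function names are illustrative.

```python
import hmac
import struct

MASK = 0xFFFFFFFF  # B = 32, so "mod 2^B" is a 32-bit mask

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def xswap(x):
    # Swap the two low bytes with each other and the two high bytes with each other.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def block(L, R):
    """Subtasks 501-508 (Eq. 4 through Eq. 11)."""
    R ^= rol(L, 17)
    L = (L + R) & MASK
    R ^= xswap(L)
    L = (L + R) & MASK
    R ^= rol(L, 3)
    L = (L + R) & MASK
    R ^= ror(L, 2)
    L = (L + R) & MASK
    return L, R

def pad_to_words(msg):
    """Task 302: append 0x5a, then 4..7 zero bytes, giving N = ceil((n+5)/4) words."""
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    # Assumption: little-endian byte order; the text does not specify one.
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))

def mic(msg, K0, K1):
    """Subtasks 401-406: start from (K0, K1), absorb each word, return (L, R)."""
    L, R = K0, K1
    for M in pad_to_words(msg):
        L ^= M                # Eq. 2
        L, R = block(L, R)    # Eq. 3
    return L, R

def authenticate(candidate_msg, LC, RC, K0, K1):
    """Receiver side: recompute the benchmark codewords and compare.
    Assumption: accept only if LC == LB and RC == RB, checked in constant time."""
    LB, RB = mic(candidate_msg, K0, K1)
    return hmac.compare_digest(struct.pack("<2I", LC, RC), struct.pack("<2I", LB, RB))
```

Because the block transformation is a bijection on (L, R), any change confined to one message word always changes the final codewords, which is why a single altered byte fails `authenticate`.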
At task 701, decryptor 601 receives the ciphertext message C from communications channel 110, in well-known fashion.
At task 702, decryptor 601 and message integrity code generator 602 receive the first authentication key, K0, and the second key, K1. It will be clear to those skilled in the art that tasks 701 and 702 can be performed concurrently or in a different order in some alternative embodiments of the present invention.
At task 703, decryptor 601 decrypts the ciphertext message C with the privacy keys P0 and P1 as the key to recover the candidate message words $M_0, \ldots, M_{N-1}$ and the candidate message integrity codewords LC and RC. The recovered message words and message integrity codewords are called “candidate” words and codewords at this point because they might have been fabricated by a spoofer and have not yet been authenticated by receiver 102. As part of task 703, decryptor 601 feeds the candidate message words $M_0, \ldots, M_{N-1}$ to message integrity codeword generator 602 and feeds the candidate message integrity codewords LC and RC to message integrity codeword comparator 603.
At task 704, message integrity codeword generator 602 generates the first benchmark message integrity codeword, LB, and the second benchmark message integrity codeword, RB, based on the candidate message words $M_0, \ldots, M_{N-1}$, and the authentication keys K0 and K1. The function of message integrity codeword generator 602 is identical to the function performed by message integrity codeword generator 202, and task 704 is identical to task 304. The generated message integrity codewords LB and RB are called “benchmark” codewords because they are the touchstone against which receiver 102 will judge the authenticity of the candidate codewords LC and RC recovered in task 703.
At task 705, decryptor 601:
At task 706, message integrity codeword comparator 603 authenticates the candidate message words $M_0, \ldots, M_{N-1}$ when and only when:
It is to be understood that the above-described embodiments are merely illustrative of the present invention and that many variations of the above-described embodiments can be devised by those skilled in the art without departing from the scope of the invention. It is therefore intended that such variations be included within the scope of the following claims and their equivalents.
This application claims the benefit of U.S. Provisional Patent Application 60/396,286 filed Jul. 15, 2002, which is incorporated by reference.
Number | Date | Country | |
---|---|---|---|
20040008840 A1 | Jan 2004 | US |
Number | Date | Country | |
---|---|---|---|
60396286 | Jul 2002 | US |