WO2015133951A1 - Method, communication device, and computer program for improving communication privacy - Google Patents


Info

Publication number
WO2015133951A1
WO2015133951A1 PCT/SE2014/050276 SE2014050276W WO2015133951A1 WO 2015133951 A1 WO2015133951 A1 WO 2015133951A1 SE 2014050276 W SE2014050276 W SE 2014050276W WO 2015133951 A1 WO2015133951 A1 WO 2015133951A1
Authority
WO
WIPO (PCT)
Prior art keywords
value
user
pin value
pin
version
Prior art date
Application number
PCT/SE2014/050276
Other languages
French (fr)
Inventor
Mats NÄSLUND
Makan Pourzandi
Original Assignee
Telefonaktiebolaget L M Ericsson (Publ)
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget L M Ericsson (Publ)
Priority to PCT/SE2014/050276
Publication of WO2015133951A1


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228: One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2133: Verifying human interaction, e.g., Captcha

Definitions

  • This disclosure relates to methods, devices, computer programs, and computer program products for improving communication privacy.
  • This disclosure addresses this issue by making it more costly for an interloper to utilize an MITM attack. More specifically, this disclosure defines a mechanism that makes MITM attacks costly for whoever attempts it, in particular if the interloper attempts it at large scale.
  • the mechanism does not require secure/trusted network servers, but relies on a test (e.g., obscured information) that enables a first human user to determine whether the first user is communicating with a machine or a human. This implies that a potential interloper cannot use a machine (e.g., computer) to perform MITM attacks, implying difficulty to automate eavesdropping at large scale and making it costly, even at moderate scale.
  • the method includes the first CD using at least a first pin value and a first security parameter (A1) to generate a first authentication value (AV1).
  • the first CD initiates a communication session with a second CD. Initiating the communication session comprises the first CD transmitting first information to the second CD.
  • the first information includes: i) a first obscured version of the first pin value, ii) the first security parameter (A1), and iii) the first authentication value (AV1).
  • the first CD receives responsive information from the second CD.
  • the responsive information includes: i) an obscured version of a second pin value, ii) a second security parameter (A2), and iii) a second authentication value (AV2).
  • the first CD provides to a first user of the first CD the obscured version of the second pin value.
  • the first CD receives input from the first user after receiving the responsive information.
  • the first CD determines, based at least in part on the input, whether to continue with the communication session.
  • transmitting to the second CD the first obscured version of the first pin value serves as a challenge data
  • the receiving of the second authentication value (AV2) serves as a verification data, said challenge data together with said verification data being usable to determine whether the second CD is being used by a human.
  • transmitting to the second CD the first obscured version of the first pin value serves as a challenge data
  • the receiving of the obscured version of the third pin value serves as a verification data
  • said challenge data together with said verification data being usable to determine whether the second CD is being used by a human.
  • transmitting the first obscured version of the first pin value to the second CD comprises transmitting to the second CD a first image file containing a first distorted version of the first pin value or transmitting a reference to a storage of the first image file.
  • receiving the responsive information comprises a) receiving a second image file containing a distorted version of the second pin value or b) receiving a reference to a storage of the second image file.
  • the responsive information further comprises a distorted version of a third pin value (e.g., a distorted version of a pin value input by the second user), and receiving the responsive information comprises a) receiving a second image file containing i) the distorted version of the third pin value and ii) a distorted version of the second pin value or b) receiving a reference to a storage of the second image file.
  • the method may further comprise: the first CD prompting the user to input a response after providing to the first user the distorted version of the third pin value; the first CD receiving second user input in response to the prompting; and the first CD determining, based on the second user input, whether the third pin value is equal to the first pin value.
  • the first CD in response to determining that the third pin value is not equal to the first pin value, i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least a new obscured version of the first pin value, iv) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, or v) transmits to the second CD at least an error message.
  • receiving the first user input comprises receiving from the first user a pin value entered by the first user after the first CD provided to the first user the obscured version of the second pin value.
  • the method may further include: the first CD using at least the pin value input by the user, the first pin value, and A2 to generate an authentication value. The first CD determines whether the generated authentication value is in agreement with AV2.
  • the first CD in response to determining that the generated authentication value is not in agreement with AV2, i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least a new obscured version of the first pin value, iv) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, or v) transmits to the second CD at least an error message.
  • the method further includes the first CD generating a key using at least a value used to calculate the first security parameter (A1) and the second security parameter (A2).
  • the first CD uses the key to encrypt data, thereby generating encrypted data.
  • the first CD transmits the encrypted data to the second CD.
  • the second CD is configured to provide to a second user of the second CD the first obscured version of the first pin value; receive a value input by the second user in response to the second CD providing the first obscured version of the first pin value to the second user; use A1 and the value input by the second user to generate an authentication value; and determine whether the generated authentication value is in agreement with the first authentication value (AV1) (e.g., identical to AV1).
  • AV1 first authentication value
  • a method, in a system comprising a first CD and a second CD, for improving communication privacy comprises the second CD receiving a first security parameter (A1), a first obscured version of a first pin value (OV1), and a first authentication value (AV1).
  • the second CD provides to a user of the second CD the first obscured version of a first pin value (OV1).
  • the second CD receives a user input from the user of the second CD in response to the second CD providing the first obscured version of a first pin value (OV1) to the user.
  • the second CD using at least the user input and the first security parameter (A1) to generate an authentication value.
  • the second CD determining that the generated authentication value is in agreement with the first authentication value (AV1).
  • the second CD generating: i) a second security parameter (A2), ii) a second authentication value (AV2), and iii) an obscured version of a second pin value (OV3).
  • the second CD transmitting to the first CD i) the second security parameter (A2), ii) the second authentication value (AV2), and iii) the obscured version of the second pin value (OV3).
  • a communication device is disclosed. The
  • a computer program includes instructions for carrying out any of the methods described above.
  • FIG. 1 illustrates a communication system according to some embodiments.
  • Fig. 2 illustrates an exemplary sequence diagram according to some embodiments.
  • FIGs. 3(a) and 3(b) illustrate exemplary obscured diagrams according to some embodiments.
  • Figs. 4-7 illustrate exemplary flow charts according to some embodiments.
  • Fig. 8 illustrates an exemplary non-wireless communication device according to some embodiments.
  • Fig. 9 illustrates an exemplary wireless device according to some embodiments.
  • Embodiments are directed to methods, communication devices, and computer programs for improving communication privacy in a communication session between end users. As discussed above, a communication session between end users is vulnerable to MITM attacks. Such attacks may be automated by a computer with the potential of affecting a large number of communication sessions. Embodiments described herein utilize a Turing test to make it costly for an interloper to use an automated computer to perform a MITM attack.
  • Such Turing tests (such as CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart) are known in the art but only to verify the presence of a human by a server. This is not sufficient for establishing a secure communication channel as it provides no binding between the solution to the CAPTCHA and a secured channel between the parties.
  • all prior art CAPTCHAs are "onesided": while only a human can solve the CAPTCHA, a machine (server) is still able to verify the solution. Again, this is not sufficient as secure communication requires mutual authentication.
  • end users may send obscured versions of information to each other, where this information is used by the end users to authenticate any received data, such as data used for establishing a shared key.
  • the obscured version of the information may be a distorted image or distorted audio.
  • FIG. 1 illustrates a communication system 100 according to some embodiments.
  • Communication system 100 includes communication devices, such as wireless devices 104A, 104B and land-line devices 106A, 106B, that may communicate with each other over network 110 (e.g., the Internet).
  • the communication devices 104A and 106A may be used by a first user 102A, and the communication devices 104B and 106B may be used by a second user 102B. Users 102A and 102B can use the
  • communication devices illustrated in Fig. 1 may use communication device 104A or 106A to initiate a communication session with either communication device 104B or 106B using well-known access protocols, e.g. WCDMA, LTE or WLAN, and well-known Internet protocols, such as, for example, TCP/IP and the Session Initiation Protocol (SIP).
  • WCDMA Wideband Code Division Multiple Access
  • LTE Long Term Evolution
  • WLAN Wireless Local Area Network
  • users 102A and 102B may use any desired key exchange protocol such as a Diffie-Hellman key exchange protocol.
  • key exchange protocols are public key based and pre-shared key based protocols, e.g. as supported by MIKEY, TLS, PSK-TLS, IKE, etc. It will be apparent to one of skill in the art how to adapt the invention to such protocols by adding information elements encoding obscured information to the key exchange signaling, and using at least the (unobscured) information as basis for cryptographic keys to authenticate the key exchange signaling.
  • Fig. 2 illustrates an embodiment for establishing a communication session between first and second users and creating a shared key, e.g. for encryption purposes, between the first and second users.
  • the first and second users illustrated in Fig. 2 may correspond to user 102A and user 102B.
  • the first user's communication device illustrated in Fig. 2 may correspond to communication device 104A or 106A.
  • the second user's communication device illustrated in Fig. 2 may correspond to communication device 104B or 106B.
  • a pin value is a set of displayable objects, including numerical digits, letters, punctuation marks, or other objects.
  • the pin value may be "6ne3".
  • a length of four characters merely serves as an example.
  • the first user may select "6ne3" from a predetermined set of pin values displayed on the first user's communication device or manually enter this pin value via a touchscreen or keypad on device 104A or a keyboard on device 106B.
  • the selected pin value is provided to the first user's communication device
  • Steps 1a and 1b are optional steps as the pin value may be selected for the user by the user's communication device.
  • the first user's CD may select a pin value (e.g., the first user's CD may randomly select a pin value using, for example, a pseudo-random string generator) and then may display the selected pin value to the first user.
  • an obscured version (OV1) of the pin value is generated.
  • the obscured version of the pin value may be generated using a program on the first user's communication device.
  • the obscured version may be a distorted image of the pin value or an obscured audio file that includes the pin value.
  • An example of a distorted image is a Completely Automated Public Turing test to tell Computer and Humans Apart (CAPTCHA) diagram.
  • Fig. 3(a) illustrates an example of a distorted image of the pin value "6ne3".
  • An example of an obscured audio file is an audio file that includes the pin value with background noise such that the pin value is detectable by a human ear, but the background noise, and/or speech variations (e.g. in pitch), makes it difficult for a computer device to determine the pin value via speech recognition.
  • a security parameter (A1) is generated.
  • A1 may be used for the purpose of exchanging keys between the first and second users.
  • A1 may be the Diffie-Hellman value (g^a mod p), where a, g, and p are integers (p being a prime number), the values of p and g are predetermined by the first and second users (or their devices), and the value a is a secret integer known only to the first user or the first user's device.
  • an elliptic curve group may be used to define A1.
  • an authentication value (AV1) is generated. This authentication value may be generated using at least A1 and the pin value "6ne3".
  • A1 and the pin value may be input into an authentication algorithm to generate the authentication value AV1.
  • the pin value would thus serve as the key for this authentication algorithm while A1 would serve as the data being authenticated.
  • Other information may also be input to the authentication algorithm, e.g. identifiers of the users, session, time stamps, replay protection information, etc., which will then also be possible to authenticate.
  • In step 2, A1, AV1, and an obscured version of the pin value (OV1) are transmitted to the second user's communication device.
  • the first user may initiate a communication session with the second user by sending to the second user's communication device an invitation message (e.g., a Session Initiation Protocol (SIP) Invite Message) for the purposes of inviting the second user to create a
  • SIP Session Initiation Protocol
  • the message includes A1, AV1 and an explicit (binary or BASE64) encoding of OV1 or a reference (e.g., URL) to an image file that contains OV1.
  • step 3a the second user's communication device provides the obscured version of the pin value (OV1) to the second user.
  • the CAPTCHA image of the pin value "6ne3" as illustrated in Fig. 3(a) is displayed on a screen of the second user's communication device.
  • step 3b the second user obtains the pin value.
  • upon viewing the CAPTCHA image illustrated in Fig. 3(a), the second user sees the pin value "6ne3".
  • step 3c the second user submits the pin "6ne3" to the second user's communication device (e.g., the second user uses a touch screen interface or keyboard of the second user's communication device to enter the pin value into the device).
  • step 3d the second user's communication device authenticates A1 using at least AV1 and the pin value that the second user submitted in step 3c. For example, the second user's communication device enters the pin "6ne3" and A1 into an authentication algorithm to generate an authentication value.
  • This authentication algorithm is the same authentication algorithm as the authentication algorithm used by the first user when AV1 was generated. If this newly generated authentication value matches the authentication value AV1, then A1 is authenticated.
  • step 3e if the newly generated authentication value does not match AV1, then the communication session may be terminated.
  • the second user's communication device may display a failure warning indicating the lack of authentication. In this situation, the second user's communication device may terminate the communication session automatically, or the second user may terminate the communication session manually. Alternatively, the second user can be given another chance to input a new pin value (i.e., repeat step 3c).
  • step 4a the second user selects a new pin value (e.g., "jw62k").
  • step 4b the second user submits the new pin value to the second user's communication device.
  • steps 4a and 4b are optional because, in some
  • the second user's communication device may generate or otherwise select the new pin value.
  • step 4c the second user's communication device generates an obscured version of the new pin value (OV3). Also, the second user's communication device may generate a new obscured version of the pin value (OV2) submitted in step 3c, but this is optional in some embodiments. In embodiments in which the second user's
  • OV2 it is preferable that OV2 is different than OV1.
  • OV3 may be obscured in the same manners as the OV1, i.e. it may be an image or audio CAPTCHA.
  • the method for generating OV3 may be different or the same as the method of generating OV1 and/or OV2, e.g, one may be audio and the other(s) an image.
  • OV2 and OV3 may be combined in the same CAPTCHA (e.g. in the same image as illustrated in Fig. 3(b) or in the same audio clip). In such a case, generation of OV2 (i.e. step 3e) takes place as part of this step by integrating it with the generation of OV3.
  • obscured versions OV2 and OV3 may be separate CAPTCHA images/audio clips.
  • a second security parameter (A2) is generated.
  • A2 may be g^b mod p, where "g" and "p" are the same integers used by the first user, and "b" is a secret integer known only to the second user or the second user's device.
  • an elliptic curve group may be used to define A2.
  • step 4e an authentication value (AV2) is generated.
  • AV2 authentication value
  • AV2 is generated using at least A2, the new pin value "jw62k", and the first pin value "6ne3".
  • A2 and one or more of pin values "jw62k" and "6ne3" may be entered into the authentication algorithm to generate AV2.
  • AV2 is generated using at least A2 and the new pin value "jw62k."
  • other information may also be input to the authentication algorithm, e.g.
  • step 5a the second user's communication device transmits to the first user's communication device A2, AV2, and OV3.
  • OV2 may be transmitted along with A2, AV2, and OV3.
  • the second user's communication device transmits to the first user's
  • a response message (e.g., a SIP response message), wherein the message includes A2, AV2, and a reference to an image file that contains OV2 and OV3 or an explicit (binary or BASE64) encoding of the image file(s).
  • step 5b OV3 (and possibly OV2) is provided to the first user.
  • the user may be provided with the CAPTCHA image illustrated in Fig. 3(b), which includes distorted versions of the pin values "6ne3" and "jw62k."
  • step 6 the first user extracts the pin value included in OV3 (and also OV2 if it is present) and submits the pin value included in OV3 to the first user's communication device (assuming, if OV2 is present, that the pin value in OV2 matches the pin selected by the first user (e.g., "6ne3")). If OV2 is present, however, and the pin value in OV2 does not match the pin selected by the first user, then the first user may either terminate the communication session as this is an indication of a possible MITM attack, or start the process again with a new pin value.
  • the first user's communication device authenticates A2 using at least the input pin value (e.g., "jw62k") and possibly also the first pin value.
  • the value "jw62k" (i.e., the second pin value), the value "6ne3" (i.e., the first pin value), and the value A2 are all entered into the authentication algorithm to generate a new authentication value. If this new authentication value is in agreement with (e.g., matches) authentication value (AV2), then A2 is authenticated. If A2 is not authenticated, the communication session may be terminated in a similar fashion as described above in step 3e, or the process may be restarted from the beginning.
  • first and second user devices derive a shared key that can be assumed to be known only to first and second users.
  • the first user may derive a shared key using at least the second security parameter received from the second user's communication device, and the second user may derive the same shared key using at least the first security parameter received from the first user's communication device.
  • s1 is equal to s2.
  • the first and second users may start exchanging data, e.g.
  • this key may be included in the derivation of shared keys for the current communication session. This provides so-called key-continuity and has the advantage that even if a man-in-the-middle by some means manages to obtain the shared key s1/s2, this is still of no use to decrypt the current communication session unless the man-in-the-middle also managed to obtain the prior shared key s0.
  • such a prior shared key s0 may be included in the generation of authentication values (AV1 and/or AV2). That is, besides using at least the first and/or second pin as a key input to the authentication algorithm, such a key s0 may also be used as key input by combining (e.g. hashing or concatenating) it with the pin(s),
  • both the first and second pin values e.g. both "jw62k" and "6ne3"
  • OV2 obscured version
  • OV3 obscured version
  • the second user did not manage to correctly "solve" the obscured version (OV1) then an incorrect value (a value different from "6ne3") will be input to the authentication algorithm when generating the authentication value (AV2) and thus authentication will fail at the first user's device in step 6c.
  • s1 will be different from s2.
  • s1 will be shared between the first user and the MITM and s2 will be shared between the second user and the MITM.
  • this can be detected by configuring the first and second device to display some fingerprint of s1/s2 which enables the first and second user to compare the displayed values, e.g. using verbal communication over the established connection. Users may opt to terminate communication if s1 and s2 are found to not match.
  • Fig. 4 illustrates an embodiment of a process 400 performed by a first communication device (e.g., 104A, 106A).
  • the process may generally start at step 402 where the first communication device uses a first pin value (e.g., a pin value selected by the first user of the first communication device or by the communication device itself) and a first security parameter (A1) to generate a first authentication value (AV1).
  • the first pin value may be "6ne3"
  • the first security parameter (A1) may be g^a mod p, where the first pin value and the first security parameter (A1) are entered into an authentication algorithm to generate the first authentication value (AV1).
  • step 404 the first communication device initiates a communication session with a second communication device (e.g., transmit an invite message
  • the first communication device may initiate the communication session by transmitting first information to the second communication device, with the first information comprising: i) a first obscured version of the first pin value (OV1), wherein OV1 is such that it is more difficult for a machine to determine the first pin value than it is for a human to determine the first pin value, ii) the first security parameter (A1), and iii) the first authentication value (AV1).
  • transmitting OV1 to the second communication device comprises transmitting to the second communication device a first image file containing a first distorted version of the first pin value.
  • transmitting OV1 to the second communication device comprises transmitting to the second communication device a reference to a first image file containing a first distorted version of the first pin value.
  • the first communication device receives from the second communication device responsive information, the responsive information comprising: i) an obscured version of a second pin value (OV3), ii) a second security parameter (A2), and iii) a second authentication value (AV2).
  • the responsive information further includes a second obscured version of the first pin value (OV2), where OV2 is different than OV1.
  • AV2, OV2, and OV3 may be generated by the second communication device as described above with respect to Fig. 2.
  • receiving the responsive information comprises receiving a second image file containing a distorted version of the second pin value.
  • the second image file may further include a second distorted version of the first pin value.
  • receiving the responsive information comprises receiving i) a second image file containing a second distorted version of the first pin value and ii) a third image file containing a distorted version of the second pin value.
  • the first communication device provides to the first user of the first communication device OV3.
  • the first communication device may prompt the first user to input the pin value the user obtains from OV3. In some embodiments this occurs only if the first user also sees the first pin value on the display. In such embodiments, if the user does not see the first pin value on the display the first user may activate a "cancel" button.
  • the first communication device receives a value input by the first user.
  • the first communication device determines, based at least in part on the received value input by the first user, whether to continue with the
  • the value input by the user, the first pin value, and the value A2 may all be entered into an authentication algorithm to generate a new authentication value. If this new authentication value is in agreement with (e.g., matches) AV2, then A2 is authenticated and the communication may continue.
  • the first communication device may determine to terminate the communication session in response to determining that the new authentication value is not in agreement with AV2. In some embodiments, the first communication device may automatically restart the process in response to determining that the new authentication value is not in agreement with AV2 (i.e., the process 400 may go back to step 402).
  • the responsive information transmitted to the first communication device further includes OV2.
  • OV2 may be displayed to the first user.
  • the first user himself can determine whether the pin value encoded in OV2 is in agreement with the first pin value (on the other hand the first user could simply enter the pin value the user perceives in OV2 so that the first communication device can determine whether the perceived pin value is in agreement with the first pin value). If they are not in agreement, then this indicates a possible MITM attack and the first user may activate a "cancel session" button (i.e., input a "negative" response) to terminate the communication session or the first communication device may automatically terminate the communication session.
  • FIG. 5 illustrates a process 500, according to some embodiments, that is performed by the first communication device to perform step 412.
  • Process 500 may begin in step 502, where the first communication device receives a pin value entered by the first user in response to the first communication device outputting OV3 to the first user.
  • In step 504, the first communication device uses the pin value input by the user, the first pin value, and A2 to generate an authentication value.
  • In step 506, the first communication device determines whether the generated authentication value is in agreement with AV2. For example, in step 506 the communication device may determine whether the generated authentication value is identical to AV2.
  • In step 508, in response to determining that the generated authentication value is not in agreement with AV2, the first communication device i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least a new obscured version of the first pin value, iv) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, or v) transmits to the second CD at least an error message.
  • Fig. 6 illustrates another process performed by the first communication device.
  • the process may generally start at step 602, where the first communication device generates a key using at least a value used to calculate the first security parameter (A1) and the second security parameter (A2). This same key may be generated by the second user of the second communication device.
  • the first communication device uses the key (e.g., other key(s) derived from the key) to encrypt data, thereby generating the encrypted data.
  • the first communication device can use the key to encrypt data by inputting the data and the key into an encryption process that encrypts the data using the input key.
  • the first communication device can use the key to encrypt data by inputting the data and another key derived from the key into the encryption process. Ensuring that the first and second communication device use the same security configuration (e.g. the same encryption algorithm and key derivation functions, etc) is outside the scope of the invention but may be provided by means of pre-configuration or signaling.
  • the first communication device transmits the encrypted data to the second communication device. Since the first and second users have the same key (i.e., shared secret key), the second communication device can decrypt the encrypted data received from the first communication device using at least the same key (or further derived key(s)) used to encrypt the data.
  • Fig. 7 is a flow chart illustrating a process performed by the second communication device (CD).
  • the process may generally start at step 702, where the second CD receives a first security parameter (A1), a first authentication value (AV1), and an obscured version of a first pin value (OV1).
  • In step 704, the second CD provides to a user of the second CD OV1.
  • In step 706, the second CD receives a user input from the user in response to the second CD providing OV1 to the user.
  • In step 708, the second CD uses at least the user input and A1 to generate an authentication value.
  • In step 710, the second CD determines whether the generated authentication value is in agreement with AV1 (e.g., identical to AV1, which will occur when A1 was not modified during transmission, the user input and first pin are equal, and the second CD uses the same authentication algorithm that the first CD used in generating AV1). If the generated authentication value is not in agreement with AV1, the communication session may be terminated by the second communication device transmitting to the first communication device a session termination message.
  • the process can go back to step 704 to give the user another chance to input another user input.
  • the second CD generates: i) a second security parameter (A2), ii) a second authentication value (AV2), and iii) an obscured version of a second pin value (OV3).
  • the second CD generates AV2 using at least A2, the second pin value, and the user input received in step 706. Additionally, in some embodiments, the second CD generates an obscured version of the user input received in step 706.
  • the second CD transmits to the first CD: A2, AV2, and OV3.
  • the second CD further transmits an obscured version of the user input received in step 706 (i.e., OV2).
  • the second CD transmits OV2 and OV3 by transmitting a message containing a reference (e.g., URL) for an image file containing a distorted version of the user input received in step 706 and a distorted version of the second pin value.
  • the processes illustrated in Figs. 2-7 may be implemented purely in software, such as an internet application ("app"), that is downloaded by any one of the communication devices illustrated in Fig. 1.
  • This app may include predetermined pin values that are selectable by users or an algorithm for generating such pin values, the algorithms for generating obscured versions of the pin value, and the algorithms for authenticating data.
  • Fig. 8 is a block diagram of an embodiment of communication device 106A and 106B. Fig. 8 is described with respect to communication device 106A.
  • the communication device 106A may include or consist of: a computer system (CS) 802, which may include one or more processors 855 (e.g., a general purpose microprocessor) and/or one or more circuits, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), a logic circuit, and the like; a network interface 803 for use in connecting the communication device 106A to a network 110; and a data storage system 806, which may include one or more non-volatile storage devices and/or one or more volatile storage devices (e.g., random access memory (RAM)).
  • CPP 833 includes or is a computer readable medium (CRM) 882 storing a computer program (CP) 883 comprising computer readable instructions (CRI) 888.
  • CRM 882 is a non-transitory computer readable medium, such as, but not limited to, magnetic media (e.g., a hard disk), optical media (e.g., a DVD), solid state devices (e.g., random access memory (RAM), flash memory), and the like.
  • the CRI 888 of computer program 883 is configured such that when executed by computer system 802, the CRI causes the communication device 106A to perform steps described above (e.g., steps described above with reference to the flow charts and message flows shown in the drawings).
  • communication device 106A may be configured to perform steps described herein without the need for a computer program. That is, for example, computer system 802 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and/or software.
  • Fig. 9 is a block diagram of an embodiment of communication devices 104A and 104B. Fig. 9 is described with respect to communication device 104A.
  • the communication device 104A may include or consist of: a computer system (CS) 902, which may include one or more processors 955 (e.g., a general purpose microprocessor) and/or one or more circuits, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), a logic circuit, and the like; a transceiver 903 connected to an antenna 922 for use in communicating with a base station (e.g., Wi-Fi router or other base station); and a data storage system 906, which may include one or more non-volatile storage devices and/or one or more volatile storage devices (e.g., random access memory (RAM)).
  • CPP computer program product
  • CPP 933 includes or is a computer readable medium (CRM) 992 storing a computer program (CP) 993 comprising computer readable instructions (CRI)
  • CRM 992 is a non-transitory computer readable medium, such as, but not limited to, magnetic media (e.g., a hard disk), optical media (e.g., a DVD), solid state devices (e.g., random access memory (RAM), flash memory), and the like.
  • the CRI 999 of computer program 993 is configured such that when executed by computer system 902, the CRI causes the communication device 104A to perform steps described above (e.g., steps described above with reference to the flow charts and message flows shown in the drawings).
  • communication device 104A may be configured to perform steps described herein without the need for a computer program. That is, for example, computer system 902 may consist merely of one or more ASICs.
  • the features of the embodiments described herein may be implemented in hardware and/or software.

Abstract

A communication method for making computer-implemented man-in-the-middle (MITM) attacks costly to succeed. Advantageously, the method does not require secure/trusted network servers. The method utilizes a test (e.g., an obscured pin value) to enable a first human user of a communication device to have a level of confidence that the first user is communicating directly with a second human user, as opposed to communicating with a machine that is pretending to be the second user.

Description

METHOD, COMMUNICATION DEVICE, AND COMPUTER PROGRAM FOR IMPROVING COMMUNICATION PRIVACY
TECHNICAL FIELD
[001] This disclosure relates to methods, devices, computer programs, and computer program products for improving communication privacy.
BACKGROUND
[002] It has recently come to the public's attention that it is possible for a resourceful organization to monitor huge amounts of communication traffic (e.g. traffic flowing over the Internet). The public is, therefore, rightly concerned about communication privacy. At a recent Internet Engineering Task Force (IETF) meeting there were several discussions around how to strengthen the Internet by introducing means to mitigate the surveillance. See e.g., Jari Arkko, Stephen Farrell and Sean Turner, "Strengthening the Internet," IETF Chair's Blog, www.ietf.org/blog/2013/11/strengthening-the-internet/, November 2013 (last visited February 24, 2014).
[003] The common way to prevent eavesdropping in the internet is to use data encryption. There are many protocols available that can be used by a user to provide protection against a third party monitoring the user's traffic, e.g. S/MIME, SRTP, SSH, TLS, IPsec, etc. Until recently it was assumed that this offered adequate protection.
[004] Unfortunately, to be effective, encryption requires that communication parties can agree on, or otherwise obtain, trustworthy encryption key(s). Trustworthy here means that the parties are assured that the key(s) are really authentic, e.g. that the key belongs to and/or is shared with the other party and nobody else. This is problematic since there does not exist a global (or even national) trust framework (e.g. Public Key Infrastructures or trusted Key Servers) that can be used. In such a situation, one has to resort to opportunistic security, meaning that security is obtained if no 3rd party is present to (actively) interfere with key management data transferred between the parties. For a very powerful interceptor, however, it may be possible to circumvent (or reduce the effectiveness of) such protocols by performing an active man-in-the-middle (MITM) attack. Note as an aside that a global trust framework as mentioned above can itself be infiltrated or put in place by an interceptor, making such a global trusted framework even more difficult to put in place.
[005] What is desired, therefore, is a mechanism that would, at a minimum, make such monitoring difficult and costly for whoever attempts it, in particular if the eavesdropper attempts it at large scale.
SUMMARY
[006] This disclosure addresses this issue by making it more costly for an interloper to utilize an MITM attack. More specifically, this disclosure defines a mechanism that makes MITM attacks costly for whoever attempts it, in particular if the interloper attempts it at large scale. Advantageously, the mechanism does not require secure/trusted network servers, but relies on a test (e.g., obscured information) that enables a first human user to determine whether the first user is communicating with a machine or a human. This implies that a potential interloper cannot use a machine (e.g., computer) to perform MITM attacks, implying difficulty to automate eavesdropping at large scale and making it costly, even at moderate scale.
[007] In one aspect, therefore, there is provided a method performed by a first communication device (CD) for improving communication privacy. In one embodiment, the method includes the first CD using at least a first pin value and a first security parameter (A1) to generate a first authentication value (AV1). The first CD initiates a communication session with a second CD. Initiating the communication session comprises the first CD transmitting first information to the second CD. The first information includes: i) a first obscured version of the first pin value, ii) the first security parameter (A1), and iii) the first authentication value (AV1). The first CD receives responsive information from the second CD. The responsive information includes: i) an obscured version of a second pin value, ii) a second security parameter (A2), and iii) a second authentication value (AV2). The first CD provides to a first user of the first CD the obscured version of the second pin value. The first CD receives input from the first user after receiving the responsive information. The first CD determines, based at least in part on the input, whether to continue with the communication session.
[008] In some embodiments, transmitting to the second CD the first obscured version of the first pin value serves as a challenge data, and the receiving of the second authentication value (AV2) serves as a verification data, said challenge data together with said verification data being usable to determine whether the second CD is being used by a human. In some embodiments, transmitting to the second CD the first obscured version of the first pin value serves as a challenge data, and the receiving of the obscured version of the third pin value serves as a verification data, said challenge data together with said verification data being usable to determine whether the second CD is being used by a human.
[009] In some embodiments, transmitting the first obscured version of the first pin value to the second CD comprises transmitting to the second CD a first image file containing a first distorted version of the first pin value or transmitting a reference to a storage of the first image file.
[0010] In some embodiments, receiving the responsive information comprises a) receiving a second image file containing a distorted version of the second pin value or b) receiving a reference to a storage of the second image file.
[0011] In some embodiments, the responsive information further comprises a distorted version of a third pin value (e.g., a distorted version of a pin value input by the second user), and receiving the responsive information comprises a) receiving a second image file containing i) the distorted version of the third pin value and ii) a distorted version of the second pin value or b) receiving a reference to a storage of the second image file. In such embodiments, the method may further comprise: the first CD prompting the user to input a response after providing to the first user the distorted version of the third pin value; the first CD receiving second user input in response to the prompting; and the first CD determining, based on the second user input, whether the third pin value is equal to the first pin value. In some embodiments, the first CD, in response to determining that the third pin value is not equal to the first pin value, i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least a new obscured version of the first pin value, iv) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, or v) transmits to the second CD at least an error message.
[0012] In some embodiments, receiving the first user input comprises receiving from the first user a pin value entered by the first user after the first CD provided to the first user the obscured version of the second pin value. In such embodiments, the method may further include: the first CD using at least the pin value input by the user, the first pin value, and A2 to generate an authentication value. The first CD determines whether the generated authentication value is in agreement with AV2. The first CD, in response to determining that the generated authentication value is not in agreement with AV2, i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least a new obscured version of the first pin value, iv) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, or v) transmits to the second CD at least an error message.
[0013] In some embodiments, the method further includes the first CD generating a key using at least a value used to calculate the first security parameter (A1) and the second security parameter (A2). The first CD uses the key to encrypt data, thereby generating encrypted data. The first CD transmits the encrypted data to the second CD.
[0014] In some embodiments, the second CD is configured to provide to a second user of the second CD the first obscured version of the first pin value; receive a value input by the second user in response to the second CD providing the first obscured version of the first pin value to the second user; use A1 and the value input by the second user to generate an authentication value; and determine whether the generated authentication value is in agreement with the first authentication value (AV1) (e.g., identical to AV1).
[0015] In another aspect, a method, in a system comprising a first CD and a second CD, for improving communication privacy is disclosed. The method comprises the second CD receiving a first security parameter (A1), a first obscured version of a first pin value (OV1), and a first authentication value (AV1). The second CD provides to a user of the second CD the first obscured version of a first pin value (OV1). The second CD receives a user input from the user of the second CD in response to the second CD providing the first obscured version of a first pin value (OV1) to the user. The second CD using at least the user input and the first security parameter (A1) to generate an authentication value. The second CD determining that the generated authentication value is in agreement with the first authentication value (AV1). The second CD generating: i) a second security parameter (A2), ii) a second authentication value (AV2), and iii) an obscured version of a second pin value (OV3). The second CD transmitting to the first CD i) the second security parameter (A2), ii) the second authentication value (AV2), and iii) the obscured version of the second pin value (OV3).
[0016] In another aspect, a communication device is disclosed. The communication device is adapted to carry out any of the methods described above.
[0017] In another aspect, a computer program is provided. The computer program includes instructions for carrying out any of the methods described above.
[0018] Further features and embodiments are discussed below.
BRIEF DESCRIPTION OF THE DRAWINGS
[0019] The accompanying drawings, which are incorporated herein and form part of the specification, illustrate various embodiments.
[0020] Fig. 1 illustrates a communication system according to some embodiments.
[0021] Fig. 2 illustrates an exemplary sequence diagram according to some embodiments.
[0022] Figs. 3(a) and 3(b) illustrate exemplary obscured diagrams according to some embodiments.
[0023] Figs. 4-7 illustrate exemplary flow charts according to some embodiments.
[0024] Fig. 8 illustrates an exemplary non-wireless communication device according to some embodiments.
[0025] Fig. 9 illustrates an exemplary wireless device according to some embodiments.
DETAILED DESCRIPTION
[0026] Embodiments are directed to methods, communication devices, and computer programs for improving communication privacy in a communication session between end users. As discussed above, a communication session between end users is vulnerable to MITM attacks. Such attacks may be automated by a computer with the potential of affecting a large number of communication sessions. Embodiments described herein utilize a Turing test to make it costly for an interloper to use an automated computer to perform a MITM attack.
[0027] Such Turing tests (such as CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart) are known in the art but only to verify the presence of a human by a server. This is not sufficient for establishing a secure communication channel as it provides no binding between the solution to the CAPTCHA and a secured channel between the parties. Moreover, all prior art CAPTCHAs are "one-sided": while only a human can solve the CAPTCHA, a machine (server) is still able to verify the solution. Again, this is not sufficient as secure communication requires mutual authentication. As an example, in some embodiments, end users may send obscured versions of information to each other, where this information is used by the end users to authenticate any received data, such as data used for establishing a shared key. The obscured version of the information may be a distorted image or distorted audio. By providing an obscured version of the information that is useable to determine whether or not a user at the other end of a connection is human (e.g., a CAPTCHA), instead of the information itself, using an automated computer device to perform a MITM attack is not feasible. By the way the obscured version is generated and exchanged, it is also difficult for a computer device to verify a solution, e.g. if an undistorted pre-image corresponds to the obscured version, and/or if two different obscured images correspond to one and the same undistorted pre-image.
[0028] Fig. 1 illustrates a communication system 100 according to some embodiments. Communication system 100 includes communication devices, such as wireless devices 104A, 104B and land-line devices 106A, 106B, that may communicate with each other over network 110 (e.g., the Internet). The communication devices 104A and 106A may be used by a first user 102A, and the communication devices 104B and 106B may be used by a second user 102B. Users 102A and 102B can use the communication devices illustrated in Fig. 1 to initiate a communication session. For example, user 102A may use communication device 104A or 106A to initiate a communication session with either communication device 104B or 106B using well known access protocols, e.g. WCDMA, LTE or WLAN, and well-known Internet protocols, such as, for example, TCP/IP and the Session Initiation Protocol (SIP).
[0029] In some embodiments, when establishing the communication session, users 102A and 102B may use any desired key exchange protocol such as a Diffie-Hellman key exchange protocol. Examples of such key exchange protocols are public key based and pre-shared key based protocols, e.g. as supported by MIKEY, TLS, PSK-TLS, IKE, etc. It will be apparent to one of skill in the art how to adapt the invention to such protocols by adding information elements encoding obscured information to the key exchange signaling, and, using at least the (unobscured) information as basis for cryptographic keys to authenticate the key exchange signaling. Note in particular that while the embodiments shown herein assume a one-round trip exchange, some other predefined key management protocols may require more than one round-trip. The invention could then for example be integrated by adding the exchange of the obscured information into suitable messages between the two users. However, as Diffie-Hellman has the advantage of providing perfect forward secrecy, mainly such embodiments will be discussed herein. (Note that the exemplary protocols MIKEY, TLS and IKE comprise both Diffie-Hellman variants as well as public key and pre-shared key variants).
[0030] Fig. 2 illustrates an embodiment for establishing a communication session between first and second users and creating a shared key, e.g. for encryption purposes, between the first and second users. The first and second users illustrated in Fig. 2 may correspond to user 102A and user 102B. The first user's communication device illustrated in Fig. 2 may correspond to communication device 104A or 106A. The second user's communication device illustrated in Fig. 2 may correspond to communication device 104B or 106B.
[0031] In step 1a, the first user selects a pin value. According to some embodiments, a pin value is a set of displayable objects, including numerical digits, letters, punctuation marks, or other objects. For example, the pin value may be "6ne3". A length of four characters merely serves as an example. As an example, the first user may select "6ne3" from a predetermined set of pin values displayed on the first user's communication device or manually enter this pin value via a touchscreen or keypad on device 104A or a keyboard on device 106B. In step 1b, the selected pin value is provided to the first user's communication device.
[0032] Steps 1a and 1b are optional steps as the pin value may be selected for the user by the user's communication device. For example, in response to receiving an input from the first user that the first user desires to initiate a communication session with a second user, the first user's CD may select a pin value (e.g., the first user's CD may randomly select a pin value using, for example, a pseudo-random string generator) and then may display the selected pin value to the first user.
[0033] In step 1c, an obscured version (OV1) of the pin value is generated. The obscured version of the pin value may be generated using a program on the first user's communication device. According to some embodiments, the obscured version may be a distorted image of the pin value or an obscured audio file that includes the pin value. An example of a distorted image is a Completely Automated Public Turing test to tell Computer and Humans Apart (CAPTCHA) diagram. Fig. 3(a) illustrates an example of a distorted image of the pin value "6ne3". An example of an obscured audio file is an audio file that includes the pin value with background noise such that the pin value is detectable by a human ear, but the background noise, and/or speech variations (e.g. in pitch), makes it difficult for a computer device to determine the pin value via speech recognition.
[0034] In step 1d, a security parameter (A1) is generated. A1 may be used for the purpose of exchanging keys between the first and second users. As an example, A1 may be the Diffie-Hellman value (g^a mod p), where a, g, and p are integers (p being a prime number), the values of p and g are predetermined by the first and second users (or their devices), and the value a is a secret integer known only to the first user or the first user's device. As another example, an elliptic curve group may be used to define A1.
[0035] In step 1e, an authentication value (AV1) is generated. This authentication value may be generated using at least A1 and the pin value "6ne3". As an example, A1 and the pin value may be input into an authentication algorithm to generate the authentication value AV1. For example, HMAC-SHA1, AES-CMAC or some other suitable cryptographic function may be used. The pin value would thus serve as key for this authentication algorithm while A1 would serve as the data being authenticated. Other information may also be input to the authentication algorithm, e.g. identifiers of the users, session, time stamps, replay protection information, etc., which will then also be possible to authenticate.
[0036] In step 2, A1, AV1, and an obscured version of the pin value (OV1) are transmitted to the second user's communication device. As an example, the first user may initiate a communication session with the second user by sending to the second user's communication device an invitation message (e.g., a Session Initiation Protocol (SIP) Invite Message) for the purposes of inviting the second user to create a communication session with the first user, wherein the message includes A1, AV1 and an explicit (binary or BASE64) encoding of OV1 or a reference (e.g., URL) to an image file that contains OV1.
[0037] In step 3a, the second user's communication device provides the obscured version of the pin value (OV1) to the second user. As an example, the CAPTCHA image of the pin value "6ne3" as illustrated in Fig. 3(a) is displayed on a screen of the second user's communication device. In step 3b, the second user obtains the pin value. As an example, upon viewing the CAPTCHA image illustrated in Fig. 3(a), the second user sees the pin value "6ne3". In step 3c, the second user submits the pin "6ne3" to the second user's communication device (e.g., the second user uses a touch screen interface or keyboard of the second user's communication device to enter the pin value into the device).
[0038] In step 3d, the second user's communication device authenticates A1 using at least AV1 and the pin value that the second user submitted in step 3c. For example, the second user's communication device enters the pin "6ne3" and A1 into an authentication algorithm to generate an authentication value. This authentication algorithm is the same authentication algorithm as the authentication algorithm used by the first user when AV1 was generated. If this newly generated authentication value matches the authentication value AV1, then A1 is authenticated.
[0039] In step 3e, if the newly generated authentication value does not match AV1, then the communication session may be terminated. As an example, if A1 cannot be authenticated (i.e., the newly generated authentication value does not match AV1), the second user's communication device may display a failure warning indicating the lack of authentication. In this situation, the second user's communication device may terminate the communication session automatically, or the second user may terminate the communication session manually. Alternatively, the second user can be given another chance to input a new pin value (i.e., repeat step 3c).
[0040] In step 4a, the second user selects a new pin value (e.g., "jw62k"). In step 4b, the second user submits the new pin value to the second user's communication device. Like steps 1a and 1b, steps 4a and 4b are optional because, in some embodiments, the second user's communication device may generate or otherwise select the new pin value.
[0041] In step 4c, the second user's communication device generates an obscured version of the new pin value (OV3). Also, the second user's communication device may generate a new obscured version of the pin value (OV2) submitted in step 3c, but this is optional in some embodiments. In embodiments in which the second user's communication device generates OV2, it is preferable that OV2 is different than OV1. OV3 may be obscured in the same manner as OV1, i.e. it may be an image or audio CAPTCHA. The method for generating OV3 may be different or the same as the method of generating OV1 and/or OV2, e.g., one may be audio and the other(s) an image. In embodiments in which OV2 is generated, OV2 and OV3 may be combined in the same CAPTCHA (e.g. in the same image as illustrated in Fig. 3(b) or in the same audio clip). In such a case, generation of OV2 (i.e. step 3e) takes place as part of this step by integrating it with the generation of OV3. In other embodiments, obscured versions OV2 and OV3 may be separate CAPTCHA images/audio clips.
[0042] In step 4d, a second security parameter (A2) is generated. As an example, A2 may be g^b mod p, where "g" and "p" are the same integers used by the first user, and "b" is a secret integer known only to the second user or the second user's device. As another example, an elliptic curve group may be used to define A2.
[0043] In step 4e, an authentication value (AV2) is generated. In one embodiment, AV2 is generated using at least A2, the new pin value "jw62k", and the first pin value "6ne3". For example, A2 and one or more of pin values "jw62k" and "6ne3" may be entered into the authentication algorithm to generate AV2. In another embodiment, AV2 is generated using at least A2 and the new pin value "jw62k." As mentioned, other information may also be input to the authentication algorithm, e.g. identifiers of the users, session, time stamps, replay protection information, etc.
[0044] In step 5a, the second user's communication device transmits to the first user's communication device A2, AV2, and OV3. In the embodiments in which OV2 is generated, then OV2 may be transmitted along with A2, AV2, and OV3. For example, in step 5a, the second user's communication device transmits to the first user's communication device a response message (e.g., a SIP response message), wherein the message includes A2, AV2, and a reference to an image file that contains OV2 and OV3 or an explicit (binary or BASE64) encoding of the image file(s).
[ 0045 ] In step 5b, OV3 (and possibly OV2) is provided to the first user. As an example, the user may be provided with the CAPTCHA image illustrated in Fig. 3(b), which includes distorted versions of the pin values "6ne3" and "jw62k."
[0046] In step 6, the first user extracts the pin value included in OV3 (and also OV2 if it is present) and submits the pin value included in OV3 to the first user's communication device (assuming, if OV2 is present, that the pin value in OV2 matches the pin selected by the first user (e.g., "6ne3")). If OV2 is present, however, and the pin value in OV2 does not match the pin selected by the first user, then the first user may either terminate the communication session, as this is an indication of a possible MITM attack, or start the process again with a new pin value.
[ 0047 ] After the first user inputs into the first communication device the pin value included in OV3, the first user's communication device authenticates A2 using at least the input pin value (e.g., "jw62k") and possibly also the first pin value. As an example, the value "jw62k" (i.e., the second pin value), the value "6ne3" (i.e., the first pin value), and the value A2 are all entered into the authentication algorithm to generate a new authentication value. If this new authentication value is in agreement with (e.g., matches) authentication value (AV2), then A2 is authenticated. If A2 is not authenticated, the communication session may be terminated in a similar fashion as described above in step 3e, or the process may be restarted from the beginning.
[0048] If A2 is authenticated, the first and second user devices derive a shared key that can be assumed to be known only to the first and second users. The first user may derive a shared key using at least the second security parameter received from the second user's communication device, and the second user may derive the same shared key using at least the first security parameter received from the first user's communication device. For example, the first user may derive the shared key s1 = (A2)^a mod p, and the second user may generate shared key s2 = (A1)^b mod p, where A1 = g^a mod p, A2 = g^b mod p. In this scenario, s1 is equal to s2. After step 7, the first and second users may start exchanging data, e.g. encrypted, using at least the shared key (s1/s2) or shared keys derived therefrom. Other information may be included when deriving such shared keys, for example the first and second pin, user identities, etc. If the first and second user have previously communicated and derived some prior shared key, s0, this key may be included in the derivation of shared keys for the current communication session. This provides so-called key continuity and has the advantage that even if a man-in-the-middle by some means manages to obtain the shared key s1/s2, this is still of no use to decrypt the current communication session unless the man-in-the-middle also managed to obtain the prior shared key s0. Alternatively, or in addition, such a prior shared key s0 may be included in the generation of authentication values (AV1 and/or AV2). That is, besides using at least the first and/or second pin as a key input to the authentication algorithm, such a key s0 may also be used as key input by combining (e.g. hashing or concatenating) it with the pin(s).
[ 0049 ] Note that in embodiments in which both the first and second pin values, e.g. both "jw62k" and "6ne3", are used as input to the authentication algorithm when generating the authentication value (AV2) at the second user's device, it is not strictly necessary to also generate a new obscured version (OV2) or to transmit it back to the first user. Only the obscured version (OV3) then needs to be generated and transmitted. This holds because if the second user did not manage to correctly "solve" the obscured version (OV1) then an incorrect value (a value different from "6ne3") will be input to the authentication algorithm when generating the authentication value (AV2) and thus authentication will fail at the first user's device in step 6c. Moreover the first user (or the first user's device) already has the first pin value and can input it (together with the second pin value) when authenticating A2.
[0050] As described, there is actually no guarantee that only the first and second user share the key s1/s2 if a human man-in-the-middle (MITM) has been present. However, if this is the case, then s1 will be different from s2. Moreover, s1 will be shared between the first user and the MITM and s2 will be shared between the second user and the MITM. Thus, this can be detected by configuring the first and second device to display some fingerprint of s1/s2 which enables the first and second user to compare the displayed values, e.g. using verbal communication over the established connection. Users may opt to terminate communication if s1 and s2 are found to not match.
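The exchange of Fig. 2 (steps 1d through 7, the both-pins variant of [0049], key continuity with s0, and the fingerprint comparison of [0050]) as an added Python example; it is not code from the patent. Assumptions: HMAC-SHA256 stands in for the HMAC-SHA1/AES-CMAC the text names, the group (p = 2^255 - 19, g = 2) is a constructed toy choice, the CAPTCHA step is modelled by passing in the pin the user typed, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration (2**255 - 19 is prime); the text only
# says p and g are agreed in advance. Real systems use a standardized group.
P = 2**255 - 19
G = 2
PLEN = (P.bit_length() + 7) // 8


def encode(n: int) -> bytes:
    """Fixed-length big-endian encoding of a group element."""
    return n.to_bytes(PLEN, "big")


def auth_value(pins, param: int, s0: bytes = b"") -> bytes:
    """AV = MAC(key = pin(s) [+ prior key s0], data = security parameter)."""
    # Length-prefix each pin so ("ab", "c") and ("a", "bc") give different keys.
    key = b"".join(bytes([len(p)]) + p.encode() for p in pins) + s0
    return hmac.new(key, encode(param), hashlib.sha256).digest()


def session_key(shared: int, s0: bytes = b"") -> bytes:
    """Hash the DH result, mixing in a prior key s0 for key continuity."""
    return hashlib.sha256(encode(shared) + s0).digest()


def fingerprint(key: bytes) -> str:
    """Short value both users can read aloud to compare s1 and s2."""
    return hashlib.sha256(b"fp" + key).hexdigest()[:8]


def first_cd_start(pin1: str, s0: bytes = b""):
    """Steps 1d-2: pick secret a, send A1 and AV1 (OV1 travels alongside)."""
    a = secrets.randbelow(P - 3) + 2
    a1 = pow(G, a, P)
    return a, {"A1": a1, "AV1": auth_value([pin1], a1, s0)}


def second_cd_reply(msg, entered_pin1: str, pin2: str, s0: bytes = b""):
    """Steps 3d-4e: authenticate A1 with the pin read from OV1, then answer."""
    expected = auth_value([entered_pin1], msg["A1"], s0)
    if not hmac.compare_digest(expected, msg["AV1"]):
        return None, None  # step 3e: terminate or ask the user again
    b = secrets.randbelow(P - 3) + 2
    a2 = pow(G, b, P)
    # AV2 is keyed with both pins, the variant in which OV2 is not needed.
    reply = {"A2": a2, "AV2": auth_value([pin2, entered_pin1], a2, s0)}
    return session_key(pow(msg["A1"], b, P), s0), reply


def first_cd_finish(a: int, pin1: str, reply, entered_pin2: str, s0: bytes = b""):
    """Step 6 onward: authenticate A2 with both pins, then derive the key."""
    expected = auth_value([entered_pin2, pin1], reply["A2"], s0)
    if not hmac.compare_digest(expected, reply["AV2"]):
        return None
    return session_key(pow(reply["A2"], a, P), s0)


def demo():
    pin1, pin2 = "6ne3", "jw62k"  # pin values used in the text
    a, msg = first_cd_start(pin1)
    s2, reply = second_cd_reply(msg, pin1, pin2)
    s1 = first_cd_finish(a, pin1, reply, pin2)

    # A1 altered in transit by a party that cannot read the pin: AV1 check fails.
    altered = dict(msg, A1=(msg["A1"] * G) % P)
    rejected_a1 = second_cd_reply(altered, pin1, pin2) == (None, None)

    # First user mistypes the pin shown in OV3: AV2 check fails.
    rejected_typo = first_cd_finish(a, pin1, reply, "jw62x") is None

    # Reply whose AV2 was keyed with a different first pin: rejected without
    # any OV2, because the first CD supplies its own pin1 to the check.
    _, other_msg = first_cd_start("zz9q")
    _, other_reply = second_cd_reply(other_msg, "zz9q", pin2)
    rejected_pin1 = first_cd_finish(a, pin1, other_reply, pin2) is None

    # Key continuity: sides holding different prior keys s0 do not authenticate.
    _, old_msg = first_cd_start(pin1, s0=b"prior-key-A")
    rejected_s0 = second_cd_reply(old_msg, pin1, pin2, s0=b"prior-key-B") == (None, None)

    return {
        "keys_match": s1 is not None and s1 == s2,
        "fingerprints_match": fingerprint(s1) == fingerprint(s2),
        "rejected_a1": rejected_a1,
        "rejected_typo": rejected_typo,
        "rejected_pin1": rejected_pin1,
        "rejected_s0": rejected_s0,
    }


if __name__ == "__main__":
    print(demo())
```

The pin only has to resist guessing for the duration of the exchange; what the two devices keep is the hashed Diffie-Hellman result, whose fingerprint the users can compare aloud.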
[0051] Fig. 4 illustrates an embodiment of a process 400 performed by a first communication device (e.g., 104A, 106A). The process may generally start at step 402 where the first communication device uses a first pin value (e.g., a pin value selected by the first user of the first communication device or by the communication device itself) and a first security parameter (A1) to generate a first authentication value (AV1). As an example, the first pin value may be "6ne3", and the first security parameter (A1) may be g^a mod p, where the first pin value and the first security parameter (A1) are entered into an authentication algorithm to generate the first authentication value (AV1).
[0052] In step 404, the first communication device initiates a communication session with a second communication device (e.g., transmits an invite message comprising: A1, AV1, and a reference to an image file containing OV1, where OV1 is an obscured version of the first pin). As an example, the first communication device may initiate the communication session by transmitting first information to the second communication device, with the first information comprising: i) a first obscured version of the first pin value (OV1), wherein OV1 is such that it is more difficult for a machine to determine the first pin value than it is for a human to determine the first pin value, ii) the first security parameter (A1), and iii) the first authentication value (AV1). In some embodiments, transmitting OV1 to the second communication device comprises transmitting to the second communication device a first image file containing a first distorted version of the first pin value. In other embodiments, transmitting OV1 to the second communication device comprises transmitting to the second communication device a reference to a first image file containing a first distorted version of the first pin value.
[0053] In step 406, the first communication device receives from the second communication device responsive information, the responsive information comprising: i) an obscured version of a second pin value (OV3), ii) a second security parameter (A2), and iii) a second authentication value (AV2). In some embodiments, the responsive information further includes a second obscured version of the first pin value (OV2), where OV2 is different than OV1. AV2, OV2, and OV3 may be generated by the second communication device as described above with respect to Fig. 2. In some embodiments, receiving the responsive information comprises receiving a second image file containing a distorted version of the second pin value. In some embodiments, the second image file may further include a second distorted version of the first pin value. In further embodiments, receiving the responsive information comprises receiving i) a second image file containing a second distorted version of the first pin value and ii) a third image file containing a distorted version of the second pin value.
[0054] In step 408, the first communication device provides to the first user of the first communication device OV3. For example, the first communication device may prompt the first user to input the pin value the user obtains from OV3. In some embodiments this occurs only if the first user also sees the first pin value on the display. In such embodiments, if the user does not see the first pin value on the display the first user may activate a "cancel" button.
[0055] In step 410, after providing to the first user OV3, the first communication device receives a value input by the first user.
[0056] In step 412, the first communication device determines, based at least in part on the received value input by the first user, whether to continue with the communication session. For example, the value input by the user, the first pin value, and the value A2 may all be entered into an authentication algorithm to generate a new authentication value. If this new authentication value is in agreement with (e.g., matches) AV2, then A2 is authenticated and the communication may continue. On the other hand, the first communication device may determine to terminate the communication session in response to determining that the new authentication value is not in agreement with AV2. In some embodiments, the first communication device may automatically restart the process in response to determining that the new authentication value is not in agreement with AV2 (i.e., the process 400 may go back to step 402).
[0057] As discussed above, in some embodiments, the responsive information transmitted to the first communication device further includes OV2. In such embodiments, OV2 may be displayed to the first user. In such embodiments, the first user himself can determine whether the pin value encoded in OV2 is in agreement with the first pin value (on the other hand the first user could simply enter the pin value the user perceives in OV2 so that the first communication device can determine whether the perceived pin value is in agreement with the first pin value). If they are not in agreement, then this indicates a possible MITM attack and the first user may activate a "cancel session" button (i.e., input a "negative" response) to terminate the communication session or the first communication device may automatically terminate the communication session.
[ 0058 ] Fig. 5 illustrates a process 500, according to some embodiments, that is performed by the first communication device to perform step 412.
[0059] Process 500 may begin in step 502, where the first communication device receives a pin value entered by the first user in response to the first communication device outputting OV3 to the first user.
[0060] In step 504, the first communication device uses the pin value input by the user, the first pin value, and A2 to generate an authentication value.
[0061] In step 506, the first communication device determines whether the generated authentication value is in agreement with AV2. For example, in step 506 the communication device may determine whether the generated authentication value is identical to AV2.
[0062] In step 508, in response to determining that the generated authentication value is not in agreement with AV2, the first communication device i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least a new obscured version of the first pin value, iv) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, or v) transmits to the second CD at least an error message.
[0063] Fig. 6 illustrates another process performed by the first communication device. The process may generally start at step 602, where the first communication device generates a key using at least a value used to calculate the first security parameter (A1) and the second security parameter (A2). This same key may be generated by the second user of the second communication device. In step 604, the first communication device uses the key (e.g., other key(s) derived from the key) to encrypt data, thereby generating the encrypted data. For example, in step 604 the first communication device can use the key to encrypt data by inputting the data and the key into an encryption process that encrypts the data using the input key. As another example, in step 604, the first communication device can use the key to encrypt data by inputting the data and another key derived from the key into the encryption process. Ensuring that the first and second communication device use the same security configuration (e.g. the same encryption algorithm and key derivation functions, etc.) is outside the scope of the invention but may be provided by means of pre-configuration or signaling. In step 606, the first communication device transmits the encrypted data to the second communication device. Since the first and second users have the same key (i.e., shared secret key), the second communication device can decrypt the encrypted data received from the first communication device using at least the same key (or further derived key(s)) used to encrypt the data.
[0064] Fig. 7 is a flow chart illustrating a process performed by the second communication device (CD).
[0065] The process may generally start at step 702, where the second CD receives a first security parameter (A1), a first authentication value (AV1), and an obscured version of a first pin value (OV1).
[0066] In step 704, the second CD provides to a user of the second CD OV1.
[0067] In step 706, the second CD receives a user input from the user in response to the second CD providing OV1 to the user.
[0068] In step 708, the second CD uses at least the user input and A1 to generate an authentication value.
[0069] In step 710, the second CD determines whether the generated authentication value is in agreement with AV1 (e.g., identical to AV1, which will occur when A1 was not modified during transmission, the user input and first pin are equal, and the second CD uses the same authentication algorithm that the first CD used in generating AV1). If the generated authentication value is not in agreement with AV1, the communication session may be terminated by the second communication device transmitting to the first communication device a session termination message. Alternatively, the process can go back to step 704 to give the user another chance to input another user input.
[0070] In step 712, the second CD generates: i) a second security parameter (A2), ii) a second authentication value (AV2), and iii) an obscured version of a second pin value (OV3). In some embodiments, the second CD generates AV2 using at least A2, the second pin value, and the user input received in step 706. Additionally, in some embodiments, the second CD generates an obscured version of the user input received in step 706.
[0071] In step 714, the second CD transmits to the first CD: A2, AV2, and OV3. In some embodiments, the second CD further transmits an obscured version of the user input received in step 706 (i.e., OV2). In some embodiments, the second CD transmits OV2 and OV3 by transmitting a message containing a reference (e.g., URL) for an image file containing a distorted version of the user input received in step 706 and a distorted version of the second pin value.
[0072] In some embodiments, the processes illustrated in Figs. 2-7 may be implemented purely in software, such as an internet application ("app"), that is downloaded by any one of the communication devices illustrated in Fig. 1. This app may include predetermined pin values that are selectable by users or an algorithm for generating such pin values, the algorithms for generating obscured versions of the pin value, and the algorithms for authenticating data.
[0073] Fig. 8 is a block diagram of an embodiment of communication device 106A and 106B. Fig. 8 is described with respect to communication device 106A. However, it is understood by one of ordinary skill in the art that the description of Fig. 8 equally applies to communication device 106B. As shown in Fig. 8, the communication device 106A may include or consist of: a computer system (CS) 802, which may include one or more processors 855 (e.g., a general purpose microprocessor) and/or one or more circuits, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), a logic circuit, and the like; a network interface 803 for use in connecting the communication device 106A to a network 110; and a data storage system 806, which may include one or more non-volatile storage devices and/or one or more volatile storage devices (e.g., random access memory (RAM)). Part of the (non-)volatile storage may be tamper resistant, e.g. to protect cryptographic key(s). In embodiments where the computer includes a processor 855, a computer program product (CPP) 833 may be provided. CPP 833 includes or is a computer readable medium (CRM) 882 storing a computer program (CP) 883 comprising computer readable instructions (CRI) 888. CRM 882 is a non-transitory computer readable medium, such as, but not limited to, magnetic media (e.g., a hard disk), optical media (e.g., a DVD), solid state devices (e.g., random access memory (RAM), flash memory), and the like. In some embodiments, the CRI 888 of computer program 883 is configured such that when executed by computer system 802, the CRI causes the communication device 106A to perform steps described above (e.g., steps described above with reference to the flow charts and message flows shown in the drawings). In other embodiments, communication device 106A may be configured to perform steps described herein without the need for a computer program. That is, for example, computer system 802 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and/or software.
[0074] Fig. 9 is a block diagram of an embodiment of communication devices 104A and 104B. Fig. 9 is described with respect to communication device 104A. However, it is understood by one of ordinary skill in the art that the description of Fig. 9 equally applies to communication device 104B. As shown in Fig. 9, the communication device 104A may include or consist of: a computer system (CS) 902, which may include one or more processors 955 (e.g., a general purpose microprocessor) and/or one or more circuits, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), a logic circuit, and the like; a transceiver 903 connected to an antenna 922 for use in communicating with a base station (e.g., Wi-Fi router or other base station); and a data storage system 906, which may include one or more non-volatile storage devices and/or one or more volatile storage devices (e.g., random access memory (RAM)). Part of the (non-)volatile storage may be tamper resistant. In embodiments where the computer includes a processor 955, a computer program product (CPP) 933 may be provided. CPP 933 includes or is a computer readable medium (CRM) 992 storing a computer program (CP) 993 comprising computer readable instructions (CRI) 999. CRM 992 is a non-transitory computer readable medium, such as, but not limited to, magnetic media (e.g., a hard disk), optical media (e.g., a DVD), solid state devices (e.g., random access memory (RAM), flash memory), and the like. In some embodiments, the CRI 999 of computer program 993 is configured such that when executed by computer system 902, the CRI causes the communication device 104A to perform steps described above (e.g., steps described above with reference to the flow charts and message flows shown in the drawings). In other embodiments, communication device 104A may be configured to perform steps described herein without the need for a computer program. That is, for example, computer system 902 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and/or software.
[ 0075 ] While various embodiments of the present disclosure have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of the present disclosure should not be limited by any of the above-described exemplary embodiments. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the disclosure unless otherwise indicated herein or otherwise clearly contradicted by context.
[ 0076] Additionally, while the processes described above and illustrated in the drawings are shown as a sequence of steps, this was done solely for the sake of illustration. Accordingly, it is contemplated that some steps may be added, some steps may be omitted, the order of the steps may be re-arranged, and some steps may be performed in parallel.

Claims

1. A method performed by a first communication device (104A, 106A), CD, for improving communication privacy, the method comprising:
the first CD (104A, 106A) using at least a first pin value and a first security parameter (A1) to generate a first authentication value (AV1);
the first CD (104A, 106A) initiating a communication session with a second CD (104B, 106B), the initiating the communication session comprising the first CD (104A, 106A) transmitting first information to the second CD (104B, 106B), the first information comprising: i) a first obscured version of the first pin value, ii) the first security parameter (A1), and iii) the first authentication value (AV1);
the first CD (104A, 106A) receiving responsive information from the second CD, the responsive information comprising: i) an obscured version of a second pin value (OV3), ii) a second security parameter (A2), and iii) a second authentication value (AV2);
the first CD (104A, 106A) providing to a first user of the first CD (104A, 106A) the obscured version of the second pin value;
the first CD (104A, 106A) receiving first user input from the first user after receiving the responsive information; and
the first CD (104A, 106A) determining, based at least in part on the first user input, whether to continue with the communication session.
2. The method of claim 1, wherein
transmitting the first obscured version of the first pin value to the second CD comprises transmitting to the second CD a first image file containing a first distorted version of the first pin value or transmitting a reference to a storage of the first image file, and
receiving the responsive information comprises a) receiving a second image file containing a distorted version of the second pin value or b) receiving a reference to a storage of the second image file.
3. The method of claim 1, wherein the responsive information further comprises an obscured version of a third pin value.
4. The method of claim 3, wherein receiving the responsive information comprises a) receiving a second image file containing i) a distorted version of the third pin value and ii) a distorted version of the second pin value or b) receiving a reference to a storage of the second image file.
5. The method of claim 3 or 4, further comprising:
after providing to the first user the obscured version of the third pin value, the first CD (104A, 106A) prompting the user to input a response;
the first CD (104A, 106A) receiving second user input in response to the prompting; and
the first CD (104A, 106A) determining, based on the second user input, whether the third pin value is equal to the first pin value.
6. The method of claim 5, wherein, in response to determining that the third pin value is not equal to the first pin value, the first CD (104A, 106A) i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, iv) transmits to the second CD at least a new obscured version of the first pin value, or v) transmits to the second CD at least an error message.
7. The method of any one of claims 1-6, wherein
receiving the first user input comprises receiving from the first user a fourth pin value entered by the first user after the first CD (104A, 106A) provided to the first user the obscured version of the second pin value, and
the method further comprises: the first CD (104A, 106A) using at least the fourth pin value input by the user and A2 to generate a further authentication value;
the first CD (104A, 106A) determining whether the generated further authentication value is in agreement with AV2; and
the first CD (104A, 106A), in response to determining that the generated further authentication value is not in agreement with AV2, i) terminating the communication session, ii) retransmitting to the second CD at least the first obscured version of the first pin value, iii) transmitting to the second CD at least an obscured version of a new pin value and a new authentication value, iv) transmitting to the second CD at least a new obscured version of the first pin value, or v) transmitting to the second CD at least an error message.
8. The method of claim 7, wherein the first CD uses at least the first pin value, the fourth pin value input by the user, and A2 to generate the further authentication value.
9. The method of any one of claims 1-8, further comprising:
the first CD (104A, 106A) generating a key using at least a value used to calculate the first security parameter (A1) and the second security parameter (A2);
the first CD (104A, 106A) using at least the key to encrypt data, thereby generating encrypted data;
the first CD (104A, 106A) transmitting the encrypted data to the second CD.
10. The method of any one of claims 1-9, further comprising:
providing to a second user the first obscured version of the first pin value;
receiving a pin value input by the second user in response to providing the first obscured version of the first pin value to the second user;
using at least the pin value input by the second user and A1 to generate an authentication value; and
determining whether the generated authentication value is in agreement with the first authentication value (AV1); and continuing with the communication session only if the generated authentication value is in agreement with the first authentication value (AV1).
11. The method of any one of claims 1-10, wherein
the obscured version of the second pin value is a Completely Automated Public Turing test to tell Computers and Humans Apart, CAPTCHA, and
the first obscured version of the first pin value is a CAPTCHA.
12. The method of claim 11, wherein the CAPTCHA is an audio CAPTCHA or an image CAPTCHA.
13. The method of any one of claims 1-12, wherein transmitting to the second CD the first obscured version of the first pin value serves as a challenge data, and wherein the receiving of the second authentication value (AV2) serves as a verification data, said challenge data together with said verification data being usable to determine whether the second CD is being used by a human.
14. The method of any one of claims 3-6, wherein transmitting to the second CD the first obscured version of the first pin value serves as a challenge data, and wherein the receiving of the obscured version of the third pin value serves as a verification data, said challenge data together with said verification data being usable to determine whether the second CD is being used by a human.
15. A first communication device (104A, 106A), CD, for improving
communication privacy, the first CD (104 A, 106 A) adapted to:
use at least a first pin value and a first security parameter (Al) to generate a first authentication value (AVI);
initiate a communication session with a second CD (104B, 106B) by transmitting first information to the second CD (104B, 106B), the first information comprising: i) a first obscured version of the first pin value, ii) the first security parameter (Al), and iii) the first authentication value (AVI);
receive responsive information from the second CD, the responsive information comprising: i) an obscured version of a second pin value, ii) a second security parameter (A2), and iii) a second authentication value (AV2);
provide to a first user of the first CD (104A, 106A) the obscured version of the second pin value;
receive first user input from the first user after receiving the responsive information; and
determine, based at least in part on the first user input, whether to continue with the communication session.
16. The first CD of claim 15, wherein
the first CD is adapted to transmit the first obscured version of the first pin value to the second CD by a) transmitting to the second CD a first image file containing a first distorted version of the first pin value or b) transmitting a reference to a storage of the first image file, and
the first CD receives the obscured version of the second pin by a) receiving a second image file containing a distorted version of the second pin value or b) receiving a reference to a storage of the second image file.
17. The first CD of claim 15, wherein
the responsive information further comprises an obscured version of a third pin value, and
the first CD receives the obscured versions of the second and third pin values by a) receiving a second image file containing i) a distorted version of the third pin value and ii) a distorted version of the second pin value or b) receiving a reference to a storage of the second image file.
18. The first CD of claim 17, wherein the first CD is further adapted to:
provide to the first user the obscured version of the third pin value;
prompt the user to input a response after providing to the first user the obscured version of the third pin value;
receive second user input in response to the prompting; and
determine, based on the second user input, whether the third pin value is equal to the first pin value.
19. The first CD of claim 18, wherein the first CD is further adapted such that, in response to determining that the third pin value is not equal to the first pin value, the first CD i) terminates the communication session, ii) retransmits to the second CD at least the first obscured version of the first pin value, iii) transmits to the second CD at least an obscured version of a new pin value and a new authentication value, iv) transmits to the second CD at least a new obscured version of the first pin value, or v) transmits to the second CD at least an error message.
20. The first CD of any one of claims 15-19, wherein
receiving the first user input comprises receiving from the first user a pin value entered by the first user after the first CD provided to the first user the obscured version of the second pin value, and
the first CD is further adapted to:
use at least the pin value input by the user and A2 to generate a further authentication value;
determine whether the generated further authentication value is in agreement with AV2; and
in response to determining that the generated further authentication value is not in agreement with AV2, i) terminate the communication session, ii) retransmit to the second CD at least the first obscured version of the first pin value, iii) transmit to the second CD at least an obscured version of a new pin value and a new authentication value, iv) transmit to the second CD at least a new obscured version of the first pin value, or v) transmit to the second CD at least an error message.
21. The first CD of claim 20, wherein the first CD is adapted to use at least the first pin value, the pin value input by the user, and A2 to generate the further authentication value.
22. The first CD of any one of claims 15-21, wherein the first CD is further adapted to:
generate a key using at least a value used to calculate the first security parameter (A1) and the second security parameter (A2);
use the key to encrypt data, thereby generating encrypted data;
transmit the encrypted data to the second CD.
23. The first CD of any one of claims 15-21, wherein the first obscured version of the first pin value is usable to determine whether the second CD is being used by a human.
24. A method in a system comprising a first communication device (104A, 106A), CD, and a second CD, for improving communication privacy, the method comprising:
the second CD receiving a first security parameter (A1), a first obscured version of a first pin value (OV1), and a first authentication value (AV1);
the second CD providing to a user of the second CD the first obscured version of a first pin value (OV1);
the second CD receiving a user input from the user of the second CD in response to the second CD providing the first obscured version of a first pin value (OV1) to the user;
the second CD using at least the user input and the first security parameter (A1) to generate an authentication value;
the second CD determining that the generated authentication value is in agreement with the first authentication value (AV1);
the second CD generating: i) a second security parameter (A2), ii) a second authentication value (AV2), and iii) an obscured version of a second pin value (OV3);
the second CD transmitting to the first CD i) the second security parameter (A2), ii) the second authentication value (AV2), and iii) the obscured version of the second pin value (OV3).
25. The method of claim 24, wherein the second CD generates the second authentication value (AV2) using at least the second security parameter (A2) and the second pin value.
26. The method of claim 25, wherein the second CD generates the second authentication value by inputting all of the second security parameter (A2), the second pin value, and the pin value input by the user into an authentication algorithm.
27. The method of any one of claims 24-26, wherein transmitting the obscured version of a second pin value (OV3) to the first CD comprises transmitting to the first CD a single image comprising a distorted version of the pin value input by the user and a distorted version of the second pin value.
28. The method of any one of claims 24-27, further comprising the method of any of claims 1-13.
29. A computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to any one of claims 1 to 14 or 24 to 28.
30. A computer program product comprising a non-transitory computer readable medium storing the computer program of claim 29.
31. A first communication device (104B, 106B), CD, for improving communication privacy, the first CD (104B, 106B) adapted to:
receive a first security parameter (A1), a first obscured version of a first pin value (OV1), and a first authentication value (AV1);
provide to a user of the first CD the first obscured version of a first pin value (OV1);
receive a user input from the user in response to providing the first obscured version of the first pin value (OV1) to the user;
use at least the received user input and the first security parameter (A1) to generate an authentication value;
determine that the generated authentication value is in agreement with the first authentication value (AV1);
generate i) a second security parameter (A2), ii) a second authentication value (AV2), and iii) an obscured version of a second pin value (OV3);
transmit to a second CD (104 A, 106A) i) the second security parameter (A2), ii) the second authentication value (AV2), and iii) the obscured version of the second pin value (OV3).
32. The first CD of claim 31, wherein the first CD is adapted to generate the second authentication value (AV2) using at least the second security parameter (A2) and the second pin value.
33. The first CD of claim 32, wherein the first CD is adapted to generate the second authentication value by inputting all of the second security parameter (A2), the second pin value, and the received user input into an authentication algorithm.
34. The first CD of any one of claims 31-33, wherein the first CD is adapted to transmit the obscured version of a second pin value (OV3) to the second CD by transmitting to the second CD a single image comprising a distorted version of the received user input and a distorted version of the second pin value.
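The two-sided exchange recited in claims 15, 20-22 and 24-26, as an added Python example that is not part of the patent text. It assumes (the claims do not say so) that A1/A2 are Diffie-Hellman public values, that the authentication algorithm is HMAC-SHA256 keyed with the pin, and that a plain string stands in for the CAPTCHA; `P`, `G`, the function names and the pin values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from the claims): A1/A2 are Diffie-Hellman public values,
# the authentication algorithm is HMAC-SHA256, and P/G are demo-only parameters.
P = 2**255 - 19
G = 2

def auth_value(pin: str, param: int, bound_pin: str = "") -> bytes:
    """AV = HMAC(key=pin, security parameter || optional pin of the other side)."""
    msg = param.to_bytes(32, "big") + bound_pin.encode()
    return hmac.new(pin.encode(), msg, hashlib.sha256).digest()

def initiate(pin1: str):
    """First CD: secret exponent plus (OV1, A1, AV1); OV1 stands in for the CAPTCHA."""
    x = secrets.randbelow(P - 3) + 2
    a1 = pow(G, x, P)
    return x, {"OV1": pin1, "A1": a1, "AV1": auth_value(pin1, a1)}

def respond(msg1: dict, pin_read_by_user: str, pin2: str):
    """Second CD: check AV1 against the pin its user read, then answer."""
    expected = auth_value(pin_read_by_user, msg1["A1"])
    if not hmac.compare_digest(expected, msg1["AV1"]):
        return None  # A1 or AV1 was altered, or the pin was misread: stop here
    y = secrets.randbelow(P - 3) + 2
    a2 = pow(G, y, P)
    av2 = auth_value(pin2, a2, pin_read_by_user)  # claim 26: A2, pin2 and the read pin
    key = hashlib.sha256(pow(msg1["A1"], y, P).to_bytes(32, "big")).digest()
    return key, {"OV3": pin2, "A2": a2, "AV2": av2}

def finish(x: int, pin1: str, msg2: dict, pin_read_by_user: str):
    """First CD: check AV2 (claims 20-21), then derive the key from x and A2 (claim 22)."""
    expected = auth_value(pin_read_by_user, msg2["A2"], pin1)
    if not hmac.compare_digest(expected, msg2["AV2"]):
        return None
    return hashlib.sha256(pow(msg2["A2"], x, P).to_bytes(32, "big")).digest()

def run_session(a1_altered_in_transit: bool = False) -> str:
    """Run both sides with constructed pins; optionally model A1 being replaced in transit."""
    x, msg1 = initiate("4821")
    if a1_altered_in_transit:
        msg1 = dict(msg1, A1=pow(G, 12345, P))
    reply = respond(msg1, msg1["OV1"], "7350")
    if reply is None:
        return "rejected-by-second-CD"
    key2, msg2 = reply
    key1 = finish(x, "4821", msg2, msg2["OV3"])
    return "ok" if key1 is not None and key1 == key2 else "rejected-by-first-CD"
```

Because each authentication value is computed over the security parameter it travels with, replacing A1 or A2 on the wire makes the recomputed value disagree and the session stops before any key is used.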
PCT/SE2014/050276 2014-03-06 2014-03-06 Method, communication device, and computer program for improving communication privacy WO2015133951A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SE2014/050276 WO2015133951A1 (en) 2014-03-06 2014-03-06 Method, communication device, and computer program for improving communication privacy

Publications (1)

Publication Number Publication Date
WO2015133951A1 true WO2015133951A1 (en) 2015-09-11

Family

ID=54055632

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2014/050276 WO2015133951A1 (en) 2014-03-06 2014-03-06 Method, communication device, and computer program for improving communication privacy

Country Status (1)

Country Link
WO (1) WO2015133951A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14884417

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14884417

Country of ref document: EP

Kind code of ref document: A1