AU2004226985B2 - Certification method, communication device and relay device - Google Patents
Certification method, communication device and relay device Download PDFInfo
- Publication number
- AU2004226985B2 AU2004226985B2 AU2004226985A AU2004226985A AU2004226985B2 AU 2004226985 B2 AU2004226985 B2 AU 2004226985B2 AU 2004226985 A AU2004226985 A AU 2004226985A AU 2004226985 A AU2004226985 A AU 2004226985A AU 2004226985 B2 AU2004226985 B2 AU 2004226985B2
- Authority
- AU
- Australia
- Prior art keywords
- node
- connection
- present time
- time information
- certificate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
- 238000004891 communication Methods 0.000 title claims description 103
- 238000000034 method Methods 0.000 title claims description 37
- 230000000977 initiatory effect Effects 0.000 claims description 4
- 235000009917 Crataegus X brevipes Nutrition 0.000 claims 1
- 235000013204 Crataegus X haemacarpa Nutrition 0.000 claims 1
- 235000009685 Crataegus X maligna Nutrition 0.000 claims 1
- 235000009444 Crataegus X rubrocarnea Nutrition 0.000 claims 1
- 235000009486 Crataegus bullatus Nutrition 0.000 claims 1
- 235000017181 Crataegus chrysocarpa Nutrition 0.000 claims 1
- 235000009682 Crataegus limnophila Nutrition 0.000 claims 1
- 235000004423 Crataegus monogyna Nutrition 0.000 claims 1
- 240000000171 Crataegus monogyna Species 0.000 claims 1
- 235000002313 Crataegus paludosa Nutrition 0.000 claims 1
- 235000009840 Crataegus x incaedua Nutrition 0.000 claims 1
- 239000004576 sand Substances 0.000 claims 1
- 230000006835 compression Effects 0.000 description 18
- 238000007906 compression Methods 0.000 description 18
- 230000005540 biological transmission Effects 0.000 description 15
- 238000010586 diagram Methods 0.000 description 9
- 238000012546 transfer Methods 0.000 description 9
- 238000012545 processing Methods 0.000 description 8
- 230000004044 response Effects 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 238000006243 chemical reaction Methods 0.000 description 2
- 239000004973 liquid crystal related substance Substances 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 230000005641 tunneling Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000004353 relayed correlation spectroscopy Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000000844 transformation Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Description
P001 Section 29 Regulation 3.2(2)
AUSTRALIA
Patents Act 1990 COMPLETE SPECIFICATION STANDARD PATENT Application Number: Lodged: Invention Title: Certification method, communication device and relay device The following statement is a full description of this invention, including the best method of performing it known to us: O CERTIFICATION METHOD, COMMUNICATION DEVICE AND RELAY DEVICE STECHNICAL FIELD OThe present invention relates to a communication method for judging the authenticity of the communication party, a communication device and a server a device to realize the method.
00
O
\BACKGROUND ART Various certification methods for judging the authenticity of correspondents have been in existence for a long time. Many certification 0 10 methods suitable to a communication system utilizing an open network for the general public such as the Internet have been developed in recent years. A digital sign method using public key cryptography is one kind of certification method, which is widely used. In the digital sign method, a sender who enciphers a plaintext by a secret key owned exclusively by the sender, transmits the enciphered text, which a recipient decrypts using the sender's public key. If the decryption is successful, the recipient can be certain that the decrypted plaintext was transmitted by the sender.
A successful decryption through a correct matching of the secret key and the public key can be achieved; however, in order to ensure that a high level of security is maintained, it is necessary to guarantee that the public key belongs to the real sender. This guarantee is realized by a public key certification, which is enciphered by the secret key owned exclusively by an impartial party, a Certifying Authority. That is to say, in the instance the recipient holds a public key of the Certifying Authority, and the sender transmits the above enciphered data along with the sender's own public key certificate acquired from the Certifying Authority, the recipient firstly verifies the authenticity of the public key certificate using the Certifying Authority's public key. And secondly, decrypts the enciphered data using the sender's public key included in the authenticated public key certificate. Sender's public key used here is guaranteed by Certificate Authority.
Therefore the success of the decryption on the above-enciphered data means nothing else than a guarantee by Certificate Authority that the sender of the enciphered data is authentic.
O The public key certificate issued by the Certifying Authority includes the date and time information on the validity period of the certificate; and the receiver Zof the above enciphered data and the public key certificate used by the recipient Sdetermines whether the present time is within the validity period in the public key certificate with reference to a clocking present time in the receiver. The receiver naturally determines that the public key certificate is authentic, if the present time 00 \is within the validity period of the public key certificate.
SPrecise clocking of the receiver is necessary to maintain a high level of security since imprecise clocking makes an in precise judgement regarding the 0 10 validity period of the public key. Deviations in the clocking present time of communication devices, such as currently existing personal computers, inevitably occur and deviations are gradually enlarged, even though a user of the communication device may start clocking at the precise present time. In other cases, a user may forget the initialization of the clocking time, or a completely false in the initialization. In such a case, wrong present time is clocking in the receiver. Without a precise clocking of the present time it is impossible to judge with accuracy, the validity period of a public key certificate. The problem of the incorrect clocking of present time affects not only the authenticity of the public key cryptography method, but uniformly affects all certifying methods having a validity period for the certificate.
DISCLOSURE OF INVENTION It is an object of the present invention to provide a communication method, which is able to maintain the high level of security required, along with a communication device and a server device to realize this method.
According to a first aspect of the present invention there is provided a method for initiating a secured communication between a first node and a second node, including: requesting at the first node establishment of connection with the second node; receiving at the first node present time information which is obtainable from a trusted node subsequent to requesting establishment of connection; receiving at the first node an expirable certificate from the second node; and O verifying at the first node the certificate against its expiration, based on the N received present time information.
ZAccording to a second aspect of the present invention there is provided a Omobile terminal connectible to a network for communication with a node other than the mobile terminal, including: connection control means configured to request establishment of 00 C, connection with the other node; c time control means configured to receive present time information which is obtainable from a trusted node subsequent to said connection control requesting 0 10 establishment of connection; certificate receiver means configured to receive an expirable certificate from the other node; and authentication control means configured to verify the certificate against its expiration, based on the received present time information.
According to a third aspect of the present invention there is provided a server device including: connection control means configured to receive a connection request from a first node requesting establishment of connection with a second node; and time information transmitter means configured to transmit present time information to the first node subsequent to establishment of connection with the second node, wherein the present time information is used at the first node to verify a certificate received from the second node against its expiration.
According to a fourth aspect of the present invention there is provided a method for initiating a secured communication between a first node and a second node, including: receiving a connection request from the first node requesting establishment of connection with the second node; and transmitting present time information to the first node subsequent to establishment of connection with the second node, wherein the present time information is used to verify a certificate from the second node against its expiration.
0 BRIEF DESCRIPTION OF THE DRAWINGS 0 cN Fig.1 is a diagram showing a total configuration of the communication 0 system to which the certifying method is applied in one embodiment of the o present invention.
Fig.2 is a block diagram showing a hardware configuration of oo00
\O
0 00 PAGE 5 LEFT BLANK INTENTIONALLY F0447/3137 6 portable phone MS, which composes the communication system.
Fig.3 is a block diagram showing a hardware configuration of 0 Z gateway server GWS.
Fig.4 is a block diagram showing a hardware configuration of IP server W, which composes the communication system.
o Fig.5 is a flowchart showing in one embodiment a processing flow, ID which is implemented by portable phone MS at the time of starting SSL C communication.
Fig.6 is a flowchart showing in one embodiment a processing flow, 0 which is implemented by gateway server GWS at the time of starting SSL communication.
Fig.7 is a flowchart showing in one embodiment a processing flow, which is implemented by IP server W at the time of starting SSL communication.
Fig.8 is a sequence diagram showing in one embodiment a flow of the signals, (a message) up to the time of starting SSL communication by portable phone MS with IP server W.
Best Mode for Carrying Out the Invention Referring to the drawings, an embodiment will be described in accordance with the present invention as follows: Total Configuration Fig. 1 is a diagram showing the total configuration of the communication system applying the certifying method of the present invention. This communication system provides the WWW (World Wide Web) service to portable phone MS with a browsing function.
In this figure, portable phone MS is a mobile device receiving a packet communication service provided by the mobile packet communication network MPN. Portable phone MS is served by the mobile packet F0447/3137 7 communication network MPN and other mobile phone networks of which the drawings are omitted. The mobile phone network is a communication 0 S network providing a general communication service for a mobile phone to the portable phone MS. In addition, the portable phone supports the SSL (Secure Sockets Layer) communication protocol for the packet transmission and 00 receipt. SSL is a communication protocol stipulating certificate data encryption between a server and a client. In the communication through SSL (SSL communication hereinafter in this description), a method of enciphered communication with a common key is performed after certifying the 0 communication party through the public key encryption method.
Mobile packet communication network MPN includes plural base stations BS, plural packet subscriber processors PS, a gateway server GWS, and interconnecting communication lines. Base station BS telecommunicates with portable phones MS stationed in its own BS radio zone. Packet subscriber processor PS is a computer system in a packet subscriber switching office having plural base stations BS to relay packets between portable phones MS and gateway server GWS.
Gateway server GWS is a computer system in a mobile packet gateway switch transit office interconnecting mobile packet communication network MPN with other communication systems, Internet INET.
Gateway server GWS is managed by a communication business entity, which runs mobile packet communication network MPN. This communication business entity works as an impartial third party for the SSL communication between portable phones MS and IP server W. In addition, gateway server GWS functions as a so-called proxy server, and performs a protocol conversion between different networks, a communication relay, and so on. To be more precise, the conversion of the communication protocol means, an interconversion between a data link protocol for a mobile packet communication network MPN and a data link protocol for Internet INET, e.g., F0447/3137 8 TCP IP (Transmission Control Protocol Internet Protocol), HTTP (Hyper Text Transfer Protocol), and so forth. In addition, gateway server GWS has a 0 Z tunneling function. The contents of SSL communication cannot be grasped by gateway server GWS during SSL communication through the gateway server between portable phone MS and IP server W, and the gateway server works S merely as a router.
O IP sever W is a server connecting to Internet INET and provides clients such as portable phone MS with WWW service. Furthermore, IP server W supports SSL, and can perform SSL communication with portable 0 phone MS. In addition, IP server W holds its own secret key, a public key, and a public key certificate issued by Certificate Office C. IP server W returns Server Hello Message and Server Certificate Request Message with its own public key certificate to portable phone MS, when IP server receives Client Hello Message in SSL communication from portable phone MS through Internet INET.
Certificate Office C is an impartial third party realized as a server connecting to Internet INET. The Certificate Office issues and manages an electronic certificate such as a public key certificate. For example, Certificate Office C returns an electronic certificate or a public key of Certificate Office C to the requesting party in response to a request from portable phone MS or IP Server W. Furthermore, the public key certificate issued by Certificate Office C contains date time information with the validity period for the public key certificate. The date time information of the public key certificate is set up by Certificate Office C.
Configuration of portable phone MS Fig.2 is a block diagram showing a hardware configuration of a portable phone MS. As shown in Fig.2, the portable phone MS comprises a transmitter/receiver unit 21 (equipped with, an antenna, a radio unit, a F0447/3137 9 transmitter, and a receiver) for telecommunicating with a base station BS; a sound pickup unit 22 a microphone) for picking up sounds; a sound 0 S production unit 23 (equipped with, an amplifier and a speaker) for producing sound; an input operation unit 24 for inputting numerals, characters, and so on; a liquid crystal display 25 with a display area; a real time clock 27 for 00 clocking the present time; and a controller 26 for controlling these units.
SController 26 comprises CPU (Central Processing Unit) 261 for various controls; ROM (Read Only Memory) 262 for storing software such as a browser; SSL communication processing program and other necessary 0 information to connect with a gateway server GWS etc.; RAM (Random Access Memory) 263 to be used as a work area of CPU 261; and nonvolatile memory 264 for storing various information such as the public key of Certificate Office C. Furthermore, one or more types of encryption algorism and one or more types of compression algorism for portable phone MS are stored in ROM 262 or in nonvolatile memory 264.
CPU 261 reads out and implements software stored in ROM 262, and controls ROM 262, RAM 263, nonvolatile memory 264, and each part of portable phones MS 21-25 27, when the electric power is applied to portable phone MS. In addition, CPU 261 implements the SSL communication program stored in ROM 262 when a user inputs a command through input unit 24 to start SSL communication. CPU 261 first transmits a message to gateway server GWS in accordance with SSL communication program to request SSL communication starting with the communication party IP server W) indicated by user's input operation. In addition, CPU 261 receives a message responding to the above message from gateway server GWS by transmitter/receiver unit 21, and corrects, through the time information contained in the concerned message, the clocking present time of real time clock 27 so that it is more precise.
Furthermore, CPU 261 performs certification operation for the F0447/3137 communication party on the basis of the public key certificate contained in a server certificate request message which is received by transmitter/receiver 0 Z unit 21, the public key of Certificate Office C and the more precisely corrected clocking present time of real time clock 27, the certification operation including judgement whether the present time is within the validity period of 00 the public key certificate. And CPU 261 continues SSL communication, only when the communication party is authenticated in the certification operation.
Configuration of gateway server GWS 0 Fig.3 is a block diagram showing a hardware configuration of gateway server GWS. As shown in Fig.3, gateway server GWS comprises radio communication unit 31 for communicating with portable phone MS through base station BS, and packet subscriber processing unit PS, internet connecting interface 32 for communicating with IP server W etc. through Internet INET, rewritable storage unit 33 for storing various programs and data semiconductor disk, hard disk), real time clock 35 for clocking the present time, and control unit 34 for controlling these units.
Real time clock 35 clocks the precise present time. There are methods, such as NTP (Network Time Protocol), to precisely maintain the present time clocked by real time clock 35. Furthermore, in this embodiment, gateway server GWS acquires the time information through a dedicated line (drawing omitted) from a device clocking the precise present time, e.g., Certificate Office C and corrects the registered time of real time clock using the concerned time information.
Control unit 34 comprises CPU 341 for various controls, ROM 342 and RAM 343. CPU 341 controls ROM 342, RAM 343 and the units 31-33 of the gateway server by reading out and implementing programs stored in ROM 342 or storage device 33.
In addition, CPU 341 measures transmission delay time of mobile F0447/3137 11 packet communication network MPN from gateway server GWS to portable phone MS, which transmits a request message for starting SSL communication S and stores the delay time in RAM 343. Furthermore, CPU 341 establishes TCP connection between portable phone MS, which is a sender of this message, and IP server W, which is a communication party with this portable phone MS, when CPU 341 receives a request message for starting SSL communication through radio communication device 31. In addition, CPU
(N
S 341 generates time information by adding the transmission delay time of mobile packet communication network MPN to the clocking present time of 0 real time clock 35. The time information is for correcting the present time clocked by real time clock 27 of portable phone MS so that it is punctual. CPU 341 transfers a message containing the time information to radio communication unit 31 to transmit the information to portable phone MS, which requires the starting of SSL communication.
Configuration of IP server W Fig.4 is a block diagram showing a hardware configuration of IP server W. As shown in Fig.4, IP server W comprises Internet connecting interface 41 for communicating through Internet INET with gateway server GWS; rewritable storage unit 42 for storing various contents, secret key public key of IP server W, SSL communication processing program etc.; real time clock 44 for clocking the present time; and control unit 43 for controlling these units.
Control unit 43 comprises CPU 431 for various controls, ROM 432 and RAM 433. Furthermore, one or more types of encryption algorithms and one or more types of compression algorithms are stored in ROM 432 or storage unit 42 to be used by IP server W.
CPU 431 controls ROM 432, RAM 433 and units 41-42,44 of IP server W by reading out and carrying out programs stored in ROM 432 or F0447/3137 12 storage unit 42. In addition, CPU 431 starts SSL communication processing program, when CPU 431 receives a client-hello message through interface 41 0 Z connecting to the Internet.
In accordance with the SSL communication processing program, CPU 431 first specifies one or more types of encryption algorithms and 00 compression algorithms for the common usage of IP server W and portable O phone MS on the basis of encryption algorithms and compression algorithms
(N
S stored in ROM 432 or storage device 42, and, correspondingly, on the basis of encryption algorithms and compression algorithms designated by the above 0 client hello message. Second, CPU 431 chooses an encryption algorithm and a compression algorithm to be used for SSL communication with portable phone MS among the specified encryption algorithms and compression algorithms.
Then CPU 431 generates a server hello message, which reports the chosen encryption algorithm and the chosen compression algorithm, and transfers to the concerned server, the server hello message through the Internet, connecting interface 41 to the client hello message sender, portable phone MS, as a return.
Furthermore, CPU 431 transfers a request message for a server certificate with a public key certificate of IP server W stored in storage device 42 through Internet connecting interface 41 to the client hello message sender, portable phone MS.
Operation The operations of portable phone MS, gateway server GWS and IP server W, which are performed for portable phone MS and IP server W to start SSL communication, will be explained with reference to Figs.5-8. Note that the above-mentioned operations are carried out only after CPU 261 started the SSL communication program, and note that CPU 341 of gateway server GWS has already calculated and stored in RAM 343 the transmission delay time F0447/3137 13 through mobile packet communication network MPN. In addition, the secret key of IP server W and the public key certificate should have been stored in 0 Z the storage device 42 of IP server W. Certificate Office C should have issued the public key certificate for the public key, which matches with the secret key. Furthermore, the public key of Certificate Office should have been stored S in nonvolatile memory 264 of portable phone MS.
,O When a user of portable phone MS inputs an instruction into input S unit 24 to communicate with IP server W, CPU 261 of portable phone MS implements SSL communication program stored in ROM 262 for the 0 processing shown in Fig.5. Namely, CPU 261 first generates a request message "Connect for SSL communication with IP server W designated by the user. Then CPU 261 transfers the concerned message through transmitter/receiver unit 21 to gateway server GWS (Step SA1). As a result, message ml is sent from portable phone MS to gateway server GWS as shown in Fig.8.
First, CPU 341 of Gateway server GWS establishes a TCP connection between portable phone MS and IP server W as shown in step SB 1 in Fig.6, when CPU 341 receives message ml through radio communication unit 31 (message m2 in Fig.8). Second, CPU 341 acquires the clocking present time of real time clock 35 (step SB2). In addition, CPU 341 acquires the transmission delay time stored in RAM 343. Then CPU 341 adds the concerned transmission delay time to the present time acquired in the above step SB 1, and thereby generates the time information indicating a time which is after the present time by the transmission delay (step SB3). Next, CPU 341 generates message m3 containing the generated time information and transfers the concerned message m3 through radio communication unit 31 to portable phone MS (step SB4). As a result, message m 3 is transmitted from gateway server GWS to portable phone MS as shown in Fig.8 as a response message to message ml, showing the establishment of a TCP connection. Hereafter, F0447/3137 14 gateway server GWS performs only the packet relay through the tunneling function concerning the TCP connection communication (step 0 z When CPU 261 of portable phone MS receives message m3 through transmitter/receiver unit 21 (step SA2 in Fig.5), CPU 261 corrects the clocking present time of real time clock 27 through the time information contained in message m3. As a result, the clocking present time of real time clock 27 is corrected so that it is more precise.
Next, CPU 261 of portable phone MS performs a processing concerning the determination of encryption algorithm and compression o algorithm for SSL communication. To be more specific, CPU 261 generates client-hello message m4 to notify IP server W of encryption algorithm and compression algorithm for the usage of portable phone MS. As a result, the client-hello message is transmitted from portable phone MS to IP server W through TCP connection established between portable phone MS and IP server W, as shown in Fig.8.
First, CPU 431 of IP server W specifies one or more types of encryption algorithms and one or more types of compression algorithms for the common use of IP server W and portable phone MS on the basis of encryption algorithms and compression algorithms stored in ROM 432 or storage unit 42, and correspondingly, on the basis of encryption algorithms and compression algorithms designated by message m4 as shown in step SC1 in Fig.7, when CPU 431 receives message m4 through Internet connecting interface 41. Second, CPU 431 chooses the encryption algorithm and the compression algorithm for SSL communication with portable phone MS among the specified encryption algorithms and the specified compression algorithms (step SC1). Then, CPU 431 generates message m5 to notify portable phone MS of the chosen encryption algorithm and the chosen compression algorithm. Next, CPU 431 transfers the concerned message through the Internet connecting interface 41 to portable phone MS (step SC2).
F0447/3137 As a result, message m5 is returned from IP server W through the TCP connection to mobile phone MS as shown in Fig.8.
0 z CPU 261 of mobile phone MS determines the encryption algorithm and the compression algorithm designated by message m5 as the encryption algorithm and the compression algorithm for SSL communication with IP server W (step SA4).
SOn the other hand CPU 431 of IP server W transmits message m5 to (-i (N portable phone MS and then reads out public key certificate of IP server W from storage unit 42. Then, CPU 431 generates message m6 containing read- (-i 0 out public key certificate and transfers the concerned message m6 through the Internet connecting interface 41 to portable phone MS (step SC3). As a result, message m6 is transmitted from IP server W through a TCP connection to portable phone MS as shown in Fig.8.
When CPU 261 of portable phone MS receives message m6 through transmitter/receiver unit 21 (step SA5), CPU 261 deciphers public key certificate in message m6 by the public key of Certificate Office C stored in non-volatile memory 264 (Step SA6). If the decryption is successful (step SA7), CPU 261 acquires the clocking present time of real time clock 27 corrected in the above-mentioned step SA3 (step SA8). Then, CPU 261 judges whether it is within the validity period specified in the deciphered public key certificate. Namely, CPU 261 determines whether the present time acquired in step SA8 is within the validity period set up in the public key certificate (step SA9). If the present time is within the validity period, CPU 261 continues SSL communication, as the public key certificate is the authentic public key certificate which validity period has not yet expired and which is guaranteed by Certificate Office C (step SA10). Therefore, only subsequently, is the enciphered communication performed between portable phone MS and IP server W. On the contrary, if the decryption is not successful in step SA6 (step SA7: No), or if the successful decryption finds out that the F0447/3137 16 validity period of the public key certificate has expired (step SA9: No), CPU 261 judges that certifying IP server W has failed. Then CPU 261 displays a 0 S message, which shows the failure of certifying IP server W and the reason for S the failure, on liquid crystal display 25. Furthermore, the failure the reason for the failure message of IP server W's certificate can be output as a voice message from voice unit 23. Then, CPU 261 transfers a command to disconnect TCP connection through transmitter/receiver 21 to gateway server '1 GWS (step SA11), following which, the TCP connection established between portable phone MS and IP server W is disconnected, resulting in the o termination of the SSL communication.
As explained above, in this embodiment, portable phone MS corrects its own clocking present time through the time information received from gateway server GWS just before the certificate processing is carried out for IP server W. As a result, portable phone MS can judge with a greater precise present time whether the present time is within the validity period specified in the public key certificate of IP server W. This means that, portable phone MS can perform the certification of IP server W more precisely. Enough high security can be obtained herewith concerning the communication party certificate through the procedure carried out in the present embodiment. As a natural result additionally mentioned, there is an advantage that the clocking present time of real time clock 27 can be maintained with precision in portable phone MS.
Furthermore, gateway server GWS generates time information to correct the present time clocked by portable phone MS in consideration for the transmission delay time through mobile packet communication network MPN.
Therefore, a more precise present time can be set up in portable phone MS excluding accidental errors of the transmission delay time.
The embodiments of the present invention were explained heretofore, however, this invention may be embodied in various forms without departing F0447/3137 17 S from the essential characteristics or spirit of the invention; the above embodiment being only illustrative, not restrictive. The scope of the invention Z is defined by the claims and all the transformations and changes within the equivalent scope of the claims belong to this invention. Following is a transformation example: 00 [Modification]
INO
ci In the above embodiment, portable phone MS is exemplified as a client of SSL communication. However, also applicable are PDA (Personal Digital Assistants) and portable communication terminals such as mobile 0 computers, PHS (Personal Handy phone System). A client can be, for instance, a terminal system combining a portable phone with a mobile computer, or a terminal system combining a radio communication terminal and a cable communication terminal with non-mobile computer.
In addition, the above embodiment exemplifies a public key certificate as certificate information with a validity period. However, the above certificate information can be an electronic key, an ID, or a password and so on.
The above-mentioned embodiment, describes a method for correcting the clocking present time of a portable phone MS, which is corrected in order to certify the communication party (IP server W) by portable phone MS. In another given example, the communication party (portable phone MS) can be certified by IP server W wherein, the clocking present time of real time clock 44 of IP server W is corrected by the time information generated from gateway server GWS. In this example, gateway server GWS measures the transmission delay time through a communication channel from gateway server GWS to IP server W and generates the time information according to the transmission delay time. In addition, when portable phone MS and IP server W authenticate each other, the clocking F0447/3137 18 present time of the real time clocks 27, 44 of both portable phone MS and IP server W are corrected on the basis of the time information generated by S gateway server GWS.
Furthermore, the function for measuring transmission delay can be set up in portable phone MS instead of gateway server GWS. Then, gateway 00 server GWS can notify portable phone MS of the clocking present time of real time clock 35 without making any delay compensation, and portable phone MS can correct the clocking present time of real time clock 27 so that it is precise on the basis of the notified present time and the measured transmission 0 delay. This type is especially effective for the communication carried out through the Internet or a network utilizing communication satellites etc., in which the transmission delay time greatly varies depending on the communication channel.
The above-mentioned embodiment describes an instance, in which time information is included in a return message m3 (response message) of gateway server GWS in response to request message ml of portable phone MS, which demands SSL communication. However, gateway server GWS can send another type of message, which consists of only time information, to portable phone MS upon receipt of the above message ml. However, the number of messages will be fewer in the above embodiment, since the time information is contained in a response message between portable phone MS and gateway server GWS, and consequently the traffic congestion of mobile communication network MPN will be reduced.
In addition, in the above embodiment, portable phone MS corrects the clocking present time of real time clock 27 using received time information from gateway server GWS and judges whether it is within the validity period specified in the public key certificate by the corrected present information. However, portable phone MS can directly use the time information itself (the present time information) from gateway server GWSfor F0447/3137 19 judging whether it is within the validity period. In this case, even a communication device without a real time clock or any other clocking 0 S measures can judge whether it is within the validity period specified in the public key certificate.
In another modification of the above-mentioned embodiment of the 00 present invention, the sender of the time information is limited to gateway server GWS; and no other communication device apart from gateway server S GWS can change the clocking present time of portable phone MS. Therefore, the high level of security is maintained. In this case, ID information of the o gateway server GWS such as the network address is stored in non-volatile memory 264 in portable phone MS to identify the gateway server, which is permitted to transmit the time information to portable phone MS. CPU 261 of the portable phone identifies the sender gateway server of the time information received by transmitter/receiver unit 21, by comparing the packet sender address with the network address of gateway server GWS stored in nonvolatile memory 264.
The above-mentioned embodiment of this invention is one example of an application of SSL communication. However, it is possible that this invention is applicable to various communication types with public encryption methods. Furthermore, the purpose of this invention is to judge, by the precise present time, whether the certificate is within its specified validity period, in the instance that a validity period of the certificate information certifying the communication party is established. In which case, the implementation of the enciphered communication is not an essential condition.
Claims (22)
1. A method for initiating a secured communication between a first node and a second node, including: requesting at the first node establishment of connection with the second node; 0 receiving at the first node present time information which is obtainable from Oa trusted node subsequent to requesting establishment of connection; receiving at the first node an expirable certificate from the second node; Sand verifying at the first node the certificate against its expiration, based on the received present time information.
2. The method according to claim 1, wherein the trusted node is a server operable to connect the first node to the second node.
3. The method according to claim 1, wherein the step of receiving present time information includes receiving a connection notice notifying a connection with the second node.
4. The method according to claim 3, wherein the present time information is included in the connection notice.
The method according to claim 1, wherein the step of receiving present time information includes adjusting a timer of the first node, using the received present time information.
6. The method according to claim 1, wherein the step of verifying the certificate includes authenticating the second node.
7. The method according to claim 6, wherein the step of authenticating the second node includes decrypting the certificate, using a public key of the second node.
8. The method according to claim 1, wherein the first and second nodes are located in different networks. O
9. A mobile terminal connectible to a network for communication with a node N other than the mobile terminal, including: Z connection control means configured to request establishment of Oconnection with the other node; time control means configured to receive present time information which is obtainable from a trusted node subsequent to said connection control requesting 00 C establishment of connection; ccertificate receiver means configured to receive an expirable certificate from the other node; and 0 10 authentication control means configured to verify the certificate against its (Ni expiration, based on the received present time information.
The mobile terminal according to claim 9, wherein the trusted node is a server located in the network and operable to connect the mobile terminal to the other node.
11. The mobile terminal according to claim 9, wherein the time control means receives a connection notice notifying a connection with the other node, wherein the present time information is included in the connection notice.
12. The mobile terminal according to claim 9, wherein the time control means includes a timer adjuster configured to adjust a timer of the mobile terminal, using the received present time information.
13. The mobile terminal according to claim 9, wherein the authentication control means authenticates the other node by decrypting the certificate, using a public key of the other node.
14. The mobile terminal according to claim 9, wherein the nodes are located in different networks.
A server device including: connection control means configured to receive a connection request from a first node requesting establishment of connection with a second node; and time information transmitter means configured to transmit present time information to the first node subsequent to establishment of connection with the 0 second node, wherein the present time information is used at the first node to 0 CI verify a certificate received from the second node against its expiration.
16. The server device according to claim 15, wherein the connection control N means sends the first node a connection notice notifying a connection with the second node. Vo 00
17. The server device according to claim 16, wherein the present time N information is included in the connection notice. (Ni
18. The server device according to claim 15, wherein the first and second nodes are located in different networks.
19. A method for initiating a secured communication between a first node and a second node, including: receiving a connection request from the first node requesting establishment of connection with the second node; and transmitting present time information to the first node subsequent to establishment of connection with the second node, wherein the present time information is used to verify a certificate from the second node against its expiration.
The method according to claim 19, wherein the step of transmitting present time information includes sending the first node a connection notice notifying establishment of connection with the second node.
21. The method according to claim 20, wherein the present time information is included in the connection notice.
22. The method according to claim 19, wherein the first and second nodes are located in different networks. DATED this 18th day of July 2006 NTT DOCOMO, INC WATERMARK PATENT TRADE MARK ATTORNEYS 290 BURWOOD ROAD HAWTHORN VICTORIA 3122 AUSTRALIA P21660AU01
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2000-378061 | 2000-12-12 | ||
| PCT/JP2001/010835 WO2002049268A1 (en) | 2000-12-12 | 2001-12-11 | Authentication method, communication apparatus, and relay apparatus |
| AU2002221119A AU2002221119B2 (en) | 2000-12-12 | 2001-12-11 | Authentication method, communication apparatus, and relay apparatus |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| AU2002221119A Division AU2002221119B2 (en) | 2000-12-12 | 2001-12-11 | Authentication method, communication apparatus, and relay apparatus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| AU2004226985A1 AU2004226985A1 (en) | 2004-11-25 |
| AU2004226985B2 true AU2004226985B2 (en) | 2006-09-07 |
Family
ID=34382944
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| AU2004226985A Ceased AU2004226985B2 (en) | 2000-12-12 | 2004-11-05 | Certification method, communication device and relay device |
Country Status (1)
| Country | Link |
|---|---|
| AU (1) | AU2004226985B2 (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH0424815A (en) * | 1990-05-21 | 1992-01-28 | Ricoh Co Ltd | Network control system |
| JPH0715421A (en) * | 1993-06-25 | 1995-01-17 | Fuji Facom Corp | Clock synchronizer in communication network |
| JPH08315021A (en) * | 1995-05-17 | 1996-11-29 | Brother Ind Ltd | Terminal device |
| US6223291B1 (en) * | 1999-03-26 | 2001-04-24 | Motorola, Inc. | Secure wireless electronic-commerce system with digital product certificates and digital license certificates |
-
2004
- 2004-11-05 AU AU2004226985A patent/AU2004226985B2/en not_active Ceased
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH0424815A (en) * | 1990-05-21 | 1992-01-28 | Ricoh Co Ltd | Network control system |
| JPH0715421A (en) * | 1993-06-25 | 1995-01-17 | Fuji Facom Corp | Clock synchronizer in communication network |
| JPH08315021A (en) * | 1995-05-17 | 1996-11-29 | Brother Ind Ltd | Terminal device |
| US6223291B1 (en) * | 1999-03-26 | 2001-04-24 | Motorola, Inc. | Secure wireless electronic-commerce system with digital product certificates and digital license certificates |
Also Published As
| Publication number | Publication date |
|---|---|
| AU2004226985A1 (en) | 2004-11-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2398383C (en) | Certification method, communication device and relay device | |
| US8582762B2 (en) | Method for producing key material for use in communication with network | |
| US7298847B2 (en) | Secure key distribution protocol in AAA for mobile IP | |
| EP1982547B1 (en) | Method and system for recursive authentication in a mobile network | |
| Lee et al. | A new delegation-based authentication protocol for use in portable communication systems | |
| US20020025046A1 (en) | Controlled proxy secure end to end communication | |
| US20030097592A1 (en) | Mechanism supporting wired and wireless methods for client and server side authentication | |
| JP2010259074A (en) | Setting up sensitive sessions based on wireless application protocols | |
| WO2007107708A3 (en) | Establishing communications | |
| JP2012110009A (en) | Methods and arrangements for secure linking of entity authentication and ciphering key generation | |
| RU2008146960A (en) | METHOD AND SYSTEM OF PROVIDING PROTECTED COMMUNICATION USING A CELLULAR NETWORK FOR MANY PERSONALIZED COMMUNICATION DEVICES | |
| Kambourakis et al. | Performance evaluation of public key-based authentication in future mobile communication systems | |
| EP1811719A1 (en) | Internetwork key sharing | |
| JP5248057B2 (en) | COMMUNICATION METHOD, SERVER DEVICE, AND TERMINAL DEVICE | |
| JP3910611B2 (en) | Communication support server, communication support method, and communication support system | |
| AU2004226985B2 (en) | Certification method, communication device and relay device | |
| EP1437024B1 (en) | Method and arrangement in a communications network | |
| JP5220625B2 (en) | Authentication method and system in terminal-to-terminal negotiation | |
| WO2001022685A1 (en) | Method and arrangement for communications security | |
| HK1056803A (en) | Authentication method, communication apparatus, and relay apparatus | |
| WO2010133036A1 (en) | Communication method, device and communication system between base stations | |
| He et al. | An asymmetric authentication protocol for M-Commerce applications | |
| TWI818703B (en) | Method for requesting and signing certificate, certificate system and computer-readable medium thereof | |
| Chang et al. | VESS: A versatile extensible security suite for MANET routing | |
| Samad et al. | Adaptive security established on the requirements and resource abilities of network nodes |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| DA3 | Amendments made section 104 |
Free format text: THE NATURE OF THE AMENDMENT IS: AMEND CO-INVENTOR NAME FROM TAKAGO, KAZUHIRO TO TAKAGI, KAZUHIRO |
|
| FGA | Letters patent sealed or granted (standard patent) | ||
| MK14 | Patent ceased section 143(a) (annual fees not paid) or expired |