`Approved for use through 11/30/2005. OMB 0651-0035
`U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
`
`CHANGE OF CORRESPONDENCE ADDRESS
`Application
`
`Address to:
`Commissioner for Patents
`P.O. Box 1450
`Alexandria, VA 22313-1450.
`
`Application Number: 60/568,119
`Filing Date: May 4, 2004
`First Named Inventor: Michael K. Brown
`Art Unit: Not yet assigned
`Examiner Name: Not yet assigned
`Docket Number: 1578.168
`
`Please change the Correspondence Address for the above-identified patent application to:
`
`Customer Number: 1000044208
`
`This form cannot be used to change the data associated with a Customer Number. To change the
`data associated with an existing Customer Number use "Request for Customer Number Data
`Change" (PTO/SB/124).
`
`I am the:
`
`0 Applicant/Inventor
`D Assignee of record of the entire interest.
`Statement under 37 CFR 3.73(b) is enclosed. (Form PTO/SB/96).
`0 Attorney or Agent of record. Registration Number 33,922
`D Registered practitioner named in the application transmittal letter in an application without an
`executed oath or declaration. See 37 CFR 1.33(a)(1). Registration Number
`
`Typed or Printed Name: Robert H. Kelly
`Telephone 214-706-4200
`
`NOTE: Signatures of all the inventors or assignees of record of the entire interest or their representative(s) are required. Submit multiple
`forms if more than one signature is required, see below*.
`
`*Total of 1 forms are submitted.
`This collection of information is required by 37 CFR 1.33. The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO
`to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.14. This collection is estimated to take 3 minutes to complete, including
`gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the
`amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and
`Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS
`ADDRESS. SEND TO: Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
`
`If you need assistance in completing the form, call 1-800-PTO-9199 and select option 2.
`
`PTO/SB/16 (06-03)
`Approved for use through 07/31/2003. OMB 0651-0032
`U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
`Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
`PROVISIONAL APPLICATION FOR PATENT COVER SHEET
`This is a request for filing a PROVISIONAL APPLICATION FOR PATENT under 37 CFR 1.53(c).
`Express Mail Label No. EV 387 990 539 US
`
`INVENTOR(S)
`Given Name (first and middle [if any]): Michael K.
`Family Name or Surname: Brown
`Residence (City and either State or Foreign Country): Kitchener, Ontario, Canada
`
`Additional inventors are being named on the 1 separately numbered sheets attached hereto
`
`TITLE OF THE INVENTION (500 characters max)
`Challenge Response System and Method
`CORRESPONDENCE ADDRESS
`Direct all correspondence to:
`[x] Customer Number: 30973
`
`ENCLOSED APPLICATION PARTS (check all that apply)
`[x] Specification Number of Pages: 20
`[x] Drawing(s) Number of Sheets: 5
`[ ] Application Data Sheet. See 37 CFR 1.76
`CD(s), Number
`Other (specify): Transmittal Letter & Express Mailing cert., return postcard
`
`METHOD OF PAYMENT OF FILING FEES FOR THIS PROVISIONAL APPLICATION FOR PATENT
`[ ] Applicant claims small entity status. See 37 CFR 1.27.
`[ ] A check or money order is enclosed to cover the filing fees.
`[x] The Director is hereby authorized to charge filing fees or credit any overpayment to Deposit Account Number: 50-2032
`[ ] Payment by credit card. Form PTO-2038 is attached.
`FILING FEE Amount ($)
`
`The invention was made by an agency of the United States Government or under a contract with an agency of the
`United States Government.
`0 No.
`D Yes, the name of the U.S. Government agency and the Government contract number are:
`
`Respectfully submitted,
`
`REGISTRATION NO. 33,922
`Docket Number: 1578.168 (RIM 978)
`TELEPHONE 214-706-4201
`
`USE ONLY FOR FILING A PROVISIONAL APPLICATION FOR PATENT
`This collection of information is required by 37 CFR 1.51. The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO
`to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.14. This collection is estimated to take 8 hours to complete, including
`gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the
`amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and
`Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS
`ADDRESS. SEND TO: Mail Stop Provisional Application, Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
`
`If you need assistance in completing the form, call 1-800-PTO-9199 and select option 2.
`
`PROVISIONAL APPLICATION COVER SHEET
`Additional Page
`
`Docket Number: 1578.168 (RIM 978)
`
`INVENTOR(S)/APPLICANT(S)
`
`Given Name (first and middle [if any]): Michael S.
`Family or Surname: Brown
`Residence (City and either State or Foreign Country): Waterloo, Ontario, Canada
`
`Given Name (first and middle [if any]): Michael G.
`Family or Surname: Kirkup
`Residence (City and either State or Foreign Country): Waterloo, Ontario, Canada
`
`Given Name (first and middle [if any]): Herb
`Family or Surname: Little
`Residence (City and either State or Foreign Country): Waterloo, Ontario, Canada
`
`Number 2 of 2
`
`WARNING: Information on this form may become public. Credit card information should not be
`included on this form. Provide credit card information and authorization on PTO-2038.
`
`
`SCHEEF & STONE, L.L.P.
`
`Legal counsel based on solid principles.
`
`CERTIFICATE OF MAILING UNDER 37 CFR § 1.10
`Express Mail Certificate: EV 387 990 539 US
`Date of Mailing: 4 May 2004
`
`May 4, 2004
`
`DOCKET NUMBER: 1578.168 (RIM 978)
`
`Mail Stop PROVISIONAL APPLICATION
`Commissioner for Patents
`P.O. Box 1450
`Alexandria, VA 22313-1450
`
`Sir:
`
`In re: US Provisional Application s/n: New Application
`Inventor(s): Michael K. Brown (Kitchener, Ontario, Canada); Michael S. Brown
`(Waterloo, Ontario, Canada); Michael G. Kirkup (Waterloo, Ontario,
`Canada); Herb Little (Waterloo, Ontario, Canada)
`Title: Challenge Response System and Method
`
`Enclosed are:
`
`[x] Provisional Application for Patent Cover Sheet (in duplicate);
`[x] Patent specification (20 pages);
`[x] Five (5) sheets of Drawings;
`[x] Return post card.
`
`Respectfully submitted,
`
`5956 Sherry Lane• Suite 1400 • Dallas, Texas 75225 • Tel: (214) 706-4200 • Fax: (214) 706-4242 • www.scheefandstone.com
`
`
`CHALLENGE RESPONSE SYSTEM AND METHOD
`
`BACKGROUND
`
`Technical Field
`
`The present invention relates generally to the field of communications, and in particular
`
`to a challenge response system and method.
`
`Description of the Related Art
`
`Mobile devices, such as personal digital assistants (PDAs), cellular phones, wireless
`
`communication devices and the like, are occasionally connected to a user's desktop system in
`
`order to synchronize information between the user's desktop system and their mobile device.
`
`Information such as a user's calendar, task list and phone book entries are examples of
`
`information that is routinely synchronized between the desktop system and the mobile device.
`
`Such information is usually of a sensitive nature and should be secured. The user is thus
`
`provided with an option to specify a device password on the mobile device in order to secure the
`
`mobile device and prevent use of the device without knowledge of the device password.
`
`When the mobile device is connected to the desktop system in order to synchronize
`
`information, the mobile device issues a challenge to the desktop system in order to determine if
`
`the desktop system is authorized to initiate a connection with the mobile device. The desktop
`
`system then provides a response to the mobile device. If the response provided by the desktop
`
`system matches the response expected by the mobile device, then the desktop system is allowed
`
`to connect to the mobile device and proceed to synchronize information.
`
`Typically, the issued challenge is a request for the hash of the user password. A hash
`
`function, such as SHA-1, is a one-way function that takes an input of varying length and converts
`
`it into a unique output. The hash of the password provided by the user of the desktop system
`
`initiating a connection is sent to the device in response to the challenge by the mobile device. If
`
`the response matches the stored hash of the device password, the desktop system is allowed to
`
`connect to the mobile device and proceed to synchronize information.
`
`The device password is typically not stored on the device. Only the hash of the device
`
`password is stored on the device. However, since the device password itself is not stored on the
`
`device, certain operations requiring use of the device password cannot be performed if only the
`
`hash of the device password is available on the mobile device. For instance, if the information
`
`on the mobile device is encrypted using the device password, then the device password must be
`
`supplied in order to decrypt the information prior to synchronizing with the desktop system.
`
`SUMMARY
`
`In accordance with the teachings provided herein, systems and methods are provided for
`
`a challenge response scheme within which a secret, such as a password, may be securely
`
`transferred between a requesting device and an authenticating device. As an example of a
`
`system and method, the authenticating device generates a challenge that is issued to the
`
`requesting device. The requesting device combines the challenge with a hash of a password
`
`provided by a user of the requesting device, and the combination of the hash of the password and
`
`the challenge is further hashed in order to generate a requesting encryption key that is used to
`
`encrypt the user supplied password. The encrypted user supplied password is sent to the
`
`authenticating device as the response to the issued challenge. The authenticating device
`
`generates an authenticating encryption key by generating the hash of a combination of the
`
`challenge and a stored hash of an authenticating device password. The authenticating encryption
`
`key is used to decrypt the response in order to retrieve the user supplied password. If a hash of
`
`the user supplied password matches the stored hash of the authenticating device password, then
`
`the requesting device has been authenticated and the authenticating device is in possession of the
`
`password.
`
`As will be appreciated, the invention is capable of other and different embodiments, and
`
`its several details are capable of modifications in various respects, all without departing from the
`
`spirit of the invention. Accordingly, the drawings and description of the preferred embodiments
`
`set forth below are to be regarded as illustrative in nature and not restrictive.
`
`DETAILED DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is an overview of an example communication system in which a wireless
`
`communication device may be used. One skilled in the art will appreciate that there may be
`
`hundreds of different topologies, but the system shown in FIG. 1 helps demonstrate the operation
`
`of the encoded message processing systems and methods described in the present application.
`
`There may also be many message senders and recipients. The simple system shown in FIG. 1 is
`
`for illustrative purposes only, and shows perhaps the most prevalent Internet e-mail environment
`
`where security is not generally used.
`
`FIG. 1 shows an e-mail sender 10, the Internet 20, a message server system 40, a wireless
`
`gateway 85, wireless infrastructure 90, a wireless network 105 and a mobile communication
`
`device 100.
`
`An e-mail sender system 10 may, for example, be connected to an ISP (Internet Service
`
`Provider) on which a user of the system 10 has an account, located within a company, possibly
`
`connected to a local area network (LAN), and connected to the Internet 20, or connected to the
`
`Internet 20 through a large ASP (application service provider) such as America Online (AOL).
`
`Those skilled in the art will appreciate that the systems shown in FIG. 1 may instead be
`
`connected to a wide area network (WAN) other than the Internet, although e-mail transfers are
`
`commonly accomplished through Internet-connected arrangements as shown in FIG. 1.
`
`The message server 40 may be implemented, for example, on a network computer within
`
`the firewall of a corporation, a computer within an ISP or ASP system or the like, and acts as the
`
`main interface for e-mail exchange over the Internet 20. Although other messaging systems
`
`might not require a message server system 40, a mobile device 100 configured for receiving and
`
`possibly sending e-mail will normally be associated with an account on a message server.
`
`Perhaps the two most common message servers are Microsoft Exchange™ and Lotus Domino™.
`
`These products are often used in conjunction with Internet mail routers that route and deliver
`
`mail. These intermediate components are not shown in FIG. 1, as they do not directly play a role
`
`in the secure message processing described below. Message servers such as server 40 typically
`
`extend beyond just e-mail sending and receiving; they also include dynamic database storage
`
`engines that have predefined database formats for data like calendars, to-do lists, task lists,
`
`e-mail and documentation.
`
`The wireless gateway 85 and infrastructure 90 provide a link between the Internet 20 and
`
`wireless network 105. The wireless infrastructure 90 determines the most likely network for
`
`locating a given user and tracks the user as they roam between countries or networks. A message
`
`is then delivered to the mobile device 100 via wireless transmission, typically at a radio
`
`frequency (RF), from a base station in the wireless network 105 to the mobile device 100. The
`
`particular network 105 may be virtually any wireless network over which messages may be
`
`exchanged with a mobile communication device.
`
`As shown in FIG. 1, a composed e-mail message 15 is sent by the e-mail sender 10,
`
`located somewhere on the Internet 20. This message 15 is normally fully in the clear and uses
`
`traditional Simple Mail Transfer Protocol (SMTP), RFC822 headers and Multipurpose Internet
`
`Mail Extension (MIME) body parts to define the format of the mail message. These techniques
`
`are all well known to those skilled in the art. The message 15 arrives at the message server 40
`
`and is normally stored in a message store. Most known messaging systems support a so-called
`
`"pull" message access scheme, wherein the mobile device 100 must request that stored messages
`
`be forwarded by the message server to the mobile device 100. Some systems provide for
`
`automatic routing of such messages which are addressed using a specific e-mail address
`
`associated with the mobile device 100. In a preferred embodiment described in further detail
`
`below, messages addressed to a message server account associated with a host system such as a
`
`home computer or office computer which belongs to the user of a mobile device 100 are
`
`redirected from the message server 40 to the mobile device 100 as they are received.
`
`Regardless of the specific mechanism controlling the forwarding of messages to the
`
`mobile device 100, the message 15, or possibly a translated or reformatted version thereof, is
`
`sent to the wireless gateway 85. The wireless infrastructure 90 includes a series of connections
`
`to wireless network 105. These connections could be Integrated Services Digital Network
`
`(ISDN), Frame Relay or T1 connections using the TCP/IP protocol used throughout the Internet.
`
`As used herein, the term "wireless network" is intended to include three different types of
`
`networks, those being (1) data-centric wireless networks, (2) voice-centric wireless networks and
`
`(3) dual-mode networks that can support both voice and data communications over the same
`
`physical base stations. Combined dual-mode networks include, but are not limited to, (1) Code
`
`Division Multiple Access (CDMA) networks, (2) the Groupe Special Mobile or the Global
`
`System for Mobile Communications (GSM) and the General Packet Radio Service (GPRS)
`
`networks, and (3) future third-generation (3G) networks like Enhanced Data-rates for Global
`
`Evolution (EDGE) and Universal Mobile Telecommunications Systems (UMTS). Some older
`
`examples of data-centric networks include the Mobitex™ Radio Network and the DataTAC™
`
`Radio Network. Examples of older voice-centric data networks include Personal
`
`Communication Systems (PCS) networks like GSM, and TDMA systems.
`
`FIG. 2 is a block diagram of a further example communication system including multiple
`
`networks and multiple mobile communication devices. The system of FIG. 2 is substantially
`
`similar to the FIG. 1 system, but includes a host system 30, a redirection program 45, a mobile
`
`device cradle 65, a wireless virtual private network (VPN) router 75, an additional wireless
`
`network 110 and multiple mobile communication devices 100. As described above in conjunction
`
`with FIG. 1, FIG. 2 represents an overview of a sample network topology. Although the encoded
`
`message processing systems and methods described herein may be applied to networks having
`
`many different topologies, the network of FIG. 2 is useful in understanding an automatic e-mail
`
`redirection system mentioned briefly above.
`
`The central host system 30 will typically be a corporate office or other LAN, but may
`
`instead be a home office computer or some other private system where mail messages are being
`
`exchanged. Within the host system 30 is the message server 40, running on some computer
`
`within the firewall of the host system, that acts as the main interface for the host system to
`
`exchange e-mail with the Internet 20.
`
`In the system of FIG. 2, the redirection program 45
`
`enables redirection of data items from the server 40 to a mobile communication device 100.
`
`Although the redirection program 45 is shown to reside on the same machine as the message
`
`server 40 for ease of presentation, there is no requirement that it must reside on the message
`
`server. The redirection program 45 and the message server 40 are designed to co-operate and
`
`interact to allow the pushing of information to mobile devices 100.
`
`In this installation, the
`
`redirection program 45 takes confidential and non-confidential corporate information for a
`
`specific user and redirects it out through the corporate firewall to mobile devices 100. A more
`
`detailed description of the redirection software 45 may be found in the commonly assigned
`
`United States Patent 6,219,694 ("the '694 Patent"), entitled "System and Method for Pushing
`
`Information From A Host System To A Mobile Data Communication Device Having A Shared
`
`Electronic Address", and issued to the assignee of the instant application on April 17, 2001,
`
`which is hereby incorporated into the present application by reference. This push technique may
`
`use a wireless friendly encoding, compression and encryption technique to deliver all
`
`information to a mobile device, thus effectively extending the security firewall to include each
`
`mobile device 100 associated with the host system 30.
`
`As shown in FIG. 2, there may be many alternative paths for getting information to the
`
`mobile device 100. One method for loading information onto the mobile device 100 is through a
`
`port designated 50, using a device cradle 65. This method tends to be useful for bulk
`
`information updates often performed at initialization of a mobile device 100 with the host system
`
`30 or a computer 35 within the system 30. The other main method for data exchange is over-the-air
`
`using wireless networks to deliver the information. As shown in FIG. 2, this may be
`
`accomplished through a wireless VPN router 75 or through a traditional Internet connection 95 to
`
`a wireless gateway 85 and a wireless infrastructure 90, as described above. The concept of a
`
`wireless VPN router 75 is new in the wireless industry and implies that a VPN connection could
`
`be established directly through a specific wireless network 110 to a mobile device 100. The
`
`possibility of using a wireless VPN router 75 has only recently been available and could be used
`
`when the new Internet Protocol (IP) Version 6 (IPV6) arrives into IP-based wireless networks.
`
`This new protocol will provide enough IP addresses to dedicate an IP address to every mobile
`
`device 100 and thus make it possible to push information to a mobile device 100 at any time. A
`
`principal advantage of using this wireless VPN router 75 is that it could be an off-the-shelf VPN
`
`component, thus it would not require a separate wireless gateway 85 and wireless infrastructure
`
`90 to be used. A VPN connection would preferably be a Transmission Control Protocol
`
`(TCP)/IP or User Datagram Protocol (UDP)/IP connection to deliver the messages directly to the
`
`mobile device 100. If a wireless VPN 75 is not available then a link 95 to the Internet 20 is the
`
`most common connection mechanism available and has been described above.
`
`In the automatic redirection system of FIG. 2, a composed e-mail message 15 leaving the
`
`e-mail sender 10 arrives at the message server 40 and is redirected by the redirection program 45
`
`to the mobile device 100. As this redirection takes place the message 15 is re-enveloped, as
`
`indicated at 80, and a possibly proprietary compression and encryption algorithm can then be
`
`applied to the original message 15. In this way, messages being read on the mobile device 100
`
`are no less secure than if they were read on a desktop workstation such as 35 within the firewall.
`
`All messages exchanged between the redirection program 45 and the mobile device 100
`
`preferably use this message repackaging technique. Another goal of this outer envelope is to
`
`maintain the addressing information of the original message except the sender's and the
`
`receiver's address. This allows reply messages to reach the appropriate destination, and also
`
`allows the "from" field to reflect the mobile user's desktop address. Using the user's e-mail
`
`address from the mobile device 100 allows the received message to appear as though the
`
`message originated from the user's desktop system 35 rather than the mobile device 100.
`
`With reference back to the port 50 and cradle 65 connectivity to the mobile device 100,
`
`this connection path offers many advantages for enabling one-time data exchange of large items.
`
`For those skilled in the art of personal digital assistants (PDAs) and synchronization, the most
`
`common data exchanged over this link is Personal Information Management (PIM) data 55.
`
`When exchanged for the first time this data tends to be large in quantity, bulky in nature and
`
`requires a large bandwidth to get loaded onto the mobile device 100 where it can be used on the
`
`road. This serial link may also be used for other purposes, including setting up a private security
`
`key 111 such as an S/MIME or PGP specific private key, the Certificate (Cert) of the user and
`
`their Certificate Revocation Lists (CRLs) 60. The private key is preferably exchanged so that the
`
`desktop 35 and mobile device 100 share one personality and one method for accessing all mail.
`
`The Cert and CRLs are normally exchanged over such a link because they represent a large
`
`amount of the data that is required by the device for S/MIME, PGP and other public key security
`
`methods.
`
`FIG. 3 shows a typical challenge response scheme used by an authenticating device, such
`
`as mobile device 10 to authenticate a requesting device, such as desktop system 35 that may be
`
`requesting a connection to the device 10. When device 10 is connected to the desktop system 35,
`
`for instance through a serial link such as a universal serial bus (USB) link, the user of the
`
`desktop system 35 is prompted to enter a password in order to authenticate the user to the device
`
`10. The desktop system 35 creates a one-way hash of the password provided by the user, and
`
`transmits the hash of the password to the device 10. The device 10 then compares the hash of the
`
`password to a stored hash of the device password. If the two values match, then the user is
`
`authenticated and the desktop system 35 is allowed to form a connection with the device 10. In
`
`this typical challenge response scheme, only the hash of the password is transmitted to the device
`
`10. If the password itself were sent over the communications link, an attacker would be able to
`
`intercept the transmission and gain knowledge of the password.
`
`FIG. 4
`
`illustrates a challenge response scheme in accordance with a preferred
`
`embodiment of the present invention. In the preferred embodiment, a requesting device, such as
`
`the desktop system 35, is connected to an authenticating device, such as mobile device 10, using
`
`a communications link, such as a universal serial bus (USB) link, through which the requesting
`
`device may send a connection request. The connection request may be in the form of a software
`
`request sent to the authenticating device, or the detection of a change in a hardware state of the
`
`communications link. The authenticating device detects that a connection is being requested,
`
`and proceeds to authenticate the requesting device in accordance with the challenge response
`
`scheme described below. It will be understood that the authenticating device may only initiate
`
`the challenge response scheme if the authenticating device has been secured by a device
`
`password (device_password). In order to determine if a requesting device needs to be
`
`authenticated, the authenticating device may check for the presence of a hash of the device
`
`password H(device_password) in a memory of the authenticating device. In other
`
`implementations, the authenticating device may check for a flag indicating whether the device
`
`has been secured.
`
`When the authenticating device detects a connection request, it generates a Challenge c to
`
`issue to the requesting device. The Challenge c may be a group of bits that have been randomly
`
`generated by the authenticating device. Alternatively, the number of bits used in the Challenge
`
`c may also be randomized. The authenticating device may use a hardware-based random number
`
`generator or a software-based random number generator to generate the random Challenge c.
`
`The requesting device prompts the user of the requesting device for a password
`
`user_password. This password is hashed, using known hashing functions such as SHA-1, to
`
`create H(user_password) which is then combined with the Challenge c received from the
`
`authenticating device. In the preferred embodiment, the Challenge c and the hash of the
`
`password H(user_password) are concatenated together. It is understood that there are different
`
`ways in which to combine the two values. This combination of the Challenge c and the hash of
`
`the password H(user_password) is further hashed in order to generate a requesting encryption
`
`key k_r = H(c || H(user_password)) that is used in creating a response r to the challenge issued by the
`
`authenticating device. The response r is generated by encrypting the password user_password
`
`using known techniques such as AES or TripleDES. In some implementations, the response r
`
`may also be generated by applying the XOR function to the requesting encryption key k_r and the
`
`password user_password. The response r is then transmitted to the authenticating device.
`
`The authenticating device determines an authenticating encryption key k_a by following a
`
`process similar to that followed by the requesting device. The authenticating device combines
`
`the stored hash of the device password H(stored_password) with the randomly generated
`
`Challenge c, and then generates a hash of the combination, in order to generate the authenticating
`
`encryption key k_a = H(c || H(stored_password)). The authenticating encryption key k_a is used to
`
`decrypt the response r received from the requesting device. A hash of the decrypted response
`
`H(decrypted_response) is then compared to the stored hash of the device password
`
`H(device_password). If the two hashes match, then the decrypted response was the correct
`
`device password. Thus the authenticating device has authenticated the requesting device. The
`
`authenticating device is also in possession of the device password for use in operations that
`
`require the device password. If the two hashes do not match, then the user did not provide the
`
`correct password, and the authenticating device rejects the connection request from the
`
`requesting device, and thereby disallows the connection.
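
The exchange described in the Summary and in the FIG. 4 walkthrough above, as an added Python example that is not part of the original application. It uses the XOR variant of the response step with SHA-1 as H; the class and function names, the 16-byte challenge size, the single-use handling of each challenge and the one-hash-length limit on the password are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    # H() from the description; SHA-1 is the hash function the text names.
    return hashlib.sha1(data).digest()


def xor_with_key(key: bytes, data: bytes) -> bytes:
    # XOR variant of the response step. Assumption of this sketch: the
    # secret must fit in one hash output (20 bytes for SHA-1), so no key
    # byte is ever used twice.
    if len(data) > len(key):
        raise ValueError("secret longer than one hash output")
    return bytes(d ^ k for d, k in zip(data, key))


def requesting_response(challenge: bytes, user_password: str) -> bytes:
    """Requesting device: build response r from challenge c and the typed password."""
    pw = user_password.encode("utf-8")
    k_r = H(challenge + H(pw))            # k_r = H(c || H(user_password))
    return xor_with_key(k_r, pw)          # r = k_r XOR user_password


class AuthenticatingDevice:
    """Authenticating device: stores only H(device_password), never the password."""

    def __init__(self, device_password: str):
        self.stored_hash = H(device_password.encode("utf-8"))
        self._challenge = None

    def issue_challenge(self, nbytes: int = 16) -> bytes:
        # Random Challenge c from the OS CSPRNG (size is an assumption).
        self._challenge = secrets.token_bytes(nbytes)
        return self._challenge

    def verify(self, response: bytes):
        """Return the recovered password on success, None on rejection."""
        if self._challenge is None:
            return None                    # no outstanding challenge
        # Assumption: a challenge is consumed by a single attempt.
        c, self._challenge = self._challenge, None
        k_a = H(c + self.stored_hash)      # k_a = H(c || H(stored_password))
        try:
            candidate = xor_with_key(k_a, response)
        except ValueError:
            return None
        # Compare H(decrypted_response) with the stored hash in constant time.
        if hmac.compare_digest(H(candidate), self.stored_hash):
            return candidate.decode("utf-8")
        return None


def run_exchange(device_password: str, typed_password: str):
    """One full exchange; returns (challenge, response, verify() result)."""
    device = AuthenticatingDevice(device_password)
    c = device.issue_challenge()
    r = requesting_response(c, typed_password)
    return c, r, device.verify(r)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for typed in ("tr0ub4dor&3", "wrong-guess"):
        c, r, result = run_exchange("tr0ub4dor&3", typed)
        print(f"c={c.hex()} r={r.hex()} ->", "accepted" if result else "rejected")
```

On success the device ends up holding the plaintext password, which the hash-only scheme of FIG. 3 cannot give it. In this XOR variant the response is exactly as long as the password.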
`
`The systems and methods disclosed herein are presented only by way of example and are
`
`not meant to limit the scope of the invention. Other variations of the systems and methods
`
`described above will be apparent to those skilled in the art and as such are considered to be
`
`within the scope of the invention. For example, it should be understood that steps and the order
`
`of the steps in the processing described herein may be altered, modified and/or augmented and
`
`still achieve the desired outcome.
`
`As another example, the systems and methods disclosed herein may be used with many
`
`different computers and devices, such as a wireless mobile communications device shown in FIG.
`
`5. With reference to FIG. 5, the mobile device 100 is a dual-mode mobile device and includes a
`
`transceiver 311, a microprocessor 338, a display 322, non-volatile memory 324, random access
`
`memory (RAM) 326, one or more auxiliary input/output (I/O) devices 328, a serial port 330, a
`
`keyboard 332, a speaker 334, a microphone 336, a short-range wireless communications
`
`sub-system 340, and other device sub-systems 342.
`
`The transceiver 311 includes a receiver 312, a transmitter 314, antennas 316 and 318, one
`
`or more local oscillators 313, and a digital signal processor (DSP) 320. The antennas 316 and
`
`318 may be antenna elements of a multiple-element antenna, and are preferably embedded
`
`antennas. However, the systems and methods described herein are in no way restricted to a
`
`particular type of antenna, or even to wireless communication devices.
`
`The mobile device 100 is preferably a two-way communication device having voice and
`
`data communication capabilities. Thus, for example, the mobile device 100 may communicate
`
`over a voice network, such as any of the analog or digital cellular networks, and may also
`
`communicate over a data network. The voice and data networks are depicted in FIG. 5 by the
`
`communication tower 319. These voice and data networks may be separate communication
`
`networks using separate infrastructure, such as base stations, network controllers, etc., or they
`
`may be integrated into a single wireless network.
`
`The transceiver 311 is used to communicate with the network 319, and includes the
`
`receiver 312, the transmitter 314, the one or more local oscillators 313 and the DSP 320. The
`
`DSP 320 is used to