The proliferation of the Internet has inspired numerous smart-home electronic applications in such areas as home security, communication, entertainment, healthcare, as well as sharing rich digital assets with families and friends anywhere around the globe.
Increasingly, however, damaging security attacks and privacy invasions have raised the degree of urgency for protecting the security of networked electronic devices. This includes home networked electronic devices such as CE devices, and the privacy of the information stored on such devices.
For networked electronic devices in a home, providing security involves performing authentication by verifying the identity of a party who is attempting to access home devices, services and/or information. Authentication between two electronic devices involves verifying that both devices posses a shared secret and, therefore, can trust each other. Once authenticated, the devices can establish a trust relationship.
Conventional authentication mechanisms can be categorized into two methods: shared secret based authentication and certification based authentication. A shared secret is a method that requires a pre-defined secret to be distributed among devices such that when authentication is required among them, the secret is exchanged. A shared secret may be distributed by a courier, by email and by direct phone call. The difficulty of a shared secret is that securely distributing the secret is a difficult problem and there is no satisfactory, automatic way of distributing the secret without malicious interception.
The home network environment poses more difficulties. The most common case a user encounters is the Wired Equivalent Privacy (WEP) key set-up for wireless access points (APs). To set up a WEP key for a wireless AP, a user is required to input the WEP key to the wireless AP via a computer terminal. At a later time, if the user wishes to set-up a wireless device that can connect to the wireless AP, the user must input the same WEP key to the wireless device. In other words, the user is required to distribute the secret (WEP key) among the wireless AP and wireless devices. This typically requires the user to use a keyboard which is not commonly provided by CE devices.
As a result, a variety of methods have been proposed in an attempt to avoid such issues. One example is a challenge/response scheme that requires a challenger to encrypt a randomly generated challenge with a shared secret key, and send it to the responder. The responder decrypts the challenge using the shared secret key, and sends back the response that is also encrypted with the shared secret key.
Another common way of authentication is to use public key infrastructure (PKI), which provides a certificate authority (CA) that all entities (devices, persons, organizations, etc.) trust. The CA generates certificates for entities, wherein a certificate includes the Distinguished Name (DN) of the entity and the public key of the entity. A public and private key are created simultaneously by the CA. The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet.
For example, entity A can use its private key to decrypt a message that has been encrypted by entity B using entity A's public key, wherein entity B can find entity A's public key from a public directory. Thus, if entity A sends a message to entity B, then entity B can find the public key (but not the private key) of entity A from a central administrator, and encrypt a message to entity A using entity A's public key. When entity A receives the message, entity A decrypts it with entity A's private key.
In addition to encrypting messages (which ensures privacy), entity A can authenticate itself to entity B (so that entity B knows that it is really entity A that sent the message), by using entity A's private key to sign the message. When entity B receives it, entity B can use the public key of entity A to verify it. When entity A tries to authenticate entity B, entity A asks for entity B's certificate. If the verification process succeeds, entity A is sure that entity B is what it claims to be.
The PKI approach has wide commercial applications, for example, on the Web using the HTTPS protocol. This is because a service provider can bind its name with the certificate when it applies for the certificate from the CA. For a home electronic device, however, the binding of its owner and application for the certificate for the device is a tedious and potentially costly step because the CA most likely charges a fee for the certificate and must perform a time consuming verification of the owner and device information. The transfer of such devices among different owners further complicates and lengthens the certificate issuing problem. There is, therefore, a need for a method and system for simplified secure communication between electronic devices.