With the advent of wireless telecommunications, there is an increasing need to establish security that provides privacy to users and protects the confidentiality of network data. When two or more wireless parties (e.g. a network server and a mobile client) wish to establish a level of security, they will typically “authenticate,” that is, prove to each other that they really are who they say they are. The proof of identity is typically made through some form of “credential.” Credentials serve different purposes in the industry. For instance, a “user ID and password” serve as a credential to prove to a computer that a user is valid and thus gain entry to the system. Similarly, in a network, the “user ID and password” are used to prove the client's authenticity and gain access to the network. Credentials are typically used to achieve authentication through one of two cryptographic disciplines: “symmetric cryptography” or “asymmetric cryptography.”
Symmetric cryptography is based on the use of a “pre-shared secret,” which both parties obtain through some external means; that is, they may rely on a central source to distribute the “pre-shared secret,” or one of the parties may disclose the “pre-shared secret” (through some other protected channel) prior to its use. For example, the pre-shared secret might be a typical “user ID/password” assigned to a user by a network administrator. The security strength of such symmetric cryptography techniques depends on strong “pre-shared secrets,” and as such, typical “user ID and password” techniques are often susceptible to dictionary attacks due to the inherent weakness of passwords: a password is drawn from a small, guessable space, so an attacker who captures a single authentication exchange can test candidate passwords offline until one reproduces it.
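The following Go example is added here as an illustration and is not part of the original text. It shows the challenge-response exchange that a pre-shared secret supports (HMAC-SHA256 keyed with the secret, so the secret itself never crosses the network) and then plays the eavesdropper: given one captured exchange, an offline dictionary attack recovers a password-grade secret but not a randomly generated one. The user ID, the wordlist and the secrets are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// respond is the client side of a challenge-response exchange built on a
// pre-shared secret: HMAC-SHA256 keyed with the secret over the user ID and
// the server's fresh challenge. The secret itself is never transmitted.
func respond(secret []byte, userID string, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(userID))
	mac.Write(challenge)
	return mac.Sum(nil)
}

// verify is the server side: it recomputes the response from its own copy
// of the secret and compares in constant time.
func verify(secret []byte, userID string, challenge, response []byte) bool {
	return hmac.Equal(respond(secret, userID, challenge), response)
}

// dictionaryAttack models an eavesdropper who captured one exchange (user
// ID, challenge and response all travel in the clear). Nothing stops it from
// trying candidate secrets offline until one reproduces the captured
// response; a human-chosen password is usually somewhere in the list.
func dictionaryAttack(wordlist []string, userID string, challenge, response []byte) (string, bool) {
	for _, guess := range wordlist {
		if hmac.Equal(respond([]byte(guess), userID, challenge), response) {
			return guess, true
		}
	}
	return "", false
}

// randomSecret produces a high-entropy pre-shared secret that no wordlist
// will contain; it is what a provisioning tool should hand out instead of a
// human-chosen password. It is also used here to draw the server challenge.
func randomSecret(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// A constructed wordlist for the example; a real attacker uses millions of entries.
var wordlist = []string{"123456", "password", "qwerty", "letmein", "hunter2", "summer2019"}

func main() {
	challenge, _ := randomSecret(16)
	userID := "alice" // placeholder user ID

	// Weak secret: a human-chosen password assigned by the administrator.
	weak := []byte("hunter2")
	resp := respond(weak, userID, challenge)
	fmt.Println("server accepts weak secret:", verify(weak, userID, challenge, resp))
	guess, found := dictionaryAttack(wordlist, userID, challenge, resp)
	fmt.Printf("offline dictionary attack recovered %q: %v\n", guess, found)

	// Strong secret: 32 random bytes provisioned by a tool.
	strong, _ := randomSecret(32)
	resp = respond(strong, userID, challenge)
	fmt.Println("server accepts strong secret:", verify(strong, userID, challenge, resp))
	_, found = dictionaryAttack(wordlist, userID, challenge, resp)
	fmt.Println("dictionary attack recovered strong secret:", found)
	fmt.Println("strong secret (hex):", hex.EncodeToString(strong))
}
```

The point worth noting is that the server's own checks do not help here: it can rate-limit or lock out online guessing, but the attack above runs entirely on the attacker's machine against one passively captured exchange, so the only defence is a secret with enough entropy to be outside any feasible wordlist, which is exactly the provisioning burden the passage describes.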
Asymmetric cryptography is based on newer technologies, such as “Public Key Infrastructure” (PKI), which enable a “zero knowledge” style of identification in which a party proves possession of a private key without ever disclosing it, at the cost of a higher computational burden. While public key approaches avoid the weak-secret problem and do not require a shared secret between the two parties, they must instead rely on a trusted third party (known as a Certificate Authority) to vouch for the public key, or on some a priori knowledge held by the verifying party, in order to validate the authenticity of the public key. Hence, PKI techniques are far more costly than symmetric techniques, both computationally and in the supporting infrastructure, and may be prohibitively expensive to implement on some wireless networks.
In summary, whether symmetric or asymmetric cryptography techniques are used to authenticate two parties, some established data or fingerprint must be common to both. In the case of a symmetric cryptography scheme, a pre-shared secret must be mutually shared; in the asymmetric case, either a third party is required for certificate validation or a fingerprint must be provided to each party before authentication can ensue. Today's solutions, whether in wireless or wired communications, rely in both schemes on manual configuration or installation of such information. When symmetric cryptography techniques are used, the pre-shared secrets are provided through external tools that often prove burdensome. Asymmetric cryptography techniques typically rely on certificates (such as ITU-T X.509 certificates) and a PKI, and the certificate must either be validated by a trusted third party or checked against a manually configured fingerprint. Thus, there is no currently existing solution that distributes such information (pre-shared secret, certificate or fingerprint) in a protected and dynamic manner; tools in the trade today demand an out-of-band or manual configuration for such information.