US 12,284,270 B2
Systems and methods for providing signatureless, confidential and authentication of data during handshake for classical and quantum computing environments
Chris Cap, Bayville, NJ (US); Barry Van Hooser, Pleasanton, CA (US); Sarah McCarthy, Carrickfergus (GB); and Louie Gasparini, San Mateo, CA (US)
Assigned to QuSecure, Inc., Petaluma, CA (US)
Filed by QuSecure, Inc., San Mateo, CA (US)
Filed on Jan. 24, 2022, as Appl. No. 17/583,150.
Claims priority of provisional application 63/180,504, filed on Apr. 27, 2021.
Claims priority of provisional application 63/180,650, filed on Apr. 27, 2021.
Prior Publication US 2022/0345298 A1, Oct. 27, 2022
Int. Cl. H04L 9/08 (2006.01); H04L 9/40 (2022.01)
CPC H04L 9/0825 (2013.01) [H04L 9/0863 (2013.01); H04L 9/0869 (2013.01); H04L 63/0869 (2013.01)]
58 Claims

1. A method comprises:
providing direct communication between a server and an initiator client, indirect communication between the server and a recipient client, and direct communication between the initiator client and the recipient client;
providing mutual identity authentication; and
providing forward secrecy, confidentiality of data, and integrity of data comprising:
the initiator client encapsulating a first shared secret using a static Key Encapsulation Mechanism (KEM) public key to produce a first ciphertext;
the initiator client sending the first ciphertext to the server;
the initiator client generating an ephemeral KEM keypair;
the initiator client sending the ephemeral KEM public key to the server using an Authenticated Encryption with Associated Data (AEAD) with the first shared secret;
the server decapsulating the first ciphertext using the static KEM private key to produce the first shared secret;
the server encapsulating a second shared secret using the ephemeral KEM public key to produce a second ciphertext;
the server sending the second ciphertext to the initiator client;
the initiator client decapsulating the second ciphertext using the ephemeral KEM private key to produce the second shared secret;
the server generating a plurality of symmetric session keys, wherein each symmetric session key is updated by the server and the server generating a number of bytes each one of the symmetric session keys used to encrypt;
clients switching to a next symmetric session key prior to a current symmetric session key encrypting a predetermined number of bytes associated with the current symmetric session key; and
the initiator client forwarding an encrypted buffer generated by the server to the recipient client to establish a secure session.
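
The key-rotation steps near the end of the claim (the server assigning each symmetric session key a byte count, and clients switching before a key reaches it) can be sketched as follows. This is an added illustration, not code from the patent or from QuSecure: the names SessionKey, KeyRotator and plan, the sample limits, and the reading that a key stays strictly below its limit are assumptions, and the encryption itself is left out.

```python
import os
from dataclasses import dataclass

@dataclass
class SessionKey:
    key_id: int
    key: bytes
    byte_limit: int      # server-chosen number of bytes for this key
    used: int = 0        # bytes encrypted under this key so far

class KeysExhausted(Exception):
    """Raised when the remaining keys cannot cover a message."""

def server_make_schedule(limits):
    # Server side: a fresh 256-bit key per entry, each with its own byte limit.
    return [SessionKey(i, os.urandom(32), n) for i, n in enumerate(limits)]

class KeyRotator:
    """Client side: decides which key covers which bytes of outgoing data."""
    def __init__(self, schedule):
        self.schedule, self.index = schedule, 0

    def remaining(self):
        # Usable bytes left; each key stays strictly below its limit (assumed reading).
        return sum(max(0, k.byte_limit - 1 - k.used)
                   for k in self.schedule[self.index:])

    def plan(self, msg_len):
        """Return [(key_id, chunk_len), ...] covering msg_len bytes."""
        if msg_len > self.remaining():
            raise KeysExhausted("request new session keys from the server")
        chunks = []
        while msg_len > 0:
            k = self.schedule[self.index]
            room = k.byte_limit - 1 - k.used
            if room <= 0:
                self.index += 1      # retire the key; never go back to it
                continue
            n = min(room, msg_len)
            k.used += n
            msg_len -= n
            chunks.append((k.key_id, n))
        return chunks

if __name__ == "__main__":
    rot = KeyRotator(server_make_schedule([10, 5, 8]))  # constructed limits
    for size in (6, 6, 8):
        print(size, "->", rot.plan(size))
```

Each chunk would be encrypted under the key named by its key_id, so the receiving client can select the same key without tracking the sender's byte counts.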