Systems and methods for secure communications between devices
Abstract
The disclosed computer-implemented method for secure communications between devices may include (1) receiving, from a control device that is capable of providing instructions to one or more smart devices, a security certificate that identifies the control device and also contains privilege information that indicates how the control device is allowed to interact with the smart devices, (2) receiving, from the control device, a request to interact with a smart device, (3) analyzing the privilege information in the security certificate to determine whether the requested interaction is allowed by the privilege, and (4) controlling the requested interaction based on whether the privilege information indicates that the requested interaction is allowed. Various other methods, systems, and computer-readable media are also disclosed.
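The decision the abstract describes, written out as an added Go example that is not taken from the patent or its assignee. The OID `1.3.6.1.4.1.99999.1`, the `Policy` layout that holds both the permission setting and the request in one extension, the device names, and the single CA that issues both certificates directly are all assumptions made for illustration, since the claims specify no encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var oidPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical private-arc OID
type Policy struct{ Permitted, Requested, Device string }         // assumed layout of the extension value
// Issue builds a constructed test certificate: a self-signed CA when parent is nil, else a leaf.
func Issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey, p *Policy) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if p != nil {
		v, _ := asn1.Marshal(*p)
		t.ExtraExtensions = []pkix.Extension{{Id: oidPolicy, Value: v}}
	}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Authorize authenticates both certificates against the CA, then applies the controller's permission.
func Authorize(ctrl, dev, ca *x509.Certificate) error {
	for _, c := range []*x509.Certificate{ctrl, dev} {
		if c.CheckSignatureFrom(ca) != nil || time.Now().Before(c.NotBefore) || time.Now().After(c.NotAfter) {
			return errors.New("authentication failed for " + c.Subject.CommonName)
		}
	}
	var p Policy
	for _, e := range ctrl.Extensions {
		if e.Id.Equal(oidPolicy) {
			asn1.Unmarshal(e.Value, &p) // decode error ignored: an empty Policy is rejected below
		}
	}
	if p.Permitted == "" || p.Requested != p.Permitted || p.Device != dev.Subject.CommonName {
		return errors.New("rejected: request is outside the certificate's permission")
	}
	return nil
}
```

The extension is issued as non-critical here, so a verifier that does not recognise the OID still accepts the certificate and simply ignores the permission; marking it critical makes such verifiers reject the certificate instead.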
20 Claims
1. A computer-implemented method for secure communications between devices, the steps of the method being performed by an intermediary computing device, comprising at least one processor, that provides authentication and privilege evaluation services to constrained devices, the method comprising:
- receiving, from a control device that is capable of transmitting control directives to a constrained smart device, a first X.509 certificate that binds an identity with a public encryption key and identifies the control device;
- retrieving, from the first X.509 certificate:
  - authentication information comprising the public encryption key;
  - a permission setting indicating that the control device is only permitted to submit a device configuration command to configure the constrained smart device specified by the first X.509 certificate, wherein other types of commands are not permitted; and
  - an extension, within the first X.509 certificate, comprising a request from the control device to interact with the constrained smart device that lacks resources to perform authentication and privilege evaluation, wherein the requested interaction comprises a request to submit a command to the constrained smart device;
- determining, based on the request included in the extension, that the control device is requesting to submit a command to the constrained smart device;
- additionally receiving, from the constrained smart device, a second X.509 certificate;
- retrieving, from the second X.509 certificate, authentication information that identifies the constrained smart device;
- analyzing the authentication information in the first X.509 certificate in an attempt to use the authentication information to authenticate the control device;
- analyzing the authentication information in the second X.509 certificate in an attempt to use the authentication information to authenticate the constrained smart device;
- authenticating the control device based on the analyzed authentication information in the first X.509 certificate;
- authenticating the constrained smart device based on the analyzed authentication information in the second X.509 certificate; and
- upon successful authentication of the control device and the constrained smart device and in response to the determination that the requested interaction comprises a request to submit a command to the constrained smart device, restricting the requested interaction based on the permission setting in the first X.509 certificate, wherein restricting the requested interaction comprises:
  - allowing the requested interaction in response to a determination that the requested interaction comprises a request to configure the constrained smart device; or
  - rejecting the requested interaction in response to a determination that the requested interaction comprises a request to perform a type of command that is not a request to configure the constrained smart device.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A system for secure communications between devices, the system comprising:
- a receiving module, stored in memory of an intermediary device that provides authentication and privilege evaluation services to constrained devices, that:
  - receives, from a control device that is capable of transmitting control directives to a constrained smart device, a first X.509 certificate that binds an identity with a public encryption key and identifies the control device;
  - retrieves, from the first X.509 certificate:
    - authentication information comprising the public encryption key;
    - a permission setting indicating that the control device is only permitted to submit a device configuration command to configure the constrained smart device specified by the first X.509 certificate, wherein other types of commands are not permitted; and
    - an extension, within the first X.509 certificate, comprising a request from the control device to interact with the constrained smart device that lacks resources to perform authentication and privilege evaluation, wherein the requested interaction comprises a request to submit a command to the constrained smart device;
  - determines, based on the request included in the extension, that the control device is requesting to submit a command to the constrained smart device;
  - additionally receives, from the constrained smart device, a second X.509 certificate;
  - retrieves, from the second X.509 certificate, authentication information that identifies the constrained smart device;
- an analysis module, stored in memory of the intermediary device, that:
  - analyzes the authentication information in the first X.509 certificate in an attempt to use the authentication information to authenticate the control device;
  - analyzes the authentication information in the second X.509 certificate in an attempt to use the authentication information to authenticate the constrained smart device;
- an authorization module, stored in memory of the intermediary device, that:
  - authenticates the control device based on the analyzed authentication information in the first X.509 certificate;
  - authenticates the constrained smart device based on the analyzed authentication information in the second X.509 certificate;
  - upon successful authentication of the control device and the constrained smart device and in response to the determination that the requested interaction comprises a request to submit a command to the constrained smart device, restricts the requested interaction based on the permission setting in the first X.509 certificate, wherein restricting the requested interaction comprises:
    - allowing the requested interaction in response to a determination that the requested interaction comprises a request to configure the constrained smart device; or
    - rejecting the requested interaction in response to a determination that the requested interaction comprises a request to perform a type of command that is not a request to configure the constrained smart device; and
- at least one physical processor configured to execute the receiving module, the analysis module, and the authorization module.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of an intermediary computing device that provides authentication and privilege evaluation services to constrained devices, cause the intermediary computing device to:
- receive, from a control device that is capable of transmitting control directives to a constrained smart device, a first X.509 certificate that binds an identity with a public encryption key and identifies the control device;
- retrieve, from the first X.509 certificate:
  - authentication information comprising the public encryption key;
  - a permission setting indicating that the control device is only permitted to submit a device configuration command to configure the constrained smart device specified by the first X.509 certificate, wherein other types of commands are not permitted; and
  - an extension, within the first X.509 certificate, comprising a request from the control device to interact with the constrained smart device that lacks resources to perform authentication and privilege evaluation, wherein the requested interaction comprises a request to submit a command to the constrained smart device;
- determine, based on the request included in the extension, that the control device is requesting to submit a command to the constrained smart device;
- additionally receive, from the constrained smart device, a second X.509 certificate;
- retrieve, from the second X.509 certificate, authentication information that identifies the constrained smart device;
- analyze the authentication information in the first X.509 certificate in an attempt to use the authentication information to authenticate the control device;
- analyze the authentication information in the second X.509 certificate in an attempt to use the authentication information to authenticate the constrained smart device;
- authenticate the control device based on the analyzed authentication information in the first X.509 certificate;
- authenticate the constrained smart device based on the analyzed authentication information in the second X.509 certificate; and
- upon successful authentication of the control device and the constrained smart device and in response to the determination that the requested interaction comprises a request to submit a command to the constrained smart device, restrict the requested interaction based on the permission setting in the first X.509 certificate, wherein restricting the requested interaction comprises:
  - allowing the requested interaction in response to a determination that the requested interaction comprises a request to configure the constrained smart device; or
  - rejecting the requested interaction in response to a determination that the requested interaction comprises a request to perform a type of command that is not a request to configure the constrained smart device.

Dependent claims: 16, 17, 18, 19, 20
Specification