Systems and methods for secure communications between devices

US 10,114,939 B1
Filed: 09/22/2014
Issued: 10/30/2018
Est. Priority Date: 09/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for secure communications between devices, the steps of the method being performed by an intermediary computing device, comprising at least one processor, that provides authentication and privilege evaluation services to constrained devices, the method comprising:

receiving, from a control device that is capable of transmitting control directives to a constrained smart device, a first X.509 certificate that binds an identity with a public encryption key and identifies the control device;

retrieving, from the first X.509 certificate;

authentication information comprising the public encryption key;

a permission setting indicating that the control device is only permitted to submit a device configuration command to configure the constrained smart device specified by the first X.509 certificate, wherein other types of commands are not permitted; and

an extension, within the first X.509 certificate, comprising a request from the control device to interact with the constrained smart device that lacks resources to perform authentication and privilege evaluation, wherein the requested interaction comprises a request to submit a command to the constrained smart device;

determining, based on the request included in the extension, that the control device is requesting to submit a command to the constrained smart device;

additionally receiving, from the constrained smart device, a second X.509 certificate;

retrieving, from the second X.509 certificate, authentication information that identifies the constrained smart device;

analyzing the authentication information in the first X.509 certificate in an attempt to use the authentication information to authenticate the control device;

analyzing the authentication information in the second X.509 certificate in an attempt to use the authentication information to authenticate the constrained smart device;

authenticating the control device based on the analyzed authentication information in the first X.509 certificate;

authenticating the constrained smart device based on the analyzed authentication information in the second X.509 certificate; and

upon successful authentication of the control device and the constrained smart device and in response to the determination that the requested interaction comprises a request to submit a command to the constrained smart device, restricting the requested interaction based on the permission setting in the first X.509 certificate, wherein restricting the requested interaction comprises;

allowing the requested interaction in response to a determination that the requested interaction comprises a request to configure the constrained smart device;

orrejecting the requested interaction in response to a determination that the requested interaction comprises a request to perform a type of command that is not a request to configure the constrained smart device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for secure communications between devices may include (1) receiving, from a control device that is capable of providing instructions to one or more smart devices, a security certificate that identifies the control device and also contains privilege information that indicates how the control device is allowed to interact with the smart devices, (2) receiving, from the control device, a request to interact with a smart device, (3) analyzing the privilege information in the security certificate to determine whether the requested interaction is allowed by the privilege, and (4) controlling the requested interaction based on whether the privilege information indicates that the requested interaction is allowed. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for secure communications between devices, the steps of the method being performed by an intermediary computing device, comprising at least one processor, that provides authentication and privilege evaluation services to constrained devices, the method comprising:
- receiving, from a control device that is capable of transmitting control directives to a constrained smart device, a first X.509 certificate that binds an identity with a public encryption key and identifies the control device;
  
  retrieving, from the first X.509 certificate;
  
  authentication information comprising the public encryption key;
  
  a permission setting indicating that the control device is only permitted to submit a device configuration command to configure the constrained smart device specified by the first X.509 certificate, wherein other types of commands are not permitted; and
  
  an extension, within the first X.509 certificate, comprising a request from the control device to interact with the constrained smart device that lacks resources to perform authentication and privilege evaluation, wherein the requested interaction comprises a request to submit a command to the constrained smart device;
  
  determining, based on the request included in the extension, that the control device is requesting to submit a command to the constrained smart device;
  
  additionally receiving, from the constrained smart device, a second X.509 certificate;
  
  retrieving, from the second X.509 certificate, authentication information that identifies the constrained smart device;
  
  analyzing the authentication information in the first X.509 certificate in an attempt to use the authentication information to authenticate the control device;
  
  analyzing the authentication information in the second X.509 certificate in an attempt to use the authentication information to authenticate the constrained smart device;
  
  authenticating the control device based on the analyzed authentication information in the first X.509 certificate;
  
  authenticating the constrained smart device based on the analyzed authentication information in the second X.509 certificate; and
  
  upon successful authentication of the control device and the constrained smart device and in response to the determination that the requested interaction comprises a request to submit a command to the constrained smart device, restricting the requested interaction based on the permission setting in the first X.509 certificate, wherein restricting the requested interaction comprises;
  
  allowing the requested interaction in response to a determination that the requested interaction comprises a request to configure the constrained smart device;
  
  orrejecting the requested interaction in response to a determination that the requested interaction comprises a request to perform a type of command that is not a request to configure the constrained smart device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising creating the permission setting by:
    - requesting from a user an indication of how the control device is permitted to interact with the constrained smart device; and
      
      receiving from the user an indication of how the control device is permitted to interact with the constrained smart device.
  - 3. The computer-implemented method of claim 2, wherein the request for the indication is sent to the user in response to at least one of receiving the first X.509 certificate for the control device and receiving the request to interact with the constrained smart device.
  - 4. The computer-implemented method of claim 1, wherein receiving the first X.509 certificate comprises receiving the first X.509 certificate as part of an authentication process.
  - 5. The computer-implemented method of claim 1, wherein the authentication process comprises an authentication process managed by the intermediary device.
  - 6. The computer-implemented method of claim 1, wherein rejecting the requested interaction comprises ignoring the requested interaction.
  - 7. The computer-implemented method of claim 1, wherein rejecting the requested interaction comprises transmitting a message rejecting the requested interaction.

8. A system for secure communications between devices, the system comprising:
- a receiving module, stored in memory of an intermediary device that provides authentication and privilege evaluation services to constrained devices, that;
  
  receives, from a control device that is capable of transmitting control directives to a constrained smart device, a first X.509 certificate that binds an identity with a public encryption key and identifies the control device;
  
  retrieves, from the first X.509 certificate;
  
  authentication information comprising the public encryption key;
  
  a permission setting indicating that the control device is only permitted to submit a device configuration command to configure the constrained smart device specified by the first X.509 certificate, wherein other types of commands are not permitted; and
  
  an extension, within the first X.509 certificate, comprising a request from the control device to interact with the constrained smart device that lacks resources to perform authentication and privilege evaluation, wherein the requested interaction comprises a request to submit a command to the constrained smart device;
  
  determines, based on the request included in the extension, that the control device is requesting to submit a command to the constrained smart device;
  
  additionally receives, from the constrained smart device, a second X.509 certificate;
  
  retrieves, from the second X.509 certificate, authentication information that identifies the constrained smart device;
  
  an analysis module, stored in memory of the intermediary device, that;
  
  analyzes the authentication information in the first X.509 certificate in an attempt to use the authentication information to authenticate the control device;
  
  analyzes the authentication information in the second X.509 certificate in an attempt to use the authentication information to authenticate the constrained smart device;
  
  an authorization module, stored in memory of the intermediary device, that;
  
  authenticates the control device based on the analyzed authentication information in the first X.509 certificate;
  
  authenticates the constrained smart device based on the analyzed authentication information in the second X.509 certificate;
  
  upon successful authentication of the control device and the constrained smart device and in response to the determination that the requested interaction comprises a request to submit a command to the constrained smart device, restricts the requested interaction based on the permission setting in the first X.509 certificate, wherein restricting the requested interaction comprises;
  
  allowing the requested interaction in response to a determination that the requested interaction comprises a request to configure the constrained smart device;
  
  orrejecting the requested interaction in response to a determination that the requested interaction comprises a request to perform a type of command that is not a request to configure the constrained smart device; and
  
  at least one physical processor configured to execute the receiving module, the analysis module, and the authorization module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, further comprising a permissions module, stored in memory of the intermediary device, that creates the permission setting by:
    - requesting from a user an indication of how the control device is permitted to interact with the constrained smart device; and
      
      receiving from the user an indication of how the control device is permitted to interact with the constrained smart device.
  - 10. The system of claim 9, wherein the permissions module sends the request to the user in response to at least one of receiving the first X.509 certificate for the control device and receiving the request to interact with the constrained smart device.
  - 11. The system of claim 8, wherein the receiving module receives the request as part of an authentication process.
  - 12. The system of claim 8, wherein the authentication process comprises an authentication process managed by the intermediary device.
  - 13. The system of claim 8, wherein the authorization module rejects the requested interaction by ignoring the requested interaction.
  - 14. The system of claim 8, wherein the authorization module rejects the requested interaction by transmitting a message rejecting the requested interaction.

15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of an intermediary computing device that provides authentication and privilege evaluation services to constrained devices, cause the intermediary computing device to:
- receive, from a control device that is capable of transmitting control directives to a constrained smart device, a first X.509 certificate that binds an identity with a public encryption key and identifies the control device;
  
  retrieve, from the first X.509 certificate;
  
  authentication information comprising the public encryption key;
  
  a permission setting indicating that the control device is only permitted to submit a device configuration command to configure the constrained smart device specified by the first X.509 certificate, wherein other types of commands are not permitted; and
  
  an extension, within the first X.509 certificate, comprising a request from the control device to interact with the constrained smart device that lacks resources to perform authentication and privilege evaluation, wherein the requested interaction comprises a request to submit a command to the constrained smart device;
  
  determine, based on the request included in the extension, that the control device is requesting to submit a command to the constrained smart device;
  
  additionally receive, from the constrained smart device, a second X.509 certificate;
  
  retrieve, from the second X.509 certificate, authentication information that identifies the constrained smart device;
  
  analyze the authentication information in the first X.509 certificate in an attempt to use the authentication information to authenticate the control device;
  
  analyze the authentication information in the second X.509 certificate in an attempt to use the authentication information to authenticate the constrained smart device;
  
  authenticate the control device based on the analyzed authentication information in the first X.509 certificate;
  
  authenticate the constrained smart device based on the analyzed authentication information in the second X.509 certificate; and
  
  upon successful authentication of the control device and the constrained smart device and in response to the determination that the requested interaction comprises a request to submit a command to the constrained smart device, restrict the requested interaction based on the permission setting in the first X.509 certificate, wherein restricting the requested interaction comprises;
  
  allowing the requested interaction in response to a determination that the requested interaction comprises a request to configure the constrained smart device;
  
  orrejecting the requested interaction in response to a determination that the requested interaction comprises a request to perform a type of command that is not a request to configure the constrained smart device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the computer-readable instructions further cause the intermediary computing device to create the permission setting by:
    - requesting from a user an indication of how the control device is permitted to interact with the constrained smart device; and
      
      receiving from the user an indication of how the control device is permitted to interact with the constrained smart device.
  - 17. The non-transitory computer-readable medium of claim 16, wherein the request for the indication is sent to the user in response to at least one of receiving the first X.509 certificate for the control device and receiving the request to interact with the constrained smart device.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the intermediary computing device receives the first X.509 certificate as part of an authentication process.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the authentication process comprises an authentication process managed by the intermediary device.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the computer-readable instructions cause the intermediary computing device to reject the requested interaction by at least one of:
    - ignoring the requested interaction; and
      
      transmitting a message rejecting the requested interaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bhalerao, Kokil
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Malinowski, Walter J

Application Number

US14/492,103
Time in Patent Office

1,499 Days
Field of Search

726 30, 713156, 713175
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 63/0823   using certificates cryptogr...

H04L 67/12   specially adapted for propr...

H04L 9/3263   involving certificates, e.g...

H04W 12/069   using certificates or pre-s...

Systems and methods for secure communications between devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure communications between devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links