Data structure for use as a positive list in a device, method for updating a positive list and device

US 10,461,941 B2
Filed: 03/13/2017
Issued: 10/29/2019
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A device comprising:

an update unit including a processor, anda memory;

wherein the update unit provides a data structure for use as a positive list in the device,wherein the memory stores the positive list;

wherein the positive list includes an entry for each permitted communication partner of the device each entry having;

a first identifier that explicitly identifies a permitted communication partner;

a value of a predetermined certificate field that identifies a certificate as explicitly associated with the permitted communication partner; and

a respective check value from at least one certificate of the permitted communication partner that explicitly identifies the at least one certificate;

wherein the data structure at least temporarily contains the respective check value of the at least one certificate of the permitted communication partner and a new check value of a new certificate of the permitted communication partner such that both the new certificate and the at least one certificate of the permitted communication partner are identifiable as valid certificates, wherein the new check value explicitly identifies the new certificate;

wherein an updated check value is transmitted to the device via a connection authenticated using the at least one certificate, and the new check value is transmitted via a connection authenticated using the new certificate, and the new certificate is identified in the positive list only if the new check value or a third check value derived from the new check value matches the updated check value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data structure is provided for use as a positive list in a device, including an entry for each permitted communication partner of the device having a first identifier that explicitly identifies the communication partner, a value of a predetermined certificate field that identifies a certificate as explicitly associated with the communication partner, and a respective check value from at least one certificate of a communication partner that explicitly identifies the certificate. A method for updating the positive list for certificates from permitted communication partners of a device comprises the method steps of receiving a new certificate from a communication partner in the device, checking whether the positive list has an entry having an identifier of the communication partner and a value of a predetermined certificate field from the new certificate.

Citations

20 Claims

1. A device comprising:
- an update unit including a processor, anda memory;
  
  wherein the update unit provides a data structure for use as a positive list in the device,wherein the memory stores the positive list;
  
  wherein the positive list includes an entry for each permitted communication partner of the device each entry having;
  
  a first identifier that explicitly identifies a permitted communication partner;
  
  a value of a predetermined certificate field that identifies a certificate as explicitly associated with the permitted communication partner; and
  
  a respective check value from at least one certificate of the permitted communication partner that explicitly identifies the at least one certificate;
  
  wherein the data structure at least temporarily contains the respective check value of the at least one certificate of the permitted communication partner and a new check value of a new certificate of the permitted communication partner such that both the new certificate and the at least one certificate of the permitted communication partner are identifiable as valid certificates, wherein the new check value explicitly identifies the new certificate;
  
  wherein an updated check value is transmitted to the device via a connection authenticated using the at least one certificate, and the new check value is transmitted via a connection authenticated using the new certificate, and the new certificate is identified in the positive list only if the new check value or a third check value derived from the new check value matches the updated check value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14)
- - 2. The device as claimed in claim 1, wherein the respective check value of the certificate is a value generated using a one-way function for the certificate.
  - 3. The device as claimed in claim 1, wherein the first identifier and the value of the certificate field of all entries are digitally signed.
  - 4. The device as claimed in claim 1, wherein the predetermined certificate field is the certificate holder.
  - 5. The device as claimed in claim 1, wherein an entry for the permitted communication partner additionally contains a serial number of a device certificate of the permitted communication partner.
  - 6. The device as claimed in claim 1, wherein the device notifies all communication partners contained in the positive list of an update of its own certificate.
  - 7. The device as claimed in claim 1, wherein the respective check value of the at least one certificate of the permitted communication partner is removed after a predetermined period of time.
  - 9. The method as claimed in claim 7, wherein the new check value is ascertained from the received certificate by the device.
  - 10. The method as claimed in claim 7, wherein the new certificate is included in the positive list only if the new certificate has been issued at a time after the at least one certificate.
  - 11. The method as claimed in claim 7, wherein the new certificate is included in the positive list only if the new certificate and the at least one certificate have additionally been issued by the same certification center.
  - 12. The method as claimed in claim 7, wherein the new certificate is included in the positive list only if the new certificate additionally contains the respective check value of the at least one certificate, in an attribute certificate.
  - 13. The method as claimed in claim 7, wherein the new certificate is included in the positive list only if the device is in a predetermined state.
  - 14. The method as claimed in claim 7, wherein the new certificate is included in the positive list only if at least one prescribed subset of fields of the at least one certificate is contained in the new certificate.

8. A method for updating a positive list for certificates from permitted communication partners of a device, comprising:
- providing, by the device, a data structure for use as a positive list, the positive list including an entry for each permitted communication partner of the device, each entry having;
  
  a first identifier that explicitly identifies a permitted communication partner;
  
  a value of a predetermined certificate field that identifies a certificate as explicitly associated with the permitted communication partner; and
  
  a respective check value from at least one certificate of the permitted communication partner that explicitly identifies the at least one certificate;
  
  receiving, by the device, a new certificate from a communication partner;
  
  checking whether the positive list has an entry having an identifier of the communication partner and a value of a predetermined certificate field from the new certificate;
  
  andincluding a new check value, which explicitly identifies the new certificate, in the positive list when the positive list has an entry having the identifier of the communication partner and the value of a predetermined certificate field from the new certificate wherein an updated check value is transmitted to the device via a connection authenticated using the at least one certificate, and the new check value is transmitted via a connection authenticated using the new certificate, and the new certificate is identified in the positive list only if the new check value or a third check value derived from the new check value matches the updated check value.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method as claimed in claim 8, wherein the device reports the new certificate of the communication partner to a monitoring apparatus, and the device initiates measures on receiving a negative check result from the monitoring apparatus.
  - 16. The method as claimed in claim 8, wherein the new certificate and at least one certificate are entered into the positive list as valid and the at least one certificate becomes invalid after a predeterminable period of time has passed or after a positive check result is received or the validity period of the at least one certificate has expired.
  - 17. The method as claimed in claim 8, wherein the device uses a cryptographically protected message to notify all communication partners cited in the positive list of the change of certificate of the communication partner.
  - 18. The method as claimed in claim 8, wherein the communication partner, on a change of its certificate, additionally transmits its device certificate to the device for authentication.
  - 19. A computer program product, comprising a computer readable hardware storage device having computer readable program code stored therein, said program code executable by a processor of a computer system to implement a method loadable directly into a memory of a digital computer, comprising program code parts that are suitable for performing the steps of the method as claimed in claim 8.

20. A method comprising:
- providing a data structure for use as a positive list in a device, the positive list including an entry for a first permitted communication partner of the device, wherein the entry includes;
  
  a first identifier that explicitly identifies the first permitted communication partner;
  
  a value of a predetermined certificate field that identifies a first certificate as explicitly associated with the first permitted communication partner; and
  
  a first check value from the first certificate of the first permitted communication partner that explicitly identifies the first certificate;
  
  receiving, by the device, a second certificate from the first permitted communication partner;
  
  checking, by the device, whether the positive list has an entry having an identifier of the first permitted communication partner and a value of the predetermined certificate field that identifies the second certificate as explicitly associated with the first permitted communication partner;
  
  including a second check value in the entry when the positive list has an entry having an identifier of the first permitted communication partner and a value of the predetermined certificate field that identifies the second certificate as explicitly associated with the first permitted communication partner, wherein the second check value explicitly identifies the second certificate; and
  
  removing the first check value after a predetermined period of time,wherein an updated check value is transmitted to the device via a connection authenticated using the first certificate, and the second check value is transmitted via a connection authenticated using the second certificate, and the second certificate is identified in the positive list only if the second check value or a third check value derived from the second check value matches the updated check value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Brockhaus, Hendrik, Falk, Rainer, Seltzsam, Stefan
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US15/457,245
Publication Number

US 20170288880A1
Time in Patent Office

960 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0891   Revocation or update of sec...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

Data structure for use as a positive list in a device, method for updating a positive list and device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Data structure for use as a positive list in a device, method for updating a positive list and device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links