Legitimacy verification of a node in a distributed network

US 10,742,409 B2
Filed: 12/12/2017
Issued: 08/11/2020
Est. Priority Date: 12/13/2016
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a node in a distributed network,wherein the distributed network comprises a plurality of nodes connected to a shared medium of the distributed network,wherein each of the plurality of nodes is provisioned with an identity certificate comprising a public key, a private key associated with the public key and an identification sequence, wherein the identification sequence is unique to the system comprising the distributed network,said method comprising:

a second node of the plurality of nodes, generating a node authenticity related information for authenticating at a first node of the plurality of nodes, wherein the node authenticity related information comprises a signature generated using the private key of the second node from a sequence, which comprises the identification sequence; and

the second node, transmitting the node authenticity related information together with the identity certificate provisioned at the second node to the first node, wherein the first node is enabled to perform an authentication verification using the signature and the public key included in the identity certificate comprised in the receive request and the identification sequence, with which the first node is provisioned.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of authenticating a node in a distributed network is provided. The distributed network comprises a plurality of nodes connected to a shared medium of the distributed network. Each of the plurality of nodes is provisioned with an identity certificate comprising a public key, a private key associated with the public key and an identification sequence. The identification sequence is unique to the system comprising the distributed network. A second node of the plurality of nodes generates a node authenticity related information for authenticating at a first node of the plurality of nodes. The node authenticity related information comprises a signature generated using the private key of the second node from a sequence, which comprises the identification sequence. The second node transmits the node authenticity related information together with the identity certificate provisioned at the second node to the first node.

21 Citations

19 Claims

1. A method of authenticating a node in a distributed network,wherein the distributed network comprises a plurality of nodes connected to a shared medium of the distributed network,wherein each of the plurality of nodes is provisioned with an identity certificate comprising a public key, a private key associated with the public key and an identification sequence, wherein the identification sequence is unique to the system comprising the distributed network,said method comprising:
- a second node of the plurality of nodes, generating a node authenticity related information for authenticating at a first node of the plurality of nodes, wherein the node authenticity related information comprises a signature generated using the private key of the second node from a sequence, which comprises the identification sequence; and
  
  the second node, transmitting the node authenticity related information together with the identity certificate provisioned at the second node to the first node, wherein the first node is enabled to perform an authentication verification using the signature and the public key included in the identity certificate comprised in the receive request and the identification sequence, with which the first node is provisioned.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 15)
- - 2. The method of claim 1,wherein the identification sequence is a vehicle identification number.
  - 3. The method of claim 1, wherein the sequence further comprises a timestamp sequence.
  - 4. The method of claim 1, wherein at least the second node and the first node are each provisioned with an ephemeral key pair comprising an ephemeral pubic key and an ephemeral private key,wherein the sequence further comprises the ephemeral public key of the second node and the ephemeral public key of the first node.
  - 5. The method of claim 4, wherein the method further comprisesthe second node, generating a shared secret key using the ephemeral private key of the second node and the ephemeral public key of the first node in accordance with the Diffie-Hellman key exchange procedure;
    - andthe second node, encrypting the signature using the shared secret key.
  - 6. The method of claim 1, wherein the identity certificate is signed by a certificate authority, wherein each of the plurality of nodes is provisioned with a public key of the certificate authority and enabled to verify the identity certificate of any other node using the public key of the certificate authority.
  - 7. The method of claim 1, wherein the authenticating of a node in a distributed network is used for legitimacy verification of one or more nodes participating in procedure of updating and distributing secret keys in the distributed network.
  - 8. The method of claim 7,wherein each node of the plurality of nodes is member of at least one group of a plurality of groups, wherein each group is associated with a secret group key, wherein each node of the plurality of nodes stores only the one or more secret group keys, of which it is member, wherein the updating and distributing secret keys in the distributed network further comprises:
    - the first node of the plurality of nodes, generating an authenticated update key request, wherein the authenticated update key request comprises an indication of a membership, of which the first node is member;
      
      the first node, broadcasting the authenticated update key request on the shared medium of the distributed network;
      
      each remaining node of the plurality of nodes, receiving the authenticated key update;
      
      each remaining node, performing an authentication verification based on the authenticated key update request;
      
      each remaining node, matching the respective memberships with the indication of a membership of the first node comprised in the authenticated key update request;
      
      each remaining node, in case of at least a partial matching of memberships, generating an authenticated update key request response, which comprises an indication of the membership of the respective remaining node;
      
      each remaining node, in case of a partial matching of memberships or a mismatch of the memberships, generating an authenticated update key request and broadcasting the authenticated update key request on the shared medium of the distributed network, wherein the authenticated update key request comprises an indication of a membership, of which the respective remaining node is member.
  - 9. The method according to claim 8, further comprising:
    - the first node, receiving an authenticated key update request response from the second node, wherein the second node is one of the remaining nodes having detected at least a partial match of the memberships;
      
      the first node, performing an authentication verification based on the authenticated key update request;
      
      the first node, generating an authenticated key update response including one or more secret keys according to a matching of the membership of the first node and the membership of the second node; and
      
      the first node, sending the authenticated key update response to the second node via a secure channel.
  - 15. The system of claim 9, wherein the identity certificate is signed by a certificate authority, wherein each of the plurality of nodes is provisioned with a public key of the certificate authority and enabled to verify the identity certificate of any other node using the public key of the certificate authority.

10. A system comprising a plurality of node connected to a shared medium of the distributed network,wherein each of the plurality of nodes is provisioned with an identity certificate comprising a public key, a private key associated with the public key and an identification sequence, wherein the identification sequence is unique to the system comprising the distributed network,wherein a second node of the plurality of nodes is configured togenerate a node authenticity related information for authenticating at a first node of the plurality of nodes, wherein the second node authenticity related information comprises a signature generated using the private key of the second node from a sequence, which comprises the identification sequence;
- andtransmit the node authenticity related information together with the identity certificate provisioned at the second node to the other node, wherein the first node is enabled to perform an authentication verification using the signature and the public key included in the identity certificate comprised in the receive request and the identification sequence, with which the first node is provisioned.
- View Dependent Claims (11, 12, 13, 14, 16, 17, 18, 19)
- - 11. The system of claim 10,wherein the identification sequence is a vehicle identification number.
  - 12. The system of claim 10,wherein the sequence further comprises a timestamp sequence.
  - 13. The system of claim 10,wherein at least the second node and the first node are each provisioned with an ephemeral key pair comprising an ephemeral pubic key and an ephemeral private key,wherein the sequence further comprises the ephemeral public key of the second node and the ephemeral public key of the first node.
  - 14. The system of claim 10, wherein the second node is further configured toto generate a shared secret key using the ephemeral private key of the second node and the ephemeral public key of the first node in accordance with the Diffie-Hellman key exchange procedure;
    - andto encrypt the signature using the shared secret key.
  - 16. The system of claim 10, wherein the authenticating of the node in a distributed network is used for legitimacy verification of one or more nodes participating in procedure of updating and distributing secret keys in the distributed network.
  - 17. The system of claim 16,wherein each node of the plurality of nodes is member of at least one group of a plurality of groups, wherein each group is associated with a secret group key, wherein each node of the plurality of nodes stores only the one or more secret group keys, of which it is member, wherein for updating and distributing secret keys in the distributed network:
    - the first node is configured to generate an authenticated update key request, wherein the authenticated update key request comprises an indication of a membership, of which the first node is member;
      
      the first node is configured to broadcast the authenticated update key request on the shared medium of the distributed network;
      
      each remaining node of the plurality of nodes is configured to receive the authenticated key update;
      
      each remaining node is configured to perform an authentication verification based on the authenticated key update request;
      
      each remaining node is configured to match the respective memberships with the indication of a membership of the first node comprised in the authenticated key update request;
      
      each remaining node is configured, in case of at least a partial matching of memberships, to generate an authenticated update key request response, which comprises an indication of the membership of the respective remaining node;
      
      each remaining node is configured, in case of a partial matching of memberships or a mismatch of the memberships, to generate an authenticated update key request and broadcasting the authenticated update key request on the shared medium of the distributed network, wherein the authenticated update key request comprises an indication of a membership, of which the respective remaining node is member.
  - 18. The system according to claim 17,wherein the first node is configured to receive an authenticated key update request response from the second node, wherein the second node is one of the remaining nodes having detected at least a partial match of the memberships;
    - wherein the first node is configured to perform an authentication verification based on the authenticated key update request;
      
      wherein the first node is configured to generate an authenticated key update response including one or more secret keys according to a matching of the membership of the first node and the membership of the second node;
      
      wherein the first node is configured to send the authenticated key update response to the second node via a secure channel.
  - 19. The system according to claim 18, wherein the authenticated key update request response comprises the node authenticity related information relating to the second node,wherein the first node is configured to perform an authentication verification based on the node authenticity related information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NXP B.V. (NXP Semiconductors NV)
Original Assignee
NXP B.V. (NXP Semiconductors NV)
Inventors
Walrant, Thierry G. C.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kaplan, Benjamin A

Application Number

US15/839,783
Publication Number

US 20180167218A1
Time in Patent Office

973 Days
Field of Search

713176
US Class Current
CPC Class Codes

H04L 2012/40215   Controller Area Network CAN

H04L 63/065   for group communications cr...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/101   Access control lists [ACL]

H04L 63/12   Applying verification of th...

H04L 63/126   the source of the received ...

H04L 9/0822   using key encryption key

H04L 9/0833   involving conference or gro...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321   involving a third party or ...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04W 12/06 : Authentication

H04W 12/069 : using certificates or pre-s...

H04W 12/12 : Detection or prevention of ...

H04W 12/122 : Counter-measures against at...

View All

Legitimacy verification of a node in a distributed network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Legitimacy verification of a node in a distributed network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links