Method, apparatus, and program product for automatically provisioning secure network elements

US 20040107366A1
Filed: 09/05/2003
Published: 06/03/2004
Est. Priority Date: 08/30/2002
Status: Active Grant

First Claim

Patent Images

1. A computer controlled method comprising:

establishing communication between a provisioning device and a network device over a preferred channel;

exchanging key commitment information over said preferred channel between said provisioning device and said network device to pre-authenticate said network device; and

providing provisioning information to said network device over said preferred channel, whereby said network device can automatically configure itself for communication over a network responsive to said provisioning information.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.

Citations

55 Claims

1. A computer controlled method comprising:
- establishing communication between a provisioning device and a network device over a preferred channel;
  
  exchanging key commitment information over said preferred channel between said provisioning device and said network device to pre-authenticate said network device; and
  
  providing provisioning information to said network device over said preferred channel, whereby said network device can automatically configure itself for communication over a network responsive to said provisioning information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer controlled method of claim 1, wherein said provisioning information comprises network configuration information.
  - 3. The computer controlled method of claim 1, further comprising receiving a public key from said network device;
    - verifying said public key with said key commitment information; and
      
      automatically provisioning said network device with a credential authorized by a credential issuing authority.
  - 4. The computer controlled method of claim 3, further comprising establishing proof that said network device is in possession of a private key corresponding to said public key.
  - 5. The computer controlled method of claim 3, wherein said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 6. The computer controlled method of claim 3, wherein the step of automatically provisioning is responsive to authorization from a registration agent.
  - 7. The computer controlled method of claim 1, wherein said preferred channel is a location-limited channel.
  - 8. The computer controlled method of claim 1, wherein said preferred channel has a demonstrative identification property and an authenticity property.
  - 9. The computer controlled method of claim 1, wherein the network is a wireless network, and wherein said provisioning device is a wireless access point.
  - 10. The computer controlled method of claim 9, further comprising:
    - receiving a wireless communication;
      
      determining whether said wireless communication originated from said network device or from a second network device that was not provisioned by said wireless access point; and
      
      routing said wireless communication responsive to the step of determining.
  - 11. The computer controlled method of claim 10, wherein the step of routing comprises:
    - choosing a selected channel from a secure channel and an insecure channel responsive to the step of determining; and
      
      sending said wireless communication through said selected channel.
  - 12. The computer controlled method of claim 1, wherein said provisioning device is in communication with a credential issuing authority.

13. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method to provision a network device, the method comprising steps of:
- establishing communication between a provisioning device and said network device over a preferred channel;
  
  exchanging key commitment information over said preferred channel between said provisioning device and said network device to pre-authenticate said network device; and
  
  providing provisioning information to said network device over said preferred channel, whereby said network device can automatically configure itself for communication over a network responsive to said provisioning information.
- View Dependent Claims (14, 15)
- - 14. The computer-readable storage medium of claim 13, further comprising receiving a public key from said network device;
    - verifying said public key with said key commitment information; and
      
      automatically provisioning said network device with a credential authorized by a credential issuing authority.
  - 15. The computer-readable storage medium of claim 13, wherein the network is a wireless network, and wherein said provisioning device is a wireless access point.

16. An apparatus for provisioning a network device comprising:
- at least one port configured to establish a preferred channel;
  
  a preferred communication mechanism configured to be able to establish communication with and said network device over said preferred channel;
  
  a pre-authentication mechanism configured to be able to receive key commitment information over said preferred channel from said network device; and
  
  a provisioning mechanism configured to be able to provide provisioning information to said network device over said preferred channel, whereby said network device can automatically configure itself for communication over a network responsive to said provisioning information.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The apparatus of claim 16, wherein said provisioning information comprises network configuration information.
  - 18. The apparatus of claim 16, further comprising a key reception mechanism configured to receive a public key;
    - a key verification mechanism configured to verify said public key with said key commitment information; and
      
      a credential provisioning mechanism configured to automatically provide a credential authorized by a credential issuing authority.
  - 19. The apparatus of claim 18, further comprising a key exchange mechanism configured to be able to perform a key exchange protocol with said network device.
  - 20. The apparatus of claim 18, wherein said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 21. The apparatus of claim 16, wherein said preferred channel is a location-limited channel.
  - 22. The apparatus of claim 16, wherein the network is a wireless network, and the apparatus further comprises a wireless access point mechanism.
  - 23. The apparatus of claim 22, further comprising:
    - a packet receiver mechanism configured to receive a wireless communication;
      
      a determination mechanism configured to determine whether said wireless communication received by the packet receiver mechanism originated from said network device or from a second network device that was not provisioned by said wireless access point; and
      
      a router mechanism configured to route said wireless communication responsive to the determination mechanism.
  - 24. The apparatus of claim 23, wherein the router mechanism further comprises:
    - a channel selection mechanism configured to choose a selected channel from a secure channel and an insecure channel responsive to the determination mechanism; and
      
      a transmission mechanism configured to send said wireless communication through said selected channel.
  - 25. The apparatus of claim 16, further comprising a non-preferred communication mechanism that can be used to communicate with a credential issuing authority.

26. A computer controlled method comprising:
- establishing communication between a network device and a provisioning device over a preferred channel;
  
  receiving provisioning information from said provisioning device over said preferred channel;
  
  exchanging key commitment information over said preferred channel between said provisioning device and said network device to pre-authenticate said network device; and
  
  automatically configuring said network device for communication over a network responsive to said provisioning information.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 27. The computer controlled method of claim 26, further comprising executing a key exchange protocol.
  - 28. The computer controlled method of claim 27, further comprising establishing a communication channel between said network device and a credential issuing authority responsive to the step of executing wherein said communication channel is secure.
  - 29. The computer controlled method of claim 26, wherein the network is a wireless network, said provisioning device is a wireless access point, and wherein said provisioning information comprises a service set identifier (SSID).
  - 30. The computer controlled method of claim 29, wherein the network is a wireless network, said provisioning device is a wireless access point, and wherein said provisioning information comprises a privacy key.
  - 31. The computer controlled method of claim 26, wherein said provisioning information comprises a credential.
  - 32. The computer controlled method of claim 26, further comprising receiving a public key from said provisioning device;
    - verifying said public key with said key commitment information; and
      
      automatically provisioning said network device with a credential authorized by a credential issuing authority.
  - 33. The computer controlled method of claim 32, wherein the network is a wireless network, said provisioning device is a wireless access point, and wherein said provisioning information comprises a service set identifier (SSID).
  - 34. The computer controlled method of claim 33, wherein the network is a wireless network, said provisioning device is a wireless access point, and wherein said provisioning information comprises a privacy key.
  - 35. The computer controlled method of claim 32, wherein said provisioning information comprises network configuration information.
  - 36. The computer controlled method of claim 32, wherein the step of automatically provisioning is responsive to authorization from a registration agent.
  - 37. The computer controlled method of claim 32, wherein said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 38. The computer controlled method of claim 26, wherein said preferred channel is a location-limited channel.
  - 39. The computer controlled method of claim 26, wherein said preferred channel has a demonstrative identification property and an authenticity property.
  - 40. The computer controlled method of claim 26, wherein said network device is from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.

41. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method to automatically provision a network device, the method comprising steps of:
- establishing communication between said network device and a provisioning device over a preferred channel;
  
  receiving provisioning information from said provisioning device over said preferred channel;
  
  exchanging key commitment information over said preferred channel between said provisioning device and said network device to pre-authenticate said network device; and
  
  automatically configuring said network device for communication over a network responsive to said provisioning information.
- View Dependent Claims (42, 43)
- - 42. The computer-readable storage medium of claim 41, wherein said preferred channel has a demonstrative identification property and an authenticity property.
  - 43. The computer-readable storage medium of claim 41, wherein said network device is from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.

44. An apparatus comprising:
- at least one port configured to establish a preferred channel;
  
  a preferred channel communication mechanism configured to be able to establish communication with a provisioning device over said preferred channel;
  
  a receiver mechanism configured to be able to receive provisioning information from said provisioning device over said preferred channel;
  
  a pre-authentication mechanism configured to be able to receive key commitment information over said preferred channel from said provisioning device; and
  
  a communication setup mechanism configured to automatically configure the apparatus for communication over a network responsive to said provisioning information received by the receiver mechanism.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 45. The apparatus of claim 44, wherein said provisioning information comprises network configuration information.
  - 46. The apparatus of claim 44, wherein the network is a wireless network, said provisioning device is a wireless access point, and wherein said provisioning information comprises a service set identifier (SSID).
  - 47. The apparatus of claim 44, wherein said provisioning information comprises a credential.
  - 48. The apparatus of claim 44, further comprising a key exchange mechanism configured to execute a key exchange protocol.
  - 49. The apparatus of claim 44, further comprising a key reception mechanism configured to receive a public key;
    - a key verification mechanism configured to verify said public key with said key commitment information; and
      
      a credential receiver mechanism configured to receive a credential authorized by a credential issuing authority.
  - 50. The apparatus of claim 49, wherein the credential receiver mechanism is capable of being responsive to authorization from a registration agent.
  - 51. The apparatus of claim 49, wherein the network is a wireless network, said provisioning device is a wireless access point, and wherein said provisioning information comprises a service set identifier (SSID).
  - 52. The apparatus of claim 51, wherein the network is a wireless network, said provisioning device is a wireless access point, and wherein said provisioning information comprises a privacy key.
  - 53. The apparatus of claim 49, wherein said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 54. The apparatus of claim 44, wherein said preferred channel is a location-limited channel.
  - 55. The apparatus of claim 44, wherein the apparatus is from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Xerox Corporation (Xerox Holdings Corp.)
Inventors
Smetters, Diana K., Balfanz, Dirk, Durfee, Glenn E., Wong, Hao-Chi, Grinter, Rebecca E., Stewart, Paul Joseph

Granted Patent

US 7,581,096 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 12/1822   Conducting the conference, ...

H04L 63/0492   by using a location-limited...

H04L 63/065   for group communications cr...

H04L 63/0853   using an additional device,...

H04L 67/12   specially adapted for propr...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04W 12/062   Pre-authentication

Method, apparatus, and program product for automatically provisioning secure network elements

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, and program product for automatically provisioning secure network elements

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links