Secure network channel

US 20050188193A1
Filed: 02/20/2004
Published: 08/25/2005
Est. Priority Date: 02/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a secure communication channel between a first network device and a second network device that controls the first network device, comprising:

receiving, at the second network device, at least one authentication certificate from the first network device, wherein the at least one authentication certificate includes an authentication key;

searching a data store associated with the second network device for an authentication certificate that matches the at least one authentication certificate received from the first network device;

if the data store includes a matching authentication certificate, then implementing a secure communication channel using information derived from the matching authentication certificate; and

if the data store does not include a matching authentication certificate, then;

computing a master secret from information associated with the at least one authentication certificate received from the first network device; and

implementing a secure communication channel using information derived from the new master secret.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for establishing a secure network channel between two ore more devices in a communication network are disclosed. In exemplary implementations the network may be a UPnP network. A first device passes authentication information to at least a second device to permit the second device to authenticate the first device. Optionally, the first device may request to authenticate the second device, in which authentication information associated with the second device is passed to the first device. The first device uses this information to authenticate the second device. At least one of the first and second device may store authentication information in an data store associated with the device.

Citations

25 Claims

1. A method of establishing a secure communication channel between a first network device and a second network device that controls the first network device, comprising:
- receiving, at the second network device, at least one authentication certificate from the first network device, wherein the at least one authentication certificate includes an authentication key;
  
  searching a data store associated with the second network device for an authentication certificate that matches the at least one authentication certificate received from the first network device;
  
  if the data store includes a matching authentication certificate, then implementing a secure communication channel using information derived from the matching authentication certificate; and
  
  if the data store does not include a matching authentication certificate, then;
  
  computing a master secret from information associated with the at least one authentication certificate received from the first network device; and
  
  implementing a secure communication channel using information derived from the new master secret.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the at least one authentication certificate comprises an X.509 certificate.
  - 3. The method of claim 1, further comprising:
    - transmitting from the second network device to the first network device an introductory message including a first session identifier and a list of one or more cipher suites; and
      
      receiving at the second device, a response to the introductory message, wherein the response includes a second session identifier and an indicator identifying a selected cipher suite.
  - 4. The method of claim 3, further comprising implementing a secure communication channel using the first session identifier if the first session identifier matches the second session identifier.
  - 5. The method of claim 1, wherein computing a master secret from information associated with the at least one authentication certificate received from the first network device comprises verifying the authentication certificate received from the first network device using the authentication key.

6. A method of adding a device to a UPnP network, comprising:
- retrieving, at a control point in the UPnP network, a device description associated with the UPnP device;
  
  invoking, at the control point, a first authentication process to authenticate the device with the control point;
  
  retrieving, at the control point, a service description associated with the device; and
  
  retrieving, at the control point, a presentation page associated with the device.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The method of claim 6, wherein upon connection to the UPnP network the device multicasts information about itself to a predetermined address.
  - 8. The method of claim 7, wherein the control point uses the information multicast by the device to retrieve the device description.
  - 9. The method of claim 6, wherein the first authentication process comprises:
    - receiving a certificate from the device; and
      
      authenticating the device using the certificate.
  - 10. The method of claim 9, wherein the first authentication process further comprises:
    - sending a certificate from the control point to the device; and
      
      using the certificate at the device to authenticate the control point with the device.
  - 11. The method of claim 9, wherein the certificate includes a public key associated with the device.
  - 12. The method of claim 9, wherein the certificate is issued by a certificate authority and includes a public key associated with the certificate authority.
  - 13. The method of claim 10, wherein sending the certificate from the control point to the device comprises:
    - loading the certificate onto a memory module; and
      
      transferring the certificate from the control point to the device on the memory module.
  - 14. The method of claim 6, wherein the device invokes a second authentication process to authenticate the control point with the device.
  - 15. The method of claim 14, wherein the second authentication process comprises transmitting a PIN/password from the control point to the device.
  - 16. The method of claim 15, wherein the PIN/password comprises:
    - a credential; and
      
      a hash of a certificate sent from the device to the control point.

17. A method of adding a control point to a UPnP network, comprising:
- transmitting a search request multicast from the control point to a predetermined network address;
  
  receiving a response to the multicast from at least one device in the UPnP network, wherein the response includes an indicator requesting a secure communication between the device and the control point;
  
  invoking, at the control point, a first authentication process to authenticate the device with the control point;
  
  retrieving, at the control point, a device description associated with the UPnP device retrieving, at the control point, a service description associated with the device; and
  
  retrieving, at the control point, a presentation page associated with the device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17, wherein the first authentication process comprises:
    - receiving a certificate from the device; and
      
      authenticating the device using the certificate.
  - 19. The method of claim 18, wherein the first authentication process further comprises:
    - sending a certificate from the control point to the device; and
      
      using the certificate at the device to authenticate the control point with the device.
  - 20. The method of claim 18, wherein the certificate includes a public key associated with the device.
  - 21. The method of claim 18, wherein the certificate is issued by a certificate authority and includes a public key associated with the certificate authority.
  - 22. The method of claim 19, wherein sending the certificate from the control point to the device comprises:
    - loading the certificate onto a memory module; and
      
      transferring the certificate from the control point to the device on the memory module.
  - 23. The method of claim 17, wherein the device invokes a second authentication process to authenticate the control point with the device.
  - 24. The method of claim 20, wherein the second authentication process comprises transmitting a PIN/password from the control point to the device.
  - 25. The method of claim 21, wherein the PIN/password comprises:
    - a credential; and
      
      a hash of a certificate sent from the device to the control point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kuehnel, Thomas, Chan, Shannon J.

Granted Patent

US 7,600,113 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/445   by mutual authentication, e...

H04L 12/66   Arrangements for connecting...

H04L 63/0442   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

Secure network channel

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure network channel

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links