Automatic secure device introduction and configuration

US 20070079113A1
Filed: 09/30/2005
Published: 04/05/2007
Est. Priority Date: 09/30/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method including using out-of-band (OOB) data transferred from a new device to an environment to an existing device of the environment, said OOB data including data for establishing at least a first secure communication channel between the existing device and the new device:

establishing the first secure communication channel based at least in part on said OOB data;

providing the new device at least one secret over the first secure communication channel;

establishing a second secure communication channel between the existing device and the new device based at least in part on knowledge of said secret;

providing configuration data to the new device over the second secure communication channel; and

automatically configuring the new device based at least in part on said configuration data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for transferring a credential between two devices according to a secure protocol are described. Portions of messages in the protocol are encrypted to prevent theft and tampering. Out-of-band (OOB) data is initially transferred to bootstrap trust in establishing one or more secure communication channels over which a new device may be configured. Systems using the methods are described and claimed.

159 Citations

26 Claims

1. A method including using out-of-band (OOB) data transferred from a new device to an environment to an existing device of the environment, said OOB data including data for establishing at least a first secure communication channel between the existing device and the new device:
- establishing the first secure communication channel based at least in part on said OOB data;
  
  providing the new device at least one secret over the first secure communication channel;
  
  establishing a second secure communication channel between the existing device and the new device based at least in part on knowledge of said secret;
  
  providing configuration data to the new device over the second secure communication channel; and
  
  automatically configuring the new device based at least in part on said configuration data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the at least one secret is mutually derived with the new device.
  - 3. The method of claim 1, further comprising:
    - provisioning a cryptographic certificate on the new device based at least in part on said secret.
  - 4. The method of claim 3, wherein the cryptographic certificate comprises an X.509 type certificate.
  - 5. The method of claim 1, further comprising automatically:
    - determining a configurable capability of the new device;
      
      identifying a configuration type for the configurable capability; and
      
      determining if said configuration data includes configuration data corresponding to the configurable capability, and if so, configuring the new device accordingly.
  - 6. The method of claim 5, further comprising:
    - if not, querying for configuration data for the configurable capability; and
      
      storing said queried configuration data to provide for said automatically configuring devices having the configurable capability.
  - 7. The method of claim 1, wherein said OOB data transfer comprises transferring a secret from the existing device to the new device.
  - 8. The method of claim 7, wherein said transferring the secret comprises temporarily communicatively coupling a component of the new device with the existing device, and while coupled thereto, transferring the secret through said temporary communicative coupling.
  - 9. The method of claim 8, wherein said temporary communicative coupling comprises a selected one of:
    - the new device reading a short range emission of the existing device;
      
      establishing a short range wireless connection between the existing device and the new device;
      
      or first attaching to the existing device a portable memory operable to store the secret, and second attaching to the new device the portable memory containing the secret.
  - 10. The method of claim 1, further comprising:
    - initializing an application framework to receive component introduction notifications; and
      
      receiving a component introduction notification responsive to presenting the new device to the network.
  - 11. The method of claim 1, further comprising determining a master session key based at least in part on the at least one secret to allow deriving therefrom additional secure communication channels.
  - 12. The method of claim 11, further comprising deriving a second secret from the master session key for establishing secure communication for an application program associated with the new device.
  - 13. The method of claim 11, further comprising:
    - introducing an other new device into the environment;
      
      deriving a second secret from the master session key; and
      
      establishing a third secure communication channel between the existing device and the other new device based at least in part on the second secret.

14. An article comprising a machine-accessible medium having one or more associated instructions for using out-of-band (OOB) data transferred from a new device to an environment to an existing device of the environment, said OOB data including data for establishing at least a first secure communication channel between the existing device and the new device, wherein the one or more instructions, if executed, results in a machine performing:
- establishing the first secure communication channel based at least in part on said OOB data;
  
  providing the new device at least one secret over the first secure communication channel;
  
  establishing a second secure communication channel between the existing device and the new device based at least in part on knowledge of said secret;
  
  providing configuration data from the existing device to the new device over the second secure communication channel; and
  
  automatically configuring the new device based at least in part on said configuration data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The article of claim 14 wherein the machine-accessible media further includes instructions, when executed, results in the machine performing:
    - mutually deriving the at least one secret key with the new device.
  - 16. The article of claim 14 wherein the machine-accessible media further includes instructions, when executed, results in the machine performing:
    - provisioning a cryptographic certificate on the new device based at least in part on said secret.
  - 17. The method of claim 16, wherein the certificate comprises an X.509 type certificate.
  - 18. The article of claim 14 wherein the machine-accessible media further includes instructions, when executed, results in the machine automatically performing:
    - determining a configurable capability of the new device;
      
      identifying a configuration type for the configurable capability; and
      
      determining if said configuration data includes configuration data corresponding to the configurable capability, and if so, configuring the new device accordingly.
  - 19. The article of claim 18 wherein the machine-accessible media further includes instructions, when executed, results in the machine performing:
    - if not, querying for configuration data for the configurable capability; and
      
      storing said queried configuration data to provide for said automatically configuring devices having the configurable capability.
  - 20. The article of claim 14, wherein:
    - said OOB data transfer comprises transferring or mutually deriving a secret from the existing device to the new device by temporarily communicatively coupling a component of the new device with the existing device, and while coupled thereto, transferring or mutually deriving the secret through said temporary communicative coupling; and
      
      said temporary communicative coupling comprises a selected one of;
      
      the new device reading a short range emission of the existing device;
      
      establishing a short range wireless connection between the existing device and the new device;
      
      or first attaching to the existing device a portable memory operable to store the secret, and second attaching to the new device the portable memory containing the secret.
  - 21. The article of claim 14 wherein the machine-accessible media further includes instructions, when executed, results in the machine performing:
    - initializing an application framework to receive component introduction notifications; and
      
      receiving a component introduction notification responsive to presenting the new device to the network.
  - 22. The article of claim 14 wherein the machine-accessible media further includes instructions, when executed, results in the machine performing:
    - determining a master session key based at least in part on the secret to allow deriving therefrom additional secure communication channels; and
      
      deriving a second secret from the master session key for establishing a third secure communication channel for an application program communicatively coupled with the environment.

23. A system comprising:
- a first device having a device password;
  
  an access point to provide network access to devices having a credential; and
  
  a registrar;
  
  wherein the registrar is to receive the device password by an out-of-band (OOB) data transfer, and is to provide a credential to the first device for use by the first device to access the network through the access point.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23, wherein:
    - the first device includes a near-field communication (“
      
      NFC”
      
      ) token to contain the device password;
      
      the Registrar includes a near-field communication reader to read an NFC token; and
      
      the registrar is to obtain the first device'"'"'s device password by reading the first device'"'"'s NFC token.
  - 25. The system of claim 23 wherein the first device further comprises a radio communication interface to receive the credential.
  - 26. The system of claim 23 wherein the first device further comprises a removable storage interface to receive the credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Hegde, Shriharsha, Lortz, Victor, Kulkarni, Amol

Application Number

US11/241,080
Publication Number

US 20070079113A1
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0492   by using a location-limited...

H04L 63/18   using different networks or...

H04L 9/3215   using a plurality of channe...

H04L 9/3263   involving certificates, e.g...

H04W 12/12   Detection or prevention of ...

H04W 12/50   Secure pairing of devices

H04W 48/08   Access restriction or acces...

H04W 84/12   WLAN [Wireless Local Area N...

Automatic secure device introduction and configuration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

159 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic secure device introduction and configuration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

159 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links