AUTHENTICATION FOR DEVICES LOCATED IN CABLE NETWORKS

US 20080065883A1
Filed: 08/24/2006
Published: 03/13/2008
Est. Priority Date: 08/24/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an authorization response over a cable network that includes a cable modem address and one or more authentication criteria for a cable modem;

extracting a forwarding message from the authorization response;

sending the forwarding message over a packet switched network to a server;

receiving back a communication to establish a session key on the cable modem; and

forwarding a representation of the communication to the cable modem for establishment of the session key on the cable modem.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An extensible authentication framework is used in cable networks such as Data Over Cable Service Interface Specification (DOCSIS) cable networks. The authentication scheme allows for centralized authentication of cable modems, as well as authentication of the cable network by cable modems. Additionally, the authentication scheme allows a Cable Modem Termination System (CMTS) to authenticate devices downstream from cable modems, such as Customer Premise Equipment (CPE) devices.

69 Citations

View as Search Results

32 Claims

1. A method comprising:
- receiving an authorization response over a cable network that includes a cable modem address and one or more authentication criteria for a cable modem;
  
  extracting a forwarding message from the authorization response;
  
  sending the forwarding message over a packet switched network to a server;
  
  receiving back a communication to establish a session key on the cable modem; and
  
  forwarding a representation of the communication to the cable modem for establishment of the session key on the cable modem.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising forwarding an acknowledgement to the server, the acknowledgement indicating that the cable modem successfully established the session key using private credentials stored on the cable modem.
  - 3. The method of claim 1, further comprising:
    - receiving a request for the authentication criteria over the packet switched network, the request including a network identity; and
      
      forwarding a representation of the request for the authentication criteria to the cable modem to elicit the authorization response.
  - 4. The method of claim 3, further comprising:
    - identifying a Remote Authentication Dial In User Service (RADIUS) message included in the request before forwarding the representation of the request, the RADIUS message containing an Extensible Authentication Protocol (EAP) packet that contains the network identity;
      
      extracting the EAP packet;
      
      formatting the EAP packet; and
      
      sending the formatted EAP packet containing the network identity to the cable modem.
  - 5. The method of claim 4, further comprising:
    - cryptographically computing an authentication key using the session key; and
      
      sending the authentication key to a Dynamic Host Configuration Protocol (DHCP) server.
  - 6. The method of claim 1, further comprising:
    - receiving a downstream device credential request over the packet switched network, the downstream device credential request including a network identity;
      
      forwarding the downstream device credential request over the cable network to a downstream device located in the cable network and downstream from the cable modem; and
      
      receiving back a downstream device response from the downstream device that includes authentication credentials associated with the downstream device.
  - 7. The method of claim 6, further comprising:
    - stripping one or more frames including a Data Over Cable Service Interface Specification (DOCSIS) frame from the downstream device response;
      
      forwarding a remaining portion of the downstream device response to the server located in the packet switched network; and
      
      receiving back an authentication success for the downstream device.
  - 8. The method of claim 1 wherein the authorization response includes a DOCSIS frame containing an Ethernet frame that contains an 802.1x packet.

9. A method comprising.extracting one or more network authentication criteria from an authorization request received over a cable network;
- validating the network authentication criteria using a locally stored authentication value;
  
  sending back an authorization response that includes one or more cable modem authentication criteria when the network authentication criteria corresponds to the locally stored authentication value; and
  
  receiving a state change notification message corresponding to a local logical cable modem port.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9 further comprising:
    - receiving back a session key after sending the authorization response;
      
      decrypting the session key using a local private key; and
      
      sending back an acknowledgement demonstrating successful decryption of the session key.
  - 11. The method of claim 9 wherein the state change notification message indicates that the logical cable modem port is authorized to send network addressed communications.
  - 12. The method of claim 9 further comprising:
    - generating an Extensible Authentication Protocol (EAP) based packet including the cable modem authentication criteria;
      
      formatting a destination frame that includes the EAP-based packet; and
      
      including the destination frame having the EAP-based packet in the authorization response.
  - 13. The method of claim 12 further comprising including the destination frame in a Data Over Cable Service Interface Specification (DOCSIS) frame.
  - 14. The method of claim 9 further comprising:
    - exchanging authentication negotiation messages with an authenticator before receiving the authorization request, the authentication negotiation messages adding an additional exchange sequence for a cable modem security posture assessment to a predetermined sequence of exchanges; and
      
      exchanging additional authentication messages to perform the cable modem security posture assessment in response to the authentication criteria negotiation messages.

15. A system comprising:
- means for sending an authentication criterion request containing a network identity to a cable modem;
  
  means for validating the network identity at the cable modem;
  
  means for authenticating a source of the validated network identity;
  
  means for sending one or more authentication criteria to the authenticated source of the authentication criterion request;
  
  means for authenticating the cable modem; and
  
  means for changing a state of a port on the authenticated cable modem to allow the cable modem to send layer three communications.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15 further comprising:
    - means for sending an encrypted session key to the cable modem, the encrypted session key being encrypted using a public key included in a certificate exchanged between the cable modem and the source of the validated network identity;
      
      means for decrypting the encrypted session key using a local private key; and
      
      means for sending an acknowledgement of successful decryption to authenticate the cable modem.
  - 17. The system of claim 15 wherein the authentication criterion request is an Extensible Authentication Protocol (EAP) based packet included inside a variable length Protocol Data Unit (PDU) field of a Data Over Cable Service Interface Specification (DOCSIS) frame.
  - 18. The system of claim 15 further comprising:
    - means for sending an additional authentication criterion request containing the network identity to a downstream device located downstream from the cable modem;
      
      means for stripping one or more frames including a DOCSIS frame from the additional certificate request and forwarding a remaining portion to the downstream device; and
      
      means for validating the network identity at the downstream device.
  - 19. The system of claim 15 further comprising:
    - means for cryptographically computing a configuration file authorization key using the session key; and
      
      means for encrypting a file specifying a configuration of the cable modem using the configuration file authorization key.

20. A Cable Modem Termination System (CMTS) comprising;
- one or more processors; and
  
  a memory coupled to the one or more processors comprising instructions executable by the processors, the processors operable when executing the instructions to;
  
  receive an authorization response over a cable network, the authorization response including a device identification and one or more authentication criteria;
  
  extract a forwarding message from the authorization response;
  
  send the forwarding message to a server located in the packet switched network;
  
  receive back an authorization message to establish a session key on a device having the device identification; and
  
  forward a representation of the authorization message to the device.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The CMTS of claim 20, wherein the processors are operable when executing the instructions to forward an acknowledgement indicating that the device successfully established the session key using private credentials stored on the device.
  - 22. The CMTS of claim 20, wherein the processors are operable when executing the instructions to remove a Remote Authentication Dial In User Service (RADIUS) or Diameter header from the authorization message before sending the representation of the authorization message to the device.
  - 23. The CMTS of claim 20 wherein the processors are operable when executing the instructions to:
    - extract both the session key and an Extensible Authentication Protocol (EAP) success from the authorization message;
      
      computationally compute a Hashed Message Authentication Code (HMAC) key using the session key;
      
      integrity-protect the EAP success using the HMAC key; and
      
      send the integrity-protected EAP success to the device.
  - 24. The CMTS of claim 20 wherein the processors are operable when executing the instructions to:
    - complete ranging with the device before sending a certificate request that elicits the authorization response; and
      
      register the device as an authenticated cable modem after authenticating the device.

25. An apparatus comprising;
- one or more processors; and
  
  a memory coupled to the one or more processors comprising instructions executable by the processors, the processors operable when executing the instructions to;
  
  extract a first authentication criterion from an authorization request received over a cable network;
  
  validate the first authentication criterion with a stored authentication value;
  
  send back a response that includes a device identification and a second authentication criterion when the first authentication criterion matches the stored authentication value; and
  
  receive back a message that locally provides a session key after sending the response.
- View Dependent Claims (26, 27, 28)
- - 26. The apparatus of claim 25 wherein the processors are operable when executing the instructions to establish the session key and send and acknowledgement.
  - 27. The apparatus of claim 25 wherein the authorization request includes a Data Over Cable Service Interface Specification (DOCSIS) header with a frame control type and a frame control parameter respectively equal to binary 00 and 00000.
  - 28. The apparatus of claim 25 wherein first authentication criterion is an Authentication Authorization and Accounting (AAA) certificate generated by an AAA server located in a packet switched network and the second authentication criterion includes an X.509 certificate for a cable modem.

29. An authentication device, comprising:
- a memory storing one or more authentication values; and
  
  one or more processors to receive an authorization response that includes a cable modem address and one or more cable modem certificates, the processors to extract a first packet that corresponds to the Extensible Authentication Protocol (EAP) framework, to extract the cable modem address and the one or more cable modem certificates from the first packet, to compare the cable modem address and the one or more cable modem certificates to the one or more locally stored authentication values, to send a session key establishment message to the cable modem address when the cable modem address and the one or more cable modem certificates correspond to one or more locally stored authentication values.
- View Dependent Claims (30, 31, 32)
- - 30. The authentication device of claim 29 wherein the session key establishment message includes a locally generated session key is encrypted using a public key corresponding to a private key located on a cable modem having the cable modem address.
  - 31. The authentication device of claim 29 wherein the session key establishment message includes a locally generated session key that is included inside a second packet that corresponds to the Extensible Authentication Protocol (EAP) framework and the second packet is included inside an Ethernet frame that is included inside a Data Over Cable Service Interface Specification (DOCSIS) frame.
  - 32. The authentication device of claim 29 wherein the session key establishment message includes a locally generated session key that is included inside a second packet that corresponds to the Extensible Authentication Protocol (EAP) framework and the second packet is encapsulated in another communication for sending over a packet switched network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Frazier, Jason, Zeng, Shengyou, Littlefield, Joshua B., Salowey, Joseph A.

Granted Patent

US 7,865,727 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

AUTHENTICATION FOR DEVICES LOCATED IN CABLE NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION FOR DEVICES LOCATED IN CABLE NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links