Systems and Methods for Security in a Wireless Utility Network

US 20100037293A1
Filed: 08/06/2008
Published: 02/11/2010
Est. Priority Date: 08/06/2008
Status: Active Grant

First Claim

Patent Images

1. A method for enrolling a requesting and previously untrusted node in a network consisting of a plurality of trusted nodes, the method comprising:

exchanging manufacturer originated digital certificates (“

birth certificates”

) with the requesting node;

verifying the birth certificate received from the requesting node;

establishing a first trust state with the requesting node based on the birth certificate received from the requesting node and the birth certificate sent to the requesting node;

while in the first trust state, sending an enrollment request to a certifying authority, the enrollment request including information extracted from the birth certificate received from the requesting node;

while in the first trust state, receiving a second digital certificate (“

driver'"'"'s license”

) from the certifying authority, said driver'"'"'s license being provided by the certifying authority based on a verification of the information extracted from the birth certificate received from the requesting node;

while in the first trust state, providing the driver'"'"'s license to the requesting node;

establishing a second trust state with the requesting node based on the driver'"'"'s license received from the certifying authority and a driver'"'"'s license of the responding node;

while in the second trust state, enrolling the requesting node in the network; and

while not being fully able to verify the authenticity of the requesting node within a preset time, maintaining one or more intermediate trusted states between the first and the second and subsequently requesting additional validation or repeat of enrollment request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems a provided for security in a wireless utility network. The methods and systems use different levels of trust to securely enroll new nodes into a network through other nodes acting as proxies. A node'"'"'s security state with respect to another node in the network is categorized into one of several trust levels. A node responds to certain requests, actions or messages depending based on its trust level with the other entity. Initially, a node is not trusted. A first trust level is established based on a digital certificate that is stored in a node when the node is manufactured. A second trust level is established based on a second digital certificate obtained from a certifying authority while a node is in the first trust level. A node with a verified second certificate can be fully enrolled in the network and participate as a network node with minimal or no constraints.

Citations

19 Claims

1. A method for enrolling a requesting and previously untrusted node in a network consisting of a plurality of trusted nodes, the method comprising:
- exchanging manufacturer originated digital certificates (“
  
  birth certificates”
  
  ) with the requesting node;
  
  verifying the birth certificate received from the requesting node;
  
  establishing a first trust state with the requesting node based on the birth certificate received from the requesting node and the birth certificate sent to the requesting node;
  
  while in the first trust state, sending an enrollment request to a certifying authority, the enrollment request including information extracted from the birth certificate received from the requesting node;
  
  while in the first trust state, receiving a second digital certificate (“
  
  driver'"'"'s license”
  
  ) from the certifying authority, said driver'"'"'s license being provided by the certifying authority based on a verification of the information extracted from the birth certificate received from the requesting node;
  
  while in the first trust state, providing the driver'"'"'s license to the requesting node;
  
  establishing a second trust state with the requesting node based on the driver'"'"'s license received from the certifying authority and a driver'"'"'s license of the responding node;
  
  while in the second trust state, enrolling the requesting node in the network; and
  
  while not being fully able to verify the authenticity of the requesting node within a preset time, maintaining one or more intermediate trusted states between the first and the second and subsequently requesting additional validation or repeat of enrollment request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, exchanging birth certificates includes, establishing a secure link with the requesting node.
  - 3. The method of claim 2, wherein establishing a secure link includes:
    - negotiating shared symmetric keys; and
      
      establishing a link layer (layer-2) secure link
  - 4. The method of claim 1, wherein the birth certificates includes a unique node identifier, manufacturing information of the node, and a public key corresponding to a private key stored at the node.
  - 5. The method of claim 4, wherein the birth certificate is signed by a certified manufacturing station.
  - 6. The method of claim 4, wherein the birth certificate identifies a role of the respective node in the network.
  - 7. The method of claim 3, wherein the shared symmetric key is independently derived by each node using a preset formula, and is not exchanged over the air.
  - 8. The method of claim 1, wherein the responding node puts the requesting node in an un-trusted state in the event a response from the authentication authority is not received within a preset period of time.
  - 9. The method of claim 8, wherein the responding node informs at least one other node in the network of the placement of requesting node in an un-trusted state.

10. A system comprising:
- a secure network;
  
  a requesting node; and
  
  a responding node,wherein, the responding node includes a data processor and a computer-readable medium that, when executed by the processor, control the responding node to perform a method for enrolling the requesting node in the network, the method comprising;
  
  exchanging manufacturer originated digital certificates (“
  
  birth certificates”
  
  ) with the requesting node;
  
  verifying the birth certificate received from the requesting node;
  
  establishing a first trust state with the requesting node based on the birth certificate received from the requesting node and the birth certificate sent to the requesting node;
  
  while in the first trust state, sending an enrollment request to a certifying authority, the enrollment request including information extracted from the birth certificate received from the requesting node;
  
  while in the first trust state, receiving a a second digital certificate (“
  
  driver'"'"'s license”
  
  ) from the certifying authority, said driver'"'"'s license being provided from the certifying authority based on a verification of the information extracted from the birth certificate received from the requesting node;
  
  while in the first trust state, providing the driver'"'"'s license to the requesting node;
  
  establishing a second trust state with the requesting node based on the driver'"'"'s license received from the certifying authority and a driver'"'"'s license of the responding node;
  
  while in the second trust state, enrolling the requesting node in the network; and
  
  while not being fully able to verify the authenticity of the requesting node within a preset time, maintaining one or more intermediate trusted states between the first and the second and subsequently requesting additional validation or repeat of enrollment request
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, exchanging birth certificates includes, establishing a secure link with the requesting node.
  - 12. The system of claim 11, wherein establishing a secure link includes:
    - negotiating shared symmetric keys; and
      
      establishing a link layer (layer-2) secure link
  - 13. The system of claim 10, wherein the birth certificates includes a unique node identifier, manufacturing information of the node, and a public key corresponding to a private key stored at the node.
  - 14. The system of claim 13, wherein the birth certificate is signed by a certified manufacturing station.
  - 15. The system of claim 13, wherein the birth certificate identifies a role of the respective node in the network.
  - 16. The system of claim 12 wherein the shared symmetric key is independently calculated by each node using a preset formula, and is not exchanged over the air.
  - 17. The system of claim 10, wherein the responding node puts the requesting node in an un-trusted state in the event a response from the authentication authority is not received within a preset period of time.
  - 18. The system of claim 17, wherein the responding node informs at least one other node in the network of the placement of requesting node in an un-trusted state.

19. A method for enrolling a new node in a network via a proxy node, said proxy node being a trusted member of the network, the method comprising:
- exchanging birth-certificates with the proxy node;
  
  establishing a first trust state with the proxy node based on the birth certificate received from the proxy node and the birth certificate sent to the new node;
  
  while in the first trust state, receiving a driver'"'"'s license from a certifying authority via the proxy node, said driver'"'"'s license including information extracted from the birth certificate of the new node;
  
  while in the first trust state, authenticating the driver'"'"'s license based on a previously provided system-specific root certificate;
  
  establishing a second trust state with the proxy node based on the driver'"'"'s license; and
  
  while in the second trust state, enrolling in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Itron Networked Solutions, Inc. (Itron, Inc.)
Original Assignee
Silver Spring Networks, Inc. (Itron, Inc.)
Inventors
StJohns, Michael, Dubey, Aditi, Vaswani, Raj

Granted Patent

US 8,756,675 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/20   for managing network securi...

H04L 9/3263   involving certificates, e.g...

Systems and Methods for Security in a Wireless Utility Network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Security in a Wireless Utility Network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links