SECURITY MODEL FOR INDUSTRIAL DEVICES

US 20120096272A1
Filed: 10/15/2010
Published: 04/19/2012
Est. Priority Date: 10/15/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a protocol buffer component configured to serialize a protocol message object into a series of bytes and to de-serialize the series of bytes into the protocol message object; and

a security token service configured to at least one of issue, renew, or validate a first security token in response to a token request having credential information from a requester, whereinthe apparatus obtains the token request as a first series of bytes, the protocol buffer component is further configured to de-serialize the first series of bytes into a token request message object retaining the credential information, and the security token service is further configured to generate the first security token based at least in part on the credential information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and/or methods are described relating to a security model that provides interoperability with foreign security domains while remaining scalable to small embedded devices. A security token service is provided, which is configured to issue, renew, and/or validate security tokens in response to a token request. A communication protocol, corresponding message structures, and the security tokens are defined in accordance with protocol buffer definitions.

66 Citations

View as Search Results

20 Claims

1. An apparatus, comprising:
- a protocol buffer component configured to serialize a protocol message object into a series of bytes and to de-serialize the series of bytes into the protocol message object; and
  
  a security token service configured to at least one of issue, renew, or validate a first security token in response to a token request having credential information from a requester, whereinthe apparatus obtains the token request as a first series of bytes, the protocol buffer component is further configured to de-serialize the first series of bytes into a token request message object retaining the credential information, and the security token service is further configured to generate the first security token based at least in part on the credential information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The apparatus of claim 1, wherein the security token service is configured to generate the first security token as a security token message object.
  - 3. The apparatus of claim 2, wherein the protocol buffer component is further configured to serialize the security token message object as a second series of bytes.
  - 4. The apparatus of claim 3, wherein the apparatus is configured to send the second series of bytes to the requester.
  - 5. The apparatus of claim 1, further comprising a cryptography component configured to verify a digital signature attached to the token request.
  - 6. The apparatus of claim 5, wherein the cryptography component is further configured to digitally sign the first security token.
  - 7. The apparatus of claim 1, further comprising a gateway component configured to obtain a second security token from an external entity.
  - 8. The apparatus of claim 7, wherein the gateway component is configured to utilize the WS-Trust standard to obtain the second security token.
  - 9. The apparatus of claim 8, wherein the second security token is a SAML security token.
  - 10. The apparatus of claim 7, further comprising a converter that translates the second security token into the first security token.
  - 11. The apparatus of claim 1, further comprising an authentication component configured to validate the credential information with a data store that stores account information.
  - 12. The apparatus of claim 1, wherein the first security token includes a collection of security assertions.
  - 13. The apparatus of claim 1, wherein the requester is an industrial automation device in an industrial automation environment.
  - 14. An industrial automation device, deployed in an industrial automation environment, having the apparatus of claim 1 integrated therein.

15. A method, comprising:
- obtaining a token request, as a series of bytes, that includes credential information to be authenticated;
  
  de-serializing the series of bytes to obtain the token request as an object structured in accordance with a first protocol buffer definition;
  
  serializing a security token, structured in accordance with a second protocol buffer definition, into a byte stream; and
  
  communicating the byte stream as a response to the token request.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, further comprising:
    - verifying a digital signature attached to the series of bytes representing the token request; and
      
      digitally signing the byte stream representing the security token.
  - 17. The method of claim 15, further comprising:
    - extracting the credential information from the token request; and
      
      validating the credential information against a data store having account information.
  - 18. The method of claim 15, further comprising:
    - converting the token request, structured in accordance with the first protocol buffer definition, into a second token request, having a XML representation, in accordance with a WS-Trust specification;
      
      sending the second token request to an external entity;
      
      receiving a second security token, having a SAML representation, from the external entity; and
      
      converting the second security token into the security token structured in accordance with the second protocol buffer definition.
  - 19. The method of claim 18, wherein the external entity is a security token service.

20. An industrial automation apparatus, comprising:
- a user interface configured to display a graphical user interface to a user and to obtain input information from the user;
  
  an security component, comprising;
  
  an authentication component configured to validate credential information; and
  
  a security token service configured to issue a security token based at least in part on authentication results from the authentication component; and
  
  an access control component configured to render access control decisions based at least in part on the security token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Jasper, Taryl J., Miller, Michael B., Brandt, Robert A.

Granted Patent

US 8,504,837 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/0853   using an additional device,...

H04L 63/20   for managing network securi...

SECURITY MODEL FOR INDUSTRIAL DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY MODEL FOR INDUSTRIAL DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links