DEVICE INTRODUCTION AND ACCESS CONTROL FRAMEWORK

US 20120185696A1
Filed: 03/26/2012
Published: 07/19/2012
Est. Priority Date: 09/03/2004
Status: Active Grant

First Claim

Patent Images

1. A method for introducing two devices, comprising the steps of:

activating each device of two devices to initiate an introduction;

reducing a respective strength of each device to an effective range of about five inches or less;

moving the devices toward each other to form an out-of-band channel;

each device detecting a signal of the other device, and simultaneously measuring a signal gradient by simultaneously measuring the signals received on both antennas;

determining if any of the signals diminish according to an acceptable profile; and

rejecting the introduction if any of the signals are not so diminished, and if a signal does have a correct strength gradient, receiving cryptographic material (such as public keys or key identifiers, but not precluding symmetric keys) across the out-of-band channel and subsequently using the cryptographic material to establish secure connection on an in-band channel after introduction.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a method includes registering applications and network services for notification of an out-of-band introduction, and using the out-of-band introduction to bootstrap secure in-band provisioning of credentials and policies that are used to control subsequent access and resource sharing on an in-band channel. In another embodiment, an apparatus implements the method.

24 Citations

View as Search Results

8 Claims

1. A method for introducing two devices, comprising the steps of:
- activating each device of two devices to initiate an introduction;
  
  reducing a respective strength of each device to an effective range of about five inches or less;
  
  moving the devices toward each other to form an out-of-band channel;
  
  each device detecting a signal of the other device, and simultaneously measuring a signal gradient by simultaneously measuring the signals received on both antennas;
  
  determining if any of the signals diminish according to an acceptable profile; and
  
  rejecting the introduction if any of the signals are not so diminished, and if a signal does have a correct strength gradient, receiving cryptographic material (such as public keys or key identifiers, but not precluding symmetric keys) across the out-of-band channel and subsequently using the cryptographic material to establish secure connection on an in-band channel after introduction.
- View Dependent Claims (2, 3)
- - 2. The method according to claim 1, wherein operation of in-band hardware is modified such that it approximates an out-of-band channel.
  - 3. The method according to claim 2, wherein the devices being introduced reduce their own in-band signal strengths and also measure a signal strength gradient of signals received from the other device in real-time, to detect physical proximity.

4. A method for establishing trust between a server and a client, comprising the steps of:
- initiating an introductory process for the server and the client using an out-of-band (OOB) message in an OOB channel; and
  
  using in-band messages in an in-band channel to complete the introduction process for the server and the client.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The method according to claim 4, wherein the server sends its certificate, randomly generated secret and connection information to the client over the OOB channel.
  - 6. The method according to claim 5, wherein:
    - the client connects to the server over the in-band channel and sends a first secret encrypted with a server'"'"'s public key, another randomly generated second secret also encrypted with the server'"'"'s public key and a client'"'"'s public key;
      
      the server decrypts the first secret and verifies that this is the same client to which it had sent the OOB data;
      
      if the server decides to allow the client to join a constellation, the server creates a certificate for the client with the client'"'"'s public key, and using the client'"'"'s public key, the server encrypts the second secret, and another randomly generated third secret, the server then sending the certificate, the second secret and the third secret to the client;
      
      the client decrypts the second secret with its public key and verifies that its previous message reached the server; and
      
      the client, after decrypting the third secret, encrypts the third secret again using the server'"'"'s public key, and sends the third secret to the server as a guarantee that the server'"'"'s last message reached the client.
  - 7. The method according to claim 4, wherein the client sends its certificate, randomly generated secret and connection information to the server over the OOB channel.
  - 8. The method according to claim 7, wherein:
    - if the server decides to deny entry of the client into the constellation, it need not do anything further, and if the server decides to allow the client into a constellation, the server connects to the client over an in-band channel and sends a first secret encrypted with a client'"'"'s public key, a server'"'"'s certificate and a randomly generated second secret also encrypted with the client'"'"'s public key;
      
      after verifying the first secret, the client is assured that this is the same server to which it sent the OOB message, the client encrypts the second secret, and a newly generated third secret with the server'"'"'s public key and sends the third secret to the server;
      
      the second secret assures the server that the client received its previous message, the server creates a new certificate for the client, the server encrypts the third secret and a newly generated fourth secret with the client'"'"'s public key, and the server sends the certificate and the third and fourth secrets to the client; and
      
      receiving the third secret assures the client that the server received its previous message, the client then sends a further message to the server with the fourth secret encrypted using the server'"'"'s public key, as an assurance that the client received the previous message from the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amol A. Kulkarni, Jesse R. Walker, Shriharsha S. Hegde, Tsung-Yuan C. Tai, Victor B. Lortz
Original Assignee
Amol A. Kulkarni, Jesse R. Walker, Shriharsha S. Hegde, Tsung-Yuan C. Tai, Victor B. Lortz
Inventors
Lortz, Victor B., Walker, Jesse R., Hegde, Shriharsha S., Kulkarni, Amol A., Tai, Tsung-Yuan C.

Granted Patent

US 9,602,471 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/175
CPC Class Codes

G06F 21/43   wireless channels

G06F 2221/2129   Authenticate client device ...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/18   using different networks or...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

DEVICE INTRODUCTION AND ACCESS CONTROL FRAMEWORK

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

DEVICE INTRODUCTION AND ACCESS CONTROL FRAMEWORK

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links