Systems and Methods for "Machine-to-Machine" (M2M) Communications Between Modules, Servers, and an Application using Public Key Infrastructure (PKI)

US 20150106616A1
Filed: 10/16/2013
Published: 04/16/2015
Est. Priority Date: 09/10/2013
Status: Active Grant

First Claim

Patent Images

1. A method for supporting machine-to-machine communications, the method performed by a server, the method comprising:

authenticating a first message, wherein the first message includes a first module public key and a module identity;

receiving a module instruction and the module identity from an application server;

waiting to receive a second message that includes the module identity before sending the module instruction in a server encrypted data;

receiving the second message, wherein the second message includes a module encrypted data and a source Internet protocol address and port (IP;

port) number;

sending a response to the source IP;

port number, wherein the response includes the server encrypted data, wherein the server encrypted data is ciphered using the first module public key, and wherein the server encrypted data includes the module instruction and a security token; and

,authenticating a third message using the first module public key, wherein the third message includes a second module public key and the module identity.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for supporting efficient and secure “Machine-to-Machine” (M2M) communications using a module, a server, and an application. A module can communicate with the server by accessing the Internet, and the module can include a sensor and/or an actuator. The module, server, and application can utilize public key infrastructure (PKI) such as public keys and private keys. The module can internally derive pairs of private/public keys using cryptographic algorithms and a first set of parameters. A server can authenticate the submission of derived public keys and an associated module identity. The server can use a first server private key and a second set of parameters to (i) send module data to the application and (ii) receive module instructions from the application. The server can use a second server private key and the first set of parameters to communicate with the module.

125 Citations

24 Claims

1. A method for supporting machine-to-machine communications, the method performed by a server, the method comprising:
- authenticating a first message, wherein the first message includes a first module public key and a module identity;
  
  receiving a module instruction and the module identity from an application server;
  
  waiting to receive a second message that includes the module identity before sending the module instruction in a server encrypted data;
  
  receiving the second message, wherein the second message includes a module encrypted data and a source Internet protocol address and port (IP;
  
  port) number;
  
  sending a response to the source IP;
  
  port number, wherein the response includes the server encrypted data, wherein the server encrypted data is ciphered using the first module public key, and wherein the server encrypted data includes the module instruction and a security token; and
  
  ,authenticating a third message using the first module public key, wherein the third message includes a second module public key and the module identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein a module using the module identity sends the first, second, and third messages, wherein the module includes a set of cryptographic algorithms to derive (i) the first module public key and a first module private key and (ii) the second module public key and a second module private key, and wherein before receiving the third message, the server sends an instruction for the module to derive the second module public key.
  - 3. The method of claim 1, further comprising decrypting at least one of (i) the first module public key in the first message and the (ii) the second module public key in the third message.
  - 4. The method of claim 3, further comprising decrypting a set of parameters in at least one of the first message and the third message, wherein the set of parameters include at least one of (i) an elliptic curve cryptography (ECC) named curve, (ii) an ECC defining equation, and (iii) a modulus for an RSA algorithm.
  - 5. The method of claim 1, wherein authenticating further comprises using at least one of (i) a message digest, (ii) a symmetric key, (iii) a shared secret key, (iv) a module digital signature, and (v) a secure connection.
  - 6. The method of claim 1, wherein the module instruction received from the application server is decrypted using a first server public key, wherein the first server public key is processed using an RSA algorithm, wherein the server encrypted data is encrypted using a second server public key, and wherein the second server public key is processed using an ECC algorithm.
  - 7. The method of claim 1, wherein the module identity in the first message comprises a first string, and wherein the module identity in the second message comprises a second string, and wherein the first string and the second string are associated with a serial number of a module.
  - 8. The method of claim 1, wherein ciphering the server encrypted data using the first module public key further comprises ciphering the server encrypted data with a symmetric key, wherein the symmetric key is shared by using at least one of (i) the first module public key and a key derivation function, (ii) an asymmetric ciphering algorithm and the first module public key to encrypt the symmetric key, wherein the server sends the symmetric key, and (iii) a module digital signature verified with the module public key, wherein the server receives the symmetric key and the module digital signature.

9. A method for supporting machine-to-machine communications, the method performed by a server, the method comprising:
- authenticating a first message, wherein the first message includes a first module public key and a module identity;
  
  receiving a second message, wherein the second message includes the module identity and a module encrypted data, wherein the module encrypted data includes a sensor measurement and a security token;
  
  reading the sensor measurement by decrypting the module encrypted data using a first server private key;
  
  using a secure connection and a second server private key to send the sensor measurement and the module identity to an application server; and
  
  ,authenticating a third message;
  
  wherein the third message includes a second module public key and the module identity;
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein decrypting the module encrypted data using the first server private key further comprises decrypting the module encrypted data using a symmetric key, wherein the symmetric key is shared by at least one of (i) sending the symmetric key and a server digital signature, wherein the server digital signature is processed using the first server private key, and (ii) using a key derivation function and the first server private key.
  - 11. The method of claim 9, wherein decrypting the module encrypted data using the first server private key further comprises, in sequence:
    - receiving a symmetric key that is encrypted using an asymmetric ciphering algorithm;
      
      using the first server private key to decrypt the symmetric key; and
      
      ,decrypting the sensor measurement using the symmetric key.
  - 12. The method of claim 9, wherein authenticating the first message further comprises using at least one of (i) a message digest, (ii) a symmetric key, (iii) a shared secret key, (iv) a module digital signature, and (v) a secure connection.
  - 13. The method of claim 9, wherein a module using the module identity sends the first, second, and third messages, wherein the module includes a set of cryptographic algorithms to derive (i) the first module public key and a first module private key and (ii) the second module public key and a second module private key, and wherein before receiving the third message, the server sends an instruction for the module to derive the second module public key.
  - 14. The method of claim 9, wherein the module identity in the first message comprises a first string, and wherein the module identity in the second message comprises a second string, and wherein the first string and the second string are associated with a serial number of a module.
  - 15. The method of claim 9, further comprising decrypting at least one of (i) the first module public key in the first message and the (ii) the second module public key in the third message.
  - 16. The method of claim 15, further comprising decrypting a set of parameters in at least one of the first message and the third message, wherein the set of parameters include at least one of (i) an elliptic curve cryptography (ECC) named curve, (ii) an ECC defining equation, and (iii) a modulus for an RSA algorithm.
  - 17. The method of claim 9, further comprising processing (i) the first server private key using an elliptic curve cryptography (ECC) algorithm, (ii) the second server private key using an RSA algorithm.

18. A system for supporting machine-to-machine communications, the system comprising:
- a set of cryptographic algorithms for using (i) a first server private key with a first set of parameters and (ii) a second server private key with a second set of parameters, and for authenticating a first message, wherein the first message includes a module public key and a module identity;
  
  a module controller for sending a server digital signature processed using the first server private key, for receiving a module encrypted data and the module identity, wherein the module encrypted data includes a sensor measurement and a security token, for using a symmetric key to decrypt the module encrypted data, for using the module public key and the first set of parameters to verify a module digital signature, for sending a module instruction within a server encrypted data, and for waiting until after (a) receiving a second message which includes the module identity and a source Internet protocol address and port (IP;
  
  port) number before (b) sending the module instruction to the source IP;
  
  port number; and
  
  ,a server program for establishing a secure connection with an application using the second server private key and the second set of parameters, for sending the sensor measurement and the module identity to the application via the secure connection, and for receiving the module instruction from the application;
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The system of claim 18, further comprising a module with the module identity for sending the first message and the second message, wherein the module derives the module public key and a module private key using the first set of parameters.
  - 20. The system of claim 19, wherein the module controller sends (i) the first set of parameters and (ii) an instruction for the module to derive the module public key and the module private key, before the module sends the first message.
  - 21. The system of claim 18, further comprising the cryptographic algorithms for decrypting at least one of the first module public key and the first set of parameters, wherein the first set of parameters include at least one of (i) an elliptic curve cryptography (ECC) named curve, (ii) an ECC defining equation, and (iii) a modulus for an RSA algorithm.
  - 22. The system of claim 18, wherein the secure connection with the application comprises at least one of (i) a transport layer security (TLS) connection, (ii) an IPSec connection, and (iii) a virtual private network (VPN) between a server and the application server, and wherein the server includes the module controller and the server application.
  - 23. The system of claim 18, wherein the first set of parameters is associated with an elliptic curve cryptography (ECC) algorithm, and wherein the second set of parameters is associated with an RSA algorithm.
  - 24. The system of claim 18, further comprising the cryptographic algorithms for authenticating the first message using at least one of (i) a message digest, (ii) a shared secret key, and (iii) a module digital signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
M2M and IoT Technologies LLC
Inventors
Nix, John A.

Granted Patent

US 9,276,740 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/445   by mutual authentication, e...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04J 11/00   Orthogonal multiplex system...

H04L 12/2854   Wide area networks, e.g. pu...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/72   Signcrypting, i.e. digital ...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 67/04   specially adapted for termi...

H04L 9/006 : involving public key infras...

H04L 9/0816 : Key establishment, i.e. cry...

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/085 : Secret sharing or secret sp...

H04L 9/0861 : Generation of secret inform...

H04L 9/088 : Usage controlling of secret...

H04L 9/0894 : Escrow, recovery or storing...

H04L 9/14 : using a plurality of keys o...

H04L 9/30 : Public key, i.e. encryption...

H04L 9/3066 : involving algebraic varieti...

H04L 9/32 : including means for verifyi...

H04L 9/321 : involving a third party or ...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3247 : involving digital signatures

H04L 9/3249 : using RSA or related signat...

H04L 9/3263 : involving certificates, e.g...

H04W 12/02 : Protecting privacy or anony...

H04W 12/033 : of the user plane, e.g. use...

H04W 12/04 : Key management, e.g. using ...

H04W 12/06 : Authentication

H04W 12/069 : using certificates or pre-s...

H04W 12/40 : Security arrangements using...

H04W 4/70 : Services for machine-to-mac...

H04W 40/005 : Routing actions in the pres...

H04W 52/0216 : using a pre-established act...

H04W 52/0235 : where the received signal i...

H04W 52/0277 : according to available powe...

H04W 76/27 : Transitions between radio r...

H04W 8/082 : for traffic bypassing of mo...

H04W 80/04 : Network layer protocols, e....

H04W 84/12 : WLAN [Wireless Local Area N...

H04W 88/12 : Access point controller dev...

H05K 999/99 : dummy group

Y02D 30/70 : in wireless communication n...

View All

Systems and Methods for "Machine-to-Machine" (M2M) Communications Between Modules, Servers, and an Application using Public Key Infrastructure (PKI)

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for "Machine-to-Machine" (M2M) Communications Between Modules, Servers, and an Application using Public Key Infrastructure (PKI)

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links