METHOD AND SYSTEM FOR PRODUCING A SECURE COMMUNICATION CHANNEL FOR TERMINALS

US 20170033931A1
Filed: 07/26/2016
Published: 02/02/2017
Est. Priority Date: 07/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method for producing a secure communication channel for a terminal, the method having the following steps of:

setting up a secure communication channel between a communication partner and a backend by a communication protocol, an item of channel binding information respectively being stipulated for the backend and for the communication partner by the communication protocol;

producing a communication channel between the communication partner and the terminal;

transmitting the channel binding information relating to the secure communication channel to the terminal by the communication partner;

storing the channel binding information on the terminal;

creating a data structure and a first digital signature across the data structure by the backend using a first private key, the digital signature being able to be checked using a first public key;

sending the data structure and the digital signature from the backend to the terminal; and

checking authenticity of the data structure using a checking algorithm for verifying the digital signature using the public key by the terminal and/or by the communication partner.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, backend, terminal, and computer program product are disclosed for producing a secure communication channel for a terminal, the method having the following method steps. A first method step for setting up a secure communication channel between a communication partner and a backend by a communication protocol. A second method step for producing a communication channel between the communication partner and the terminal. A third method step for transmitting the channel binding information. A fourth method step for storing the channel binding information on the terminal. A fifth method step for creating a data structure and a first digital signature across the data structure y. A sixth method step for sending the data structure and the digital signature from the backend to the terminal. A seventh method step for checking authenticity of the data structure.

17 Citations

View as Search Results

30 Claims

1. A method for producing a secure communication channel for a terminal, the method having the following steps of:
- setting up a secure communication channel between a communication partner and a backend by a communication protocol, an item of channel binding information respectively being stipulated for the backend and for the communication partner by the communication protocol;
  
  producing a communication channel between the communication partner and the terminal;
  
  transmitting the channel binding information relating to the secure communication channel to the terminal by the communication partner;
  
  storing the channel binding information on the terminal;
  
  creating a data structure and a first digital signature across the data structure by the backend using a first private key, the digital signature being able to be checked using a first public key;
  
  sending the data structure and the digital signature from the backend to the terminal; and
  
  checking authenticity of the data structure using a checking algorithm for verifying the digital signature using the public key by the terminal and/or by the communication partner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 29, 30)
- - 2. The method as claimed in claim 1, the method having an additional method step for sending security information or/and identity information from the terminal to the backend via the communication partner, the method having, in particular, the following method steps of:
    - sending the security information and identity information relating to the terminal from the terminal to the communication partner;
      
      sending the security information and identity information relating to the terminal from the communication partner to the backend via the secure communication channel.
  - 3. The method as claimed in claim 1, wherein the data structure comprising the channel binding information and/or basic information from the backend.
  - 4. The method as claimed in claim 1, wherein a signal being provided by the terminal and/or by the communication partner if the checking algorithm determines invalid authenticity.
  - 5. The method as claimed in claim 1, wherein the first public key being provided for the terminal, a certification authority or the backend, in particular, providing the first public key.
  - 6. The method as claimed in claim 3, wherein the basic information from the backend comprising an item of configuration information, the configuration information comprising, in particular, an item of licensing information and/or program code for executing a command which is executed by the terminal on the terminal.
  - 7. The method as claimed in claim 2, wherein the terminal) having a second key pair in the form of a second public key and a second private key, which key pair is used to generate a second digital signature for the security information from the terminal.
  - 8. The method as claimed in claim 7, wherein the communication partner checking second authenticity of the security information using the second public key.
  - 9. The method as claimed in claim 2, wherein the security information having a nonce and/or an identifier of a certificate of the terminal and/or only a fingerprint of the second public key.
  - 10. The method as claimed in claim 2, wherein the security information and/or the channel binding information and/or the identity information being completely or partially included in the first digital signature.
  - 11. The method as claimed in claim 1, wherein the data structure and/or the first digital signature comprising an item of legitimacy information which causes the terminal to switch on particular programming, in particular.
  - 12. The method as claimed in claim 1, wherein the data structure being expanded with the first digital signature.
  - 13. The method as claimed in claim 2, wherein the data structure additionally comprising the security information and/or identity information from the terminal.
  - 14. The method as claimed in claim 1, wherein the checking algorithm additionally checking the stored channel binding information and the channel binding information in order to determine the authenticity, the checking algorithm being executed, in particular, on the terminal and/or on the communication partner.
  - 15. The method as claimed in claim 2, wherein the communication partner concomitantly sending additional information during the sending of the security information and identity information from the communication partner to the backend, the additional information comprising an item of user information.
  - 16. The method as claimed in claim 1, wherein the first public key being concomitantly sent during the sending of the data structure.
  - 17. The method as claimed in claim 1, wherein the public key being made available to the terminal at an earlier time, the earlier time being, the manufacturing time of the terminal, the public key being protected, from being changed on the terminal.
  - 18. The method as claimed in claim 1, wherein the first private key being a secret which is known to the backend, the secret being known, exclusively to the backend.
  - 19. The method as claimed in claim 1, wherein the terminal having only non-security-critical information.
  - 20. The method as claimed in claim 1, wherein the secure communication channel being produced by a symmetrical method, the symmetrical method using, authentication with a username and a password, or the secure communication channel being produced by an asymmetrical method, the asymmetrical method using a digital certificate.
  - 21. The method as claimed in claim 4, wherein the signal being evaluated by the backend or a further communication partner.
  - 22. The method as claimed in claim 1, wherein the secure communication channel meeting security requirements stipulated by the backend, the terminal checking, the first signature in order to determine whether the communication channel actually meets the security requirements of the backend.
  - 23. The method as claimed in claim 1, wherein the first public key being checked by the communication partner before the first public key is forwarded to the terminal, the public key being a certificate, the certificate being validated, in particular, against a known issuer, the validation of the certificate comprising a validity and/or a rejection status.
  - 29. A computer program product having program instructions for carrying out the method as claimed in claim 1.
  - 30. A provision apparatus for the computer program product as claimed in claim 29, the provision apparatus storing and/or providing the computer program product.

24. A backend havinga first cryptography device;
- a production device for creating a data structure and a first digital signature across the data structure using the first cryptography device and a first private key, the first digital signature being able to be checked using a first public key;
  
  a first communication device which is programmed by a first processorto send the data structure and the first digital signature to a terminal;
  
  to set up a secure communication channel to a communication partner by a communication protocol using the first cryptography device, an item of channel binding information respectively being stipulated by the communication protocol for the backend and for the communication partner.

25. A communication partner havinga second cryptography device;
- a second communication device which is programmed by a second processorto set up a secure communication channel to a backend using the second cryptography device, an item of channel binding information respectively being stipulated, by the communication protocol for the backend and for the communication partner,to set up a communication channel to a terminal, andto send the channel binding information to the terminal.

26. A terminal havinga third communication device which is programmed by a third processorto set up a communication channel to a communication partner, an item of channel binding information respectively being stipulated, by the communication protocol for a backend and for the communication partner;
- to receive the channel binding information and/or a data structure and/or a first digital signature and/or a public key, the first digital signature having been produced across the data structure, by the backend using a first private key;
  
  a checking device for checking authenticity of the data structure by a checking algorithm using the first digital signature and the public key;
  
  a memory for storing the channel binding information and/or the data structure and/or the first digital signature and/or the first public key.

27. A system having:
- a backend havinga first cryptography device;
  
  a production device for creating a data structure and a first digital signature across the data structure using the first cryptography device and a first private key, the first digital signature being able to be checked using a first public key;
  
  a first communication device which is programmed by a first processorto send the data structure and the first digital signature to a terminal;
  
  to set up a secure communication channel to a communication partner by a communication protocol using the first cryptography device, an item of channel binding information respectively being stipulated by the communication protocol for the backend and for the communication partner;
  
  the communication partner havinga second cryptography device;
  
  a second communication device which is programmed by a second processorto set up the secure communication channel to the backend using the second cryptography device,to set up a communication channel to the terminal, andto send the channel binding information to the terminal;
  
  the terminal havinga third communication device which is programmed by a third processorto set up the communication channel to the communication partner,to receive the channel binding information and/or the data structure and/or the first digital signature and/or the public key;
  
  a checking device for checking authenticity of the data structure by a checking algorithm using the first digital signature and the public key;
  
  a memory for storing the channel binding information and/or the data structure and/or the first digital signature and/or the first public key.
- View Dependent Claims (28)
- - 28. The system as claimed in claim 27, the system being a virtualized system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
SCHAFHEUTLE, MARCUS, FRIES, STEFFEN

Granted Patent

US 10,243,745 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/123   received data contents, e.g...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04W 12/06   Authentication

METHOD AND SYSTEM FOR PRODUCING A SECURE COMMUNICATION CHANNEL FOR TERMINALS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR PRODUCING A SECURE COMMUNICATION CHANNEL FOR TERMINALS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links