SECURING COMMUNICATION WITHIN A NETWORK ENDPOINT

US 20170187698A1
Filed: 03/15/2017
Published: 06/29/2017
Est. Priority Date: 10/03/2013
Status: Active Grant

First Claim

Patent Images

1. A network endpoint device, comprising:

a communication module configured to communicate with a network and to communicate with a first module and a second module via a bidirectional communication path, wherein the first module, the second module, and the bidirectional communication path are within the network endpoint device;

the first module;

the second module; and

the bidirectional communication path, wherein the bidirectional communication path includes a first secure paired channel between the communication module and the first module established by an exchange of a first pairing key between the communication module and the first module, and a second secure paired channel between the communication module and the second module established by an exchange of a second pairing key between the communication module and the second module, andwherein the communication module is operable to receive a communication from an external network device that includes security data and requests a secure channel to the network endpoint device, to send the security data to the first module using the first secure paired channel and the first pairing key, and to send the security data to the second module using the second secure paired channel and the second pairing key, wherein the first pairing key, the second pairing key, and the security data are distinct.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing communication within a network endpoint, for example, a meter. The meter may include a communication module and a metrology module where the modules are connected via a communication path that is external to both modules. The modules exchange a pairing key to establish a paired channel of communication. When the communication module receives a communication through a network for establishing a secure channel to the endpoint, the communications module sends some or all of the security data to the metrology module to establish a secure communication from a head-end system through the communication module to the metrology module.

1 Citation

20 Claims

1. A network endpoint device, comprising:
- a communication module configured to communicate with a network and to communicate with a first module and a second module via a bidirectional communication path, wherein the first module, the second module, and the bidirectional communication path are within the network endpoint device;
  
  the first module;
  
  the second module; and
  
  the bidirectional communication path, wherein the bidirectional communication path includes a first secure paired channel between the communication module and the first module established by an exchange of a first pairing key between the communication module and the first module, and a second secure paired channel between the communication module and the second module established by an exchange of a second pairing key between the communication module and the second module, andwherein the communication module is operable to receive a communication from an external network device that includes security data and requests a secure channel to the network endpoint device, to send the security data to the first module using the first secure paired channel and the first pairing key, and to send the security data to the second module using the second secure paired channel and the second pairing key, wherein the first pairing key, the second pairing key, and the security data are distinct.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The network endpoint device of claim 1, wherein the first module is operable to receive a second communication from the communication module and to decrypt network data associated with the second communication using the security data.
  - 3. The network endpoint device of claim 1, wherein the first module is operable to receive a second communication from the communication module and to verify at least one key associated with the second communication using the security data.
  - 4. The network endpoint device of claim 1, wherein the first module is operable to encrypt module data using the security data and send the encrypted data in a second communication to the communication module via the first paired channel using the first pairing key.
  - 5. The network endpoint device of claim 4, wherein the first module is further operable to include keying data in the second communication sent to the communication module.
  - 6. The network endpoint device of claim 1, wherein the communication module is operable to receive a second communication from the network, wherein the second communication includes network data, to select the first module as a recipient, and to send the second communication to the first module via the first paired channel using the first pairing key.
  - 7. The network endpoint device of claim 1, wherein the communication module is operable to receive a second communication, and to send the second communication to the first module and the second module by:
    - sending the second communication to the first module using the first paired channel and the first pairing key; and
      
      sending the second communication to the second module using the second paired channel and the second pairing key.
  - 8. The network endpoint device of claim 1, wherein the first module is a metrology module.

9. A method for securing communications within a network, wherein the network includes a plurality of endpoints and a first endpoint includes a communication module and at least one additional module, comprising:
- receiving, by the communication module, a network communication that includes security data to establish a secure channel between a central system and the first endpoint;
  
  sending, by the communication module, the security data to a first additional module via a secure paired channel using a first pairing key, wherein the secure paired channel was previously established by an exchange of the first pairing key between the communication module and the first additional module, and the first pairing key and the security data are distinct;
  
  receiving, by the communication module, a second network communication that includes network data;
  
  determining, by the communication module, that the first additional module is a recipient for the second network communication;
  
  sending, by the communication module, the second network communication to the first additional module via the secure paired channel using the first pairing key; and
  
  verifying, by the first additional module, a key associated with the second network communication using the security data.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising:
    - decrypting, by the first additional module, the network data of the second network communication using the security data.
  - 11. The method of claim 9, further comprising:
    - sending, by the communication module, the security data to a second additional module via a second secure paired channel using a second pairing key, wherein the second secure paired channel was previously established by an exchange of the second pairing key between the communication module and the second additional module.
  - 12. The method of claim 11, further comprising:
    - receiving, by the communication module, a third network communication;
      
      determining, by the communication module, that the second additional module is a recipient for the third network communication;
      
      verifying, by the communication module, a key associated with the third network communication using the security data;
      
      sending, by the communication module, data from the third network communication to the second additional module via the second secure paired channel using the second pairing key.
  - 13. The method of claim 11, further comprising:
    - decrypting, by the second additional module, the data of the third network communication using the security data.
  - 14. The method of claim 9, further comprising:
    - replacing the first additional module with a replacement module; and
      
      establishing a secure channel between the communication module and the replacement module using the first pairing key or a replacement pairing key.

15. A network endpoint device, comprising:
- a communication module, including a communication device for wirelessly communicating with a network device via a network;
  
  at least one additional module; and
  
  a bidirectional communication path connecting the communication module and the at least one additional module, wherein the bidirectional communication path includes a first paired channel established by an exchange of a first pairing key between the communication module and the at least one additional module,wherein the communication module is operable to receive a communication from the network device via the communication device that includes security data and that requests a secure channel to the network endpoint device, and to send the security data to the at least one additional module using the first paired channel and the first pairing key, wherein the security data and the first pairing key are distinct, andwherein the at least one additional module is operable to use the security data to decrypt data received from the network and encrypt module data sent to the network device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network endpoint device of claim 15, further comprising:
    - a second additional module,wherein the bidirectional communication path connects the communication module and the second additional module, and further includes a second paired channel established by an exchange of a second pairing key between the communication module and the second additional module.
  - 17. The network endpoint device of claim 15, wherein the at least one additional module is a metrology module and includes measurement circuitry.
  - 18. The network endpoint device of claim 15, wherein the at least one additional module is operable to receive a second communication from the communication module and to verify at least one key associate with the second communication using the security data.
  - 19. The network endpoint device of claim 16, wherein the communication module is operable to receive a second communication and to determine whether to send the second communication to the at least one additional module or to the second additional module.
  - 20. The network endpoint device of claim 16, wherein the communication module is operable to receive a second communication and to verify at least one key associated with the second communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Landis+Gyr Technology, Inc. (Landis+Gyr Group AG)
Original Assignee
Landis+Gyr Innovations Incorporated (Landis+Gyr Group AG)
Inventors
Salazar, Ruben, Chasko, Stephen

Granted Patent

US 9,900,296 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

H04L 63/18   using different networks or...

H04L 67/12   specially adapted for propr...

SECURING COMMUNICATION WITHIN A NETWORK ENDPOINT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

1 Citation

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING COMMUNICATION WITHIN A NETWORK ENDPOINT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1 Citation

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links