Method and apparatus for integrated provisioning of a network device with configuration information and identity certification

US 7,386,721 B1
Filed: 03/12/2003
Issued: 06/10/2008
Est. Priority Date: 03/12/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A provisioning server for integrated provisioning of a network device with configuration information and identity certification, comprising:

a configuration module that is adapted for configuring the network device; and

an identification certification module that is configured for certifying the identity of the network device;

wherein the network device comprises one or more of routers, or packet data switches, that function in a packet switched communication network and wherein the provisioning server is physically co-located with and coupled to the network device via a physically secure communication link and wherein the provisioning server is configured to read and write configuration information and parameters, key information and identity certification information to and from the network device over the link;

wherein the provisioning server is configured to read and write the configuration information, key information and identity certification information over the link without network connectivity to the network device over the link;

wherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity without a network connection between the network device and an external certificate authority; and

wherein the identification module is configured to;

generate a public key and a private key that are associated with the network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identification certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, configuration module configures the device for operation at the device'"'"'s point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation.

59 Citations

View as Search Results

22 Claims

1. A provisioning server for integrated provisioning of a network device with configuration information and identity certification, comprising:
- a configuration module that is adapted for configuring the network device; and
  
  an identification certification module that is configured for certifying the identity of the network device;
  
  wherein the network device comprises one or more of routers, or packet data switches, that function in a packet switched communication network and wherein the provisioning server is physically co-located with and coupled to the network device via a physically secure communication link and wherein the provisioning server is configured to read and write configuration information and parameters, key information and identity certification information to and from the network device over the link;
  
  wherein the provisioning server is configured to read and write the configuration information, key information and identity certification information over the link without network connectivity to the network device over the link;
  
  wherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity without a network connection between the network device and an external certificate authority; and
  
  wherein the identification module is configured to;
  
  generate a public key and a private key that are associated with the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The server of claim 1, wherein physically secure communication link is a serial cable.
  - 3. The server of claim 1, wherein a computer on which the server executes is mechanically and electrically coupled to the network device with an electrical cable.
  - 4. The server of claim 1, wherein the server resides on a portable computer-readable medium that is mechanically and electrically coupled to the network device.
  - 5. The server of claim 4, wherein the computer-readable medium comprises a removable flash memory.
  - 6. The server of claim 4, wherein the computer-readable medium comprises a smart card.
  - 7. The server of claim 1, wherein the configuration module is configured to configure the network device for operation at the device'"'"'s point of deployment in a network.
  - 8. The server of claim 1, wherein the identification certification module is configured to:
    - generate a digital certificate that is associated with a public key that is associated with the network device; and
      
      wherein the configuration module is configured to;
      
      configure the network device based on the digital certificate.
  - 9. The server of claim 8, wherein the identification module is configured to:
    - read, from the network device, the public key that is associated with the network device.
  - 10. The server of claim 1, wherein the identification certification module comprises an identity registrar for verifying information associated with a request for a digital certificate.
  - 11. The server of claim 10, wherein the identity registrar is a PKI registration authority.
  - 12. The server of claim 1, wherein the identification certification module comprises an identity registrar for verifying information associated with a request for a digital certificate and a certificate authority for issuing a digital certificate.

13. A method for integrated provisioning of a network device, the method comprising the computer-implemented steps of:
- in a provisioning server, configuring the network device at a provisioning location, for operation at a deployment location in a network; and
  
  in the provisioning server, certifying, from the provisioning location and without network connectivity, the identity of the network device;
  
  wherein the network device comprises one or more of routers, or packet data switches, that function in a packet switched communication network and wherein the provisioning server is physically co-located with and coupled to the network device via a physically secure communication link and wherein the provisioning server is configured to read and write configuration information and parameters, key information and identity certification information to and from the network device over the link;
  
  wherein the provisioning server is configured to read and write the configuration information, key information and identity certification information over the link without network connectivity to the network device over the link;
  
  wherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity without a network connection between the network device and an external certificate authority; and
  
  wherein the identification module is configured to;
  
  generate a public key and a private key that are associated with the network device.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the step of certifying comprises the steps of:
    - reading a public key associated with the network device;
      
      obtaining a digital certificate associated with the public key; and
      
      wherein the step of configuring includes configuring the network device based on the digital certificate.
  - 15. The method of claim 14, wherein the step of obtaining a digital certificate includes generating the digital certificate.
  - 16. The method of claim 14, wherein the step of obtaining a digital certificate includes the steps of:
    - verifying the identity of the network device based on information provided regarding the network device; and
      
      generating the digital certificate associated with the network device in response to verifying the identity of the network device.

17. A computer-readable medium carrying one or more sequences of instructions for provisioning of a network device, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- configuring the network device at a provisioning location, for operation at a deployment location in a network; and
  
  certifying, from the provisioning location and without network connectivity, the identity of the network device;
  
  wherein the network device comprises one or more of routers, or packet data switches, that function in a packet switched communication network and wherein the instructions are physically co-located with and communicate with the network device via a physically secure communication link and wherein the instructions are configured to read and write configuration information and parameters, key information and identity certification information to and from the network device over the link;
  
  wherein the instructions are configured to read and write the configuration information, key information and identity certification information over the link without network connectivity to the network device over the link;
  
  wherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity without a network connection between the network device and an external certificate authority; and
  
  wherein a identification module is configured to;
  
  generate a public key and a private key that are associated with the network device.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of certifying byreading a public key associated with the network device;
    - obtaining a digital certificate associated with the public key; and
      
      cause the one or more processors to carry out the step of certifying byconfiguring the network device based on the digital certificate.
  - 19. The computer-readable medium of claim 18, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of obtaining a digital certificate by generating the digital certificate.
  - 20. The computer-readable medium of claim 18, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of obtaining a digital certificate by carrying out the steps of:
    - verifying the identity of the network device based on information provided regarding the network device; and
      
      generating the digital certificate associated with the network device in response to verifying the identity of the network device.

21. A system for integrated provisioning of a network device, the system comprising:
- means for configuring the network device at a provisioning location, for operation at a deployment location in a network; and
  
  means for certifying, from the provisioning location and without network connectivity, the identity of the network device;
  
  wherein the network device comprises one or more of routers, or packet data switches, that function in a packet switched communication network and wherein the system is physically co-located with and coupled to the network device via a physically secure communication link and wherein the system is configured to read and write configuration information and parameters, key information and identity certification information to and from the network device over the link;
  
  wherein the system is configured to read and write the configuration information, key information and identity certification information over the link without network connectivity to the network device over the link;
  
  wherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity without a network connection between the network device and an external certificate authority; and
  
  wherein the identification module is configured to;
  
  generate the public key and a private key that are associated with the network device.

22. A device that can provision a network device, the device comprising:
- a processor;
  
  a computer-readable medium comprising one or more stored sequences which, when executed by the processor, cause the processor to carry out the steps of;
  
  configuring the network device at a provisioning location, for operation at a deployment location in a network; and
  
  certifying, from the provisioning location and without network connectivity, the identity of the network device;
  
  wherein the network device comprises one or more of routers, or packet data switches, that function in a packet switched communication network and wherein the device is physically co-located with and coupled to the network device via a physically secure communication link and wherein the device is configured to read and write configuration information and parameters, key information and identity certification information to and from the network device over the link;
  
  wherein the device is configured to read and write the configuration information, key information and identity certification information over the link without network connectivity to the network device over the link;
  
  wherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity without a network connection between the network device and an external certificate authority; and
  
  wherein the identification module is configured to;
  
  generate the public key and a private key that are associated with the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vilhuber, Jan, Pritikin, Max
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
NOBAHAR, ABDULHAKIM

Application Number

US10/388,246
Time in Patent Office

1,917 Days
Field of Search

713/156, 713/153, 726/11, 726/18
US Class Current

713/156
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for integrated provisioning of a network device with configuration information and identity certification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for integrated provisioning of a network device with configuration information and identity certification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links