Mesh networks with end device recognition
First Claim
1. A router comprising:
a certificate associated with the router and defined by a producing entity of the router and including a name and a signature, the signature created by performing an operation on the name using a private signing key of the producing entity of the router;
a list stored in the router, the list:
enumerating one or more routers each being a member of a predetermined neighborhood of which the router is also a member, the one or more routers each authenticating itself with the router; and
mapping, for each of the one or more routers in the predetermined neighborhood, a copy of a certificate to a corresponding router;
at least one processor; and
one or more media including processor-executable instructions that are capable of being executed by the at least one processor, the processor-executable instructions adapted to direct the router to perform actions comprising:
receiving, from an end device with which the router has not established a trust relationship, a request comprising a first and a second certificate, wherein:
the first certificate is a certificate of a first router that authenticates the end device, the first certificate comprising a public key of a public-private key pair associated with the first router; and
the second certificate is a certificate associated with the end device, the second certificate having a signature signed by the first router using a private key of the public-private key pair associated with the first router;
ascertaining the first router is an authenticated member of the predetermined neighborhood by looking up the first router in the list stored in the router;
determining the first certificate is valid by comparing the first certificate with a copy in the list of the certificate mapped to the first router;
determining the second certificate is valid without routing the second certificate to the first router for its validation, the determining comprising performing, at the router, a signature verification procedure on the signature of the second certificate to verify, based on the public key in the first certificate, that the signature is signed by the first router; and
in an event the first router is ascertained to be a member of the predetermined neighborhood and the first and second certificates are determined to be valid, recognizing the end device as having a privileged status;
the privileged status relating to level of service.
Abstract
An exemplary router performs actions including: receiving at least one certificate from an end device, the at least one certificate issued by another router; ascertaining if the other router is a member of a predetermined neighborhood; determining if the at least one certificate is valid; and if the other router is ascertained to be a member of the predetermined neighborhood and the at least one certificate is determined to be valid, recognizing the end device as privileged. An exemplary mesh router is capable of establishing a wireless mesh network with other mesh routers; the mesh router is further capable of designating a neighborhood administrator mesh router; and the mesh router is adapted to grant privileged status to a particular end device associated with a particular certificate issued by a particular mesh router when the particular mesh router is a member of a neighborhood of the designated neighborhood administrator mesh router.
Claims
1. Independent claim 1 is reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. One or more processor-accessible storage media having processor-executable instructions stored thereon that, when executed by a first router, configure the first router to implement an arrangement module, the arrangement module comprising:
receiver means for receiving a request from an end device with which the first router has not established a trust relationship, the request comprising a first and a second certificate, wherein:
the first certificate is a certificate of a second router to which the end device is affiliated; and
the second certificate is a certificate associated with the end device and signed by the second router;
ascertaining means for ascertaining if the second router is a member of a predetermined neighborhood, the ascertaining comprising looking up the second router in a list locally stored in the first router;
determination means for determining the first and second certificate are valid, the determination means including operation means for performing a public key operation on the second certificate using a public key from the first certificate that is associated with the second router to which the end device is affiliated, the first certificate defined by a producing entity and including a signature created using a private signing key of the producing entity, wherein the determining is performed at the arrangement module without routing the first and second certificate to the second router for its validation; and
recognition means for recognizing the end device as having a privileged status responsive to the ascertaining means and the determination means.
Dependent claims: 14, 15, 16, 17, 18, 19.
20. A mesh router including an associated certificate defined by a producing entity of the mesh router, the associated certificate including a signature created by performing an operation on a name of the mesh router using a private signing key of the producing entity of the mesh router, the mesh router configured to perform actions comprising:
establishing a connection with an end device over a wireless link in a multi-hop wireless network;
receiving a request from the end device with which the mesh router has not established a trust relationship, the request comprising a certificate associated with the end device, the certificate having a signature from a second mesh router to which the end device is affiliated;
performing a signature verification procedure on the signature of the certificate without routing the request to the second mesh router for validation by the second mesh router, the signature verification procedure comprising verifying the signature based on an available public key of the second mesh router; and
in an event the signature verification procedure is successful, granting the end device preferred access.
Dependent claims: 21, 22, 23.
24. A mesh router that is capable of establishing a wireless mesh network with other mesh routers, the mesh router further capable of designating a neighborhood administrator mesh router;
the mesh router adapted to grant privileged status to a particular end device with which the mesh router has not established a trust relationship, the particular end device being associated with a particular certificate issued by a particular mesh router other than the mesh router when the particular mesh router is a member of a neighborhood of the designated neighborhood administrator mesh router, the mesh router including an associated certificate defined by a producing entity of the mesh router, the associated certificate including a name and a signature, the signature created by performing an operation on the name using a private signing key of the producing entity of the mesh router, wherein:
the particular certificate associated with the end device comprises a signature signed by a private key of a public-private key pair associated with the particular mesh router; and
a signature verification procedure is performed at the mesh router to verify if the particular certificate is signed by the particular mesh router through an available public key of the public-private key pair associated with the particular mesh router without sending the particular certificate to the particular mesh router for its validation.
Dependent claims: 25, 26, 27, 28, 29.
30. A method of enabling end device recognition at a first router, the method comprising:
receiving, at the first router, a request from an end device with which the first router has not established a trust relationship, the request comprising a first and a second certificate, wherein:
the first certificate is a certificate of a second router to which the end device is affiliated, the first certificate comprising a public key of a public-private key pair associated with the second router; and
the second certificate is a certificate associated with the end device and having a signature signed by the second router using a private key of the public-private key pair associated with the second router;
ascertaining the second router is a member of a predetermined neighborhood by looking up the second router in a list, wherein the list enumerates all members of the predetermined neighborhood and the list is stored in the first router;
determining the second certificate is valid without routing the second certificate to the second router for its validation, the determining comprising performing, at the first router, a signature verification procedure on the signature of the second certificate to verify, based on the public key in the first certificate, that the signature is signed by the second router; and
recognizing the end device as having a privileged status in an event the second router is a member of the predetermined neighborhood and the second certificate passes the signature verification procedure.
Dependent claims: 31, 32, 33, 34, 35.
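The end device recognition flow of the first claim and of claim 30 (neighborhood lookup, comparison of the issuing router's certificate with the locally stored copy, and local signature verification of the device certificate with the public key taken from the router certificate), as an added example that is not the patent's own code or any product's implementation. It uses Ed25519 from Go's standard library as a stand-in for the signature scheme the claims leave unspecified; the certificate field names, the signed payload formats and the binding of the router's public key into the producer-signed router certificate are this example's assumptions, not the patent's.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RouterCert is issued by the producing entity. The claim signs the router's
// name; also binding the public key into the signed payload is an assumption here.
type RouterCert struct {
	Name      string
	PublicKey ed25519.PublicKey
	Signature []byte // producer signature over routerCertPayload
}

type DeviceCert struct {
	DeviceName string
	IssuerName string
	Signature  []byte // issuing router's signature over deviceCertPayload
}

// Router keeps its key pair and certificate, the producer's public key, and the
// neighborhood list mapping each authenticated neighbor to a copy of its certificate.
type Router struct {
	Cert         RouterCert
	priv         ed25519.PrivateKey
	producerPub  ed25519.PublicKey
	Neighborhood map[string]RouterCert
}

func routerCertPayload(name string, pub ed25519.PublicKey) []byte { return append([]byte("router:"+name+":"), pub...) }
func deviceCertPayload(device, issuer string) []byte           { return []byte("device:" + device + ":issuer:" + issuer) }

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewProducer generates the producing entity's private signing key (constructed for the example).
func NewProducer() ed25519.PrivateKey { _, priv := genKey(); return priv }

// NewRouter generates a router key pair and has the producer sign the router's certificate.
func NewRouter(producer ed25519.PrivateKey, name string) *Router {
	pub, priv := genKey()
	cert := RouterCert{Name: name, PublicKey: pub, Signature: ed25519.Sign(producer, routerCertPayload(name, pub))}
	return &Router{Cert: cert, priv: priv, producerPub: producer.Public().(ed25519.PublicKey), Neighborhood: map[string]RouterCert{}}
}

// Enroll is a neighbor authenticating itself: its certificate enters the list
// only if the producer's signature on it verifies.
func (r *Router) Enroll(n RouterCert) bool {
	if !ed25519.Verify(r.producerPub, routerCertPayload(n.Name, n.PublicKey), n.Signature) {
		return false
	}
	r.Neighborhood[n.Name] = n
	return true
}

// IssueDeviceCert is the affiliated router signing a device certificate with its private key.
func (r *Router) IssueDeviceCert(device string) DeviceCert {
	return DeviceCert{DeviceName: device, IssuerName: r.Cert.Name,
		Signature: ed25519.Sign(r.priv, deviceCertPayload(device, r.Cert.Name))}
}

func sameCert(a, b RouterCert) bool { return a.Name == b.Name && bytes.Equal(a.PublicKey, b.PublicKey) && bytes.Equal(a.Signature, b.Signature) }

// Recognize runs the claim's checks entirely locally: neighborhood lookup, comparison of
// the presented first certificate with the stored copy, then verification of the second
// certificate's signature with the public key from the first. The issuing router is never contacted.
func (r *Router) Recognize(first RouterCert, second DeviceCert) (bool, error) {
	stored, ok := r.Neighborhood[first.Name]
	if !ok {
		return false, errors.New("issuing router is not in the neighborhood list")
	}
	if !sameCert(first, stored) {
		return false, errors.New("first certificate does not match the stored copy")
	}
	if second.IssuerName != first.Name {
		return false, errors.New("second certificate names a different issuer")
	}
	if !ed25519.Verify(first.PublicKey, deviceCertPayload(second.DeviceName, second.IssuerName), second.Signature) {
		return false, errors.New("second certificate signature does not verify")
	}
	return true, nil
}

func main() {
	producer := NewProducer()
	a, b := NewRouter(producer, "router-A"), NewRouter(producer, "router-B")
	b.Enroll(a.Cert) // A authenticates itself with B, which stores a copy of A's certificate
	ok, err := b.Recognize(a.Cert, a.IssueDeviceCert("phone-1"))
	fmt.Println("privileged:", ok, err)
}
```

The decision is made with only the two certificates in the request and the list the router already holds, which is the point of the claims: no message goes back to the issuing router. A device presenting a certificate from a router outside the neighborhood, an altered device certificate, or a router certificate that differs from the stored copy is refused, and the returned error names the check that failed, which is what a router should log when it denies privileged status.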
Specification