Method, apparatus, and program product for automatically provisioning secure network elements

US 7,581,096 B2
Filed: 09/05/2003
Issued: 08/25/2009
Est. Priority Date: 08/30/2002
Status: Active Grant

First Claim

Patent Images

1. A computer controlled method in a provisioning device in a networked computer system comprising an execution mechanism configured to execute the method, the method comprising:

establishing communication between the provisioning device and the network device over a preferred channel, wherein the preferred channel is a bidirectional, location-limited channel which has a demonstrative identification property and an authenticity property;

pre-authenticating said network device, wherein pre-authenticating said network device involves;

exchanging key commitment information between said provisioning device and said network device over said bidirectional preferred channel;

exchanging keys between said provisioning device and said network device over a bidirectional channel other than the preferred channel; and

verifying the received keys using the received key commitment information on both the said provisioning device and said network device;

providing provisioning information to said network device over said bidirectional preferred channel, wherein the provisioning information comprises;

a first set of provisioning information which is used exclusively to establish secure and authenticated communication between the provisioning device and the said network device using a second channel; and

other provisioning information comprising at least one of application-specific information and device-specific assignment information;

whereby said network device can automatically configure itself for secure communication over a network responsive to said first and other provisioning information, wherein the secure communication can be over the second channel.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.

100 Citations

View as Search Results

21 Claims

1. A computer controlled method in a provisioning device in a networked computer system comprising an execution mechanism configured to execute the method, the method comprising:
- establishing communication between the provisioning device and the network device over a preferred channel, wherein the preferred channel is a bidirectional, location-limited channel which has a demonstrative identification property and an authenticity property;
  
  pre-authenticating said network device, wherein pre-authenticating said network device involves;
  
  exchanging key commitment information between said provisioning device and said network device over said bidirectional preferred channel;
  
  exchanging keys between said provisioning device and said network device over a bidirectional channel other than the preferred channel; and
  
  verifying the received keys using the received key commitment information on both the said provisioning device and said network device;
  
  providing provisioning information to said network device over said bidirectional preferred channel, wherein the provisioning information comprises;
  
  a first set of provisioning information which is used exclusively to establish secure and authenticated communication between the provisioning device and the said network device using a second channel; and
  
  other provisioning information comprising at least one of application-specific information and device-specific assignment information;
  
  whereby said network device can automatically configure itself for secure communication over a network responsive to said first and other provisioning information, wherein the secure communication can be over the second channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer controlled method of claim 1, wherein said provisioning information comprises network configuration information.
  - 3. The computer controlled method of claim 1, further comprisingreceiving a public key from said network device;
    - verifying said public key with said key commitment information; and
      
      automatically provisioning said network device with a credential authorized by a credential issuing authority.
  - 4. The computer controlled method of claim 3, further comprising establishing proof that said network device is in possession of a private key corresponding to said public key.
  - 5. The computer controlled method of claim 3, wherein said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 6. The computer controlled method of claim 3, wherein the step of automatically provisioning is responsive to authorization from a registration agent.
  - 7. The computer controlled method of claim 1, wherein the network is a wireless network, and wherein said provisioning device is a wireless access point.
  - 8. The computer controlled method of claim 7, further comprising:
    - receiving a wireless communication;
      
      determining whether said wireless communication originated from said network device or from a second network device that was not provisioned by said wireless access point; and
      
      routing said wireless communication responsive to the step of determining.
  - 9. The computer controlled method of claim 8, wherein the step of routing comprises:
    - choosing a selected channel from a secure channel and an insecure channel responsive to the step of determining; and
      
      sending said wireless communication through said selected channel.
  - 10. The computer controlled method of claim 1, wherein said provisioning device is in communication with a credential issuing authority.

11. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method to provision a network device, the method comprising steps of:
- establishing communication between the provisioning device and said network device over a preferred channel, wherein the preferred channel is a bidirectional, location-limited channel which has a demonstrative identification property and an authenticity property;
  
  pre-authenticating said network device, wherein pre-authenticating said network device involves;
  
  exchanging key commitment information between said provisioning device and said network device over said bidirectional preferred channel;
  
  exchanging keys between said provisioning device and said network device over a bidirectional channel other than the preferred channel; and
  
  verifying the received keys using the received key commitment information on both the said provisioning device and said network device;
  
  providing provisioning information to said network device over said bidirectional preferred channel, wherein the provisioning information comprises;
  
  a first set of provisioning information which is used exclusively to establish secure and authenticated communication between the provisioning device and the said network device using a second channel; and
  
  other provisioning information comprising at least one of application-specific information and device-specific assignment information;
  
  whereby said network device can automatically configure itself for secure communication over a network responsive to said first and other provisioning information, wherein the secure communication can be over the second channel.
- View Dependent Claims (12, 13)
- - 12. The computer-readable storage medium of claim 11, further comprisingreceiving a public key from said network device;
    - verifying said public key with said key commitment information; and
      
      automatically provisioning said network device with a credential authorized by a credential issuing authority.
  - 13. The computer-readable storage medium of claim 11, wherein the network is a wireless network, and wherein said provisioning device is a wireless access point.

14. An apparatus for provisioning a network device comprising:
- at least one port configured to establish a preferred channel;
  
  a preferred communication mechanism configured to be able to establish communication with and said network device over said preferred channel, wherein the preferred channel is a bidirectional, location-limited channel which has a demonstrative identification property and an authenticity property;
  
  a pre-authentication mechanism configured to be able to;
  
  receive key commitment information over said preferred channel from said network device;
  
  exchange keys between said provisioning device and said network device over a bidirectional other than the preferred channel; and
  
  verify the received keys using the received key commitment information on both said provisioning device and said network device;
  
  a provisioning mechanism configured to provide provisioning information to said network device over said bidirectional preferred channel, wherein the provisioning information comprises;
  
  a first set of provisioning information which is used exclusively to establish secure and authenticated communication between the provisioning device and the said network device using a second channel; and
  
  other provisioning information comprising at least one of application-specific information and device-specific assignment information;
  
  whereby said network device can automatically configure itself for secure communication over a network responsive to said first and other provisioning information, wherein the secure communication can be over the second channel.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The apparatus of claim 14, wherein said provisioning information comprises network configuration information.
  - 16. The apparatus of claim 14, further comprisinga key reception mechanism configured to receive a public key;
    - a key verification mechanism configured to verify said public key with said key commitment information; and
      
      a credential provisioning mechanism configured to automatically provide a credential authorized by a credential issuing authority.
  - 17. The apparatus of claim 16, further comprising a key exchange mechanism configured to be able to perform a key exchange protocol with said network device.
  - 18. The apparatus of claim 16, wherein said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 19. The apparatus of claim 16, further comprising:
    - a packet receiver mechanism configured to receive a wireless communication;
      
      a determination mechanism configured to determine whether said wireless communication received by the packet receiver mechanism originated from said network device or from a second network device that was not provisioned by said wireless access point; and
      
      a router mechanism configured to route said wireless communication responsive to the determination mechanism.
  - 20. The apparatus of claim 19, wherein the router mechanism further comprises:
    - channel selection mechanism configured to choose a selected channel from a secure channel and an insecure channel responsive to the determination mechanism; and
      
      a transmission mechanism configured to send said wireless communication through said selected channel.
  - 21. The apparatus of claim 14, further comprising a non-preferred communication mechanism that can be used to communicate with a credential issuing authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Xerox Corporation (Xerox Holdings Corp.)
Inventors
Smetters, Diana K., Balfanz, Dirk, Durfee, Glenn E., Wong, Hao-Chi, Grinter, Rebecca E., Stewart, Paul Joseph
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PATEL, NIRAV B

Application Number

US10/656,494
Publication Number

US 20040107366A1
Time in Patent Office

2,181 Days
Field of Search

713168-171, 713/150, 713/155, 713/156, 713/175, 380/258, 380/255, 380/270, 380/278, 455/410, 455/411, 726/2, 726/4, 726/5, 726/8, 726/18, 726/6
US Class Current

713/168
CPC Class Codes

H04L 12/1822   Conducting the conference, ...

H04L 63/0492   by using a location-limited...

H04L 63/065   for group communications cr...

H04L 63/0853   using an additional device,...

H04L 67/12   specially adapted for propr...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04W 12/062   Pre-authentication

Method, apparatus, and program product for automatically provisioning secure network elements

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Method, apparatus, and program product for automatically provisioning secure network elements

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others