Method, apparatus, and program product for automatically provisioning secure network elements
Abstract
We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.
21 Claims
1. A computer controlled method in a provisioning device in a networked computer system comprising an execution mechanism configured to execute the method, the method comprising:
establishing communication between the provisioning device and the network device over a preferred channel, wherein the preferred channel is a bidirectional, location-limited channel which has a demonstrative identification property and an authenticity property;
pre-authenticating said network device, wherein pre-authenticating said network device involves:
exchanging key commitment information between said provisioning device and said network device over said bidirectional preferred channel;
exchanging keys between said provisioning device and said network device over a bidirectional channel other than the preferred channel; and
verifying the received keys using the received key commitment information on both said provisioning device and said network device;
providing provisioning information to said network device over said bidirectional preferred channel, wherein the provisioning information comprises:
a first set of provisioning information which is used exclusively to establish secure and authenticated communication between the provisioning device and said network device using a second channel; and
other provisioning information comprising at least one of application-specific information and device-specific assignment information;
whereby said network device can automatically configure itself for secure communication over a network responsive to said first and other provisioning information, wherein the secure communication can be over the second channel.
Dependent claims 2 through 10 depend from claim 1.
11. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method to provision a network device, the method comprising steps of:
establishing communication between the provisioning device and said network device over a preferred channel, wherein the preferred channel is a bidirectional, location-limited channel which has a demonstrative identification property and an authenticity property;
pre-authenticating said network device, wherein pre-authenticating said network device involves:
exchanging key commitment information between said provisioning device and said network device over said bidirectional preferred channel;
exchanging keys between said provisioning device and said network device over a bidirectional channel other than the preferred channel; and
verifying the received keys using the received key commitment information on both said provisioning device and said network device;
providing provisioning information to said network device over said bidirectional preferred channel, wherein the provisioning information comprises:
a first set of provisioning information which is used exclusively to establish secure and authenticated communication between the provisioning device and said network device using a second channel; and
other provisioning information comprising at least one of application-specific information and device-specific assignment information;
whereby said network device can automatically configure itself for secure communication over a network responsive to said first and other provisioning information, wherein the secure communication can be over the second channel.
Dependent claims 12 and 13 depend from claim 11.
14. An apparatus for provisioning a network device comprising:
at least one port configured to establish a preferred channel;
a preferred communication mechanism configured to be able to establish communication with said network device over said preferred channel, wherein the preferred channel is a bidirectional, location-limited channel which has a demonstrative identification property and an authenticity property;
a pre-authentication mechanism configured to be able to:
receive key commitment information over said preferred channel from said network device;
exchange keys between said provisioning device and said network device over a bidirectional channel other than the preferred channel; and
verify the received keys using the received key commitment information on both said provisioning device and said network device;
a provisioning mechanism configured to provide provisioning information to said network device over said bidirectional preferred channel, wherein the provisioning information comprises:
a first set of provisioning information which is used exclusively to establish secure and authenticated communication between the provisioning device and said network device using a second channel; and
other provisioning information comprising at least one of application-specific information and device-specific assignment information;
whereby said network device can automatically configure itself for secure communication over a network responsive to said first and other provisioning information, wherein the secure communication can be over the second channel.
Dependent claims 15 through 21 depend from claim 14.
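The pre-authentication shared by claims 1, 11 and 14, followed by the provisioning step, as an added worked example. This is illustrative code written for this page, not the patent's implementation or any code of its inventors or assignee. The location-limited ("preferred") channel is modelled as fields that only the two parties write to; the main channel as a dict an active attacker may overwrite. Assumptions the claims do not fix: the exchanged keys are finite-field Diffie-Hellman public values in RFC 3526 group 14, the key commitment is a SHA-256 hash of the public key, provisioning information is authenticated with HMAC-SHA256 under the derived session key, and SAMPLE_INFO is a constructed sample of the "first set" and "other" provisioning information.

```python
import hashlib
import hmac
import json
import secrets

# Diffie-Hellman in RFC 3526 group 14 (2048-bit MODP, generator 2).  The patent
# does not fix a key type; finite-field DH is this example's assumption.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, KEY_LEN = 2, 256  # generator; bytes per group element


def commit(pubkey: bytes) -> bytes:
    """Key commitment for the location-limited channel: binds the sender to one
    public key and gives an eavesdropper on the main channel nothing to use."""
    return hashlib.sha256(pubkey).digest()


class Party:
    """Provisioning device or network device, each with a fresh DH key pair."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2  # exponent in [2, P-2]
        self.pub = pow(G, self.priv, P).to_bytes(KEY_LEN, "big")
        self.peer_commitment = b""  # filled from the preferred channel

    def verify_and_derive(self, peer_pub: bytes) -> bytes:
        """Step 3: accept the key from the main channel only if it hashes to the
        commitment from the preferred channel; then derive the session key."""
        if not hmac.compare_digest(commit(peer_pub), self.peer_commitment):
            raise ValueError(f"{self.name}: main-channel key does not match commitment")
        y = int.from_bytes(peer_pub, "big")
        if not 2 <= y <= P - 2:  # reject 0, 1 and P-1
            raise ValueError(f"{self.name}: invalid public value")
        shared = pow(y, self.priv, P).to_bytes(KEY_LEN, "big")
        return hashlib.sha256(b"provisioning-session" + shared).digest()


def pre_authenticate(mitm: bool = False) -> tuple[bytes, bytes]:
    """The pre-authentication of claim 1; returns (provisioner key, device key)
    or raises ValueError when a substituted key is detected."""
    prov, dev = Party("provisioner"), Party("device")
    # Step 1: commitments over the location-limited channel.  Its authenticity
    # property is modelled by letting only the two parties write these fields.
    dev.peer_commitment = commit(prov.pub)
    prov.peer_commitment = commit(dev.pub)
    # Step 2: public keys over the main channel (e.g. wireless), modelled as a
    # dict an active attacker may overwrite with keys of its own.
    main_channel = {"prov": prov.pub, "dev": dev.pub}
    if mitm:
        attacker = Party("attacker")
        main_channel = {"prov": attacker.pub, "dev": attacker.pub}
    # Step 3: each side checks what it received against the commitment.
    return prov.verify_and_derive(main_channel["dev"]), dev.verify_and_derive(main_channel["prov"])


def mitm_detected() -> bool:
    """True when key substitution on the main channel is caught in step 3."""
    try:
        pre_authenticate(mitm=True)
    except ValueError:
        return True
    return False


def provision_device(info: dict) -> dict:
    """Pre-authenticate, then send the provisioning information authenticated
    with HMAC-SHA256 under the session key (this example's choice of MAC) and
    return what the device accepted."""
    k_prov, k_dev = pre_authenticate()
    payload = json.dumps(info, sort_keys=True).encode()
    tag = hmac.new(k_prov, payload, hashlib.sha256).digest()
    # Device side: verify before acting on any of the information.
    if not hmac.compare_digest(hmac.new(k_dev, payload, hashlib.sha256).digest(), tag):
        raise ValueError("provisioning message failed authentication")
    return json.loads(payload)


# Constructed sample: a "first set" used only to bring up the second channel,
# plus device-specific assignment and application-specific information.
SAMPLE_INFO = {
    "first_set": {"network_psk_hex": secrets.token_hex(32)},
    "device_specific": {"hostname": "sensor-17", "address": "10.0.7.17/24"},
    "application_specific": {"role": "heart-rate-monitor", "report_interval_s": 5},
}

if __name__ == "__main__":
    print("key substitution detected:", mitm_detected())
    print("device configured with:", provision_device(SAMPLE_INFO))
```

The point the claims turn on is visible in `pre_authenticate(mitm=True)`: an attacker who fully controls the main channel can replace both public keys, but each side's hash check against the commitment it received over the location-limited channel rejects the substituted key, so the main channel needs neither confidentiality nor authenticity of its own. Because the commitment is a hash rather than the key itself, the preferred channel only has to provide authenticity (the demonstrative identification property); it does not have to be secret. The guarantee disappears if the attacker can also inject on the preferred channel, which is why the claims require a location-limited channel rather than any out-of-band channel.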