UPnP authentication and authorization
First Claim
1. A method for establishing a secure connection between a UPnP (Universal Plug and Play) device and a UPnP endpoint in an open network wherein the UPnP device and UPnP endpoint can dynamically join and leave said network, said method comprising:
receiving, by a UPnP device, a request for one or more UPnP services implemented by the UPnP device, said request being received from a UPnP endpoint via the network, said request including identification information and a digital signature associated with the UPnP endpoint, said identification information including a device model number and a serial number of the UPnP endpoint, said request further including a random number that is different for each received request, and a digital signature binding an initiator public key with said identification information;
authenticating the UPnP endpoint by the UPnP device as a function of the received digital signature of the UPnP endpoint to verify the identity of the UPnP endpoint;
determining, based on the received device model number and the received serial number of the UPnP endpoint, if any of the requested one or more UPnP services are compatible with the UPnP endpoint;
authorizing, if at least one of the requested one or more UPnP services is determined to be compatible with the UPnP endpoint, the UPnP endpoint by the UPnP device to access the at least one of the requested one or more services implemented by the UPnP device;
sending a response to the UPnP endpoint from the UPnP device indicating if the UPnP endpoint has been authenticated and authorized by the UPnP device, said response including;
a responder message, said responder message including a responder certificate and a responder public key, said responder certificate being encrypted with the initiator public key; and
a request identifier for matching, by the UPnP endpoint, subsequent requests from by the UPnP device to a previously successfully completed request, said request identifier being valid for a limited period of time; and
transmitting a confirmation by the UPnP endpoint to the UPnP device that the UPnP endpoint was able to decrypt the responder certificate, said confirmation including the request identifier and a security token, said security token being a number known to the UPnP endpoint and to the UPnP device and encrypted using an encryption key derived from a shared secret generated from the random number of the received request, wherein the UPnP endpoint and the UPnP device increment the number known to the UPnP endpoint and to the UPnP device for each request and the security token is different for each request.
Abstract
A secure handshake service is implemented among a plurality of UPnP (Universal Plug and Play) portable media devices and endpoints in an open network hosting one or more UPnP services. A first portable media device receives a first request for a hosted service from a second portable media device via the network. The first portable media device authenticates and authorizes the second portable media device as a function of the certificate of the request. The second portable media device is allowed to access the requested service hosted on the first portable media device if the second portable media device has been authenticated and authorized by the first portable media device.
18 Claims
13. A method for establishing a new secure handshake service among a plurality of UPnP (Universal Plug and Play) portable media devices in an open network wherein one or more of the UPnP portable media devices can dynamically join and leave said network, comprising:
sending a message via the network announcing the availability of UPnP services hosted by a first portable media device, said services including the handshake service and at least one additional UPnP service;
receiving a first request initiating the handshake service from a second portable media device via the network by the first portable media device, said request including an initiating message, said initiating message including identification information of the second portable media device, a random number that is different each time said handshake service is initiated, and a digital signature binding an initiator public key with said identification information;
authenticating the second portable media device by the first portable media device as a function of the digital signature of the second portable media device, said authenticating establishing the identity of the second portable media device;
authorizing the second portable media device by the first portable media device as a function of the identification information of the request, said authorizing determining if the second portable media device is permitted to communicate with the first portable media device;
sending a response to the second portable media device by the first portable media device via the network indicating if the second portable media device has been authenticated and authorized by the first portable media device, said response having an identical data structure to the received first request, said response including;
a responder message, said responder message including a responder certificate and a responder public key, said responder certificate being encrypted with the initiator public key; and
a request identifier for matching, by the second portable media device, subsequent requests from the first portable media device to a previously successfully completed request, said request identifier being valid for a limited period of time;
encrypting a security token using an encryption key derived from a shared secret generated from the random number of the received initiating message, said security token being a number known to the first portable media device and to the second portable media device;
transmitting a confirmation in binary format by the second portable media device to the first portable media device that the second portable media device was able to decrypt the responder certificate, said confirmation including the request identifier and the encrypted security token, wherein the first portable media device and the second portable media device increment the number known to the first portable media device and to the second portable media device for each request such that the security token is different for each request;
receiving a second request via the network from the second portable media device by the first portable media device for the at least one additional UPnP service hosted by the first portable;
wherein the second portable media device is allowed to access the at least one additional UPnP service hosted on the first portable media device if the second portable media device is authenticated and authorized by the first portable media device; and
wherein the second portable media device is not allowed to the access at least one additional UPnP service hosted on the first portable media device if the second portable media device is not authenticated and authorized by the first portable media device.
16. A system of a media server for authorizing and authenticating a media renderer by the media server wherein the media server implements one or more UPnP services in an open network, said system comprising one or more processors for implementing:
an interface component for;
receiving a request via the network from the media renderer, said request including an initiating message, said initiating message including identification information of the media renderer and a digital signature; and
sending a response via the network to the media renderer indicating if the media renderer has been authenticated and authorized by the media server, said response including;
a responder message, said responder message including a responder certificate and a responder public key, said responder certificate being encrypted with the initiator public key; and
a request identifier for matching, by the media server, subsequent requests from the media renderer to a previously successfully completed request, said request identifier being valid for a limited period of time;
a validation component for;
authenticating the media renderer as a function of the digital signature of the media renderer, said authenticating establishing the identity of the media renderer; and
authorizing the media renderer as a function of the identification information of the request, said authorizing comprising querying the media renderer to obtain a list of supported media formats and authorizing the media renderer if at least one media format compatible with the media server is supported by the media renderer; and
a security component for;
granting access to the media renderer to one or more services implemented by the media server if the media renderer was authorized and authenticated by the validation component; and
denying access to the media renderer to one or more services implemented by the media server if the media renderer was not authorized and authenticated by the validation component.
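The confirmation step of claims 1 and 13 (a request identifier with a limited lifetime, and a security token built from a per-request counter under a key derived from the request's random number), sketched as an added Python example that is not taken from the patent. Assumptions: `master` is keying material both sides already hold, the 30-second lifetime is arbitrary, and HMAC-SHA256 stands in for the unspecified encryption of the counter, so the device recomputes the token instead of decrypting it.

```python
import hashlib
import hmac
import secrets

REQUEST_ID_TTL = 30.0  # seconds; assumed value, the claims only say "limited"

def derive_token_key(master: bytes, nonce: bytes) -> bytes:
    # Shared secret bound to this request's random number, then a key from it.
    shared_secret = hmac.new(master, b"secret" + nonce, hashlib.sha256).digest()
    return hmac.new(shared_secret, b"token-key", hashlib.sha256).digest()

def make_token(key: bytes, request_id: bytes, counter: int) -> bytes:
    # Stand-in for "counter encrypted under the derived key" (assumption).
    msg = request_id + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Session:
    """Device-side state kept for one completed handshake."""
    def __init__(self, master: bytes, nonce: bytes, now: float):
        self.request_id = secrets.token_bytes(16)
        self.key = derive_token_key(master, nonce)
        self.expires = now + REQUEST_ID_TTL
        self.counter = 0  # the number known to both sides

    def verify(self, request_id: bytes, token: bytes, now: float) -> str:
        if not hmac.compare_digest(request_id, self.request_id):
            return "unknown-request-id"
        if now >= self.expires:
            return "expired"
        expected = make_token(self.key, request_id, self.counter + 1)
        if not hmac.compare_digest(token, expected):
            return "bad-token"
        self.counter += 1  # advance only after a valid confirmation
        return "ok"

def demo() -> list:
    master = bytes(32)               # constructed key material
    nonce = secrets.token_bytes(16)  # random number from the request
    dev = Session(master, nonce, now=0.0)
    ep_key = derive_token_key(master, nonce)  # endpoint derives the same key
    rid = dev.request_id
    t1 = make_token(ep_key, rid, 1)
    return [
        dev.verify(rid, t1, now=1.0),                           # first confirmation
        dev.verify(rid, t1, now=2.0),                           # replayed token
        dev.verify(rid, make_token(ep_key, rid, 2), now=3.0),   # next counter
        dev.verify(rid, make_token(ep_key, rid, 3), now=31.0),  # past lifetime
    ]

if __name__ == "__main__":
    print(demo())
```

Because the counter advances only after a valid confirmation, a captured token fails on replay, and a fresh random number in the next handshake yields a different key.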
Specification