UPnP authentication and authorization

US 7,882,356 B2
Filed: 10/13/2006
Issued: 02/01/2011
Est. Priority Date: 10/13/2006
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a secure connection between a UPnP (Universal Plug and Play) device and a UPnP endpoint in an open network wherein the UPnP device and UPnP endpoint can dynamically join and leave said network, said method comprising:

receiving, by a UPnP device, a request for one or more UPnP services implemented by the UPnP device, said request being received from a UPnP endpoint via the network, said request including identification information and a digital signature associated with the UPnP endpoint, said identification information including a device model number and a serial number of the UPnP endpoint, said request further including a random number that is different for each received request, and a digital signature binding an initiator public key with said identification information;

authenticating the UPnP endpoint by the UPnP device as a function of the received digital signature of the UPnP endpoint to verify the identity of the UPnP endpoint;

determining, based on the received device model number and the received serial number of the UPnP endpoint, if any of the requested one or more UPnP services are compatible with the UPnP endpoint;

authorizing, if at least one of the requested one or more UPnP services is determined to be compatible with the UPnP endpoint, the UPnP endpoint by the UPnP device to access the at least one of the requested one or more services implemented by the UPnP device;

sending a response to the UPnP endpoint from the UPnP device indicating if the UPnP endpoint has been authenticated and authorized by the UPnP device, said response including;

a responder message, said responder message including a responder certificate and a responder public key, said responder certificate being encrypted with the initiator public key; and

a request identifier for matching, by the UPnP endpoint, subsequent requests from by the UPnP device to a previously successfully completed request, said request identifier being valid for a limited period of time; and

transmitting a confirmation by the UPnP endpoint to the UPnP device that the UPnP endpoint was able to decrypt the responder certificate, said confirmation including the request identifier and a security token, said security token being a number known to the UPnP endpoint and to the UPnP device and encrypted using an encryption key derived from a shared secret generated from the random number of the received request, wherein the UPnP endpoint and the UPnP device increment the number known to the UPnP endpoint and to the UPnP device for each request and the security token is different for each request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure handshake service is implemented among a plurality of UPnP (Universal Plug and Play) portable media devices and endpoints in an open network hosting one or more UPnP services. A first portable media device receives a first request for a hosted service from a second portable media device via the network. The first portable media device authenticates authorizes the second portable media device as a function of the certificate of the request. The second portable media device is allowed to access the requested service hosted on the first portable media device if the second portable media device has been authenticated and authorized by the first portable media device.

Citations

18 Claims

1. A method for establishing a secure connection between a UPnP (Universal Plug and Play) device and a UPnP endpoint in an open network wherein the UPnP device and UPnP endpoint can dynamically join and leave said network, said method comprising:
- receiving, by a UPnP device, a request for one or more UPnP services implemented by the UPnP device, said request being received from a UPnP endpoint via the network, said request including identification information and a digital signature associated with the UPnP endpoint, said identification information including a device model number and a serial number of the UPnP endpoint, said request further including a random number that is different for each received request, and a digital signature binding an initiator public key with said identification information;
  
  authenticating the UPnP endpoint by the UPnP device as a function of the received digital signature of the UPnP endpoint to verify the identity of the UPnP endpoint;
  
  determining, based on the received device model number and the received serial number of the UPnP endpoint, if any of the requested one or more UPnP services are compatible with the UPnP endpoint;
  
  authorizing, if at least one of the requested one or more UPnP services is determined to be compatible with the UPnP endpoint, the UPnP endpoint by the UPnP device to access the at least one of the requested one or more services implemented by the UPnP device;
  
  sending a response to the UPnP endpoint from the UPnP device indicating if the UPnP endpoint has been authenticated and authorized by the UPnP device, said response including;
  
  a responder message, said responder message including a responder certificate and a responder public key, said responder certificate being encrypted with the initiator public key; and
  
  a request identifier for matching, by the UPnP endpoint, subsequent requests from by the UPnP device to a previously successfully completed request, said request identifier being valid for a limited period of time; and
  
  transmitting a confirmation by the UPnP endpoint to the UPnP device that the UPnP endpoint was able to decrypt the responder certificate, said confirmation including the request identifier and a security token, said security token being a number known to the UPnP endpoint and to the UPnP device and encrypted using an encryption key derived from a shared secret generated from the random number of the received request, wherein the UPnP endpoint and the UPnP device increment the number known to the UPnP endpoint and to the UPnP device for each request and the security token is different for each request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the digital signature is a certificate provided by a trusted authority.
  - 3. The method of claim 2, wherein the certificate includes a public key of the UPnP endpoint and further comprising encrypting at least a portion of the response provided by the UPnP device with the public key of the UPnP endpoint.
  - 4. The method of claim 1, wherein the identification information further includes a list of media formats supported by the UPnP endpoint.
  - 5. The method of claim 1, further comprising authenticating the UPnP device by the UPnP endpoint with the responder certificate of the UPnP device.
  - 6. The method of claim 1, wherein the response includes a session identifier, the session identifier being included in subsequent requests.
  - 7. The method of claim 1, wherein the request includes a first random number generated by the UPnP endpoint and the response includes a second random number generated by the UPnP device, said response being encrypted with a public key of the UPnP endpoint, and further comprising confirming, in response to receiving the confirmation, the authentication and authorization of the UPnP endpoint by the UPnP device as a function of the security token.
  - 8. The method of claim 7, further comprising:
    - generating, by the UPnP device, a session identifier, said session identifier being included in the response to the UPnP endpoint, said session identifier further being included in subsequent requests from the UPnP endpoint and in subsequent responses from the UPnP device.
  - 9. The method of claim 8, wherein the session identifier includes a session token, and further comprising generating said session token as a function of the first and second random numbers such that a first generated session token is not equal to a second generated session token.
  - 10. The method of claim 9, wherein the session identifier and session token are embedded in an XML header of an UPnP request, said XML header having a tag format:
    - <
      
      msh;
      
      handshake xmlns;
      
      msh=‘
      
      namespace specification’
      
      msh;
      
      id=‘
      
      session identifier’
      
      >
      
      <
      
      /msh;
      
      handshake>
      
      .
  - 11. The method of claim 1, further comprising:
    - recording an address associated with the UPnP endpoint by the UPnP device as a function the authorization and authentication of the UPnP endpoint, said address being used by the UPnP device to identify subsequent requests from the UPnP endpoint.
  - 12. The method of claim 1, wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 1.

13. A method for establishing a new secure handshake service among a plurality of UPnP (Universal Plug and Play) portable media devices in an open network wherein one or more of the UPnP portable media devices can dynamically join and leave said network, comprising:
- sending a message via the network announcing the availability of UPnP services hosted by a first portable media device, said services including the handshake service and at least one additional UPnP service;
  
  receiving a first request initiating the handshake service from a second portable media device via the network by the first portable media device, said request including an initiating message, said initiating message including identification information of the second portable media device, a random number that is different each time said handshake service is initiated, and a digital signature binding an initiator public key with said identification information;
  
  authenticating the second portable media device by the first portable media device as a function of the digital signature of the second portable media device, said authenticating establishing the identity of the second portable media device;
  
  authorizing the second portable media device by the first portable media device as a function of the identification information of the request, said authorizing determining if the second portable media device is permitted to communicate with the first portable media device;
  
  sending a response to the second portable media device by the first portable media device via the network indicating if the second portable media device has been authenticated and authorized by the first portable media device, said response having an identical data structure to the received first request, said response including;
  
  a responder message, said responder message including a responder certificate and a responder public key, said responder certificate being encrypted with the initiator public key; and
  
  a request identifier for matching, by the second portable media device, subsequent requests from the first portable media device to a previously successfully completed request, said request identifier being valid for a limited period of time;
  
  encrypting a security token using an encryption key derived from a shared secret generated from the random number of the received initiating message, said security token being a number known to the first portable media device and to the second portable media device;
  
  transmitting a confirmation in binary format by the second portable media device to the first portable media device that the second portable media device was able to decrypt the responder certificate, said confirmation including the request identifier and the encrypted security token, wherein the first portable media device and the second portable media device increment the number known to the first portable media device and to the second portable media device for each request such that the security token is different for each request;
  
  receiving a second request via the network from the second portable media device by the first portable media device for the at least one additional UPnP service hosted by the first portable;
  
  wherein the second portable media device is allowed to access the at least one additional UPnP service hosted on the first portable media device if the second portable media device is authenticated and authorized by the first portable media device; and
  
  wherein the second portable media device is not allowed to the access at least one additional UPnP service hosted on the first portable media device if the second portable media device is not authenticated and authorized by the first portable media device.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the first portable media device comprises a UPnP Media Server and the second portable media device comprises a UPnP Media Renderer.
  - 15. The method of claim 13, wherein the first portable media device comprises a UPnP Media Renderer and the second portable media device comprises a UPnP Control Point.

16. A system of a media server for authorizing and authenticating a media renderer by the media server wherein the media server implements one or more UPnP services in an open network, said system comprising one or more processors for implementing:
- an interface component for ;
  
  receiving a request via the network from the media renderer, said request including an initiating message, said initiating message including identification information of the media renderer and a digital signature; and
  
  sending a response via the network to the media renderer indicating if the media renderer has been authenticated and authorized by the media server, said response including;
  
  a responder message, said responder message including a responder certificate and a responder public key, said responder certificate being encrypted with the initiator public key; and
  
  a request identifier for matching, by the media server, subsequent requests from the media renderer to a previously successfully completed request, said request identifier being valid for a limited period of time;
  
  a validation component for ;
  
  authenticating the media renderer as a function of the digital signature of the media renderer, said authenticating establishing the identity of the media renderer; and
  
  authorizing the media renderer as a function of the identification information of the request, said authorizing comprising querying the media renderer to obtain a list of supported media formats and authorizing the media renderer if at least one media format compatible with the media server is supported by the media renderer; and
  
  a security component for;
  
  granting access to the media renderer to one or more services implemented by the media server if the media renderer was authorized and authenticated by the validation component; and
  
  denying access to the media renderer to one or more services implemented by the media server if the media renderer was not authorized and authenticated by the validation component.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the one or more processors further implement components for authenticating and authorizing the media server by the media renderer in response to a request sent by the media server.
  - 18. The system of claim 16, wherein the media server and the media renderer are portable media devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Klemets, Anders, Walter, James T. Jr., da Costa, Bruno Kraychete, Srinivas, Kasy
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
SIMS, JING F

Application Number

US11/549,459
Publication Number

US 20080092211A1
Time in Patent Office

1,572 Days
Field of Search

713/156, 713/157, 713/159, 713/172, 713/177, 713/168, 713/170, 713/175
US Class Current

713/172
CPC Class Codes

H04L 2209/603   Digital right managament [DRM]

H04L 2209/80   Wireless

H04L 63/04   for providing a confidentia...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

UPnP authentication and authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

UPnP authentication and authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links