Method and apparatus for integrated provisioning of a network device with configuration information and identity certification

US 8,095,788 B2
Filed: 05/23/2008
Issued: 01/10/2012
Est. Priority Date: 03/12/2003
Status: Active Grant

First Claim

Patent Images

1. A provisioning server for provisioning a network device, comprising:

a configuration module that is adapted for configuring the network device; and

an identification certification module that is configured for certifying the identity of the network device;

wherein the provisioning server is adapted to securely couple to the network device via a physically secure direct communications link;

wherein the configuration module is adapted for configuring the network device over the physically secure direct communications link without requiring the network device to have any network connectivity;

anwherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity over the physically secure direct communications link without requiring the network device to have any network connectivity; and

wherein the identification certification module is configured for generating a cryptographic private key for the network device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identification certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, configuration module configures the device for operation at the device'"'"'s point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation.

Citations

31 Claims

1. A provisioning server for provisioning a network device, comprising:
- a configuration module that is adapted for configuring the network device; and
  
  an identification certification module that is configured for certifying the identity of the network device;
  
  wherein the provisioning server is adapted to securely couple to the network device via a physically secure direct communications link;
  
  wherein the configuration module is adapted for configuring the network device over the physically secure direct communications link without requiring the network device to have any network connectivity;
  
  anwherein the identification certification module is configured for obtaining certification of the network device'"'"'s identity over the physically secure direct communications link without requiring the network device to have any network connectivity; and
  
  wherein the identification certification module is configured for generating a cryptographic private key for the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The server of claim 1, wherein the provisioning server is operatively coupled to the network device using an electrical cable.
  - 3. The server of claim 1, wherein the electrical cable is a serial cable.
  - 4. The server of claim 1, wherein the server resides on a human-portable computer-readable volatile or non-volatile medium that is mechanically and electrically coupled to the network device.
  - 5. The server of claim 4, wherein the computer-readable volatile or non-volatile medium comprises a removable flash memory.
  - 6. The server of claim 4, wherein the computer-readable volatile or non-volatile medium comprises a smart card.
  - 7. The server of claim 1, wherein the configuration module is configured to configure the network device for operation at the device'"'"'s point of deployment in a network.
  - 8. The server of claim 1, wherein the identification certification module is configured to:
    - generate a digital certificate that is associated with a public key that is associated with the network device; and
      
      wherein the configuration module is configured to;
      
      configure the network device based on the digital certificate.
  - 9. The server of claim 8, wherein the identification module is configured to:
    - read, from the network device, the public key that is associated with the network device.
  - 10. The server of claim 1, wherein the identification certification module comprises an identity registrar for verifying information associated with a request for a digital certificate.
  - 11. The server of claim 10, wherein the identity registrar is a PKI registration authority.
  - 12. The server of claim 1, wherein the identification certification module comprises an identity registrar for verifying information associated with a request for a digital certificate and a certificate authority for issuing a digital certificate.

13. A method for provisioning a network device, the method comprising the computer-implemented steps of:
- configuring the network device over a physically secure direct communications link without requiring the network device to have any network connectivity; and
  
  certifying the identity of the network device over the physically secure direct communications link without requiring the network device to have any network connectivity; and
  
  wherein certifying the identity of the network device includes generating a cryptographic private key for the network device.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the step of certifying comprises the steps of:
    - reading a public key associated with the network device;
      
      obtaining a digital certificate associated with the public key; and
      
      wherein the step of configuring includes configuring the network device based on the digital certificate.
  - 15. The method of claim 14, wherein the step of obtaining a digital certificate includes generating the digital certificate.
  - 16. The method of claim 14, wherein the step of obtaining a digital certificate includes the steps of:
    - verifying the identity of the network device based on information provided regarding the network device; and
      
      generating the digital certificate associated with the network device in response to verifying the identity of the network device.

17. A computer-readable non-transitory medium storing one or more sequences of instructions for provisioning a network device, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- configuring the network device over a physically secure direct communications link without requiring the network device to have any network connectivity; and
  
  certifying the identity of the network device over the physically secure direct communications link without requiring the network device to have any network connectivity; and
  
  wherein certifying the identity of the network device includes generating a cryptographic private key for the network device.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The computer-readable non-transitory medium of claim 17, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of certifying by:
    - reading a public key associated with the network device;
      
      obtaining a digital certificate associated with the public key; and
      
      cause the one or more processors to carry out the step of certifying by configuring the network device based on the digital certificate.
  - 19. The computer-readable non-transitory medium of claim 18, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of obtaining a digital certificate by generating the digital certificate.
  - 20. The computer-readable non-transitory medium of claim 18, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of obtaining a digital certificate by carrying out the steps of:
    - verifying the identity of the network device based on information provided regarding the network device; and
      
      generating the digital certificate associated with the network device in response to verifying the identity of the network device.
  - 21. The computer-readable non-transitory medium of claim 17, wherein the computer-readable non-transitory medium is a component of a human-portable computing device that is mechanically and electrically coupled to the network device.
  - 22. The computer-readable non-transitory medium of claim 21, wherein the computer-readable non-transitory medium comprises a removable flash memory.
  - 23. The computer-readable non-transitory medium of claim 21, wherein the computer-readable non-transitory medium comprises a smart card.

24. A system for provisioning a network device, the system comprising:
- means for configuring the network device; and
  
  means for certifying the identity of the network device;
  
  wherein the system is adapted to securely couple to the network device via a physically secure direct communications link;
  
  wherein the system is adapted for configuring the network device over the physically secure direct communications link without requiring the network device to have any network connectivity;
  
  wherein the system is configured for obtaining certification of the network device'"'"'s identity over the physically secure direct communications link without requiring the network device to have any network connectivity; and
  
  wherein the system is configured for generating a cryptographic private key for the network device.

25. A device for provisioning a network device, the device comprising:
- one or more processors;
  
  a computer-readable storage medium comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of;
  
  configuring the network device; and
  
  certifying the identity of the network device;
  
  wherein the device is adapted to securely couple to the network device via a physically secure direct communications link;
  
  wherein the device is adapted for configuring the network device over the physically secure direct communications link without requiring the network device to have any network connectivity;
  
  anwherein the device is configured for obtaining certification of the network device'"'"'s identity over the physically secure direct communications link without requiring the network device to have any network connectivity; and
  
  wherein the device is configured for generating a cryptographic private key for the network device.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The device of claim 25, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of certifying by:
    - reading a public key associated with the network device;
      
      obtaining a digital certificate associated with the public key; and
      
      cause the one or more processors to carry out the step of certifying by configuring the network device based on the digital certificate.
  - 27. The device of claim 26, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of obtaining a digital certificate by generating the digital certificate.
  - 28. The device of claim 26, wherein the one or more sequences of instructions cause the one or more processors to carry out the step of obtaining a digital certificate by carrying out the steps of:
    - verifying the identity of the network device based on information provided regarding the network device; and
      
      generating the digital certificate associated with the network device in response to verifying the identity of the network device.
  - 29. The device of claim 25, wherein the device is human-portable and is mechanically and electrically coupled to the network device.
  - 30. The device of claim 29, wherein the device comprises a removable flash memory.
  - 31. The device of claim 29, wherein the device comprises a smart card.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vilhuber, Jan, Pritikin, Max
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US12/126,219
Publication Number

US 20080222413A1
Time in Patent Office

1,327 Days
Field of Search

713/153, 713/155, 713/156, 726/1, 726/4, 726/10, 726/11, 726/18, 726/21, 709/220, 709223-225
US Class Current

713/156
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 9/3263   involving certificates, e.g...

Method and apparatus for integrated provisioning of a network device with configuration information and identity certification

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for integrated provisioning of a network device with configuration information and identity certification

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links