Early authentication in cable modem initialization

US 8,255,682 B2
Filed: 07/27/2006
Issued: 08/28/2012
Est. Priority Date: 07/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

sending messages from and receiving messages by a cable modem termination system (CMTS) to establish a link layer connection between a cable modem and said CMTS;

sending messages from and receiving messages by said CMTS to authenticate said cable modem on a primary service flow;

sending messages from and receiving messages by said CMTS to establish IP connectivity between said cable modem and said CMTS after said cable modem has been authenticated;

sending messages from and receiving messages by said CMTS to register said cable modem with the CMTS after said IP connectivity has been established;

determining whether baseline privacy is enabled in said cable modem after said cable modem is registered with the CMTS; and

responsive to a determination that baseline privacy is not enabled in said cable modem, suspending at least one of an integrity check and encryption of data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that eliminates some of the security vulnerabilities in the prior art systems by using a new sequence of steps to perform initialization of the cable modem: Instead of performing authentication after the cable modem has been registered, the cable modem authentication step is performed immediately after the cable modem completes ranging. Thus an early authentication method and system are provided. The control of authentication is shifted from the cable modem to the CMTS. Instead of the CMTS relying on a Registration Request message (REG-REQ) to determine whether a cable modem must perform authentication (that is to determine if BPI+ is enabled) the CMTS configuration is what determines whether a cable modem must perform authentication.

35 Citations

View as Search Results

21 Claims

1. A method comprising:
- sending messages from and receiving messages by a cable modem termination system (CMTS) to establish a link layer connection between a cable modem and said CMTS;
  
  sending messages from and receiving messages by said CMTS to authenticate said cable modem on a primary service flow;
  
  sending messages from and receiving messages by said CMTS to establish IP connectivity between said cable modem and said CMTS after said cable modem has been authenticated;
  
  sending messages from and receiving messages by said CMTS to register said cable modem with the CMTS after said IP connectivity has been established;
  
  determining whether baseline privacy is enabled in said cable modem after said cable modem is registered with the CMTS; and
  
  responsive to a determination that baseline privacy is not enabled in said cable modem, suspending at least one of an integrity check and encryption of data.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising interrogating a configuration file in said CMTS to determine if early authentication prior to registration is enabled on said CMTS.
  - 3. The method of claim 1 including:
    - determining by messages sent from or received by said CMTS if authentication prior to registration is enabled on said cable modem and if authentication prior to registration is not enabled, dropping all messages except authentication messages from the cable modem until it is successfully authenticated.
  - 4. The method of claim 1 wherein if the cable modem fails authentication prior to registration, the method further comprising directing cable modem provisioning messages received by said CMTS to a secured storage area.
  - 5. The method of claim 1 including determining from messages sent from and received by said CMTS if authentication prior to registration is enabled on said cable modem and if authentication prior to registration is not enabled, authenticating said cable modem after said cable modem is registered.

6. A cable modem termination system (CMTS) including a processor configured to:
- establish a link layer connection to a cable modem;
  
  authenticate said cable modem prior to registration of said cable modem;
  
  establish IP connectivity between said CMTS and said cable modem after said authentication is complete;
  
  register said cable modem after said connectivity has been established;
  
  determine whether baseline privacy is enabled in said cable modem after said cable modem is registered;
  
  responsive to a determination that baseline privacy is enabled in said cable modem, initialize baseline privacy in said cable modem; and
  
  responsive to a determination that baseline privacy is not enabled in said cable modem, suspend at least one of an integrity check and encryption of data.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The CMTS of claim 6, wherein said processor is configured to provide traffic encryption keys for encryption on at least one secondary service flow.
  - 8. The CMTS of claim 6, wherein said processor is configured to drop all messages except authentication messages from the cable modem until the cable modem is successfully authenticated.
  - 9. The CMTS of claim 6, wherein said processor is configured to interrogate a configuration file stored on said CMTS to determine if authentication prior to registration is enabled on said CMTS.
  - 10. The CMTS of claim 6, wherein said processor is configured to send and receive dynamic host configuration protocol (DHCP) provisioning messages, time of day (ToD) provisioning messages, and trivial file transfer protocol (TFTP) provisioning messages.
  - 11. The CMTS recited in claim 6 wherein said processor is configured to send and receive messages to determine if a cable modem is configured for authentication prior to registration.
  - 12. The CMTS recited in claim 6 wherein said processor is configured to send all messages from said cable modem to a secure area if authentication prior to registration fails.
  - 13. The CMTS recited in claim 6 wherein said processor is configured to authenticate said cable modem based on an X.509 certificate received from said cable modem.

14. A cable modem including:
- a port to communicate over a link layer connection with a cable modem termination system (CMTS);
  
  a processor adapted to;
  
  receive messages from said CMTS via said port to conduct authentication of said cable modem on a primary service flow prior to registration of said modem;
  
  establish IP connectivity with said CMTS;
  
  register said cable modem with said CMTS after said authentication is complete;
  
  determine whether baseline privacy is enabled in said cable modem after said cable modem is registered with said CMTS;
  
  responsive to a determination that baseline privacy is enabled in said cable modem, initialize baseline privacy in said cable modem; and
  
  responsive to a determination that baseline privacy is not enabled in said cable modem, suspend at least one of an integrity check and encryption of data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The cable modem of claim 14 wherein said processor is further adapted to utilize encryption keys for encryption on at least one secondary service flow.
  - 16. The cable modem of claim 14 wherein said cable modem includes a configuration file.
  - 17. The cable modem of claim 14 wherein said processor is further adapted to provide an X.509 certificate to be used by said CMTS to conduct said authentication of said cable modem on said primary service flow.
  - 18. The cable modem of claim 14, wherein said processor is further adapted to, responsive to suspending at least one of said integrity check and encryption of data, notify an operator.
  - 19. The cable modem of claim 14, wherein said primary service flow is identified by a primary security association identification (SAID).
  - 20. The cable modem of claim 15, wherein said primary service flow is identified by a primary security association identification (SAID) and said at least one secondary service flow is identified by a secondary SAID.
  - 21. The cable modem of claim 20, wherein said processor is further adapted to initialize baseline privacy for said secondary SAID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zeng, Shengyou
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US11/460,570
Publication Number

US 20080028437A1
Time in Patent Office

2,224 Days
Field of Search

726/2, 726/4, 726/14, 713/153, 713/156, 713/168, 380/232, 709/223, 717/178
US Class Current

713/153
CPC Class Codes

G06F 2221/2129   Authenticate client device ...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04N 7/104   Switchers or splitters

Early authentication in cable modem initialization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Early authentication in cable modem initialization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links