Method and apparatus for providing security in wireless communication networks

US 8,280,057 B2
Filed: 01/25/2008
Issued: 10/02/2012
Est. Priority Date: 09/04/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving at a first wireless routing node a digital signature from a trust authority, wherein the digital signature is generated using a Medium Access Control (MAC) address/public key pair, and wherein the digital signature is received from the trust authority via an isolated connection prior to the first wireless routing node joining a wireless network;

verifying at the first wireless routing node whether a digital certificate provided by a second wireless routing node in the wireless network is signed using the digital signature associated with the trust authority;

based upon the verification, exchanging encryption keys with the second wireless routing node, the exchanged encryption keys including a first encryption key;

receiving first data at the first wireless routing node from the second wireless routing node, wherein the first data is encrypted and is associated with an industrial control and automation system;

decrypting the received first data using the first encryption key to produce first decrypted data, the first encryption key uniquely associated with communications between the first and second wireless routing nodes;

encrypting the first decrypted data using a second encryption key to produce first encrypted data, the second encryption key uniquely associated with communications between the first wireless routing node and a third wireless routing node in the wireless network, the second encryption key being exchanged after the third wireless routing node has been verified by the first wireless routing node using the digital signature of the trust authority; and

communicating the first encrypted data to the third wireless routing node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving data at a first wireless node in a wireless network, where the data is associated with an industrial control and automation system. The method also includes decrypting the received data using a first encryption key to produce decrypted data and encrypting the decrypted data using a second encryption key to produce encrypted data. The method further includes communicating the encrypted data to at least a second wireless node in the wireless network. Another method includes generating first data at a first wireless node in a wireless network, where the data is associated with an industrial control and automation system. The other method also includes encrypting the first data using an encryption key and transmitting the first data to multiple second wireless nodes in the wireless network, where the second wireless nodes are capable of using the same encryption key to decrypt the first data.

99 Citations

View as Search Results

21 Claims

1. A method comprising:
- receiving at a first wireless routing node a digital signature from a trust authority, wherein the digital signature is generated using a Medium Access Control (MAC) address/public key pair, and wherein the digital signature is received from the trust authority via an isolated connection prior to the first wireless routing node joining a wireless network;
  
  verifying at the first wireless routing node whether a digital certificate provided by a second wireless routing node in the wireless network is signed using the digital signature associated with the trust authority;
  
  based upon the verification, exchanging encryption keys with the second wireless routing node, the exchanged encryption keys including a first encryption key;
  
  receiving first data at the first wireless routing node from the second wireless routing node, wherein the first data is encrypted and is associated with an industrial control and automation system;
  
  decrypting the received first data using the first encryption key to produce first decrypted data, the first encryption key uniquely associated with communications between the first and second wireless routing nodes;
  
  encrypting the first decrypted data using a second encryption key to produce first encrypted data, the second encryption key uniquely associated with communications between the first wireless routing node and a third wireless routing node in the wireless network, the second encryption key being exchanged after the third wireless routing node has been verified by the first wireless routing node using the digital signature of the trust authority; and
  
  communicating the first encrypted data to the third wireless routing node.
- View Dependent Claims (2, 3, 4, 5, 19, 20, 21)
- - 2. The method of claim 1, further comprising:
    - exchanging encryption keys at the first wireless routing node with any wireless node having (i) an active link with the first wireless routing node and (ii) a certificate signed by the trust authority.
  - 3. The method of claim 1, wherein decrypting the received first data and encrypting the first decrypted data are performed at one or more of:
    - a MAC layer and a network layer in the first wireless routing node.
  - 4. The method of claim 1, wherein the first wireless routing node and the third wireless routing node use a same encryption key to communicate with one or more leaf nodes in the wireless network.
  - 5. The method of claim 1, further comprising receiving second data at the first wireless routing node, wherein the second data is associated with at least one of:
    - a sensor and an actuator in the industrial control and automation system.
  - 19. The method of claim 1, wherein a MAC address of the first wireless routing node and a MAC address of the third wireless routing node are registered with the trust authority.
  - 20. The method of claim 19, further comprising:
    - verifying that the MAC address of the third wireless routing node has been registered with the trust authority; and
      
      exchanging encryption keys between the first and third wireless routing nodes, the encryption keys including the second encryption key uniquely associated with communications between the first and third wireless routing nodes.
  - 21. The method of claim 1, wherein receiving at the first wireless routing node the digital signature of the trust authority comprises:
    - registering a MAC address of the first wireless routing node with the trust authority and receiving the digital signature of the trust authority over the isolated connection prior to the first wireless routing node joining the wireless network;
      
      wherein a MAC address of the third wireless routing node is also registered with the trust authority.

6. A wireless routing node comprising:
- at least one transceiver configured to communicate over a wireless network; and
  
  at least one controller configured to;
  
  receive a digital signature of a trust authority via an isolated connection prior to joining the wireless network, wherein the digital signature is associated with a Medium Access Control (MAC) address/public key pair;
  
  verify whether a digital certificate provided by a second wireless routing node in the wireless network is signed using the digital signature associated with the trust authority;
  
  exchange encryption keys with the second wireless routing node based upon the verification, the exchanged encryption keys including a first encryption key;
  
  receive first data from the second wireless routing node, wherein the first data is encrypted and is associated with an industrial control and automation system;
  
  decrypt the first data using the first encryption key to produce first decrypted data, the first encryption key uniquely associated with communications between the wireless routing node and the second wireless routing node;
  
  receive a second encryption key from a third wireless routing node in the wireless network after verifying the third wireless routing node using the digital signature of the trust authority;
  
  encrypt the first decrypted data using the second encryption key to produce first encrypted data, the second encryption key uniquely associated with communications between the wireless routing node and the third wireless routing node; and
  
  provide the first encrypted data to the at least one transceiver for communication to the third wireless routing node.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The wireless routing node of claim 6, wherein the at least one controller is configured to exchange encryption keys at the wireless routing node with any other wireless node having (i) an active link with the wireless routing node and (ii) a certificate signed by the trust authority.
  - 8. The wireless routing node of claim 6, wherein the at least one controller is configured to decrypt the received first data and encrypt the first decrypted data at one or more of:
    - a MAC layer and a network layer in the wireless routing node.
  - 9. The wireless routing node of claim 6, wherein the wireless routing node and the third wireless routing node are configured to use a same encryption key to communicate with one or more leaf nodes in the wireless network.
  - 10. The wireless routing node of claim 6, wherein the at least one controller is further configured to receive second data via the at least one transceiver, the second data associated with at least one of:
    - a sensor and an actuator in the industrial control and automation system.

11. A method comprising:
- receiving at a first wireless node a digital signature from a trust authority, wherein the digital signature is received prior to the first wireless node joining a wireless network via an isolated connection, and wherein the first wireless node is a leaf node;
  
  verifying the first encryption key by the first wireless node using the digital signature of the trust authority;
  
  generating first data at the first wireless node, the data associated with an industrial control and automation system;
  
  encrypting the first data using a first encryption key; and
  
  transmitting the first data to multiple second wireless nodes in the wireless network, wherein the second wireless nodes are infrastructure nodes and are capable of using the same first encryption key to decrypt the first data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, further comprising:
    - decrypting the first data at each of the second wireless nodes using the first encryption key to produce decrypted data;
      
      encrypting the decrypted data at each of the second wireless nodes, each second wireless node using a different second encryption key to produce encrypted data; and
      
      communicating the encrypted data at each of the second wireless nodes.
  - 13. The method of claim 11, further comprising:
    - receiving second data at the first wireless node from at least one of the second wireless nodes; and
      
      decrypting the second data using the encryption key.
  - 14. The method of claim 11, wherein encrypting the first data using the first encryption key comprises performing a single cryptographic operation to encrypt the first data for communication to the multiple second wireless nodes.
  - 15. The method of claim 11, wherein verifying the first encryption key by the first wireless node using the digital signature of the trust authority comprises:
    - verifying, at the first wireless node, whether a digital certificate provided by one of the second wireless nodes is signed using the digital signature associated with the trust authority; and
      
      exchanging encryption keys with one of the second wireless nodes based on the verification, the exchanged encryption keys including the first encryption key.
  - 16. The method of claim 15, further comprising:
    - exchanging encryption keys at the first wireless node with any wireless node having (i) an active link with the first wireless node and (ii) a certificate signed by the trust authority.
  - 17. The method of claim 11, wherein encrypting the first data is performed at one or more of:
    - a Medium Access Control (MAC) layer and a network layer in the first wireless node.
  - 18. The method of claim 11, wherein the first wireless node is at least one of:
    - a sensor and an actuator in the industrial control and automation system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Budampati, Ramakrishna S., Kolavennu, Soumitri N., Kune, Denis Foo
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US12/020,180
Publication Number

US 20090060192A1
Time in Patent Office

1,712 Days
Field of Search

713/171, 713/153, 713182-193, 713/170, 380/277, 380/270, 380/37, 709203-206, 726 2- 4
US Class Current

380/270
CPC Class Codes

H04L 63/0464   using hop-by-hop encryption...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04W 12/03   Protecting confidentiality,...

H04W 12/04   Key management, e.g. using ...

H04W 12/069   using certificates or pre-s...

H04W 84/12   WLAN [Wireless Local Area N...

Y02D 30/70   in wireless communication n...

Method and apparatus for providing security in wireless communication networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

99 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing security in wireless communication networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links