Secure network address provisioning
First Claim
1. A method of operating a networked device coupled to a network comprising a credential server that provides network credentials in accordance with a protocol comprising a plurality of messages, each message comprising a plurality of fields prescribed by the protocol, with a first portion of the plurality of fields having content prescribed by the protocol and a second portion of the plurality of fields having content that is not prescribed by the protocol, the method comprising:
- sending a first message of the plurality of messages, the first message comprising at least a first field in the second portion of the plurality of fields, the first field containing an indication of a set of encryption mechanisms supported by the device;
- receiving a second message of the plurality of messages, the second message comprising a second field in the second portion of the plurality of fields, the second field containing an indication of a selected encryption mechanism from the set of encryption mechanisms; and
- sending a third message of the plurality of messages, the third message comprising at least a third field in the second portion of the plurality of fields containing content encrypted with the selected encryption mechanism, wherein the content of the third field comprises a statement of health concerning the device, wherein:
- the second message comprises a server certificate; and
- the method further comprises validating the certificate as corresponding to a server authorized by an administrator of the network to provide network credentials.
Abstract
A network in which a client receives a network credential, such as a valid network address, following an exchange of messages with a credential server that includes security information. The security information may validate the credential, avoiding rogue devices inadvertently or maliciously distributing credential information that can interfere with clients attempting to connect to the network or with the network itself. If obtaining a network credential requires an exchange of information about the configuration of the client that could reveal security vulnerabilities, the security information may be used to ensure the confidentiality of that configuration information. The security information may be incorporated into messages according to a known protocol, such as by incorporating it into options fields of DHCP messages.
20 Claims
9. A tangible computer-readable storage medium comprising computer-executable instructions adapted for execution on a networked device coupled to a network comprising a credential server that provides network credentials in accordance with a protocol comprising a plurality of messages, each message comprising a plurality of fields prescribed by the protocol, with a first portion of the plurality of fields having content prescribed by the protocol and a second portion of the plurality of fields having content that is not prescribed by the protocol, the computer-executable instructions, when executed, for:
- sending a first message of the plurality of messages, the first message comprising at least a first field in the second portion of the plurality of fields, the first field containing an indication of a set of encryption mechanisms supported by the device;
- receiving a second message of the plurality of messages, the second message comprising a second field in the second portion of the plurality of fields, the second field containing an indication of a selected encryption mechanism from the set of encryption mechanisms; and
- sending a third message of the plurality of messages, the third message comprising at least a third field in the second portion of the plurality of fields containing content encrypted with the selected encryption mechanism, wherein the content of the third field comprises a statement of health concerning the device, wherein:
- the second message comprises a server certificate; and
- the method further comprises validating the certificate as corresponding to a server authorized by an administrator of the network to provide network credentials.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A method of operating a network comprising a networked device and a credential server that provides network credentials in accordance with a protocol comprising a plurality of messages, each message comprising a plurality of fields prescribed by the protocol, with a first portion of the plurality of fields having content prescribed by the protocol and a second portion of the plurality of fields having content that is not prescribed by the protocol, the method comprising:
- sending from the networked device to the credential server a first message of the plurality of messages, the first message comprising, in the second portion of the plurality of fields, a certificate of the networked device, wherein the device certificate has an associated device public key;
- sending, from the credential server to the networked device, a second message of the plurality of messages, the second message comprising, in the second portion of the plurality of fields, a server certificate;
- at the networked device: validating the identity of the server using the server certificate; and obtaining a server public key based on the identity of the server; and
- sending from the networked device a third message of the plurality of messages, the third message comprising, in the second portion of the plurality of fields, content encrypted with the server public key, the content including configuration information about the networked device.
Dependent claims: 18, 19, 20.
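The three-message exchange of claims 1 and 17 carried in DHCP option fields, as an added Python illustration that is not the patent's own code. It assumes option codes 224 to 227 as placeholders from the DHCP site-specific range (RFC 3942), models the administrator-authorized certificate check as a fingerprint allow-list, and uses `prf_xor` with a key established out of band as a labelled stand-in for the negotiated encryption mechanism.

```python
import hashlib
import hmac

# Assumed option codes from the DHCP site-specific range 224-254 (RFC 3942).
OPT_MECHS, OPT_SELECTED, OPT_CERT, OPT_SOH = 224, 225, 226, 227
GOOD_CERT = b"CN=dhcp.example.test,serial=0001"    # constructed sample certificate bytes
TRUSTED = {hashlib.sha256(GOOD_CERT).hexdigest()}  # administrator-published allow-list
KEY = b"demo-key-established-out-of-band"          # assumed; key agreement is not shown

def encode_options(opts):
    """Serialize {code: bytes} as DHCP TLV option fields, terminated by option 255."""
    out = bytearray()
    for code, val in opts.items():
        out += bytes([code, len(val)]) + val        # one-byte code, one-byte length, value
    return bytes(out) + b"\xff"

def decode_options(buf):
    """Parse TLV option fields back into {code: bytes}, stopping at option 255."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != 0xFF:
        code, ln = buf[i], buf[i + 1]
        opts[code], i = buf[i + 2:i + 2 + ln], i + 2 + ln
    return opts

def prf_xor(key, data):
    """Stand-in for the selected mechanism: HMAC-SHA256 keystream XOR (demo only)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, bytes([n]), hashlib.sha256).digest() for n in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_server(cert, pick):
    """Credential server: answer message 1 with a selected mechanism and its certificate."""
    def server(first_msg):
        offered = decode_options(first_msg)[OPT_MECHS].decode().split(",")
        return encode_options({OPT_SELECTED: pick(offered).encode(), OPT_CERT: cert})
    return server

def client_exchange(supported, server, trusted, key, soh):
    """Send message 1, validate message 2, return message 3 (encrypted statement of health)."""
    second = decode_options(server(encode_options({OPT_MECHS: ",".join(supported).encode()})))
    chosen = second[OPT_SELECTED].decode()
    if chosen not in supported:                     # server must choose from the client's set
        raise ValueError("selected mechanism %r not supported" % chosen)
    if hashlib.sha256(second[OPT_CERT]).hexdigest() not in trusted:   # rogue-server check
        raise ValueError("server certificate not authorized by the administrator")
    return encode_options({OPT_SOH: prf_xor(key, soh.encode())})

def accepted(*args):
    """True if the client completes the exchange, False if it rejects the server."""
    try:
        return bool(client_exchange(*args))
    except ValueError:
        return False
```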