Authentication of devices having unequal capabilities

US 9,215,228 B1
Filed: 06/17/2014
Issued: 12/15/2015
Est. Priority Date: 06/17/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus for authentication of in-vehicle network devices comprising:

a first communication port configured to receive via an associated communication network a first authentication request from at least one network device of a first set of associated network devices having a first authentication capability, and a second authentication request from at least one network device of a second set of associated network devices having a second authentication capability different than the first authentication capability, wherein the second authentication request is unidirectional message data; and

a connected vehicle gateway portion of a selected in-vehicle device implemented as an onboard authentication proxy logic operatively coupled with the first communication port;

wherein the authentication proxy logic is configured to;

selectively authenticate at least one of the first set of associated network devices based on the first authentication request in accordance with the first authentication capability, wherein selectively authenticating the at least one of the first set of associated network devices comprises selectively generating a first cryptographic key set;

selectively authenticate at least one of the second set of associated network devices based on the second authentication request in accordance with the second authentication capability, wherein selectively authenticating the at least one of the second set of associated network devices comprises selectively generating a second cryptographic key set; and

distribute the first and second cryptographic key sets to the first set of associated network devices, without distributing the first and second cryptographic key sets to the second set of associated network devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system authenticates in-vehicle electronic devices having unequal capabilities such as having varying different communication and processing capabilities. A Connected Vehicle Gateway portion of a selected in-vehicle device acts as an onboard authentication proxy and onboard key server functionality for other in-vehicle devices, and serves as an interface between an in-vehicle network and one or more associated external networks, thereby eliminating the need for explicit peer discovery protocol and the requirement of devices to perform key establishment with each individual communication peer. Instead, each in-vehicle device establishes the group keys as a result of its authentication with the onboard key server and uses the group keys to locally generate and update its session keys. The onboard key server selectively obtains the keys from one or more off-board authentication servers and distributes them to selected in-vehicle devices.

Citations

12 Claims

1. An apparatus for authentication of in-vehicle network devices comprising:
- a first communication port configured to receive via an associated communication network a first authentication request from at least one network device of a first set of associated network devices having a first authentication capability, and a second authentication request from at least one network device of a second set of associated network devices having a second authentication capability different than the first authentication capability, wherein the second authentication request is unidirectional message data; and
  
  a connected vehicle gateway portion of a selected in-vehicle device implemented as an onboard authentication proxy logic operatively coupled with the first communication port;
  
  wherein the authentication proxy logic is configured to;
  
  selectively authenticate at least one of the first set of associated network devices based on the first authentication request in accordance with the first authentication capability, wherein selectively authenticating the at least one of the first set of associated network devices comprises selectively generating a first cryptographic key set;
  
  selectively authenticate at least one of the second set of associated network devices based on the second authentication request in accordance with the second authentication capability, wherein selectively authenticating the at least one of the second set of associated network devices comprises selectively generating a second cryptographic key set; and
  
  distribute the first and second cryptographic key sets to the first set of associated network devices, without distributing the first and second cryptographic key sets to the second set of associated network devices.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus according to claim 1, further comprising:
    - a second communication port operatively coupled with the authentication proxy logic, the second communication port being configured to communicate via an associated authentication network with an associated authentication processor;
      
      wherein the authentication proxy logic selectively forwards the first authentication request data to the associated authentication processor by the second communication port via the associated authentication network responsive to the authentication proxy logic failing to locally authenticate the at least one of the first set of associated network devices based on the first authentication request data in accordance with the first authentication capability.
  - 3. The apparatus according to claim 2, wherein:
    - the authentication proxy logic selectively receives a first cryptographic key set by the second communication port via the associated authentication network responsive to the associated authentication processor authenticating the at least one of the first set of associated network devices based on the first authentication request data; and
      
      the authentication proxy logic selectively distributes the first cryptographic key set to the first set of associated network devices.
  - 4. The apparatus according to claim 3, wherein:
    - the authentication proxy logic selectively forwards the second authentication request data to the associated authentication processor by the second communication port via the associated authentication network responsive to the authentication proxy logic failing to locally authenticate the at least one of the second set of associated network devices based on the second authentication request data in accordance with the second authentication capability;
      
      the authentication proxy logic selectively receives a second cryptographic key set by the second communication port via the associated authentication network responsive to the associated authentication processor authenticating the at least one of the second set of associated network devices; and
      
      the authentication proxy logic selectively distributes the second cryptographic key set to the first set of associated network devices.

5. A method for authentication of in-vehicle network devices comprising:
- receiving a first signal by a first communication port configured to communicate via an associated communication network with first and second sets of associated network devices having first and second authentication capabilities respectively, the first signal comprising a first authentication request from at least one of the first set of associated network devices having the first authentication capability;
  
  receiving a second signal by the first communication port, the second signal comprising a second authentication request from at least one of the second set of associated network devices having the second authentication capability, wherein the second authentication request is unidirectional message data;
  
  selectively authenticating by a connected vehicle gateway portion of a selected in-vehicle device implemented as an onboard authentication proxy processor the at least one of the first set of associated network devices based on the first authentication request data in accordance with the first authentication capability, wherein selectively authenticating the at least one of the first set of associated network devices comprises selectively generating a first cryptographic key set;
  
  selectively authenticating by the authentication proxy processor the at least one of the second set of associated network devices based on the second authentication request data in accordance with the second authentication capability, wherein selectively authenticating the at least one of the second set of associated network devices comprises selectively generating a second cryptographic key set; and
  
  distributing the first and second cryptographic key sets to the first set of associated network devices, without distributing the first and second cryptographic key sets to the second set of associated network devices.
- View Dependent Claims (6, 7, 8)
- - 6. The method according to claim 5, further comprising:
    - selectively forwarding by a second communication port configured to communicate via an associated authentication network with an associated authentication processor the first authentication request data responsive to the authentication proxy logic failing to locally authenticate the at least one of the first set of associated network devices based on the first authentication request data in accordance with the first authentication capability.
  - 7. The method according to claim 6, further comprising:
    - selectively receiving by the authentication proxy logic a first cryptographic key set via the second communication port from the associated authentication network responsive to the associated authentication processor authenticating the at least one of the first set of associated network devices based on the first authentication request data; and
      
      selectively distributing by the authentication proxy logic the first cryptographic key set to the first set of associated network devices.
  - 8. The method according to claim 7, further comprising:
    - selectively forwarding by the second communication port configured to communicate via an associated authentication network with the associated authentication processor the second authentication request data responsive to the authentication proxy logic failing to locally authenticate the at least one of the second set of associated network devices based on the second authentication request data in accordance with the second authentication capability;
      
      selectively receiving by the authentication proxy logic a second cryptographic key set by the second communication port via the associated authentication network responsive to the associated authentication processor authenticating the at least one of the second set of associated network devices; and
      
      selectively distributing by the authentication proxy logic the second cryptographic key set to the first set of associated network devices.

9. Logic for authentication of in-vehicle network devices, the logic being encoded in one or more tangible non-transient computer readable media for execution by an associated processor onboard a vehicle and when executed by the associated processor the logic being operable to:
- receive a first signal by a first communication port configured to communicate via an associated communication network with first and second sets of associated network devices having first and second authentication capabilities respectively, the first signal comprising first authentication request data representative of a request for authentication from at least one of the first set of associated network devices having the first authentication capability;
  
  receive a second signal by the first communication port, the second signal comprising second authentication request data representative of a request for authentication from at least one of the second set of associated network devices having the second authentication capability;
  
  selectively forward by a second communication port configured to communicate via an associated authentication network with an associated authentication processor the first authentication request data responsive to a connected vehicle gateway portion of a selected in-vehicle device implemented as an onboard authentication proxy logic failing to locally authenticate the at least one of the first set of associated network devices based on the first authentication request data in accordance with the first authentication capability;
  
  selectively receive by the authentication proxy logic a first cryptographic key set via the second communication port from the associated authentication network responsive to the associated authentication processor authenticating the at least one of the first set of associated network devices based on the first authentication request data;
  
  selectively forward by the second communication port configured to communicate via an associated authentication network with the associated authentication processor the second authentication request data responsive to the authentication proxy logic failing to locally authenticate the at least one of the second set of associated network devices based on the second authentication request data in accordance with the second authentication capability;
  
  selectively receive by the authentication proxy logic a second cryptographic key set by the second communication port via the associated authentication network responsive to the associated authentication processor authenticating the at least one of the second set of associated network devices; and
  
  selectively distribute by the authentication proxy logic the first and second cryptographic key sets to the first set of associated network devices.
- View Dependent Claims (10, 11, 12)
- - 10. The logic according to claim 9, being further operable to:
    - selectively generate by the authentication proxy logic a first cryptographic key set responsive to the authentication proxy logic authenticating the at least one of the first set of associated network devices based on the first authentication request data in accordance with the first authentication capability; and
      
      selectively distribute by authentication proxy logic the first cryptographic key set to the first set of associated network devices.
  - 11. The logic according to claim 10, being further operable to:
    - selectively generate by the authentication proxy logic a second cryptographic key set responsive to the authentication proxy logic authenticating the at least one of the second set of associated network devices based on the second authentication request data in accordance with the second authentication capability; and
      
      selectively distribute by authentication proxy logic the second cryptographic key set to the first set of associated network devices.
  - 12. The logic according to claim 11, wherein:
    - the receiving the second authentication request data representative of a request for authentication from at least one of the second set of associated network devices comprises intercepting by the authentication proxy logic unidirectional message data transmitted by the at least one of the second set of associated network devices into the associated communication network; and
      
      the distributing the first and second cryptographic key sets to the first set of associated network devices comprises foregoing distributing the first and second cryptographic key sets to the second set of associated network devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zhang, Tao, Antunes, Helder, Lung, Aaron, Patel, Chintan, Thrivikramannair, Ajith, Singhal, Akshay
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US14/306,440
Publication Number

US 20150365389A1
Time in Patent Office

546 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/84   Vehicles

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 63/0884   by delegation of authentica...

H04L 67/12   specially adapted for propr...

H04L 9/0833   involving conference or gro...

H04L 9/0861   Generation of secret inform...

H04L 9/0891   Revocation or update of sec...

H04L 9/321   involving a third party or ...

Authentication of devices having unequal capabilities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of devices having unequal capabilities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links