Supporting differentiated secure communications among heterogeneous electronic devices

US 9,380,044 B2
Filed: 09/10/2014
Issued: 06/28/2016
Est. Priority Date: 09/10/2014
Status: Active Grant

First Claim

Patent Images

1. A gateway apparatus supporting differentiated secure communications among heterogeneous electronic devices, the gateway apparatus comprising:

a first communication port configured to communicate via an associated first communication network of a first network type with a first associated device having a first secure communication capability, the first communication port further being configured to communicate via an associated second communication network of a second network type different than the first network type with a second associated device having a second secure communication capability different than the first secure communication capability; and

gateway logic operatively coupled with the first communication port;

wherein the gateway logic selectively authenticates the first associated device for group membership into a first Secure Communication Group (SCG);

wherein the gateway logic selectively authenticates the second associated device for group membership into the first SCG;

wherein the gateway logic selectively communicates Secure Communication Group Keys (SCGKs) to the first associated device having the first secure communication capability and to the second associated device having the second secure communication capability for generating session keys by the first and second associated devices for mutual secure communication in accordance with the group membership of the first and second associated devices in the first SCG.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway apparatus supports differentiated secure communications among heterogeneous electronic devices. A communication port communicates via communication networks of different types with two or more associated devices having diverse secure communication capabilities. The gateway logic selectively authenticates the associated devices for group membership into a Secure Communication Group (SCG), and selectively communicates Secure Communication Group Keys (SCGKs) to the devices having the diverse secure communication capabilities for selectively generating session keys locally by the associated devices for mutual secure communication in accordance with the group membership of the associated devices in the SCG.

38 Citations

View as Search Results

21 Claims

1. A gateway apparatus supporting differentiated secure communications among heterogeneous electronic devices, the gateway apparatus comprising:
- a first communication port configured to communicate via an associated first communication network of a first network type with a first associated device having a first secure communication capability, the first communication port further being configured to communicate via an associated second communication network of a second network type different than the first network type with a second associated device having a second secure communication capability different than the first secure communication capability; and
  
  gateway logic operatively coupled with the first communication port;
  
  wherein the gateway logic selectively authenticates the first associated device for group membership into a first Secure Communication Group (SCG);
  
  wherein the gateway logic selectively authenticates the second associated device for group membership into the first SCG;
  
  wherein the gateway logic selectively communicates Secure Communication Group Keys (SCGKs) to the first associated device having the first secure communication capability and to the second associated device having the second secure communication capability for generating session keys by the first and second associated devices for mutual secure communication in accordance with the group membership of the first and second associated devices in the first SCG.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The gateway apparatus according to claim 1, wherein:
    - the gateway logic selectively authenticates the first associated device for group membership into the first SCG according to the first authentication capability by a unidirectional communication from the first associated device; and
      
      wherein the gateway logic selectively authenticates the second associated device for group membership into the first SCG according to the second authentication capability by a bidirectional communication with the second associated device.
  - 3. The gateway apparatus according to claim 2, wherein:
    - wherein the gateway logic selectively authenticates the first associated device for group membership into the first SCG according to the first authentication capability by;
      
      receiving key data from the first associated device via the first communication port, the key data being representative of a root credential of the first associated device; and
      
      verifying the key data relative to a predetermined set of authorization key data stored in a non-transient memory of the gateway apparatus; and
      
      wherein the gateway logic selectively authenticates the second associated device for group membership into the first SCG according to the second authentication capability by bidirectional cryptographic communication between the gateway logic and the second associated device.
  - 4. The gateway apparatus according to claim 3, wherein:
    - the gateway logic selectively distributes to the second associated device the key data of the first associated device as session keys of the first associated device for use by the second associated device together with session keys of the second associated device to establish secure communication with the first associated device.
  - 5. The gateway apparatus according to claim 4, wherein:
    - the gateway logic selectively authenticates a third associated device for group membership into the first SCG;
      
      the gateway logic selectively communicates SCGKs of the third associated device to the second associated device;
      
      the gateway logic selectively communicates the SCGKs of the second associated device having a bidirectional communication capability to the third associated device;
      
      the gateway logic selectively communicates the session keys of the first associated device having a unidirectional communication capability to the third associated device.
  - 6. The gateway apparatus according to claim 5, wherein:
    - the gateway logic receives an encrypted message from the third associated device directed to the second associated device;
      
      the gateway logic selectively decrypts the encrypted message from the third associated device using session keys of the third associated device and encrypts the message as a re-encrypted message using session keys of the second associated device;
      
      and the gateway logic sends the re-encrypted message to the second associated device.
  - 7. The gateway apparatus according to claim 6, wherein:
    - the first communication port is configured to communicate via the associated first communication network of the first network type wherein the first network type is a CAN network type; and
      
      the second communication port is configured to communicate via the associated second communication network of the second network type, wherein the second network type is an Ethernet network type.

8. A method of supporting differentiated secure communications among heterogeneous electronic devices, the method comprising:
- communicating by a communication port of a gateway apparatus via an associated first communication network of a first network type with a first associated device having a first secure communication capability;
  
  communicating by the communication port of the gateway apparatus via an associated second communication network of a second network type different than the first network type with a second associated device having a second secure communication capability different than the first secure communication capability;
  
  selectively authenticating by the gateway logic the first associated device for group membership into a first Secure Communication Group (SCG);
  
  selectively authenticating by the gateway logic the second associated device for group membership into the first SCG;
  
  selectively communicating by the gateway logic Secure Communication Group Keys (SCGKs) to the first associated device having the first secure communication capability and to the second associated device having the second secure communication capability for locally generating by the first and second associated devices session keys for mutual secure communication in accordance with the group membership of the first and second associated devices in the first SCG.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method according to claim 8, wherein:
    - the selectively authenticating the first associated device comprises selectively authenticating the first associated device for group membership into the first SCG according to the first authentication capability by a unidirectional communication from the first associated device; and
      
      the selectively authenticating the second associated device comprises selectively authenticating the second associated device for group membership into the first SCG according to the second authentication capability by a bidirectional communication with the second associated device.
  - 10. The method according to claim 9, wherein:
    - the selectively authenticating the first associated device comprises;
      
      receiving key data from the first associated device via the first communication port, the key data being representative of a root credential of the first associated device; and
      
      verifying the key data relative to a predetermined set of authorization key data stored in a non-transient memory of the gateway apparatus; and
      
      the selectively authenticating the second associated device comprises bidirectional cryptographic communication between the gateway logic and the second associated device.
  - 11. The method according to claim 10, further comprising:
    - selectively distributing, by the gateway logic to the second associated device, the key data of the first associated device as session keys of the first associated device for use by the second associated device together with session keys of the second associated device to establish secure communication with the first associated device.
  - 12. The method according to claim 11, further comprising:
    - selectively authenticating a third associated device for group membership into the first SCG;
      
      selectively communicating SCGKs of the third associated device to the second associated device;
      
      selectively communicating the SCGKs of the second associated device having a bidirectional communication capability to the third associated device; and
      
      selectively communicating the session keys of the first associated device having a unidirectional communication capability to the third associated device.
  - 13. The method according to claim 12, further comprising:
    - receiving by the gateway logic an encrypted message from the third associated device directed to the second associated device;
      
      selectively decrypting by the gateway logic the encrypted message from the third associated device using session keys of the third associated device and encrypting the message as a re-encrypted message using session keys of the second associated device;
      
      sending, by the gateway logic the re-encrypted message to the second associated device.
  - 14. The method according to claim 13, wherein:
    - the communicating via the associated first communication network of the first network type comprises communicating via a CAN network type; and
      
      the communicating via the associated second communication network of the second network type comprises communicating via an Ethernet network type.

15. Logic encoded in one or more tangible non-transient computer readable media for execution by an associated processor and when executed by the associated processor the logic being operable to:
- communicate by a communication port of a gateway apparatus via an associated first communication network of a first network type with a first associated device having a first secure communication capability;
  
  communicate by the communication port of the gateway apparatus via an associated second communication network of a second network type different than the first network type with a second associated device having a second secure communication capability different than the first secure communication capability;
  
  selectively authenticate by the gateway logic the first associated device for group membership into a first Secure Communication Group (SCG);
  
  selectively authenticate by the gateway logic the second associated device for group membership into the first SCG;
  
  selectively communicate by the gateway logic Secure Communication Group Keys (SCGKs) to the first associated device having the first secure communication capability and to the second associated device having the second secure communication capability for locally generating by the first and second associated devices session keys for mutual secure communication in accordance with the group membership of the first and second associated devices in the first SCG.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The logic according to claim 15, wherein:
    - the logic is operable to selectively authenticate the first associated device for group membership into the first SCG according to the first authentication capability by a unidirectional communication from the first associated device; and
      
      the logic is operable to selectively authenticate the second associated device for group membership into the first SCG according to the second authentication capability by a bidirectional communication with the second associated device.
  - 17. The logic according to claim 16, wherein:
    - the logic selectively authenticating the first associated device comprises;
      
      the logic being operable to receive key data from the first associated device via the first communication port, the key data being representative of a root credential of the first associated device; and
      
      the logic being operable to verifyg the key data relative to a predetermined set of authorization key data stored in a non-transient memory of the gateway apparatus; and
      
      the logic being operable to selectively authenticate the second associated device comprises the logic being operable to execute bidirectional cryptographic communication between the gateway logic and the second associated device.
  - 18. The logic according to claim 17, being further operable to:
    - selectively distribute, by the gateway logic to the second associated device, the key data of the first associated device as session keys of the first associated device for use by the second associated device together with session keys of the second associated device to establish secure communication with the first associated device.
  - 19. The logic according to claim 18, being further operable to:
    - selectively authenticate a third associated device for group membership into the first SCG;
      
      selectively communicate SCGKs of the third associated device to the second associated device;
      
      selectively communicate the SCGKs of the second associated device having a bidirectional communication capability to the third associated device; and
      
      selectively communicate the session keys of the first associated device having a unidirectional communication capability to the third associated device.
  - 20. The logic according to claim 19, being further operable to:
    - receive by the gateway logic an encrypted message from the third associated device directed to the second associated device;
      
      selectively decrypt by the gateway logic the encrypted message from the third associated device using session keys of the third associated device and encrypting the message as a re-encrypted message using session keys of the second associated device; and
      
      send, by the gateway logic the re-encrypted message to the second associated device.
  - 21. The logic according to claim 20, wherein:
    - the communicating via the associated first communication network of the first network type comprises communicating via a CAN network type; and
      
      the communicating via the associated second communication network of the second network type comprises communicating via an Ethernet network type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zhang, Tao, Antunes, Helder, Lung, Aaron, Patel, Chintan, Thrivikramannair, Ajith, Singhal, Akshay
Primary Examiner(s)
Song, Hosuk

Application Number

US14/482,052
Publication Number

US 20160072781A1
Time in Patent Office

657 Days
Field of Search

380/277, 380/44, 713/168, 713/169, 713/171, 726 2- 26
US Class Current

1/1
CPC Class Codes

H04L 2209/84   Vehicles

H04L 63/0464   using hop-by-hop encryption...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 67/1044   Group management mechanisms...

H04L 67/56   Provisioning of proxy servi...

H04L 9/0833   involving conference or gro...

Supporting differentiated secure communications among heterogeneous electronic devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Supporting differentiated secure communications among heterogeneous electronic devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links