System for cryptographic key sharing among networked key servers

US 9,871,653 B2
Filed: 07/18/2013
Issued: 01/16/2018
Est. Priority Date: 07/18/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a network interface configured to enable communications over one or more networks; and

a processor of a key server coupled to the network interface and a memory encoded with instructions that, when executed by the processor, cause the processor to;

store cryptographic keys and an associated authentication and cryptographic policy on behalf of the key server;

provide the cryptographic keys and the associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to;

authenticate and integrity check the messages with the keys; and

authenticate and integrity check the messages received from other device groups with other keys; and

act as a proxy for other key servers, including;

determining the other key servers from which the other keys are to be requested based on a service discovery protocol;

requesting the other keys to decrypt encrypted messages from the determined other key servers over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;

receiving the other keys together with respective associated authentication and cryptographic policies from the other key servers over the wide area network; and

providing the other keys and associated authentication and cryptographic policies to the device group over the local area network to decrypt the encrypted messages.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for key sharing among multiple key servers connected to one another over a communication network is provided herein. Each key sever of the multiple key servers stores respective cryptographic keys, and provides the keys to a local device group connected with the key server, to enable the device group to encrypt messages with the keys. Each key server acts as a proxy for the other key servers in order to receive other keys from the other key servers over the network, and provide the other keys to the device group for use to decrypt messages received from other local device groups respectively connected with the other key servers that were encrypted with the other keys and to check message integrity. The multiple key servers may share keys with each other directly, or alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.

Citations

18 Claims

1. An apparatus comprising:
- a network interface configured to enable communications over one or more networks; and
  
  a processor of a key server coupled to the network interface and a memory encoded with instructions that, when executed by the processor, cause the processor to;
  
  store cryptographic keys and an associated authentication and cryptographic policy on behalf of the key server;
  
  provide the cryptographic keys and the associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to;
  
  authenticate and integrity check the messages with the keys; and
  
  authenticate and integrity check the messages received from other device groups with other keys; and
  
  act as a proxy for other key servers, including;
  
  determining the other key servers from which the other keys are to be requested based on a service discovery protocol;
  
  requesting the other keys to decrypt encrypted messages from the determined other key servers over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
  
  receiving the other keys together with respective associated authentication and cryptographic policies from the other key servers over the wide area network; and
  
  providing the other keys and associated authentication and cryptographic policies to the device group over the local area network to decrypt the encrypted messages.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein the processor is further configured to request the other keys in response to requests for the other keys from the device group.
  - 3. The apparatus of claim 1, further comprising a power utility substation including the key server and the device group connected with the key server, wherein the device group includes controller-based sensors to monitor power devices.
  - 4. The apparatus of claim 1, wherein the processor is further configured to generate and refresh the keys that are provided to the device group connected with the key server.
  - 5. The apparatus of claim 1, wherein the processor is further configured to store a data structure specifying the device group, an identity number, the authentication and cryptographic policy, and communication state information.

6. A method comprising:
- at a key server connected to one or more networks;
  
  storing cryptographic keys and an associated authentication and cryptographic policy on behalf of the key server;
  
  providing the keys and the associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to;
  
  authenticate and integrity check messages with the keys; and
  
  authenticate and integrity check messages received from other device groups with other keys; and
  
  acting as a proxy for other key servers, wherein acting as a proxy includes;
  
  determining the other key servers from which the other keys are to be requested based on a service discovery protocol;
  
  requesting the other keys to decrypt encrypted messages from the other key servers over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
  
  receiving the other keys together with respective associated authentication and cryptographic policies from the other key servers over the wide area network; and
  
  providing the other keys and the associated authentication and cryptographic policies to the device group over the local area network to decrypt the encrypted messages.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, further comprising, at the key server, generating and refreshing the keys that are provided to the device group connected with the key server.
  - 8. The method of claim 6, further comprising storing a data structure that specifies the device group, an identity number, the authentication and cryptographic policy, and communication state information.
  - 9. The method of claim 6, further comprising:
    - requesting the other keys in response to requests for the other keys from the device group.
  - 10. The method of claim 6, wherein a power utility substation includes the key server and the device group connected with the key server, and wherein the device group includes controller-based sensors to monitor power devices.

11. A non-transitory computer readable storage medium encoded with instructions that, when executed by a processor of a key server, cause the key server to:
- store cryptographic keys and an associated authentication and cryptographic policy on behalf of the key server;
  
  provide the keys and the associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to;
  
  authenticate and integrity check messages with the keys; and
  
  authenticate and integrity check messages received from other device groups with other keys; and
  
  act as a proxy for other key servers, wherein acting as a proxy includes;
  
  determining the other key servers from which the other keys are to be requested based on a service discovery protocol;
  
  requesting the other keys to decrypt encrypted messages from the other key servers over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
  
  receiving the other keys together with respective associated authentication and cryptographic policies from the other key servers over the wide area network; and
  
  providing the other keys and the associated authentication and cryptographic policies to the device group over the local area network to decrypt the encrypted messages.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable storage medium of claim 11, further comprising instructions to cause the key server to store a data structure that specifies the device group, an identity number, the authentication and cryptographic policy, and communication state information.
  - 13. The non-transitory computer readable storage medium of claim 11, wherein the instructions further cause the key server to request the other keys in response to requests for the other keys from the device group.
  - 14. The non-transitory computer readable storage medium of claim 11, wherein a power utility substation includes the key server and the device group connected with the key server, and wherein the device group includes controller-based sensors to monitor power devices.
  - 15. The non-transitory computer readable storage medium of claim 11, wherein the instructions further cause the key server to generate and refresh the keys that are provided to the device group connected with the key server.

16. A method comprising:
- at a key server connected to one or more networks;
  
  storing cryptographic keys on behalf of the key server;
  
  providing the keys and an associated authentication and cryptographic policy to a device group including multiple devices connected with the key server over a local area network, to enable the device group to encrypt messages with the keys, wherein the device group is configured to;
  
  authenticate and integrity check messages with the keys; and
  
  authenticate and integrity check messages received from other device groups with other keys;
  
  transmitting the keys and the associated authentication and cryptographic policy over the wide area network to a central key server for storage therein along with other keys and respective associated authentication and cryptographic policies transmitted from other key servers to the central key server; and
  
  acting as a proxy for the other key servers, wherein acting as a proxy includes;
  
  requesting the other keys to decrypt encrypted messages from the central key server over a wide area network, the encrypted messages encrypted with the other keys and received from other device groups respectively connected with the other key servers over respective local area networks;
  
  receiving the other keys and the associated authentication and cryptographic policies for the other key servers from the central key server over the wide area network; and
  
  providing the other keys and the associated authentication and cryptographic policies over the local area network to the device group to decrypt the encrypted messages.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, further comprising storing, on the key server, a data structure that specifies the device group, an identity number, communication state information, and a pointer to the central key server connected to the wide area network.
  - 18. The method of claim 16, further comprising storing, on the central key server, a data structure specifying the device group, the authentication and cryptographic policy associated with the key server, and the device groups and the authentication and cryptographic policies associated with the other key servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Weis, Brian Eliot, Seewald, Maik Guenter, Lobo, Ruben Gerald
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Tran, Baotram

Application Number

US13/945,369
Publication Number

US 20170359323A1
Time in Patent Office

1,643 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 67/12   specially adapted for propr...

H04L 67/51   Discovery or management the...

H04L 9/08   Key distribution or managem...

H04L 9/083   involving central third par...

Y04S 40/18   Network protocols supportin...

Y04S 40/20   Information technology spec...

System for cryptographic key sharing among networked key servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System for cryptographic key sharing among networked key servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links