System and method for securing machine-to-machine communications

US 9,935,954 B2
Filed: 11/28/2014
Issued: 04/03/2018
Est. Priority Date: 12/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method for securing machine-to-machine communications between a M2M consumer application and a M2M resource provider wherein when an access request is initiated:

sending a securities credentials request from the M2M consumer application to a M2M authorization server,receiving from the M2M authorization server to the consumer application generated securities credentials which comprises an access token, session encryption keys and an authentication key,transmitting from the M2M consumer application the access token and an authentication message to the M2M resource provider for authenticating the consumer application,transmitting the access request from the M2M consumer application to the M2M resource provider, said access request comprising request parameter encrypted with the session keys to access or control resources,authenticating by the M2M resource provider the M2M consumer application as an authorized one from the authentication message and the content of the access token,retrieving by the M2M resource provider the session keys from the content of the access token,decrypting by the M2M resource provider the encrypted request parameter with the session keys, andsending, from the M2M resource provider, the encrypted response of the request parameter to the M2M consumer application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention concerns the implementation of end-to-end security for the communication between objects in the domain of the Internet of Things (or Internet of Objects). The purpose of the patent is dealing with the setup of secure authorized information channel between data source (M2M device) and data consumers (consumer entity). According to the present invention, the access to a M2M device by a consumer entity (consumer application) is controlled by a M2M authorization server. The M2M authorization server is the entity in charge of managing access rights for the M2M device and makes the decision regarding the access to the resource by the consumer entity (consumer application). The M2M server is an entity that enforces the decision and enables the access to the M2M device. When a consumer application needs to communicate with a M2M device, the present invention proposes a method for authorizing a consumer application to access a M2M device and for encrypting the communication between the consumer application and the M2M device. The M2M authorization server computes security credentials which are sent to the consumer application.

9 Citations

View as Search Results

20 Claims

1. A method for securing machine-to-machine communications between a M2M consumer application and a M2M resource provider wherein when an access request is initiated:
- sending a securities credentials request from the M2M consumer application to a M2M authorization server,receiving from the M2M authorization server to the consumer application generated securities credentials which comprises an access token, session encryption keys and an authentication key,transmitting from the M2M consumer application the access token and an authentication message to the M2M resource provider for authenticating the consumer application,transmitting the access request from the M2M consumer application to the M2M resource provider, said access request comprising request parameter encrypted with the session keys to access or control resources,authenticating by the M2M resource provider the M2M consumer application as an authorized one from the authentication message and the content of the access token,retrieving by the M2M resource provider the session keys from the content of the access token,decrypting by the M2M resource provider the encrypted request parameter with the session keys, andsending, from the M2M resource provider, the encrypted response of the request parameter to the M2M consumer application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, wherein the M2M resource provider is a M2M device or a M2M server.
  - 3. The method according to claim 1, wherein the generation of the access token comprises the following steps:
    - generation of a session data by the M2M consumer application, said session data uniquely identifies the current transaction between the M2M consumer application and the M2M resource provider,computation of a cryptographic data from the generated session data,adding the cryptographic data to the securities credentials request,the access token generated by the M2M authorization server comprises the cryptographic data of the securities credentials request, information to retrieve session keys and a generated authentication key.
  - 4. The method according to claim 1, wherein the access token is encrypted with a key shared between the M2M authorization server and the M2M resource provider.
  - 5. The method according the claim 3, wherein the information to retrieve the session keys comprise either index associated to the session keys in a database of the M2M authorization server, or encrypted session keys with a key shared between the M2M authorization server and the M2M resource provider.
  - 6. The method according to claim 1, wherein the authentication of the M2M consumer application by the M2M resource provider comprises the following steps:
    - encrypting the session data with the authentication key, by the M2M consumer application,sending the access token and the encrypted session data from the M2M consumer application to the M2M server,from the authentication key of the access token, decrypting the encrypted session data,from the decrypted session data, computing a cryptographic data,if the comparison of the computed cryptographic data with the cryptographic data of the access token is successful, the M2M consumer application is authenticated.
  - 7. Method according to claim 1, wherein the authenticity of the access token is verified by the M2M resource provider either from a signature computed by the M2M authorization server or an authentication data added by the M2M authorization server to the access token.
  - 8. The method according to claim 1, wherein the authentication data comprises an incremented value of a counter which is used to perform anti replay management, the M2M resource provider verifies if the received counter value into the authentication data is greater than a previous saved counter value, if this verification is successful the M2M resource provider saves the incoming counter value and delete the previous saved.
  - 9. The method according to claim 1, wherein:
    - when the authentication of the M2M consumer application is successful, the M2M resource provider authenticates to the M2M authorization server,If the authentication is successful, retrieving the session keys.
  - 10. The method according to claim 1, wherein the access request comprises also the session data encrypted with the session authentication key and the access token.
  - 11. The method according to claim 1, wherein a M2M device continuously encrypts data with the session keys to push the data to the M2M resource provider for storage.
  - 12. The method according to claim 1, wherein the access token comprises the resource unique identifier (URL) and the list of authorized queries parameters by the M2M consumer application, if the encrypted request parameter is in the list of authorized access, the encrypted query parameter is processed by the M2M resource provider.
  - 13. The method according to claim 1, wherein during the authentication of the M2M consumer application by the M2M server a lifetime of the access token is verified.
  - 14. The method according to claim 13, wherein when the lifetime of the access token is reachedgeneration of respectively a new session data and/or a new access token,the session keys and/or the authentication key are renewed or maintained.

15. A M2M communications system, comprising a consumer application, said consumer application being configured to communicate with a M2M resource provider across an access network, wherein access request messages transiting between the consumer application and the M2M device during this communication are secured by a M2M authorization server wherein:
- the M2M consumer application is programmed to send a securities credentials request from the M2M consumer application to a M2M authorization server,the M2M consumer application is programmed to receive from the M2M authorization server generated securities credentials which comprises an access token, session encryption keys and an authentication key,the M2M consumer application is programmed to transmit from the M2M consumer application the access token and an authentication message to the M2M resource provider for authenticating the consumer application,the M2M consumer application is programmed to transmit the access request from the M2M consumer application to the M2M resource provider, said access request comprising request parameter encrypted with the session keys to access or control resources,the M2M resource provider is programmed to authenticate the M2M consumer application as an authorized one from the authentication message and the content of the access token,the M2M resource provider is programmed to retrieve the session keys from the content of the access token,the M2M resource provider is programmed to decrypt the encrypted request parameter with the session keys, andthe M2M resource provider is programmed to send the encrypted response of the request parameter to the M2M consumer application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system according to claim 15 wherein the M2M resource provider is a M2M device or a M2M server.
  - 17. The system according to claim 15 wherein:
    - the M2M consumer application is further programmed to generate a session data, said session data uniquely identifies the current transaction between the M2M consumer application and the M2M resource provider,the M2M consumer application is further programmed to compute a cryptographic data from the generated session data,the M2M consumer application is further programmed to add the cryptographic data to the securities credentials request, andwherein the access token generated by the M2M authorization server comprises the cryptographic data of the securities credentials request, information to retrieve session keys and a generated authentication key.
  - 18. The system according to claim 15 wherein the access token is encrypted with a key shared between the M2M authorization server and the M2M resource provider.
  - 19. The system according to claim 18 wherein the information to retrieve the session keys comprise either index associated to the session keys in a database of the M2M authorization server, or encrypted session keys with a key shared between the M2M authorization server and the M2M resource provider.
  - 20. The system according to claim 15 wherein the resource provider is programmed to authenticate the M2M consumer application by the M2M resource provider by:
    - encrypting the session data with the authentication key, by the M2M consumer application,sending the access token and the encrypted session data from the M2M consumer application to the M2M server,from the authentication key of the access token, decrypting the encrypted session data,from the decrypted session data, computing a cryptographic data,if the comparison of the computed cryptographic data with the cryptographic data of the access token is successful, the M2M consumer application is authenticated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SA
Original Assignee
Gemalto SA (Thales SA)
Inventors
Smadja, Philippe, Delsuc, Julien, Ganem, Herve, Ennesser, Francois
Primary Examiner(s)
Goodchild, William J.

Application Number

US15/109,401
Publication Number

US 20160337354A1
Time in Patent Office

1,222 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0884   by delegation of authentica...

H04W 12/069   using certificates or pre-s...

H04W 4/70   Services for machine-to-mac...

System and method for securing machine-to-machine communications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing machine-to-machine communications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links