Secure PKI communications for “machine-to-machine” modules, including key derivation by modules and authenticating public keys
Abstract
Methods and systems are provided for efficient and secure “Machine-to-Machine” (M2M) communications between modules and servers. A module can communicate with a server by accessing the Internet, and the module can include a sensor and/or actuator. The module and server can utilize public key infrastructure (PKI) such as public keys to encrypt messages. The module and server can use private keys to generate digital signatures for datagrams sent and decrypt messages received. The module can internally derive pairs of private/public keys using cryptographic algorithms and a set of parameters. A server can use a shared secret key to authenticate the submission of derived public keys with an associated module identity. For the very first submission of a public key derived by the module, the shared secret key can comprise a pre-shared secret key which can be loaded into the module using a pre-shared secret key code.
21 Claims
1. A method for a hardware module with a radio to use a public key and a private key, the method performed by the hardware module, the method comprising:
- receiving a set of parameters, wherein the set of parameters includes a value for an elliptic curve and a key length;
- deriving the private key and the public key using a key pair generation algorithm with the received set of parameters, wherein the hardware module records the derived private key in a nonvolatile memory, wherein the derived private key is used at least, in part, for processing a first module digital signature, and wherein the hardware module authenticates with the first module digital signature;
- reading from the nonvolatile memory (i) a module identity, and (ii) a previous module private key;
- transmitting via the radio a message from an internet protocol address and port (IP:port) number, wherein the message includes the derived public key, a module public key identity, and the module identity, wherein the hardware module authenticates the message with a second module digital signature, and wherein the hardware module uses the previous module private key to process the second module digital signature; and
- receiving via the radio a response at the IP:port number, wherein the response includes a server encrypted data, and wherein the server encrypted data includes a module instruction, and wherein the server encrypted data is decrypted using the derived private key.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method for a server to receive a server instruction through a local area network (LAN) interface, the server including at least one computer processor for performing the steps of the method, the method comprising:
- recording (i) a module identity for a module and (ii) a first shared secret key;
- receiving via the LAN interface a first security token with the module identity;
- sending via the LAN interface (i) a set of parameters for deriving a module public key and a module private key, (ii) a second security token, and (iii) a first server digital signature, wherein the set of parameters includes a value for an elliptic curve and a key length, wherein the first server digital signature uses the first security token as a nonce;
- receiving via the LAN interface a first message from a module that includes the module identity, the module public key derived using the set of parameters, wherein the server uses the module identity to select the first shared secret key from a database, and wherein the server authenticates the first message using the selected first shared secret key and the second security token;
- using the received module public key and a server private key to derive a second shared secret key;
- receiving at a port number with the LAN interface a second message from the module that includes the module identity, and a module encrypted data ciphered with the second shared secret key, and wherein the module encrypted data includes the server instruction;
- sending from the port number with the LAN interface to the module a response to the second message, wherein the response includes a server encrypted data, and wherein the server encrypted data includes a module instruction ciphered with the second shared secret key.
Dependent claims: 10, 11, 12, 13, 14
15. A method for a hardware module with a radio to use a public key and a private key, the method performed by the hardware module, the method comprising:
- receiving a set of parameters, wherein the set of parameters includes a value for an elliptic curve and a key length;
- deriving the private key and the public key from a key pair generation algorithm and the received set of parameters, wherein the hardware module records the derived private key in a nonvolatile memory, wherein the derived private key is used at least, in part, for processing a module digital signature, and wherein the hardware module authenticates with the module digital signature;
- reading (i) an identity for the module from a protected memory in the hardware module, and (ii) a shared secret key from the nonvolatile memory;
- transmitting via the radio a first message, wherein the first message includes the identity and a first module encrypted data, wherein the first module encrypted data includes the derived public key, and wherein the first module encrypted data is encrypted with (a) a symmetric ciphering algorithm and (b) the shared secret key;
- transmitting via the radio a second message, wherein the second message includes a second module encrypted data and the module identity, wherein the second module encrypted data is encrypted with a symmetric key, wherein the symmetric key is derived at least, in part, from the derived private key; and
- receiving via the radio a response, wherein the response includes a server encrypted data, and wherein the server encrypted data includes a module instruction, and wherein the server encrypted data is decrypted using the symmetric key.
Dependent claims: 16, 17, 18, 19, 20, 21
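An added example, not taken from the patent: one way a server could carry out the authentication step of claim 9, checking a submitted module public key against the shared secret key selected by module identity and a single-use second security token. HMAC-SHA256, the length-prefixed field encoding, and the names `Server`, `tag_first_message` and `module-0001` are assumptions; the claims do not name a MAC algorithm or message format.

```python
import hashlib
import hmac
import secrets

# Constructed sample database: module identity -> first shared secret key.
SHARED_KEYS = {"module-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}


def _field(value: bytes) -> bytes:
    # Length-prefix each field so the identity/token/key boundaries are unambiguous.
    return len(value).to_bytes(2, "big") + value


def tag_first_message(shared_key: bytes, module_id: str, token: bytes,
                      public_key: bytes) -> bytes:
    """Module side: MAC binding the identity, server token and derived public key."""
    data = _field(module_id.encode()) + _field(token) + _field(public_key)
    return hmac.new(shared_key, data, hashlib.sha256).digest()


class Server:
    def __init__(self, shared_keys):
        self.shared_keys = shared_keys
        self.pending = {}      # module identity -> outstanding second security token
        self.public_keys = {}  # module identity -> accepted module public key

    def issue_token(self, module_id: str) -> bytes:
        token = secrets.token_bytes(16)
        self.pending[module_id] = token
        return token

    def accept_first_message(self, module_id: str, public_key: bytes,
                             tag: bytes) -> bool:
        key = self.shared_keys.get(module_id)      # select key by module identity
        token = self.pending.pop(module_id, None)  # single use, even on failure
        if key is None or token is None:
            return False
        expected = tag_first_message(key, module_id, token, public_key)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        self.public_keys[module_id] = public_key
        return True


if __name__ == "__main__":
    server = Server(SHARED_KEYS)
    pub = b"\x04" + bytes(64)  # constructed stand-in for an encoded EC public key
    tok = server.issue_token("module-0001")
    tag = tag_first_message(SHARED_KEYS["module-0001"], "module-0001", tok, pub)
    print(server.accept_first_message("module-0001", pub, tag))  # first use
    print(server.accept_first_message("module-0001", pub, tag))  # replay of same tag
```

Because the token is consumed on every attempt, a failed submission forces the module to request a fresh token before retrying.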
Specification