End-to-end service layer authentication

US 10,129,031 B2
Filed: 10/30/2015
Issued: 11/13/2018
Est. Priority Date: 10/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method for securing a message to be transmitted from a first application entity to a target one of a plurality of service layer entities over a network, the method comprising:

requesting, by the first application entity from a trusted third party entity on the network, first credentials to be used for end-to-end authentication of the message by the first application entity and the target service layer entity;

wherein the first application entity is implemented on a first apparatus of the network and the plurality of service layer entities are implemented on respective other apparatuses of the network;

wherein the message is transmitted on a path through the network that traverses one or more intermediate service layer entities between the first application entity and the target service layer entity;

receiving, from the trusted third party on the network, the first credentials;

generating, by the first application entity based on the first credentials and at least some information associated with the message, an authentication code for authenticating the message;

transmitting, by the first application entity to a first intermediate service layer entity on the path to the target service layer entity, via a secure tunnel established between the first application entity and the first intermediate service layer entity using credentials that are different from the first credentials, the message and the authentication code;

wherein the message and the authentication code are securely transmitted thereafter from intermediate service layer entity-to-intermediate service layer entity along the path until they reach the target service layer entity, and wherein each transmission from one intermediate service layer entity to a next intermediate service layer entity along the path is secured using credentials that are different from the first credentials; and

wherein the target service layer entity, upon receiving the message and the authentication code, uses the authentication code and the first credentials to authenticate the message at the target service layer entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of mechanisms to perform End-to-End authentication between entities having diverse capabilities (E.g. processing, memory, etc.) and with no prior security associations are used. Security provisioning and configuration process is done such that appropriate security credentials, functions, scope and parameters may be provisioned to an Entity. Mechanisms to distribute the security credentials to other entities which could then use the credentials to perform an End-to-End authentication at the Service Layer or the Session Layer and using Direct or Delegated modes are developed.

143 Citations

18 Claims

1. A method for securing a message to be transmitted from a first application entity to a target one of a plurality of service layer entities over a network, the method comprising:
- requesting, by the first application entity from a trusted third party entity on the network, first credentials to be used for end-to-end authentication of the message by the first application entity and the target service layer entity;
  
  wherein the first application entity is implemented on a first apparatus of the network and the plurality of service layer entities are implemented on respective other apparatuses of the network;
  
  wherein the message is transmitted on a path through the network that traverses one or more intermediate service layer entities between the first application entity and the target service layer entity;
  
  receiving, from the trusted third party on the network, the first credentials;
  
  generating, by the first application entity based on the first credentials and at least some information associated with the message, an authentication code for authenticating the message;
  
  transmitting, by the first application entity to a first intermediate service layer entity on the path to the target service layer entity, via a secure tunnel established between the first application entity and the first intermediate service layer entity using credentials that are different from the first credentials, the message and the authentication code;
  
  wherein the message and the authentication code are securely transmitted thereafter from intermediate service layer entity-to-intermediate service layer entity along the path until they reach the target service layer entity, and wherein each transmission from one intermediate service layer entity to a next intermediate service layer entity along the path is secured using credentials that are different from the first credentials; and
  
  wherein the target service layer entity, upon receiving the message and the authentication code, uses the authentication code and the first credentials to authenticate the message at the target service layer entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein authentication of the message at the target service layer entity comprises:
    - verifying, using the authentication code, that the message received at the target service layer entity originated from the first application entity.
  - 3. The method of claim 2, wherein authentication of the message at the target service layer entity further comprises:
    - verifying, using the authentication code, the integrity of the message received at the target service layer entity.
  - 4. The method of claim 1, wherein the authentication code comprises one or more of:
    - at least a part of the message;
      
      the first credentials;
      
      a nonce; and
      
      a timestamp of when the message was created.
  - 5. The method of claim 1, wherein the request to the third party entity for the first credentials comprises an identifier of the target service layer entity.
  - 6. The method of claim 1, wherein requesting the first credentials comprises:
    - establishing a secure tunnel with the first intermediate service layer entity; and
      
      transmitting the request to the first intermediate service layer entity, wherein the request comprises an identifier of the target service layer entity,wherein the first service layer entity forwards the request to the third party entity, receives a response from the third party entity comprising the requested first credentials, and passes the response to the first application entity.
  - 7. The method of claim 1, wherein the target service layer entity receives the first credentials from the trusted third party prior to receiving the message and the authentication code from a given one of the intermediate service layer entities.
  - 8. The method of claim 1, wherein the target service layer entity requests the first credentials from the trusted third party after receiving the message and the authentication code from a given one of the intermediate service layer entities.
  - 9. The method of claim 1, wherein said each transmission from one intermediate service layer entity to a next intermediate service layer entity along the path is secured using credentials different from the first credentials and different from the credentials used between any other pair of intermediate service layer entities.

10. A first application entity implemented on a first apparatus of a network, the first application entity being configured to secure a message to be transmitted from the first application entity to a target one of a plurality of service layer entities implemented on respective other apparatuses of the network the first application entity being configured to implement a method comprising:
- requesting, by the first application entity from a trusted third party entity on the network, first credentials to be used for end-to-end authentication of the message by the first application entity and the target service layer entity;
  
  wherein the message is transmitted on a path through the network that traverses one or more intermediate service layer entities between the first application entity and the target service layer entity;
  
  receiving, from the trusted third party on the network, the first credentials;
  
  generating, by the first application entity based on the first credentials and at least some information associated with the message, an authentication code for authenticating the message;
  
  transmitting, by the first application entity to a first intermediate service layer entity on the path to the target service layer entity, via a secure tunnel established between the first application entity and the first intermediate service layer entity using credentials that are different from the first credentials, the message and the authentication code;
  
  wherein the message and the authentication code are securely transmitted thereafter from intermediate service layer entity-to-intermediate service layer entity along the path until they reach the target service layer entity, and wherein each transmission from one intermediate service layer entity to a next intermediate service layer entity along the path is secured using credentials that are different from the first credentials; and
  
  wherein the target service layer entity, upon receiving the message and the authentication code, uses the authentication code and the first credentials to authenticate the message at the target service layer entity.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The first application entity of claim 10, wherein authentication of the message at the target service layer entity comprises:
    - verifying, using the authentication code, that the message received at the target service layer entity originated from the first application entity.
  - 12. The first application entity of claim 11, wherein authentication of the message at the target service layer entity further comprises:
    - verifying, using the authentication code, the integrity of the message received at the target service layer entity.
  - 13. The first application entity of claim 10, wherein the authentication code comprises one or more of:
    - at least a part of the message;
      
      the first credentials;
      
      a nonce; and
      
      a timestamp of when the message was created.
  - 14. The first application entity of claim 10, wherein the request to the third party entity for the first credentials comprises an identifier of the target service layer entity.
  - 15. The first application entity of claim 10, wherein requesting the first credentials comprises:
    - establishing a secure tunnel with the first intermediate service layer entity; and
      
      transmitting the request to the first intermediate service layer entity, wherein the request comprises an identifier of the target service layer entity,wherein the first service layer entity forwards the request to the third party entity, receives a response from the third party entity comprising the requested first credentials, and passes the response to the first application entity.
  - 16. The first application entity of claim 10, wherein the target service layer entity receives the first credentials from the trusted third party prior to receiving the message and the authentication code from a given one of the intermediate service layer entities.
  - 17. The first application entity of claim 10, wherein the target service layer entity requests the first credentials from the trusted third party after receiving the message and the authentication code from a given one of the intermediate service layer entities.
  - 18. The first application entity of claim 10, wherein said each transmission from one intermediate service layer entity to a next intermediate service layer entity along the path is secured using credentials different from the first credentials and different from the credentials used between any other pair of intermediate service layer entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Convida Wireless LLC
Original Assignee
Convida Wireless LLC
Inventors
Choyi, Vinod Kumar, Seed, Dale N., Mladin, Catalina M., Wang, Chonggang
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen

Application Number

US14/928,909
Publication Number

US 20170012778A1
Time in Patent Office

1,110 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0281   Proxies

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0478   applying multiple layers of...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0884   by delegation of authentica...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 9/0833   involving conference or gro...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3242   involving keyed hash functi...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H04W 4/70   Services for machine-to-mac...

End-to-end service layer authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

143 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

End-to-end service layer authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links