End-to-end service layer authentication

US 10,601,594 B2
Filed: 10/10/2018
Issued: 03/24/2020
Est. Priority Date: 10/31/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from a first service layer entity performing delegated authentication on behalf of a second service layer entity, a request for one or more security credentials;

accessing a security profile associated with the second service layer entity, wherein the security profile comprises an indication of one or more security requirements associated with the second service layer entity, and wherein the one or more security requirements comprise an indication of at least one of a security level and a type of security protection mechanism associated with the second service layer entity;

generating, based on the security profile, the one or more security credentials; and

sending, to the first service layer entity, the one or more security credentials,wherein the one or more security credentials enable the first service layer entity to establish a security association with at least one other service layer entity over a network,wherein the first service layer entity is implemented on an apparatus of the network and the other service layer entity is implemented on another apparatus of the network, andwherein the first service layer entity and the other service layer entity are interconnected to one another by one or more intermediate service layer entities.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A variety of mechanisms to perform End-to-End authentication between entities having diverse capabilities (E.g. processing, memory, etc.) and with no prior security associations are used. Security provisioning and configuration process is done such that appropriate security credentials, functions, scope and parameters may be provisioned to an Entity. Mechanisms to distribute the security credentials to other entities which could then use the credentials to perform an End-to-End authentication at the Service Layer or the Session Layer and using Direct or Delegated modes are developed.

158 Citations

20 Claims

1. A method comprising:
- receiving, from a first service layer entity performing delegated authentication on behalf of a second service layer entity, a request for one or more security credentials;
  
  accessing a security profile associated with the second service layer entity, wherein the security profile comprises an indication of one or more security requirements associated with the second service layer entity, and wherein the one or more security requirements comprise an indication of at least one of a security level and a type of security protection mechanism associated with the second service layer entity;
  
  generating, based on the security profile, the one or more security credentials; and
  
  sending, to the first service layer entity, the one or more security credentials,wherein the one or more security credentials enable the first service layer entity to establish a security association with at least one other service layer entity over a network,wherein the first service layer entity is implemented on an apparatus of the network and the other service layer entity is implemented on another apparatus of the network, andwherein the first service layer entity and the other service layer entity are interconnected to one another by one or more intermediate service layer entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the security profile is received as part of a service enablement and security configuration process.
  - 3. The method of claim 2, wherein the security profile is based on a type of service to be provided by the second service layer entity.
  - 4. The method of claim 1, wherein the one or more security credentials are further generated based on a device profile associated with the second service layer entity, wherein the device profile comprises an indication of one or more capabilities of the second service layer entity.
  - 5. The method of claim 1, wherein the one or more security credentials are further generated based on an entity profile associated with the second service layer entity, wherein the entity profile comprises an indication of one or more of a class of service, a type of service, a security level, and a privacy level associated with the second service layer entity.
  - 6. The method of claim 1, wherein the one or more security credentials comprise one or more keys.
  - 7. The method of claim 6, wherein a size of the one or more keys is determined based on the at least one of the security level and the type of security protection mechanism associated with the second service layer entity.

8. A device comprising a processor and a memory, the memory storing computer-executable instructions which, when executed by the processor, cause the device to perform operations comprising:
- receiving, from a first service layer entity performing delegated authentication on behalf of a second service layer entity, a request for one or more security credentials;
  
  accessing a security profile associated with the second service layer entity, wherein the security profile comprises an indication of one or more security requirements associated with the second service layer entity, and wherein the one or more security requirements comprise an indication of at least one of a security level and a type of security protection mechanism associated with the second service layer entity;
  
  generating, based on the security profile, the one or more security credentials; and
  
  sending, to the first service layer entity, the one or more security credentials,wherein the one or more security credentials enable first service layer entity to establish a security association with at least one other service layer entity over a network,wherein the first service layer entity is implemented on an apparatus of the network and the other service layer entity is implemented on another apparatus of the network, andwherein the first service layer entity and the other service layer entity are interconnected to one another by one or more intermediate service layer entities.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The device of claim 8, wherein the security profile is received as part of a service enablement and security configuration process.
  - 10. The device of claim 9, wherein the security profile is based on a type of service to be provided by the second service layer entity.
  - 11. The device of claim 8, wherein the one or more security credentials are further generated based on a device profile associated with the second service layer entity, wherein the device profile comprises an indication of one or more capabilities of the second service layer entity.
  - 12. The device of claim 8, wherein the one or more security credentials are further generated based on an entity profile associated with the second service layer entity, wherein the entity profile comprises an indication of one or more of a class of service, a type of service, a security level, and a privacy level associated with the second service layer entity.
  - 13. The device of claim 8, wherein the one or more security credentials comprise one or more keys.
  - 14. The device of claim 13, wherein a size of the one or more keys is determined based on the at least one of the security level and the type of security protection mechanism associated with the second service layer entity.

15. A computer-readable storage medium comprising computer-executable instructions which, when executed by a processor of a device, cause the device to perform operations comprising:
- receiving, from a first service layer entity performing delegated authentication on behalf of a second service layer entity, a request for one or more security credentials;
  
  accessing a security profile associated with the second service layer entity, wherein the security profile comprises an indication of one or more security requirements associated with the second service layer entity, and wherein the one or more security requirements comprise an indication of at least one of a security level and a type of security protection mechanism associated with the second service layer entity;
  
  generating, based on the security profile, the one or more security credentials; and
  
  sending, to the first service layer entity, the one or more security credentials,wherein the one or more security credentials enable the first service layer entity to establish a security association with at least one other service layer entity over a network,wherein the first service layer entity is implemented on an apparatus of the network and the other service layer entity is implemented on another apparatus of the network, andwherein the first service layer entity and the other service layer entity are interconnected to one another by one or more intermediate service layer entities.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable storage medium of claim 15, wherein the security profile is received as part of a service enablement and security configuration process.
  - 17. The computer-readable storage medium of claim 16, wherein the security profile is based on a type of service to be provided by the second service layer entity.
  - 18. The computer-readable storage medium of claim 15, wherein the one or more security credentials are further generated based on a device profile associated with the second service layer entity, wherein the device profile comprises an indication of one or more capabilities of the second service layer entity.
  - 19. The computer-readable storage medium of claim 15, wherein the one or more security credentials comprise one or more keys.
  - 20. The computer-readable storage medium of claim 19, wherein a size of the one or more keys is determined based on the at least one of the security level and the type of security protection mechanism associated with the second service layer entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Convida Wireless LLC
Original Assignee
Convida Wireless LLC
Inventors
Choyi, Vinod Kumar, Seed, Dale N., Mladin, Catalina M., Wang, Chonggang
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US16/156,396
Publication Number

US 20190123909A1
Time in Patent Office

531 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0281   Proxies

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0478   applying multiple layers of...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0884   by delegation of authentica...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 9/0833   involving conference or gro...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3242   involving keyed hash functi...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H04W 4/70   Services for machine-to-mac...

End-to-end service layer authentication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

158 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

End-to-end service layer authentication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links