Authentication for devices located in cable networks

US 7,865,727 B2
Filed: 08/24/2006
Issued: 01/04/2011
Est. Priority Date: 08/24/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving at a Cable Modem Termination System (CMTS) a proactively generated and transmitted authentication request from a cable modem, said authentication request including an attribute specifying a physical address of the cable modem and initiating an authentication process involving the cable modem, the CMTS, and a centralized server, wherein the authentication process is initiated by the cable modem generating and transmitting the authentication request;

as part of the authentication process initiated by the cable modem, forwarding at least a portion of said authentication request to the centralized server to cause a network certificate to be received by the cable modem;

as part of the authentication process initiated by the cable modem, after the network certificate is received by the cable modem, receiving at the CMTS an authorization response from the cable modem, wherein the authorization response includes an authentication criterion for the cable modem;

as part of the authentication process initiated by the cable modem, extracting a forwarding message from the authorization response and sending the forwarding message to the centralized server;

as part of the authentication process initiated by the cable modem, receiving back a communication to establish a session key on the cable modem and forwarding a representation of the communication to the cable modem for establishment of the session key on the cable modem;

completing ranging with the cable modem before sending a certificate request that elicits the authorization response; and

registering the cable modem after the authentication process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An extensible authentication framework is used in cable networks such as Data Over Cable Service Interface Specification (DOCSIS) cable networks. The authentication scheme allows for centralized authentication of cable modems, as well as authentication of the cable network by cable modems. Additionally, the authentication scheme allows a Cable Modem Termination System (CMTS) to authenticate devices downstream from cable modems, such as Customer Premise Equipment (CPE) devices.

Citations

13 Claims

1. A method, comprising:
- receiving at a Cable Modem Termination System (CMTS) a proactively generated and transmitted authentication request from a cable modem, said authentication request including an attribute specifying a physical address of the cable modem and initiating an authentication process involving the cable modem, the CMTS, and a centralized server, wherein the authentication process is initiated by the cable modem generating and transmitting the authentication request;
  
  as part of the authentication process initiated by the cable modem, forwarding at least a portion of said authentication request to the centralized server to cause a network certificate to be received by the cable modem;
  
  as part of the authentication process initiated by the cable modem, after the network certificate is received by the cable modem, receiving at the CMTS an authorization response from the cable modem, wherein the authorization response includes an authentication criterion for the cable modem;
  
  as part of the authentication process initiated by the cable modem, extracting a forwarding message from the authorization response and sending the forwarding message to the centralized server;
  
  as part of the authentication process initiated by the cable modem, receiving back a communication to establish a session key on the cable modem and forwarding a representation of the communication to the cable modem for establishment of the session key on the cable modem;
  
  completing ranging with the cable modem before sending a certificate request that elicits the authorization response; and
  
  registering the cable modem after the authentication process.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The method of claim 1, further comprising:
    - receiving a request for the authentication criterion from the centralized server, the request including the network identity; and
      
      forwarding a representation of the request for the authentication criterion to the cable modem to elicit the authorization response.
  - 4. The method of claim 3, further comprising:
    - identifying a Remote Authentication Dial In User Service (RADIUS) message included in the request for the authentication criterion before forwarding the representation of the request, the RADIUS message containing an Extensible Authentication Protocol (EAP) packet that contains the network identity;
      
      extracting the EAP packet;
      
      formatting the EAP packet; and
      
      sending the formatted EAP packet containing the network identity to the cable modem.
  - 5. The method of claim 4, further comprising:
    - cryptographically computing an authentication key using the session key; and
      
      sending the authentication key to a Dynamic Host Configuration Protocol (DHCP) server.
  - 6. The method of claim 1, further comprising:
    - receiving a downstream device credential request from the centralized server, the downstream device credential request including the network identity;
      
      forwarding the downstream device credential request to a downstream device operating behind the cable modem; and
      
      receiving back a downstream device response from the downstream device that includes authentication credentials associated with the downstream device.
  - 7. The method of claim 6, further comprising:
    - stripping a Data Over Cable Service Interface Specification (DOCSIS) frame from the downstream device response;
      
      forwarding a remaining portion of the downstream device response to the centralized server; and
      
      receiving back an authentication success for the downstream device.
  - 8. The method of claim 1, wherein the authorization response includes a DOCSIS frame containing an Ethernet frame that contains an 802.1x packet.

2. The method of claim h further comprising forwarding an acknowledgement to the centralized server, the acknowledgement indicating that the cable modem successfully established the session key using private credentials stored on the cable modem.

9. A Cable Modem Termination System (CMTS), comprising;
- a processing device; and
  
  a memory coupled to the processing device comprising instructions executable by the processing device, the processing device operable when executing the instructions to;
  
  receive at the CMTS a proactively generated and transmitted authentication request from a remote device over the cable network, said authentication request initiating an authentication process involving the remote device, the CMTS, and a centralized server, wherein the authentication process is initiated by the remote device generating and transmitting the authentication request;
  
  as part of the authentication process initiated by the remote device, forward at least a portion of said authentication request to the centralized server to cause a network certificate to be received by the remote device;
  
  as part of the authentication process initiated by the remote device, receive an authorization response over the cable network, wherein the authorization response includes a device identification for the remote device and an authentication criterion;
  
  as part of the authentication process initiated by the remote device, extract a forwarding message from the authorization response and send the forwarding message to the centralized server; and
  
  as part of the authentication process initiated by the remote device, receive back an authorization message to establish a session key on the remote device and forward a representation of the authorization message to the remote device;
  
  wherein the remote device is a cable modem, and wherein the processing device is operable when executing the instructions to;
  
  complete ranging with the remote device before sending a certificate request that elicits the authorization response; and
  
  register the remote device as an authenticated cable modem after authenticating the remote device.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The CMTS of claim 9, wherein the processing device is operable when executing the instructions to forward an acknowledgement indicating that the remote device successfully established the session key using private credentials stored on the remote device.
  - 11. The CMTS of claim 9, wherein the processing device is operable when executing the instructions to remove a Remote Authentication Dial In User Service (RADIUS) or Diameter header from the authorization message before sending the representation of the authorization message to the remote device.
  - 12. The CMTS of claim 9, wherein the processing device is operable when executing the instructions to:
    - extract both the session key and an Extensible Authentication Protocol (EAP) success from the authorization message;
      
      computationally compute a Hashed Message Authentication Code (HMAC) key using the session key;
      
      integrity-protect the EAP success using the HMAC key; and
      
      send the integrity-protected EAP success to the remote device.
  - 13. The CMTS of claim 9, wherein the processing device is operable when executing the instructions to authenticate a Customer Premise Equipment (CPE) device operating behind the cable modem.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Frazier, Jason, Zeng, Shengyou, Littlefield, Joshua B., Salowey, Joseph A.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
LEWIS, LISA C

Application Number

US11/467,002
Publication Number

US 20080065883A1
Time in Patent Office

1,594 Days
Field of Search

713/168, 725/111, 726 2- 7
US Class Current

713/168
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

Authentication for devices located in cable networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication for devices located in cable networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links