US9270653B2ActiveUtilityA1

Carrier network security interface for fielded devices

96
Assignee: MARIA ARTUROPriority: May 11, 2011Filed: May 11, 2011Granted: Feb 23, 2016
Est. expiryMay 11, 2031(~4.8 yrs left)· nominal 20-yr term from priority
Inventors:Arturo Maria
H04L 12/06H04L 12/1403H04L 63/062H04L 12/14H04L 63/08H04L 63/0442H04L 63/20H04L 63/105H04L 63/0428H04L 63/0869H04W 12/088
96
PatentIndex Score
34
Cited by
45
References
20
Claims

Abstract

The disclosed subject matter provides carrier-side security services for fielded devices. In contrast to conventional authentication systems for fielded devices, wherein an end-to-end communications pathway is typically established for authentication of a fielded device by a back-end service provider, authentication and security services can be moved into the carrier network. A security service monitor component can be at the carrier network and can authenticate field components without establishing a communications pathway to the back-end service provider. Further, security service monitor component can provide security services for communications with an authenticated field component. In an aspect, this can allow for centralization of security elements from the periphery of back-end service providers into the carrier network. In a further aspect, security service monitor component can host a security services platform for back-end service providers.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A network device, comprising:
 a processor; and 
 a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising:
 receiving service information that facilitates communication between a field device and a service device via a communication link at a second security level associated with a second security service, wherein the service device is not associated with a network operator identity associated with the network device; 
 receiving field device information associated with the field device for use in connection with operating the communication link using the network device; 
 determining identification information associated with the field device from the field device information; 
 selecting a first security service based on the identification information to facilitate communication with the field device via the communication link at a first security level associated with the first security service; 
 in response to selecting the first security service associated with permissive use of the network device for the communication link with the field device, receiving security information related to the field device accessing the second security service via the network device based on the service information without authentication of the field device via the service device; 
 adapting the communication link to convey data at the second security level after the communication link is determined to be successfully established at the first security level, wherein the adapting comprises encrypting the data to be unreadable by network devices associated with the network operator identity; and 
 conveying the data at the second security level between the field device and the service device, as endpoint devices of the communication link, via the network device for decryption at one of the endpoint devices. 
 
 
     
     
       2. The network device of  claim 1 , wherein the determining the identification information further facilitates an authentication of the field device to the network device based on the identification information. 
     
     
       3. The network device of  claim 1 , wherein the receiving the security information comprises receiving the security information from a data store co-located with the network device. 
     
     
       4. The network device of  claim 1 , wherein the receiving the security information comprises receiving the security information from a data store remotely located from the network device. 
     
     
       5. The network device of  claim 1 , wherein the security information related to accessing the second security service is received based on programming input to the service device. 
     
     
       6. The network device of  claim 1 , further comprising authenticating the communication via the network device based on the field device information, the service information and the second security service. 
     
     
       7. The network device of  claim 1 , wherein the receiving the service information comprises receiving the service information from a device associated with a public utility provider identity and the receiving the field device information comprises receiving the field device information from a metering device associated with the public utility provider identity. 
     
     
       8. The network device of  claim 1 , further comprising a wireless interface that interfaces to the field device. 
     
     
       9. The network device of  claim 8 , further comprising a femtocell device. 
     
     
       10. The network device of  claim 8 , wherein the field component is a vehicle computer device. 
     
     
       11. The network device of  claim 8 , wherein the field component is a metering device. 
     
     
       12. The network device of  claim 8 , wherein the field component is a traffic light controller device. 
     
     
       13. The network device of  claim 8 , wherein the field component is an electric vehicle charging station device. 
     
     
       14. The network device of  claim 8 , further comprising an access point device. 
     
     
       15. A method, comprising:
 receiving, by a network device comprising a processor, service information associated with a service device, wherein the service device is not one of the network devices and wherein the service information is stored by the network device as stored service information to enable communication between a field device and the service device via a service authentication protocol; 
 receiving, by the network device, an indication of the service authentication protocol associated with the service device, wherein the indication of the service authentication protocol is stored by the network device as stored service authentication protocol information; 
 receiving, by the network device, first identification information from an unauthenticated field device; 
 authenticating, by the network device, the unauthenticated field device to a network devices of a network comprising the network device based on the first identification information; 
 in response to authenticating the field device to the network devices of the network, authenticating, by the network device, the field device to the service device based on the stored service information and the stored service authentication protocol information without authenticating the field device via the service device; and 
 carrying, by the network device, encrypted data via a communication link between the field device and the service device comprising the network device, wherein the encrypted data is encrypted in accordance with the service authentication protocol and is decryptable by the field device. 
 
     
     
       16. The method of  claim 15 , wherein the encrypted data is decryptable by the service device. 
     
     
       17. The method of  claim 15 , wherein the receiving the indication of the service authentication protocol comprises receiving the indication of the service authentication protocol from a data store accessible by the service device. 
     
     
       18. A non-transitory machine-readable storage medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations, comprising:
 receiving an identifier associated with a field device accessing the network device, wherein the network device is one of a set of network devices of a network; 
 authenticating, by the network device, the field device according to a first security profile related to accessing the network device based on the identifier; 
 authenticating, by the network device in response to determining that the field device is authenticated to the network device in accordance with the first security profile, the field device according to a second security profile stored by the network device, without authentication of the field device via the service device, based on the identifier, wherein the second security profile is associated with a service device and the set of network devices does not comprise the service device; 
 establishing a communication link based on the second security profile, wherein the communication link facilitates encryption of communication between the field device and the service device; and 
 conveying data encrypted in accordance with the second security profile between the field device and the service device, as endpoint devices of the communication link, via the network device for decryption at one of the endpoint devices, wherein the data is unreadable by the set of network devices. 
 
     
     
       19. The non-transitory computer readable medium of  claim 18 , wherein the first security profile is generated by the set of network devices and the second security profile is not generated by the set of network devices. 
     
     
       20. The computer readable storage medium of  claim 18 , further comprising, receiving and storing, at the network device, security information related to authenticating the field device according to the second security profile.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.