USRE49012EActiveUtilityPatentIndex 81
Secure configuration of a headless networking device
Est. expiryMar 1, 2033(~6.7 yrs left)· nominal 20-yr term from priority
Inventors:HARKINS DANIEL N
G09C 5/00H04L 63/061H04L 9/0841H04W 12/77H04L 63/18H04L 63/0428H04L 63/08H04L 9/006G06F 9/4411
81
PatentIndex Score
7
Cited by
15
References
62
Claims
Abstract
The secure configuration of a headless networking device is described. A label associated with the headless networking device is scanned and a public key is determined. scanning a label associated with a networking device. A configuration process is initiated for the networking device using the public key associated with the networking device that was determined based on the scanned label.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A non-transitory computer-readable medium comprising instructions which, when executed by one or more hardware processors, cause the one or more hardware processors to:
determine a public key associated with a networking device using an external label associated with the networking device; authenticate the networking device based upon a determination as to whether the networking device possesses a private key analog to the public key associated with the networking device; and initiate a configuration process for the networking device after the networking device is authenticated, wherein the configuration process facilitates access by the networking device to a secure network, and wherein the configuration process includes sending a domain parameter to provide configuration information for the configuration process and an address for a domain name server to the networking device.
2. The non-transitory computer-readable medium of claim 1 , wherein to authenticate the networking device, the instructions are further to cause the one or more hardware processors to:
generate a shared secret using the public key associated with the networking device and send the shared secret to the networking device; encrypt a first information with the shared secret and send the encrypted first information to the networking device; and receive a second information from the networking device that indicates that the networking device possesses the private key analog to the public key associated with the networking device.
3. The non-transitory computer-readable medium of claim 2 , wherein to authenticate the networking device, the instructions are further to cause the one or more hardware processors to integrity protect the encrypted first information prior to sending the encrypted first information to the networking device.
4. The non-transitory computer-readable medium of claim 2 , wherein the instructions are further to cause the one or more hardware processors to send assurance to the networking device before initiating the configuration process by encrypting a third information with the shared secret and sending the encrypted third information to the networking device.
5. The non-transitory computer-readable medium of claim 2 , wherein to authenticate the networking device, the instructions are further to cause the one or more hardware processors to receive an indication from the networking device possessing the shared secret that the networking device possesses the private key analog to the public key associated with the network device.
6. The non-transitory computer-readable medium of claim 2 , wherein to generate the shared secret, the instructions are further to cause the one or more hardware processors to perform a static ephemeral Diffie-Hellman key exchange.
7. The non-transitory computer-readable medium of claim 2 , wherein to encrypt the first information, the instructions are further to cause the one or more hardware processors to wrap a first nonce in the shared secret.
8. The non-transitory computer-readable medium of claim 7 , wherein to receive the second information, the instructions are further to cause the one or more hardware processors to receive two encrypted nonces and wherein to determine that the networking device possesses the shared secret, the instructions are further to cause the one or more hardware processors to determine whether the encryption of the two nonces is valid.
9. The non-transitory computer-readable medium of claim 8 , wherein to receive the second information, the instructions are further to cause the one or more hardware processors to receive two nonces encrypted with the shared secret from the networking device, and decrypt and verify the two nonces.
10. An apparatus comprising:
one or more hardware processors; a memory on which is stored instructions that are to cause the one or more hardware processors to:
determine a public key associated with a networking device using an external label associated with the networking device;
authenticate the networking device based upon a determination as to whether the networking device possesses a private key analog to the public key associated with the networking device; and
initiate a configuration process for the networking device after the networking device has been authenticated, wherein the configuration process facilitates access by the networking device to a secure network, and wherein the configuration process includes sending a domain parameter to provide configuration information for the configuration process and an address for a domain name server to the networking device.
11. The apparatus of claim 10 , wherein to authenticate the networking device, the instructions are further to cause the one or more hardware processors to:
generate a shared secret using the public key associated with the networking device and send the shared secret to the networking device; encrypt a first information with the shared secret and send the encrypted first information to the networking device; and receive a second information from the networking device that indicates that the networking device possesses the private key analog to the public key associated with the networking device.
12. The apparatus of claim 11 , wherein to authenticate the networking device, the instructions are further to cause the one or more hardware processors to integrity protect the encrypted first information prior to sending the encrypted first information to the networking device.
13. The apparatus of claim 11 , wherein the instructions are further to cause the one or more hardware processors to send assurance to the networking device before initiating the configuration process by encrypting a third information with the shared secret and sending the encrypted third information to the networking device wherein the networking device does not accept configuration unless the networking device can decrypt the third information using the shared secret.
14. The apparatus of claim 11 , wherein to authenticate the networking device, the instructions are further to cause the one or more hardware processors to receive an indication from the networking device possessing the shared secret that the networking device possesses the private key analog to the public key determined associated with the networking device.
15. The apparatus of claim 11 , wherein to generate the a shared secret, the instructions are further to cause the one or more hardware processors to perform a static ephemeral Diffie-Hellman key exchange.
16. The apparatus of claim 11 , wherein to encrypt the first information, the instructions are further to cause the one or more hardware processors to wrap a first nonce in the shared secret.
17. The apparatus of claim 16 , wherein to receive the second information, the instructions are further to cause the one or more hardware processors to receive two encrypted nonces and wherein to determine that the networking device possesses the shared secret, the instructions are further to cause the one or more hardware processors to determine whether the encryption of the two nonces is valid.
18. The apparatus of claim 17 , wherein to receive the second information, the instructions are further to cause the one or more hardware processors to receive two nonces encrypted with the shared secret from the networking device, and decrypt and verify the two nonces.
19. An apparatus comprising:
an external key label associated with a public key; an internal secure key storage to store a private key; a network interface to receive an authentication request from an external device connected to the network, the request including the public key; internal processing logic to authenticate the apparatus to the external device using the request by proving that it possesses the private key and to configure the apparatus to the network after authenticating, the configuring including receiving a domain parameter and a domain name server from the external device and using the received domain parameter and domain name server to configure the apparatus.
20. The apparatus of claim 19 , wherein the network interface further receives assurance from the external device, the assurance including an information encrypted with a shared secret, and wherein the processing logic configures the apparatus only if it can decrypt the information using the shared secret.
21. A method for authenticating devices, the method comprising:
receiving, by a configuring device, a public key associated with a headless device, wherein receiving the public key initiates an authentication process for the headless device to access a network; deriving, by the configuring device, based on a cryptographic technique, an ephemeral public key and an ephemeral private key based on the public key associated with the headless device; transmitting, by the configuring device, the ephemeral public key to the headless device; receiving, by the configuring device, an encrypted message from the headless device, wherein the encrypted message is generated by the headless device based in part on the ephemeral public key; transmitting, by the configuring device, an authentication to the headless device based on the encrypted message, wherein the authentication indicates that the headless device has been authenticated to access the network; and configuring, by the configuring device, the headless device to access the network by transmission of network parameters to the headless device, wherein the network parameters allow the headless device to access the network.
22. The method of claim 21, wherein the cryptographic technique includes at least discrete logarithm cryptography.
23. The method of claim 21, further comprising:
generating, by the configuring device, a first random nonce with which to encapsulate a first message; and transmitting, by the configuring device, the encapsulated message and the ephemeral public key to the headless device.
24. The method of claim 23, wherein the encrypted message is generated by the headless device based on the encapsulated first message and the ephemeral public key.
25. The method of claim 23, wherein the encrypted message from the headless device comprises a shared private key encapsulated by a concatenation of the first random nonce of the encapsulated first message and a second random nonce generated by the headless device, and wherein the shared private key is generated based on the ephemeral public key and a private key associated with the headless device based on the cryptographic technique.
26. The method of claim 25, wherein transmitting the authentication to the headless device based on the encrypted message comprises:
recovering the shared private key from the encrypted message; generating a second message to be encrypted with the shared private key; and transmitting the encrypted second message to the headless device.
27. The method of claim 21, wherein the ephemeral public key and the ephemeral private key are a Diffie-Hellman public/private key pair.
28. A configuring device comprising:
a processor; and a memory storing instructions that, when executed by the processor, cause the configuring device to perform a method comprising:
receiving a public key associated with a headless device, wherein receiving the public key initiates an authentication process for the headless device to access a network;
deriving, based on a cryptographic technique, an ephemeral public key and an ephemeral private key based on the public key associated with the headless device;
transmitting the ephemeral public key to the headless device;
receiving an encrypted message from the headless device, wherein the encrypted message is generated by the headless device based in part on the ephemeral public key;
transmitting an authentication to the headless device based on the encrypted message, wherein the authentication indicates that the headless device has been authenticated to access the network; and
configuring the headless device to access the network by transmission of network parameters to the headless device, wherein the network parameters allow the headless device to access the network.
29. The configuring device of claim 28, wherein the cryptographic technique includes at least discrete logarithm cryptography.
30. The configuring device of claim 28, wherein the instructions, when executed, further cause the configuring device to perform:
generating a first random nonce with which to encapsulate a first message; and transmitting the encapsulated first message and the ephemeral public key to the headless device.
31. The system of claim 30, wherein the encrypted message is generated by the headless device based on the encapsulated first message and the ephemeral public key.
32. The configuring device of claim 30, wherein the encrypted message from the headless device comprises a shared private key encapsulated by a concatenation of the first random nonce of the encapsulated first message and a second random nonce generated by the headless device, and wherein the shared private key is generated based on the ephemeral public key and a private key associated with the headless device based on the cryptographic technique.
33. The configuring device of claim 32, wherein transmitting the authentication to the headless device based on the encrypted message comprises:
recovering the shared private key from the encrypted message; generating a second message to be encrypted with the shared private key; and transmitting the encrypted second message to the headless device.
34. The system of claim 28, wherein the ephemeral public key and the ephemeral private key are a Diffie-Hellman public/private key pair.
35. A non-transitory storage medium of a configuring device storing instructions that, when executed by a processor of the configuring device, configure the configuring device to perform a method comprising:
receiving a public key associated with a headless device, wherein receiving the public key initiates an authentication process for the headless device to access a network; deriving, by the configuring device, based on a cryptographic technique, an ephemeral public key and an ephemeral private key based on the public key associated with the headless device; transmitting the ephemeral public key to the headless device; receiving an encrypted message from the headless device, wherein the encrypted message is generated by the headless device based in part on the ephemeral public key; transmitting an authentication to the headless device based on the encrypted message, wherein the authentication indicates that the headless device has been authenticated to access the network; and configuring the headless device to access the network by transmission of network parameters to the headless device, wherein the network parameters allow the headless device to access the network.
36. The non-transitory storage medium of claim 35, wherein the cryptographic technique includes at least discrete logarithm cryptography.
37. The non-transitory storage medium of claim 35, wherein the instructions, when executed, further cause the configuring device to perform:
generating a first random nonce with which to encapsulate a first message; and transmitting the encapsulated first message and the ephemeral public key to the headless device.
38. The non-transitory storage medium of claim 37, wherein the encrypted message is generated by the headless device based on the encapsulated first message and the ephemeral public key.
39. The non-transitory storage medium of claim 37, wherein the encrypted message from the headless device comprises a shared private key encapsulated by a concatenation of the first random nonce of the encapsulated first message and a second random nonce generated by the headless device, and wherein the shared private key is generated based on the ephemeral public key and a private key associated with the headless device based on the cryptographic technique.
40. The non-transitory storage medium of claim 39, wherein transmitting the authentication to the headless device based on the encrypted message comprises:
recovering the shared private key from the encrypted message; generating a second message to be encrypted with the shared private key; and transmitting the encrypted second message to the headless device.
41. The non-transitory storage medium of claim 35, wherein the ephemeral public key and the ephemeral private key are a Diffie-Hellman public/private key pair.
42. A method for authenticating devices, the method comprising:
initiating an authentication process for a headless device to access a network based on providing, by the headless device, a public key associated with the headless device to a configuring device; receiving, by the headless device, an ephemeral public key from the configuring device, wherein the ephemeral public key is generated by the configuring device based on the public key associated with the headless device; deriving, by the headless device, an encrypted message based on a cryptographic technique, wherein the encrypted message is based in part on the ephemeral public key; transmitting, by the headless device, the encrypted message to the configuring device; and receiving, by the headless device, an authentication from the configuring device.
43. The method of claim 42, wherein the cryptographic technique includes at least discrete logarithm cryptography.
44. The method of claim 42, comprising:
receiving, by the headless device, an encapsulated message from the configuring device, wherein the encapsulated message comprises a first random nonce encapsulating a first message, wherein the first random nonce is generated by the configuring device.
45. The method of claim 44, wherein the encrypted message is derived based on the ephemeral public key and the encapsulated message.
46. The method of claim 45, wherein the encrypted message is derived based in part on the ephemeral public key comprises:
generating a shared private key based on the ephemeral public key and a private key associated with the headless device based on the cryptographic technique; generating a second random nonce; and encapsulating the shared private key by a concatenation of the first random nonce of the encapsulated message and the second random nonce.
47. The method of claim 42, wherein the authentication allows the configuring device to configure the headless device to access the network.
48. The method of claim 42, wherein the ephemeral public key is a part of a Diffie-Hellman public/private key pair derived by the configuring device.
49. A headless device comprising:
a processor; and a memory storing instructions that, when executed by the processor, cause the headless device to perform a method comprising:
initiating an authentication process for the headless device to access a network based on providing, by the headless device, a public key associated with the headless device to a configuring device;
receiving an ephemeral public key from the configuring device, wherein the ephemeral public key is generated by the configuring device based on the public key associated with the headless device;
deriving an encrypted message based on a cryptographic technique, wherein the encrypted message is based in part on the ephemeral public key;
transmitting the encrypted message to the configuring device; and
receiving an authentication from the configuring device.
50. The headless device of claim 49, wherein the cryptographic technique includes at least discrete logarithm cryptography.
51. The headless device of claim 49, wherein the instructions, when executed, further cause the headless device to perform:
receiving an encapsulated message from the configuring device, wherein the encapsulated message comprises a first random nonce encapsulating a first message, wherein the first random nonce is generated by the configuring device.
52. The headless device of claim 51, wherein the encrypted message is derived based on the ephemeral public key and the encapsulated message.
53. The headless device of claim 52, wherein the encrypted message is derived based in part on the ephemeral public key comprises:
generating a shared private key based on the ephemeral public key and a private key associated with the headless device based on the cryptographic technique; generating a second random nonce; and encapsulating the shared private key by a concatenation of the first random nonce of the encapsulated message and the second random nonce.
54. The headless device of claim 49, wherein the authentication allows the configuring device to configure the headless device to access the network.
55. The headless device of claim 49, wherein the ephemeral public key is a part of a Diffie-Hellman public/private key pair derived by the configuring device.
56. A non-transitory medium of a headless device storing instructions that, when executed by a processor of the headless device, cause the headless device to perform a method comprising:
Initiating an authentication process for the headless device to access a network based on providing, by the headless device, a public key associated with the headless device to a configuring device; receiving an ephemeral public key from the configuring device, wherein the ephemeral public key is generated by the configuring device based on the public key associated with the headless device; deriving an encrypted message based on a cryptographic technique, wherein the encrypted message is based in part on the ephemeral public key; transmitting the encrypted message to the configuring device; and receiving an authentication from the configuring device.
57. The medium of claim 56, wherein the cryptographic technique includes at least discrete logarithm cryptography.
58. The medium of claim 56, wherein the instructions, when executed, further cause the headless device to perform:
receiving an encapsulated message from the configuring device, wherein the encapsulated message comprises a first random nonce encapsulating a first message, wherein the first random nonce is generated by the configuring device.
59. The medium of claim 58, wherein the encrypted message is derived based on the ephemeral public key and the encapsulated message.
60. The medium of claim 59, wherein the encrypted message is derived based in part on the ephemeral public key comprises:
generating a shared private key based on the ephemeral public key and a private key associated with the headless device based on the cryptographic technique; generating a second random nonce; and encapsulating the shared private key by a concatenation of the first random nonce of the encapsulated message and the second random nonce.
61. The medium of claim 56, wherein the authentication allows the configuring device to configure the headless device to access the network.
62. The medium of claim 56, wherein the ephemeral public key is a part of a Diffie-Hellman public/private key pair derived by the configuring device.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.