Configuring connectivity association key and connectivity association name in a media access control security capable device

US10686595B2 · US · B2

Patent metadata
Field              | Value
Publication number | US-10686595-B2
Application number | US-201715816400-A
Country            | US
Kind code          | B2
Filing date        | Nov 17, 2017
Priority date      | Nov 17, 2017
Publication date   | Jun 16, 2020
Grant date         | Jun 16, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Examples disclosed herein relate to configuring a connectivity association key and a connectivity association name in a MACsec capable device. In an example, a first MACsec device may receive a MAC address and a device identifier of a second MACsec capable device. The first MACsec capable device may authenticate the second MACsec capable device based on the device identifier. The first MACsec capable device may generate a CAK, a CKN, and a nonce. The CAK, the CKN, and the nonce may be encrypted using a public key of the second MACsec capable device to generate an encrypted packet. The encrypted packet may be sent to the second MACsec capable device. The first MACsec capable device may receive a decrypted nonce from the second MACsec capable device. In response to a determination that the decrypted nonce matches the nonce, the CAK and CKN may be configured on the first MACsec capable device.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method comprising: receiving, by a first Media Access Control Security (MACsec) device, a MAC address and a device identifier of a second MACsec capable device from the second MACsec capable device; authenticating, by the first MACsec capable device, the second MACsec capable device based on the device identifier of the second MACsec capable device; generating, by the first MACsec capable device, a Connectivity Association Key (CAK), a Connectivity Association Name (CKN), and a nonce; encrypting, by the first MACsec capable device, the CAK, the CKN, and the nonce using a public key of the second MACsec capable device to generate an encrypted packet; sending, by the first MACsec capable device, the encrypted packet to the second MACsec capable device, wherein the encrypted packet is useable by the second MACsec capable device to configure the CAK and the CKN on the second MACsec capable device by decrypting the encrypted packet using a private key corresponding to the public key of the second MACsec capable device; receiving, by the first MACsec capable device, a decrypted nonce from the second MACsec capable device, wherein the decrypted nonce is generated by decrypting the encrypted packet using the private key corresponding to the public key of the second MACsec capable device; comparing, by the first MACsec capable device, the decrypted nonce from the second MACsec capable device with the nonce on the first MACsec capable device; and in response to a determination that the decrypted nonce matches with the nonce, configuring, by the first MACsec capable device, the CAK and the CKN on the first MACsec capable device.

2. The method of claim 1, further comprising: establishing, by the first MACsec capable device, a MACsec session with the second MACsec capable device.

3. The method of claim 1, further comprising: providing, by the first MACsec capable device, a MAC address and a device identifier of the first MACsec capable device to the second MACsec capable device, wherein the MAC address and the device identifier of the first MACsec capable device is usable by the second MACsec capable device to authenticate the first MACsec capable device.

4. The method of claim 1, wherein encrypting comprises: extracting, by the first MACsec capable device, the public key from the device identifier of the second MACsec capable device.

5. The method of claim 1, wherein generating comprises: comparing, by the first MACsec capable device, the MAC address of the first MACsec capable device with the MAC address of the second MACsec capable device; and in response to a determination that the MAC address of the first MACsec capable device is lower than the MAC address of the second MACsec capable device, generating, by the first MACsec capable device, the CAK, the CKN, and the nonce.

6. The method of claim 1, wherein the device identifier of the first MACsec capable device is a digital certificate of the first MACsec capable device and wherein the device identifier of the second MACsec capable device is a digital certificate of the second MACsec capable device.

7. A Media Access Control Security (MACsec) device comprising: a processing resource; and a non-transitory machine readable medium comprising instructions, the instructions executable by a processor to: receive a MAC address and a device identifier of a second MACsec capable device from the second MACsec capable device; authenticate the second MACsec capable device based on the device identifier of the second MACsec capable device; generate a Connectivity Association Key (CAK), a Connectivity Association Name (CKN), and a nonce; encrypt the CAK, the CKN, and the nonce using a public key of the second MACsec capable device to generate an encrypted packet; send the encrypted packet to the second MACsec capable device, wherein the encrypted packet is useable by the second MACsec capable device to configure the CAK and the CKN on the second MACsec capable device by decrypting the encrypted packet using a private key corresponding to the public key of the second MACsec capable device; receive a decrypted nonce from the second MACsec capable device, wherein the decrypted nonce is generated by decrypting the encrypted packet using the private key corresponding to the public key of the second MACsec capable device; compare the decrypted nonce from the second MACsec capable device with the nonce on the MACsec capable device; configure the CAK and the CKN on the MACsec capable device, in response to a determination that the decrypted nonce matches with the nonce; and establish a MACsec session with the second MACsec capable device.

8. The device of claim 7, wherein the public key is present in the device identifier of the second MACsec capable device.

9. The device of claim 7, wherein the installation engine is to establish the MACsec session by initiating MACsec key agreement protocol with the second MACsec capable device.

10. The device of claim 7, wherein the decrypted nonce is received in plain text.

11. The device of claim 7, wherein the device identifier of the second MACsec capable device is an IDevID certificate.

12. The device of claim 7, wherein the second MACsec capable device includes one of a network switch and a network router.

13. A non-transitory machine-readable storage medium comprising instructions, the instructions executable by a processor to: receive, by a first Media Access Control Security (MACsec) device, a MAC address and a device identifier of a second MACsec capable device from the second MACsec capable device; authenticate, by the first MACsec capable device, the second MACsec capable device based on the device identifier of the second MACsec capable device; provide, by the first MACsec capable device, a MAC address and a device identifier of the first MACsec capable device to the second MACsec capable device, wherein the MAC address and the device identifier of the first MACsec capable device is usable by the second MACsec capable device to authenticate the first MACsec capable device; generate, by the first MACsec capable device, a Connectivity Association Key (CAK), a Connectivity Association Name (CKN), and a nonce; encrypt, by the first MACsec capable device, the CAK, the CKN, and the nonce using a public key of the second MACsec capable device to generate an encrypted packet; send, by the first MACsec capable device, the encrypted packet to the second MACsec capable device, wherein the encrypted packet is useable by the second MACsec capable device to configure the CAK and the CKN on the second MACsec capable device by decrypting the encrypted packet using a private key corresponding to the public key of the second MACsec capable device; receive, by the first MACsec capable device, a decrypted nonce from the second MACsec capable device, wherein the decrypted nonce is generated by decrypting the encrypted packet using the private key corresponding to the public key of the second MACsec capable device; compare, by the first MACsec capable device, the decrypted nonce from the second MACsec capable device with the nonce on the first MACsec capable device; and in response to a determination that the decrypted nonce matches with the nonce, configure, by the first MACsec capable device, the CAK and the CKN on the first MACsec capable device.

14. The storage medium of claim 13, wherein the first MACsec capable device and the second MACsec capable device are point-to-point devices.

15. The storage medium of claim 13, wherein the instructions to generate comprise instructions to:
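The exchange that claims 1 and 7 describe, written out as an added Go example that is not part of the patent or of any Hewlett Packard Enterprise implementation: the first device generates CAK, CKN and nonce, seals them under the second device's public key, and configures its own CAK/CKN only after the second device echoes the nonce. The 128-bit field sizes, the use of RSA-OAEP, and a freshly generated RSA key standing in for the second device's IDevID key pair are this example's assumptions; certificate validation (the claims' authentication step) is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Field sizes are assumptions for this demo: 128-bit CAK, 128-bit CKN, 128-bit nonce.
const cakLen, cknLen, nonceLen = 16, 16, 16

// peerKey stands in for the second device's IDevID key pair; the first device sees only the public half.
var peerKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// generateBundle draws CAK || CKN || nonce from the system CSPRNG (the first device's step).
func generateBundle() ([]byte, error) {
	b := make([]byte, cakLen+cknLen+nonceLen)
	_, err := rand.Read(b)
	return b, err
}

// encryptBundle: the first device seals the bundle under the peer's public key (RSA-OAEP is this demo's choice; the patent names no scheme).
func encryptBundle(peerPub *rsa.PublicKey, bundle []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, bundle, nil)
}

// peerDecrypt: the second device decrypts, keeps the CAK/CKN it installs, and returns the
// nonce it echoes back in plain text (claim 10), which proves it holds the private key.
func peerDecrypt(priv *rsa.PrivateKey, pkt []byte) (cak, ckn, nonce []byte, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pkt, nil)
	if err != nil || len(plain) != cakLen+cknLen+nonceLen {
		return nil, nil, nil, fmt.Errorf("rejecting packet: %v (plaintext length %d)", err, len(plain))
	}
	return plain[:cakLen], plain[cakLen : cakLen+cknLen], plain[cakLen+cknLen:], nil
}

// firstConfigures: the first device installs CAK/CKN only when the echoed nonce matches the
// one it generated; a constant-time compare avoids leaking the nonce through timing.
func firstConfigures(bundle, echoedNonce []byte) bool {
	return subtle.ConstantTimeCompare(bundle[cakLen+cknLen:], echoedNonce) == 1
}

func main() {
	bundle, _ := generateBundle()
	pkt, _ := encryptBundle(&peerKey.PublicKey, bundle)
	_, _, nonce, err := peerDecrypt(peerKey, pkt)
	fmt.Println("peer decrypted:", err == nil, "first device configures CAK/CKN:", firstConfigures(bundle, nonce))
}
```

The echoed nonce tells the first device that the holder of the private key received the packet; it does not by itself authenticate the peer's identity, which is why the claims bind the public key to the peer's device identifier (certificate) in a separate step.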

Assignees

Hewlett Packard Entpr Dev Lp

Inventors

Classifications

  • involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title

  • using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083) · CPC title

  • at the data link layer · CPC title

  • using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title

  • for achieving mutual authentication (cryptographic mechanisms or cryptographic arrangements for mutual authentication H04L9/3273) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Hewlett Packard Entpr Dev Lp
What technology area does this patent fall under?
Primary CPC classification H04L9/0825. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 16, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).