Secure certificate or key distribution
US-2021273817-A1 · Sep 2, 2021 · US
US11246032B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-11246032-B1 |
| Application number | US-202017083679-A |
| Country | US |
| Kind code | B1 |
| Filing date | Oct 29, 2020 |
| Priority date | Oct 29, 2020 |
| Publication date | Feb 8, 2022 |
| Grant date | Feb 8, 2022 |
Official abstract text for this publication.
Among other things, techniques are described for provisioning and authentication of devices in vehicles. In one aspect, a device in a vehicle establishes a communication session with a network server that manages provisioning of devices corresponding to an enterprise associated with the vehicle. The device receives instructions from the network server to generate cryptographic keys, and in response, generates a public and private key pair. The device sends, to the network server, a certificate signing request that includes the public key and an identifier of the device. In response, the device receives a digital security certificate for the device, and a security certificate of a signing certificate authority. The device authenticates the security certificate of the certificate authority using a known enterprise root certificate, and upon successful authentication, stores the device security certificate and the security certificate of the signing certificate authority.
Opening claim text (preview).
What is claimed is:
1. A method performed by a device in a vehicle, the method comprising: determining, using at least one processor, whether one or more valid security credentials are available in a storage communicatively coupled to the device upon powering up the device; in response to determining that one or more valid security credentials are not available, establishing, using a transceiver and the at least one processor, a communication session with a network server that is configured to manage provisioning of devices corresponding to an enterprise associated with the vehicle, wherein establishing the communication session includes authenticating, using the at least one processor, the network server by using an enterprise security certificate of the enterprise that is available to the device; upon establishing the communication session with the network server, receiving, from the network server using the at least one processor, instructions to generate cryptographic keys; in response to receiving the instructions, generating, using the at least one processor, a key pair comprising a public key and a corresponding private key; storing, using the at least one processor, the private key in the storage communicatively coupled to the device; sending, to the network server using the at least one processor, a certificate signing request that includes the public key and an identifier of the device; receiving, from the network server using the at least one processor, at least one of a device security certificate corresponding to the public key, or a security certificate of a signing certificate authority that signed the device security certificate, wherein the signing certificate authority is associated with the enterprise; authenticating, using the at least one processor, the security certificate of the signing certificate authority using the enterprise security certificate available to the device; and upon successfully authenticating the security certificate of the signing certificate authority, storing, using the at least one processor, at least one of the device security certificate or the security certificate of the signing certificate authority in the storage communicatively coupled to the device.
2. The method of claim 1, wherein provisioning a particular device in the vehicle comprises providing the particular device with at least one cryptographic key or security certificate, wherein the particular device is configured to perform authenticated communication with at least one other entity associated with the enterprise using the at least one cryptographic key or security certificate.
3. The method of claim 1, further comprising: receiving, using the network server, the certificate signing request from the device; determining, using the network server, whether the certificate signing request is a valid request; in response to determining that the certificate signing request is a valid request, sending, using the network server, the certificate signing request to the signing certificate authority; receiving, using the network server from the signing certificate authority, at least one of the device security certificate, or the security certificate of the signing certificate authority; storing, using the network server, the device security certificate in storage coupled to the network server; and sending, using the network server to the device, at least one of the device security certificate, or the security certificate of the signing certificate authority.
4. The method of claim 3, wherein determining whether the certificate signing request is a valid request comprises: obtaining the identifier of the device from the certificate signing request; determining, using the identifier, whether the device is registered with the enterprise as an active device; upon determining that the device is registered with the enterprise as an active device, determining whether an existing device security certificate is available to the network server; and upon determining that an existing device security certificate is not available to the network server, determining that the certificate signing request is a valid request.
5. The method of claim 4, further comprising: determining that the certificate signing request is not a valid request upon determining that the device is not registered with the enterprise as an active device; and in response to determining that the device is not registered with the enterprise as an active device: generating an audit log entry, and terminating the communication session with the device.
6. The method of claim 4, further comprising: determining that the certificate signing request is not a valid request upon determining that an existing device security certificate is available to the network server; and in response to determining that an existing device security certificate is available to the network server: revoking the existing device security certificate, generating an audit log entry, and terminating the communication session with the device.
7. The method of claim 1, further comprising: receiving, from a management service corresponding to the enterprise, a connection request; authenticating the management service using the enterprise security certificate of the enterprise; upon successfully authenticating the management service, establishing the connection with the management service; receiving, from the management service, instructions to deprovision the device; and in response to receiving the instructions to deprovision the device: deleting, from the storage communicatively coupled to the device, at least one of the device security certificate or the security certificate of the signing certificate authority, and rebooting the device.
8. The method of claim 7, further comprising: receiving, using the signing certificate authority from the management service, instructions to deprovision the device, the instructions including the identifier of the device; and in response to receiving the instructions to deprovision the device, revoking, by the signing certificate authority, the device security certificate.
9. The method of claim 8, further comprising: receiving, using the network server from the management service, instructions to deprovision the device, the instructions including the identifier of the device and revocation information for the device security certificate; in response to receiving the instructions to deprovision the device, determining, by the network server using the identifier of the device obtained from the instructions, the device security certificate from storage coupled to the network server; and deleting, using the network server, the device security certificate from the storage coupled to the network server.
10. The method of claim 1, further comprising: receiving, using the network server from a management service corresponding to the enterprise, instructions to decommission the device, the instructions including the identifier of the device and revocation information for the device security certificate; in response to receiving the instructions to decommission the device, determining, by the network server using the identifier of the device obtained from the instructions, the device security certificate from storage coupled to the network server; deleting, using the network server, the device security certificate from the storage coupled to the network server; and recording, using the network server, the identifier of the device as corresponding to a decommissioned device.
11. The method of claim 1, further comprising: receiving, from a management service correspondin
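The server-side decision in claims 3 to 6 (forward a request to the signing authority only for an active device with no certificate on record; otherwise log and end the session, revoking first if a certificate already exists) can be modelled as below. This is an added sketch, not code from the patent: the class and field names, the dictionary-shaped request, and the `sign` callable standing in for the signing certificate authority are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class ProvisioningServer:
    """Constructed model of the network server described in claims 3 to 6."""
    active_devices: set                  # identifiers registered as active devices
    sign: Callable[[dict], str]          # hypothetical stand-in for the signing CA
    issued: dict = field(default_factory=dict)    # device_id -> stored certificate
    revoked: set = field(default_factory=set)     # revoked certificates
    audit_log: list = field(default_factory=list)

    def handle_csr(self, csr: dict):
        """Return (decision, certificate or None) for one signing request."""
        device_id = csr["device_id"]
        # Claims 4 and 5: the identifier must belong to an active device.
        if device_id not in self.active_devices:
            self.audit_log.append((device_id, "rejected: not an active device"))
            return "terminate", None
        # Claim 6: a second request for an already provisioned identifier is
        # invalid; revoke the certificate on record, log, end the session.
        # The claims do not say whether the stored record is then cleared,
        # so this sketch leaves it in place.
        existing = self.issued.get(device_id)
        if existing is not None:
            self.revoked.add(existing)
            self.audit_log.append((device_id, "rejected: certificate exists, revoked"))
            return "terminate", None
        # Claim 3: valid request, so forward to the CA and store the result.
        cert = self.sign(csr)
        self.issued[device_id] = cert
        return "issued", cert


def demo():
    # Constructed sample identifiers and keys, for illustration only.
    server = ProvisioningServer(
        active_devices={"ecu-001"},
        sign=lambda csr: f"cert:{csr['device_id']}:{csr['public_key']}",
    )
    first = server.handle_csr({"device_id": "ecu-001", "public_key": "pk-A"})
    repeat = server.handle_csr({"device_id": "ecu-001", "public_key": "pk-B"})
    unknown = server.handle_csr({"device_id": "ecu-999", "public_key": "pk-C"})
    return server, first, repeat, unknown
```

The repeat request is the case worth noting: a second signing request under an identifier that already holds a certificate costs the original holder its certificate, so the audit entry is what lets an operator tell a cloned identifier from a legitimate re-provisioning attempt.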
Setup of application sessions (admission control or resource allocation in data switching networks H04L47/70) · CPC title
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30) · CPC title
involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title
involving digital signatures · CPC title