Generating master and wrapper keys for connected devices in a key generation scheme
US-10237061-B2 · Mar 19, 2019 · US
US11270005B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11270005-B2 |
| Application number | US-201916430663-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 4, 2019 |
| Priority date | Jun 4, 2019 |
| Publication date | Mar 8, 2022 |
| Grant date | Mar 8, 2022 |
Official abstract text for this publication.
Embodiments of the disclosure provide for a fast device installation and replacement (DI&R) service in a network while simultaneously providing confidentiality and integrity protection for sensitive device data. In one embodiment, this protection is provided by using certain characterization data associated with each device in a network to generate a passphrase. This passphrase can be related to the topology of the devices. In one embodiment, the passphrase is a concatenation of certain device characterization data with respect to the topology. In embodiments, the concatenation includes arranging the characterization data based on an order of each device with respect to the topology. Cryptographic keys are derived based on the passphrase. The cryptographic keys are used to automatically encrypt and decrypt the sensitive device data without user intervention. In one embodiment, the cryptographic keys are used to automatically decrypt the sensitive device data to configure a replacement device for the network.
Opening claim text (preview).
What is claimed is:

1. A controller device for device data protection based on network topology, comprising: a memory to store a plurality of configuration data; and a processing logic, operatively coupled to the memory, to: identify a replacement device associated with at least one device of a plurality of devices in a network; determine characterization data to characterize each of the plurality of devices and the replacement device; determine a topology comprising the plurality of devices and the replacement device; generate a passphrase by concatenating the characterization data for each device within the determined topology in a predefined arrangement; execute a key derivation function utilizing the passphrase as an input to produce a cryptographic key that can be divided into two keys comprising an encryption key and a hash key; and encrypt, using the produced encryption key, configuration data associated with a replacement of the at least one device with the replacement device and hash the configuration data with the produced hash key to assure the configuration data is not tampered with after being encrypted.
2. The controller device of claim 1, wherein the processing logic is further to: query each of the plurality of devices for the characterization data; and responsive to the query, receive a unique identifier for each of the plurality of devices and a sequence order of the plurality of devices.
3. The controller device of claim 2, wherein the predefined arrangement is based on an order of each device of the plurality of devices with respect to the topology.
4. The controller device of claim 1, wherein the processing logic is further to: configure the replacement device to operate as the replacement of the at least one device based on the configuration data.
5. The controller device of claim 4, wherein the processing logic is further to: detect an event associated with the replacement, wherein the event comprises at least one of: a configuration change event, an operator command event, an error notification event, a reboot event or a scheduling event.
6. A method for device data protection based on network topology, comprising: receiving characterization data characterizing each device of a plurality of devices in a network; deriving, by a controller device, a passphrase related to a topology of the plurality of devices based on the characterization data, comprising: determining the topology comprising the plurality of devices and a replacement device; and generating the passphrase by concatenating the characterization data for each device within the determined topology in a predefined arrangement; producing, by the controller device, a cryptographic key based at least on the passphrase that can be divided into two keys comprising a decryption key and a hash key; and decrypting, using the produced decryption key, configuration data to configure the replacement device in the network and validating the configuration data with the produced hash key to assure the configuration data is not tampered with after being encrypted.
7. The method of claim 6, further comprising: configuring the replacement device to operate as a replacement of the controller device based on the configuration data.
8. The method of claim 7, further comprising: detecting an event associated with the replacement, wherein the event comprises at least one of: a configuration change event, an operator command event, an error notification event, a reboot event or a scheduling event.
9. The method of claim 6, wherein the predefined arrangement is based on an order of each device of the plurality of devices with respect to the topology.
10. The method of claim 6, further comprising: validating decrypted configuration data for the replacement device based on a computed hash value associated with the plurality of devices.
11. The method of claim 10, wherein validating further comprises: comparing the computed hash value with a hash value extracted from the decrypted configuration data.
12. A non-transitory computer-readable storage medium comprising executable instructions for device data protection based on network topology that when executed, by a controller device, cause the controller device to: receive characterization data characterizing each device of a plurality of devices in a network; determine, by the controller device, a topology of the plurality of devices; generate, by the controller device, a passphrase by concatenating the characterization data for each device within the determined topology in a predefined arrangement; produce a cryptographic key based at least on the passphrase that can be divided into two keys comprising a decryption key and a hash key; and decrypting, using the produced decryption key, configuration data to configure the replacement device in the network and validating the configuration data with the produced hash key to assure the configuration data is not tampered with after being encrypted.
13. The non-transitory computer-readable storage medium of claim 12, wherein the controller device is further to: configure the replacement device to operate as a replacement of the controller device based on the configuration data.
14. The non-transitory computer-readable storage medium of claim 13, wherein the controller device is further to: detect an event associated with the replacement, wherein the event comprises at least one of: a configuration change event, an operator command event, an error notification event, a reboot event or a scheduling event.
15. The non-transitory computer-readable storage medium of claim 12, wherein the predefined arrangement is based on an order of each device of the plurality of devices with respect to the topology.
16. The non-transitory computer-readable storage medium of claim 12, wherein the controller device is further to: validate decrypted configuration data for the replacement device based on a computed hash value associated with the plurality of devices.
17. The non-transitory computer-readable storage medium of claim 16, wherein to validate, the controller device is further to: compare the computed hash value with a hash value extracted from the decrypted configuration data.
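The flow in the abstract and in claims 1 and 6 (topology-ordered passphrase, one KDF output divided into an encryption key and a hash key, integrity check before use) can be sketched as follows. This is an added example, not code from the patent or its assignee. Assumptions: PBKDF2-HMAC-SHA256 as the KDF, an HMAC counter keystream standing in for the cipher, encrypt-then-MAC ordering, length-prefixed fields, and all names and sample identifiers.

```python
import hashlib, hmac, os

# Constructed sample data: (position in topology, unique identifier).
TOPOLOGY = [(2, "SN-0002-BBBB"), (1, "SN-0001-AAAA"), (3, "SN-0003-CCCC")]
SALT = b"constructed-example-salt"  # assumption: the claims name no salt
ITERATIONS = 100_000                # assumption: the claims name no KDF or parameters


def build_passphrase(topology):
    """Concatenate identifiers in topology order (the predefined arrangement)."""
    ids = [ident.encode() for _, ident in sorted(topology)]
    # Assumption: length-prefix each field so "AB"+"C" and "A"+"BC" differ.
    return b"".join(len(i).to_bytes(2, "big") + i for i in ids)


def derive_keys(topology):
    """One KDF output divided into an encryption key and a hash key."""
    okm = hashlib.pbkdf2_hmac("sha256", build_passphrase(topology), SALT, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor_keystream(key, nonce, data):
    """Stand-in cipher (stdlib only): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for n, off in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + n.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def protect(topology, config):
    """Encrypt the configuration, then tag nonce+ciphertext with the hash key."""
    enc_key, hash_key = derive_keys(topology)
    nonce = os.urandom(16)
    ct = _xor_keystream(enc_key, nonce, config)
    return nonce + ct + hmac.new(hash_key, nonce + ct, hashlib.sha256).digest()


def recover(topology, blob):
    """Return the configuration, or None if the topology or the blob changed."""
    if len(blob) < 48:
        return None
    enc_key, hash_key = derive_keys(topology)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(hash_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_keystream(enc_key, nonce, ct)
```

Because the keys depend only on the identifiers and their order, swapping two devices' positions yields different keys and `recover` returns `None` instead of a wrongly decrypted configuration.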
Hash functions, e.g. MD5, SHA, HMAC or f9 MAC · CPC title
Topology update or discovery · CPC title
wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06) · CPC title
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
Providing cryptographic facilities or services · CPC title