System and method for securing machine-to-machine communications

US2016337354A1 · US · A1

Patent metadata
Publication number: US-2016337354-A1
Application number: US-201415109401-A
Country: US
Kind code: A1 (pre-grant publication of the application)
Filing date: Nov 28, 2014
Priority date: Dec 31, 2013
Publication date: Nov 17, 2016
Grant date: (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

This invention concerns the implementation of end-to-end security for the communication between objects in the domain of the Internet of Things (or Internet of Objects). The purpose of the patent is to deal with the setup of a secure, authorized information channel between a data source (M2M device) and data consumers (consumer entity). According to the present invention, access to a M2M device by a consumer entity (consumer application) is controlled by a M2M authorization server. The M2M authorization server is the entity in charge of managing access rights for the M2M device and makes the decision regarding access to the resource by the consumer entity (consumer application). The M2M server is the entity that enforces the decision and enables access to the M2M device. When a consumer application needs to communicate with a M2M device, the present invention proposes a method for authorizing the consumer application to access the M2M device and for encrypting the communication between the consumer application and the M2M device. The M2M authorization server computes security credentials which are sent to the consumer application.

First claim

Claim text as previewed on this page (claims 1 to 17; the preview is cut off partway through claim 17).

1. A method for securing machine-to-machine communications between a M2M consumer application and a M2M resource provider wherein when an access request is initiated: sending a securities credentials request from the M2M consumer application to a M2M authorization server, receiving from the M2M authorization server to the consumer application generated securities credentials which comprises an access token, session encryption keys and an authentication key, transmitting from the M2M consumer application the access token and an authentication message to the M2M resource provider for authenticating the consumer application, transmitting the access request from the M2M consumer application to the M2M resource provider, said access request comprising request parameter encrypted with the session keys to access or control resources, authenticating by the M2M resource provider the M2M consumer application as an authorized one from the authentication message and the content of the access token, retrieving by the M2M resource provider the session keys from the content of the access token, decrypting by the M2M resource provider the encrypted request parameter with the session keys, and sending, from the M2M resource provider, the encrypted response of the request parameter to the M2M consumer application.

2. The method according to claim 1, wherein the M2M resource provider is a M2M device or a M2M server.

3. The method according to claim 1, wherein the generation of the access token comprises the following steps: generation of a session data by the M2M consumer application, said session data uniquely identifies the current transaction between the M2M consumer application and the M2M resource provider, computation of a cryptographic data from the generated session data, adding the cryptographic data to the securities credentials request, the access token generated by the M2M authorization server comprises the cryptographic data of the securities credentials request, information to retrieve session keys and a generated authentication key.

4. The method according to claim 1, wherein the access token is encrypted with a key shared between the M2M authorization server and the M2M resource provider.

5. The method according to claim 3, wherein the information to retrieve the session keys comprise either index associated to the session keys in a database of the M2M authorization server, or encrypted session keys with a key shared between the M2M authorization server and the M2M resource provider.

6. The method according to claim 1, wherein the authentication of the M2M consumer application by the M2M resource provider comprises the following steps: encrypting the session data with the authentication key, by the M2M consumer application, sending the access token and the encrypted session data from the M2M consumer application to the M2M server, from the authentication key of the access token, decrypting the encrypted session data, from the decrypted session data, computing a cryptographic data, if the comparison of the computed cryptographic data with the cryptographic data of the access token is successful, the M2M consumer application is authenticated.

7. Method according to claim 1, wherein the authenticity of the access token is verified by the M2M resource provider either from a signature computed by the M2M authorization server or an authentication data added by the M2M authorization server to the access token.

8. The method according to claim 1, wherein the authentication data comprises an incremented value of a counter which is used to perform anti replay management, the M2M resource provider verifies if the received counter value into the authentication data is greater than a previous saved counter value, if this verification is successful the M2M resource provider saves the incoming counter value and delete the previous saved.

9. The method according to claim 1, wherein: when the authentication of the M2M consumer application is successful, the M2M resource provider authenticates to the M2M authorization server, if the authentication is successful, retrieving the session keys.

10. The method according to claim 1, wherein the access request comprises also the session data encrypted with the session authentication key and the access token.

11. The method according to claim 1, wherein a M2M device continuously encrypts data with the session keys to push the data to the M2M resource provider for storage.

12. The method according to claim 1, wherein the access token comprises the resource unique identifier (URL) and the list of authorized queries parameters by the M2M consumer application, if the encrypted request parameter is in the list of authorized access, the encrypted query parameter is processed by the M2M resource provider.

13. The method according to claim 1, wherein during the authentication of the M2M consumer application by the M2M server a lifetime of the access token is verified.

14. The method according to claim 13, wherein when the lifetime of the access token is reached generation of respectively a new session data and/or a new access token, the session keys and/or the authentication key are renewed or maintained.

15. A M2M communications system, comprising a consumer application, said consumer application being configured to communicate with a M2M resource provider across an access network, wherein access request messages transiting between the consumer application and the M2M device during this communication are secured by a M2M authorization server wherein: the M2M consumer application is programmed to send a securities credentials request from the M2M consumer application to a M2M authorization server, the M2M consumer application is programmed to receive from the M2M authorization server generated securities credentials which comprises an access token, session encryption keys and an authentication key, the M2M consumer application is programmed to transmit from the M2M consumer application the access token and an authentication message to the M2M resource provider for authenticating the consumer application, the M2M consumer application is programmed to transmit the access request from the M2M consumer application to the M2M resource provider, said access request comprising request parameter encrypted with the session keys to access or control resources, the M2M resource provider is programmed to authenticate the M2M consumer application as an authorized one from the authentication message and the content of the access token, the M2M resource provider is programmed to retrieve the session keys from the content of the access token, the M2M resource provider is programmed to decrypt the encrypted request parameter with the session keys, and the M2M resource provider is programmed to send the encrypted response of the request parameter to the M2M consumer application.

16. The system according to claim 15 wherein the M2M resource provider is a M2M device or a M2M server.

17. The system according to claim 15 wherein: the M2M consumer application is further programmed to generate a session data, said session data uniquely identifies the current transaction between the M2M consumer application and the M2M resource provider, the M2M consumer application is further programmed to compute a cryptographic data from the generated session data, the M2M consumer application is further programmed to add the cryptographic data to the securities credentials request, and wherein the access token
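The abstract and claims 1 to 13 together describe one three-party exchange: the consumer application derives cryptographic data from fresh session data (claim 3), the authorization server returns a token carrying that data, an authentication key and either an index or wrapped copy of the session keys (claims 4, 5), the resource provider checks token authenticity, lifetime and an anti-replay counter (claims 7, 8, 13), verifies the encrypted session data against the token (claim 6), recovers the session keys, and then only processes query parameters the token authorizes (claim 12). The following is an added example of that flow, not code from the patent or from Gemalto; the consumer name "meter-app", the resource URL, the meter reading and the 300-second lifetime are constructed, and the authenticated encryption is a toy HMAC-SHA256 encrypt-then-MAC standing in for AES-GCM so that it runs on the Python standard library alone. It goes slightly beyond the claim text by exercising both key-transport variants of claim 5 and by showing what the resource provider does with a tampered token, a replayed token and an unauthorized parameter.

```python
"""Three-party flow from the claims: M2M consumer application, M2M authorization server (AS),
M2M resource provider (RP). Added illustration, not Gemalto's code; names, URLs and readings are
constructed. The AEAD is a toy HMAC-SHA256 encrypt-then-MAC so this runs on the stdlib alone."""
import hashlib, hmac, json, secrets, time

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode, standing in for AES-CTR
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):  # encrypt-then-MAC; returns nonce || ciphertext || tag
    ek, mk = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # raises ValueError on any tampering
    ek, mk = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class AuthorizationServer:
    def __init__(self, rp_shared_key):
        # key shared with the RP (claims 4, 5), anti-replay counter (claim 8), index -> session key (claim 5)
        self.rp_key, self.counter, self.key_db = rp_shared_key, 0, {}
        # access rights: consumer -> (resource URL, authorised query parameters) (claim 12); constructed
        self.rights = {"meter-app": ("/devices/meter-7/reading", ["read", "interval"])}

    def issue_credentials(self, consumer_id, crypto_data, key_transport):
        url, allowed = self.rights[consumer_id]
        session_key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)
        self.counter += 1
        if key_transport == "index":
            ref = {"index": self.counter}
            self.key_db[self.counter] = session_key
        else:  # session key travels inside the token, wrapped under the AS/RP key
            ref = {"enc": seal(self.rp_key, session_key).hex()}
        token = {"crypto_data": crypto_data.hex(), "auth_key": auth_key.hex(), "key_ref": ref,
                 "url": url, "allowed": allowed, "expires": time.time() + 300, "counter": self.counter}
        # sealing under the AS/RP key encrypts the token (claim 4) and adds authentication data (claim 7)
        return seal(self.rp_key, json.dumps(token).encode()), session_key, auth_key

class ResourceProvider:
    def __init__(self, auth_server):
        self.auth_server, self.key, self.last_counter = auth_server, auth_server.rp_key, 0

    def authenticate(self, token_blob, auth_msg):
        token = json.loads(unseal(self.key, token_blob))  # authenticity check (claim 7)
        if time.time() > token["expires"]:
            raise PermissionError("token lifetime exceeded")  # claim 13
        if token["counter"] <= self.last_counter:
            raise PermissionError("token replayed")  # claim 8
        session_data = unseal(bytes.fromhex(token["auth_key"]), auth_msg)  # claim 6
        if not hmac.compare_digest(hashlib.sha256(session_data).hexdigest(), token["crypto_data"]):
            raise PermissionError("session data does not match token")
        self.last_counter = token["counter"]
        ref = token["key_ref"]  # either variant of claim 5; the index lookup models claim 9
        session_key = (self.auth_server.key_db[ref["index"]] if "index" in ref
                       else unseal(self.key, bytes.fromhex(ref["enc"])))
        return token, session_key

    def handle(self, token, session_key, enc_request):
        request = json.loads(unseal(session_key, enc_request))
        if any(p not in token["allowed"] for p in request):
            raise PermissionError("parameter not authorised")  # claim 12
        reply = {"url": token["url"], "reading_kwh": 1234.5, "echo": request}  # constructed
        return seal(session_key, json.dumps(reply).encode())

def consumer_flow(auth_server, rp, key_transport="enc", params=None):
    session_data = secrets.token_bytes(16)  # identifies this transaction (claim 3)
    crypto_data = hashlib.sha256(session_data).digest()
    token, session_key, auth_key = auth_server.issue_credentials("meter-app", crypto_data, key_transport)
    auth_msg = seal(auth_key, session_data)  # authentication message (claim 6)
    tok, rp_session_key = rp.authenticate(token, auth_msg)
    enc_req = seal(session_key, json.dumps(params or {"read": "latest"}).encode())
    reply = json.loads(unseal(session_key, rp.handle(tok, rp_session_key, enc_req)))
    return token, auth_msg, reply

def demo():
    auth_server = AuthorizationServer(secrets.token_bytes(32))
    rp = ResourceProvider(auth_server)
    results = {}
    for mode in ("enc", "index"):  # both key-transport variants of claim 5
        token, auth_msg, reply = consumer_flow(auth_server, rp, mode)
        results[mode] = reply["reading_kwh"]
    for label, blob, exc in (("tampered", bytes([token[0] ^ 1]) + token[1:], ValueError),
                             ("replay", token, PermissionError)):
        try:
            rp.authenticate(blob, auth_msg)
            results[label] = "accepted"
        except exc as e:
            results[label] = str(e)
    try:  # valid channel, but a query parameter outside the token's allowed list
        consumer_flow(auth_server, rp, "enc", {"write": "0"})
        results["unauthorised"] = "accepted"
    except PermissionError as e:
        results["unauthorised"] = str(e)
    return results
```

Two points a practitioner should take from this. First, sealing the token under the AS/RP shared key does double duty: the ciphertext satisfies claim 4 and the tag is the "authentication data" of claim 7, so a single tag check covers both; a signature would be needed instead if resource providers must not hold a key capable of minting tokens. Second, the anti-replay counter of claim 8 only works if the resource provider persists its last-seen value and the authorization server never reuses one, which is why `demo()` shows the same token being rejected on its second presentation.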

Assignees

Gemalto SA

Inventors

Classifications

  • by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity · CPC title (H04L63/0884, the primary classification)

  • for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title

  • Services for machine-to-machine communication [M2M] or machine type communication [MTC] · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • Electricity · mapped topic

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016337354A1 cover?
End-to-end security for IoT/M2M communication: a consumer application obtains security credentials (an access token, session encryption keys and an authentication key) from a M2M authorization server that manages access rights for the M2M device, the M2M server enforces that decision, and the request and response between the consumer application and the device are encrypted with the session keys. See the Abstract and First claim above for the full text.
Who is the assignee on this patent?
Gemalto SA
What technology area does this patent fall under?
Primary CPC classification H04L63/0884. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 17, 2016 (A1, pre-grant publication). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).