Systems and methods for internet of things security environment
US-12074914-B2 · Aug 27, 2024 · US
US2017366342A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2017366342-A1 |
| Application number | US-201515532833-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 4, 2015 |
| Priority date | Dec 5, 2014 |
| Publication date | Dec 21, 2017 |
| Grant date | — |
Abstract
Systems, methods, and instrumentalities are disclosed for integrity protecting log entries generated by a first unit in a distributed system. For example, a first secret key may be received or obtained from a central management system and stored in non-volatile memory. A second secret key may be calculated using a secure key calculation, where the second secret key is shared with a plurality of units within the same local communication domain as the unit. The second secret key may be stored in volatile memory. The first and second keys may be used to calculate a first secret integrity protection key and a first broadcast encryption key. A security sensitive log entry may be generated and protected using the first integrity key and the first broadcast encryption key. The protected log entry may be broadcast to the plurality of units within the domain.
Claims (preview)
1. A method for protecting an integrity of log entries generated by a first device in a distributed system, the method comprising: receiving, at a first unit or device associated with a first domain, a first secret key from a central management system; storing, at the first device, the first secret key in non-volatile memory of the first device; generating, at the first device, a second secret key using a secure key calculation, the second secret key configured to be shared with a plurality of devices within the first domain; storing, at the first device, the second secret key in volatile memory of the first device; generating, at the first unit or device, a first integrity protection key based on the first and second keys; generating, at the first device, a first broadcast encryption key based on the second key; generating, at the first device, a security sensitive log entry; generating, at the first device, an integrity protection tag based on the security sensitive log entry using the first integrity protection key; generating, at the first device, a protected log entry based on the security sensitive log entry and the integrity protection tag using the first broadcast encryption key; and broadcasting, at the first unit or device, the protected log entry to the plurality of devices within the first domain.
2. The method according to claim 1, wherein a second device in the first domain receives from the first device the protected log entry and stores the protected log entry in non-volatile local memory.
3. The method according to claim 2, wherein the first device and the second device use a secret sharing scheme to generate the second secret key.
4. The method according to claim 1, wherein the central management system is configured to regularly contact the first device and any other additional device within the domain, collect and verify the integrity and consistency of stored log entries of the first device and any other additional devices within the domain, and store the stored log entries in central protected memory while requesting the first device and any other additional devices in the domain delete locally stored log entries.
5. The method according to claim 1, further comprising: receiving one or more shares; broadcasting or sharing the one or more shares with one or more other additional devices within the domain as the first device; using a secret sharing scheme to generate a third key based on the one or more shares; and storing the third key in volatile memory.
6. The method of claim 5, wherein the third secret key is configured to replace the second secret key in encryption to protect a security sensitive log entry.
7. The method of claim 6, wherein the third secret key is configured to be generated after the first device has a power failure and reboots.
8. The method of claim 1, wherein the protected log entry is configured to be broadcast using a broadcast message passing.
9. The method of claim 1, wherein generating the integrity protection tag comprises encrypting the security sensitive log entry using the first integrity protection key.
10. The method of claim 1, wherein generating the protected log entry comprises encrypting the security sensitive log entry and the integrity protection tag using the first broadcast encryption key.
11. A device for protecting an integrity of log entries in a distributed system, the device configured at least in part to: receive a first secret key from a central management system; store the first secret key in non-volatile memory of the device; generate a second secret key, the second secret key configured to be shared with a plurality of devices within a domain using a secure key calculation; store the second secret key in volatile memory of the device; generate a first integrity protection key based on the first and second keys; generate a first broadcast encryption key based on the second key; generate a security sensitive log entry; generate an integrity protection tag based on the security sensitive log entry using the first integrity protection key; generate a protected log entry based on the security sensitive log entry and the integrity protection tag using the first broadcast encryption key; and broadcast the protected log entry to the plurality of devices within the domain.
12. The device according to claim 11, further configured to store the protected log entry in non-volatile local memory.
13. The device according to claim 12, wherein the device uses a secret sharing scheme to generate the second secret key.
14. The device according to claim 11, wherein the central management system is configured to regularly contact the device and any other additional devices within the domain, collect and verify the integrity and consistency of stored log entries of the device and any other additional devices within the domain, and store the log entries in central protected memory while requesting the device and any other additional devices in the domain to delete locally stored log entries.
15. The device according to claim 11, further configured to: receive one or more shares; broadcast or share the one or more shares with one or more other additional devices within the domain; use a secret sharing scheme to generate a third key based on the one or more shares; and store the third key in volatile memory.
16. The device of claim 15, wherein the third secret key is configured to replace the second secret key in encryption to protect a security sensitive log entry.
17. The device of claim 15, wherein the third secret key is configured to be generated after the device has a power failure and reboots.
18. The device of claim 11, wherein the protected log entry is configured to be broadcast using a broadcast message passing.
19. The device of claim 11, wherein generating the integrity protection tag comprises encrypting the security sensitive log entry using the first integrity protection key.
20. The device of claim 11, wherein generating the protected log entry comprises encrypting the security sensitive log entry and the integrity protection tag using the first broadcast encryption key.
21. The device of claim 11, further configured to: receive, at the first device, protected log entries from one of the plurality of devices within the first domain; and provide, at the first device, the received protected log entries from the one of the plurality of devices within the first domain to the central management system.
22. The device of claim 21, wherein the device provides the received protected log entries from the one of the plurality of devices within the first domain to the central management system in an instance the one of the plurality of devices within the domain is unavailable.
23. The device of claim 22, further configured to: lose, at the first device, connectivity to the central management system; and reestablish, at the first device, connectivity to the central management system, wherein providing the received protected log entries from the one of the plurality of devices within the first domain to the central management system occurs after reestablishing connectivity to the central management system.
24. The device of clai
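The abstract and claims 1-7 describe one procedure: a per-device key K1 provisioned by the central management system and kept in non-volatile memory, a domain-wide key K2 built with a secret sharing scheme and kept only in volatile memory, an integrity key derived from K1 and K2, a broadcast key derived from K2 alone, a tag over the log entry, encryption of entry plus tag, and reconstruction of the domain key from shares after a reboot. The following is an added worked model of that flow, not code from the patent or its assignee. The Shamir scheme over a 256-bit prime field, the HMAC-SHA256 key derivation and tag, the HMAC-counter-mode stream cipher (a stand-in for a real cipher such as AES-GCM), and the assumption that the central management system holds each device's K1 and can rebuild K2 from shares are all choices made here for illustration; the sample log line is constructed.

```python
"""Model of the log-protection scheme in the abstract and claims above.
Added example, not code from the patent: key derivation, tag construction,
the HMAC-counter-mode cipher and the share-distribution model are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import struct

# Prime field for Shamir shares (assumption: the claims only say "a secret sharing scheme").
P = 2**256 - 189
TAG_LEN, NONCE_LEN = 32, 12


def split_secret(secret: int, n: int, k: int) -> list[tuple[int, int]]:
    """Shamir: n shares of `secret`, any k of which reconstruct it (claims 3, 5)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the shares supplied."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def derive_keys(k1: bytes, k2: bytes) -> tuple[bytes, bytes]:
    """Integrity key from K1 and K2; broadcast key from K2 alone (claim 1)."""
    ki = hmac.new(k1 + k2, b"log-integrity", hashlib.sha256).digest()
    kb = hmac.new(k2, b"log-broadcast", hashlib.sha256).digest()
    return ki, kb


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real cipher (assumption)."""
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_entry(ki: bytes, kb: bytes, entry: bytes) -> bytes:
    """Tag the entry with the integrity key, then encrypt entry||tag with the broadcast key."""
    tag = hmac.new(ki, entry, hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_keystream(kb, nonce, entry + tag)


def decrypt_entry(kb: bytes, blob: bytes) -> tuple[bytes, bytes]:
    """Any domain member holding K2 can strip the broadcast layer (claim 2)."""
    plain = _xor_keystream(kb, blob[:NONCE_LEN], blob[NONCE_LEN:])
    return plain[:-TAG_LEN], plain[-TAG_LEN:]


def verify_entry(ki: bytes, kb: bytes, blob: bytes) -> bytes | None:
    """Central management, holding K1 and K2, checks the tag (claim 4); None on failure."""
    entry, tag = decrypt_entry(kb, blob)
    expected = hmac.new(ki, entry, hashlib.sha256).digest()
    return entry if hmac.compare_digest(tag, expected) else None


def run_scenario(n_devices: int = 5, threshold: int = 3) -> dict:
    """Provision a domain, broadcast one entry, tamper with it, then reboot device 0."""
    k1 = {d: os.urandom(32) for d in range(n_devices)}   # per device, from central mgmt (NVM)
    k2_int = secrets.randbelow(P)
    shares = split_secret(k2_int, n_devices, threshold)   # one share held per device
    k2 = k2_int.to_bytes(32, "big")                       # domain key, volatile memory only
    ki, kb = derive_keys(k1[0], k2)

    entry = b"2015-12-04T10:00:00Z dev0 tamper switch opened"  # constructed sample log line
    blob = protect_entry(ki, kb, entry)
    peer_copy = decrypt_entry(kb, blob)[0]                # peer reads it and stores the blob

    # Tamper with one ciphertext byte: the tag no longer matches.
    forged = bytearray(blob)
    forged[NONCE_LEN] ^= 0x01
    tampered_ok = verify_entry(ki, kb, bytes(forged)) is not None

    # Reboot: device 0 lost K2 (volatile); threshold shares from peers rebuild it (claims 5-7).
    rebuilt = reconstruct(shares[1:1 + threshold]).to_bytes(32, "big")
    too_few_rebuilds = reconstruct(shares[1:threshold]) == k2_int

    return {"verified": verify_entry(ki, kb, blob) == entry,
            "peer_reads": peer_copy == entry,
            "tampered_rejected": not tampered_ok,
            "k2_rebuilt": rebuilt == k2,
            "too_few_rebuilds": too_few_rebuilds}


if __name__ == "__main__":
    print(run_scenario())
```

Two properties of the claimed split are visible in the model: a peer holding only the domain key can decrypt and store a broadcast entry but cannot produce a tag the central management system will accept, because the integrity key also depends on that device's K1; and a device that reboots recovers the domain key only once it has collected a threshold of shares, which is why the claims keep K2 in volatile memory and describe a replacement key rather than a persisted one.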
Services for machine-to-machine communication [M2M] or machine type communication [MTC] · CPC title
in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title
File encryption · CPC title
specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks · CPC title
for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H] · CPC title