Staged control release in boot process

US9679142B2 · US · B2

Patent metadata

  Publication number:  US-9679142-B2
  Application number:  US-201414507205-A
  Country:             US
  Kind code:           B2
  Filing date:         Oct 6, 2014
  Priority date:       Apr 12, 2010
  Publication date:    Jun 13, 2017
  Grant date:          Jun 13, 2017


Abstract

Official abstract text for this publication.

Integrity validation of a network device may be performed. A network device comprising a secure hardware module, may receive a root key. The secure hardware module may also receive a first code measurement. The secure hardware module may provide a first key based on the root key and the first code measurement. The secure hardware module may receive a second code measurement and provide a second key based on the first key and the second code measurement. The release of keys based on code measurements may provide authentication in stages.

First claim

Opening claim text (preview).

What is claimed:

1. A network device comprising: a processor and a memory configured to perform at least one essential function of the device, wherein the at least one essential function comprises one of device authentication to a network, communication stack execution, or transmission or reception of communication signals; and a secure processing environment comprising a trusted environment (TrE) configured to: perform device integrity validation comprising an integrity check of one or more components of the device; gate the performance of the at least one essential function of the device based on a result of the device integrity validation; and in response to a failure of the integrity check of the one or more components of the device, release a first key that enables the device to authenticate with an external network entity and to initiate a request to the external network entity for remediation of the one or more components that failed the integrity check.

2. The network device of claim 1, wherein the secure processing environment is protected by a hardware-based root of trust.

3. The network device recited in claim 1, wherein the at least one essential function comprises device authentication to a network, and wherein the secure processing environment gates the performance of that essential function by gating access to one of (a) a secure processing capability within the secure processing environment needed to perform the device authentication to the network or (b) data protected by the secure processing environment that may be needed to perform the secure processing capability.

4. The network device recited in claim 3, wherein the secure processing capability comprises one or more of cryptographic encryption or decryption, signature generation or verification, random number generation, message authentication, cryptographic key generation, derivation, or management, certificate verification, and computation of secret materials that are needed for authentication of the secure processing environment, the user of the device, or authentication of the device to the network.

5. The network device recited in claim 3, wherein the secure processing environment gates the performance of the device authentication function by preventing the device authentication function from accessing a second key, the second key being a pre-shared key required for device authentication to the network.

6. The network device recited in claim 3, wherein the secure processing environment gates the performance of the device authentication function by preventing the device authentication function from accessing a second key, the second key being a private key associated with a device certificate required for device authentication to the network.

7. The network device recited in claim 1, wherein the external network entity is an operations, administration, and maintenance (OAM) server.

8. The network device recited in claim 1, wherein the secure processing environment is further configured to execute a cryptographic function using a second key, the second key being released upon a successful integrity check of the one or more components of the device and representing one of a plurality of trustworthy states of the device.

9. A method of binding integrity validation of a network device to other functions of the device, comprising: performing, by a secure processing environment comprising a trusted environment (TrE) within the device, device integrity validation comprising an integrity check of one or more components of the device; gating the performance of at least one essential function of the device based on a result of the device integrity validation, wherein the at least one essential function comprises one of device authentication to a network, communication stack execution, or transmission or reception of communication signals; and in response to a failure of the integrity check of the one or more components of the device, releasing a key that enables the device to authenticate with an external network entity and to initiate a request to the external network entity for remediation of the one or more components that failed the integrity check.

10. The method of claim 9, wherein the secure processing environment is protected by a hardware-based root of trust.

11. The method recited in claim 9, wherein the at least one essential function comprises device authentication to a network, and wherein gating the performance of that essential function comprises gating access to one of (a) a secure processing capability within the secure processing environment needed to perform the device authentication to the network or (b) data protected by the secure processing environment that may be needed to perform the secure processing capability.

12. The method recited in claim 11, wherein the secure processing capability comprises one or more of cryptographic encryption or decryption, signature generation or verification, random number generation, message authentication, cryptographic key generation, derivation, or management, certificate verification, and computation of secret materials that are needed for authentication of the secure processing environment, the user of the device, or authentication of the device to the network.

13. The method recited in claim 11, wherein gating the performance of the device authentication function comprises preventing the device authentication function from accessing a second key, the second key being a pre-shared key required for device authentication to the network.

14. The method recited in claim 11, wherein gating the performance of the device authentication function comprises preventing the device authentication function from accessing a second key, the second key being a private key associated with a device certificate required for device authentication to the network.

15. The method recited in claim 9, wherein the external network entity is an operations, administration, and maintenance (OAM) server.

16. The method recited in claim 9, wherein the secure processing environment is further configured to execute a cryptographic function using a second key, the second key being released upon a successful integrity check of the one or more components of the device and representing one of a plurality of trustworthy states of the device.
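The staged key release in the abstract (key 1 from the root key and the first code measurement, key 2 from key 1 and the second measurement) and the gating in claims 1 and 9 can be modelled as a chained HMAC derivation. This is an added illustration, not code from the patent: the patent does not specify a KDF, so HMAC-SHA256 with a constructed label, the sample stage images, the root key and the verifier-side first_failed_stage() check are all assumptions.

```python
import hashlib
import hmac
from typing import List, Optional

LABEL = b"staged-release"  # constructed domain-separation label (assumption)

def measure(code: bytes) -> bytes:
    """Code measurement of one component: SHA-256 of its image (assumed)."""
    return hashlib.sha256(code).digest()

def derive_stage_key(parent_key: bytes, measurement: bytes, stage: int) -> bytes:
    """Next key = HMAC-SHA256(parent_key, label || stage || measurement).
    The key is purely a function of its inputs: a modified component gives
    an unrelated key rather than an error a loader could skip over."""
    msg = LABEL + bytes([stage]) + measurement
    return hmac.new(parent_key, msg, hashlib.sha256).digest()

def release_keys(root_key: bytes, stages: List[bytes]) -> List[bytes]:
    """Chain the derivation: key_1 from the root key and stage 1,
    key_n from key_(n-1) and stage n, as the abstract describes."""
    keys, key = [], root_key
    for stage, code in enumerate(stages, start=1):
        key = derive_stage_key(key, measure(code), stage)
        keys.append(key)
    return keys

def first_failed_stage(expected: List[bytes], released: List[bytes]) -> Optional[int]:
    """Gating check against a reference chain (e.g. computed at provisioning):
    returns the first stage whose key differs, or None if every stage matched.
    Every key after a failed stage also differs, so functions keyed on
    later stages stay unusable until that component is remediated."""
    for stage, (exp, rel) in enumerate(zip(expected, released), start=1):
        if not hmac.compare_digest(exp, rel):
            return stage
    return None

ROOT_KEY = b"\x11" * 32  # constructed root key; a real device keeps it in the TrE
GOOD = [b"bootloader-v1", b"kernel-v1", b"comm-stack-v1"]  # constructed images
TAMPERED = [b"bootloader-v1", b"kernel-v1-modified", b"comm-stack-v1"]

if __name__ == "__main__":
    reference = release_keys(ROOT_KEY, GOOD)
    print("failed stage:", first_failed_stage(reference, release_keys(ROOT_KEY, TAMPERED)))
```

Stage 1 of the tampered chain still yields the reference key, which is the property claim 1 relies on: a key released before the failing stage remains available for authenticating to the remediation entity.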

Assignees

Interdigital Patent Holdings Inc

Inventors

Classifications

  • G06F21/57 (primary): Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

  • Integrity

  • using private Base Stations, e.g. femto Base Stations, home Node B

  • Secure or tamper-resistant housings

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Interdigital Patent Holdings Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/57. Mapped technology areas include Physics.
When was this patent published?
Publication date Jun 13, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).