Certificate validation and channel binding

US9781100B2 · US · B2

Patent metadata
Publication number: US-9781100-B2
Application number: US-201615348392-A
Country: US
Kind code: B2
Filing date: Nov 10, 2016
Priority date: Nov 15, 2010
Publication date: Oct 3, 2017
Grant date: Oct 3, 2017

Abstract

Official abstract text for this publication.

A constrained network entity may determine, via an authentication procedure with a core network entity, the trustworthiness of an endpoint attempting to establish a secure channel with the constrained network entity. The constrained network entity may receive a certificate from the endpoint attempting to establish the secure channel and the constrained network entity may send the certificate asserted by the endpoint to a core network entity for validation. The core network entity may receive the certificate during a key exchange with the constrained network entity and the core network entity may indicate to the constrained network entity the validity of the certificate. The constrained network entity may determine whether to establish the secure channel with the endpoint based on the validity of the certificate.

Claims

What is claimed is:

1. A network device comprising a processor, a memory, and communication circuitry for communicating with other network entities, the memory storing computer-executable instructions that, when executed by the processor, cause the network device to perform operations comprising: performing, by an access layer of the network device, an authentication with an access network and establishing secure machine-to-machine communications with the access network; sending, by an application layer of the network device, a certificate associated with a machine-to-machine application server to the access network, using the secure communications established between the access layer of the network device and the access network, to obtain a determination of the validity of the certificate, whereby the network device uses the access network as a proxy for validation of the certificate of the application server; securely receiving, by the application layer of the network device, via the secure communications established between the access layer of the network device and the access network, an indication of the validity of the application server certificate from the access network; performing, by the application layer of the network device, an authentication with the application server based on a successful validation of the application server certificate; and establishing, by the application layer of the network device, secure communications with the application server.

2. The network device of claim 1, wherein the authentication and secure channel establishment by the application layer of the network device are bound to a successful integrity validation by the network device of one or more of its components, thereby providing assurances of the security of the application layer of the network device to the application server.

3. The network device of claim 1, wherein a secure channel is established between the network device and the application server only after successful mutual certificate-based authentication.

4. The network device of claim 1, wherein certificates are exchanged as part of a public key exchange performed to establish a secure channel between the network device and the application server.

5. The network device of claim 1, wherein certificates are exchanged as part of a public key exchange performed to enable authentication between the network device and the application server.

6. The network device of claim 1, wherein authentication between the network device and the access network is performed in accordance with an Authentication and Key Agreement (AKA) procedure.

7. The network device of claim 1, wherein authentication between the network device and the application server is performed in accordance with the Generic Bootstrapping Architecture (GBA) procedure.

8. The network device of claim 1, wherein an identity of the application server on the application server certificate is verified.

9. The network device of claim 1, wherein the network device uses an identity of the application server to obtain the application server certificate.

10. The network device of claim 1, wherein validity of the application server certificate comprises verifying at least: a signature on the certificate; certificate chain of the certificate; revocation status of the certificate, and an expiry date of the certificate.

11. A method for authentication and establishment of a secure channel in a machine-to-machine network, comprising: performing, by an access layer of a network device, an authentication with an access network and establishing secure machine-to-machine communications with the access network; sending, by an application layer of the network device, a certificate associated with a machine-to-machine application server to the access network, using the secure communications established between the access layer of the network device and the access network, to obtain a determination of the validity of the certificate, whereby the network device uses the access network as a proxy for validation of the certificate of the application server; securely receiving, by the application layer of the network device, via the secure communications established between the access layer of the network device and the access network, an indication of the validity of the application server certificate from the access network; performing, by the application layer of the network device, an authentication with the application server based on a successful validation of the application server certificate; and establishing, by the application layer of the network device, secure communications with the application server.

12. The method of claim 10, wherein the authentication and secure channel establishment by the application layer of the network device are bound to a successful integrity validation by the network device of one or more of its components, thereby providing assurances of the security of the application layer of the network device to the application server.

13. The method of claim 10, further comprising establishing a secure channel between the network device and the application server after successful mutual certificate-based authentication.

14. The method of claim 10, further comprising exchanging certificates as part of a public key exchange performed to establish a secure channel between the network device and the application server.

15. The method of claim 10, further comprising exchanging certificates as part of a public key exchange performed to enable authentication between the network device and the application server.

16. The method of claim 10, wherein authentication between the network device and the access network is performed in accordance with an Authentication and Key Agreement (AKA) procedure.

17. The method of claim 10, wherein authentication between the network device and the application server is performed in accordance with the Generic Bootstrapping Architecture (GBA) procedure.

18. The method of claim 10, further comprising verifying an identity of the application server on the application server certificate is verified.

19. The method of claim 11, further comprising using an identity of the application server to obtain the application server certificate.

20. The method of claim 10, wherein validity of the application server certificate comprises verifying at least: a signature on the certificate; certificate chain of the certificate; revocation status of the certificate; and an expiry date of the certificate.
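The flow claimed above (access-layer authentication first, then the application layer forwarding the server certificate to the network for a proxy validation covering signature, chain, revocation and expiry, and only then proceeding to server authentication) can be modelled end to end with the Go standard library's x509 package. The following is an added illustration, not code from the patent or from InterDigital: the "core network validator" is a local struct, the AKA-secured channel is modelled as a boolean plus a direct function call, the CA and server certificates are constructed in memory, and revocation is a constructed serial-number list standing in for a real CRL or OCSP lookup. The hostname check (claim 8) is folded into the same verification call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CoreValidator stands in for the core/access network entity that validates an
// application-server certificate on the constrained device's behalf (assumed
// design for this example). revoked is a constructed stand-in for CRL/OCSP data.
type CoreValidator struct {
	roots   *x509.CertPool
	revoked map[string]bool // revoked serial numbers as decimal strings
}

// Validate performs the checks listed in claim 10: signature and chain
// (cert.Verify), expiry (CurrentTime against NotBefore/NotAfter) and revocation
// status. DNSName additionally pins the expected server identity (claim 8).
func (c *CoreValidator) Validate(der []byte, serverName string, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if c.revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       c.roots,
		DNSName:     serverName,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err // nil only when chain, signature, name and validity window all hold
}

// ConstrainedDevice keeps just the state the claims depend on: whether the access
// layer has authenticated (e.g. via AKA), which is the secure path the
// application layer reuses to reach the validator.
type ConstrainedDevice struct {
	accessAuthenticated bool
	core                *CoreValidator
}

// ConnectToServer is the application-layer step: no trusted path without
// access-layer authentication; forward the certificate; proceed only on a
// positive indication from the network.
func (d *ConstrainedDevice) ConnectToServer(serverDER []byte, serverName string, now time.Time) error {
	if !d.accessAuthenticated {
		return errors.New("access-layer authentication not completed; no trusted path to validator")
	}
	if err := d.core.Validate(serverDER, serverName, now); err != nil {
		return fmt.Errorf("network rejected server certificate: %w", err)
	}
	return nil // next: authenticate to the server and set up the secure channel
}

// Helpers that build the constructed in-memory PKI.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

func serverTemplate(serial int64, name string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Scenario builds the constructed PKI and returns the outcome of each case
// (valid cert, expired, revoked, untrusted issuer, name mismatch, device that
// skipped access-layer authentication) so the behaviour can be asserted on.
func Scenario() map[string]error {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed M2M Root CA"},
		NotBefore:             now.Add(-72 * time.Hour),
		NotAfter:              now.Add(72 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, _ := x509.ParseCertificate(signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	core := &CoreValidator{roots: roots, revoked: map[string]bool{"4": true}}

	srvKey := newKey()
	const name = "m2m-app.example" // constructed server identity
	good := signCert(serverTemplate(2, name, now.Add(-time.Hour), now.Add(time.Hour)), caCert, &srvKey.PublicKey, caKey)
	expired := signCert(serverTemplate(3, name, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), caCert, &srvKey.PublicKey, caKey)
	revoked := signCert(serverTemplate(4, name, now.Add(-time.Hour), now.Add(time.Hour)), caCert, &srvKey.PublicKey, caKey)
	rogueKey := newKey()
	rogueTmpl := serverTemplate(5, name, now.Add(-time.Hour), now.Add(time.Hour))
	rogue := signCert(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey) // self-signed, no chain to the root

	dev := &ConstrainedDevice{accessAuthenticated: true, core: core}
	cold := &ConstrainedDevice{accessAuthenticated: false, core: core}
	return map[string]error{
		"valid":            dev.ConnectToServer(good, name, now),
		"expired":          dev.ConnectToServer(expired, name, now),
		"revoked":          dev.ConnectToServer(revoked, name, now),
		"untrusted issuer": dev.ConnectToServer(rogue, name, now),
		"name mismatch":    dev.ConnectToServer(good, "other.example", now),
		"no access auth":   cold.ConnectToServer(good, name, now),
	}
}

func main() {
	for k, err := range Scenario() {
		fmt.Printf("%-16s -> %v\n", k, err)
	}
}
```

Only the "valid" case returns nil; every other case is refused before any application-layer authentication with the server begins, which is the ordering claims 1 and 11 require. In a real deployment the revocation map would be replaced by the network's CRL/OCSP lookup and the function call by the AKA-protected channel, but the decision logic on the device side stays this small: it never evaluates the certificate itself.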

Assignees

Interdigital Patent Holdings Inc

Inventors

Classifications

  • H04L9/0838: for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement)

  • H04L63/0823: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network)

  • H04L9/3234: using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices)

  • Processing at user equipment or user record carrier

  • by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9781100B2 cover?
A constrained network entity may determine, via an authentication procedure with a core network entity, the trustworthiness of an endpoint attempting to establish a secure channel with the constrained network entity. The constrained network entity may receive a certificate from the endpoint attempting to establish the secure channel and the constrained network entity may send the certificate as…
Who is the assignee on this patent?
Interdigital Patent Holdings Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0823. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 3, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).