
WO2020160139 - SECURITY CONTEXT DISTRIBUTION SERVICE

Note: Text based on automatic optical character recognition processes. Only the PDF version has legal value.

WE CLAIM:

1. A method, comprising:

receiving, at a security context distribution service, from a first device operating on a first network, a request for a security context for the first device, wherein the request is signed using a private key preconfigured on the first device and wherein the request is encrypted using a public key associated with the security context distribution service;

decrypting the request and validating the request signature;

determining a set of device requirements based on a unique identifier for the first device and device claim information associated with the first device;

generating a response message that contains at least one Transport Layer Security (TLS) certificate associated with the first network, based on the set of device requirements, wherein the response message is encrypted using a public key associated with the first device and signed using a private key associated with the security context distribution service; and

transmitting the response message to the first device.

2. The method of claim 1, wherein the at least one Transport Layer Security (TLS) certificate further comprises a Certificate Authority (CA) certificate.

3. The method of claim 1, wherein the generated response message further contains at least one of credentials, service tokens, and privileged endpoints.

4. The method of claim 1, wherein the request further includes the unique identifier for the first device and a cryptographically secure nonce.

5. The method of claim 1, wherein the first device is preconfigured with a private key.

6. The method of claim 5, wherein the private key is stored within a secure storage location on the first device.

7. The method of claim 1, wherein the first device is further preconfigured with a plurality of public keys, inclusive of the public key associated with the security context distribution service, and wherein the first device is configured to select the public key associated with the security context distribution service from the plurality of public keys and to encrypt the request for the security context using the selected public key.

8. The method of claim 1, wherein the first device is configured to generate and transmit the request for the security context based on at least one of (i) a first boot operation, (ii) a user command, (iii) a scheduled update and (iv) attempting to establish a secure socket connection.

9. The method of claim 1, wherein generating the response message further comprises:

retrieving the public key associated with the first device from a repository containing a plurality of public keys, based on at least one of (i) the unique identifier for the first device and (ii) the device claim information associated with the first device.

10. The method of claim 1, wherein a public-private key pair containing the private key associated with the security context distribution service is one of a plurality of public-private key pairs preconfigured on the security context distribution service, and wherein the security context distribution service is configured to rotate usage of the public-private key pairs in the plurality of public-private key pairs according to a rotation schedule.
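Claims 7 and 10 together describe a service holding several key pairs that it rotates on a schedule, with each device holding the matching public keys and selecting the one to encrypt to. The block below is an added example written for this page, not code from the patent or its applicant. It assumes a time-based schedule shared by both sides, a key id carried next to the ciphertext, RSA-OAEP for the encryption, a grace period so requests encrypted just before a rotation still decrypt, and constructed 30-day rotation data; Schedule, KeyPair, Current, Encrypt, Decrypt and NewSchedule are this example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// KeyPair is one entry of the service's preconfigured plurality of key pairs (claim 10).
// Devices hold the same list with Priv left nil: the plurality of public keys of claim 7.
type KeyPair struct {
	ID         string
	ActiveFrom time.Time // the pair is current from here until the next pair's ActiveFrom
	Pub        *rsa.PublicKey
	Priv       *rsa.PrivateKey
}

// Schedule is the rotation schedule: pairs ordered by ActiveFrom, plus a grace period during
// which a just-retired pair is still accepted so requests already in flight do not fail.
type Schedule struct {
	Pairs []KeyPair
	Grace time.Duration
}

// Public returns the device-side copy: same ids and times, public keys only.
func (s *Schedule) Public() *Schedule {
	out := &Schedule{Grace: s.Grace}
	for _, p := range s.Pairs { out.Pairs = append(out.Pairs, KeyPair{ID: p.ID, ActiveFrom: p.ActiveFrom, Pub: p.Pub}) }
	return out
}

// Current selects the pair to encrypt to at time now: the latest one that is already active.
func (s *Schedule) Current(now time.Time) (KeyPair, error) {
	idx := -1
	for i, p := range s.Pairs {
		if !p.ActiveFrom.After(now) { idx = i }
	}
	if idx < 0 { return KeyPair{}, errors.New("no key pair active yet") }
	return s.Pairs[idx], nil
}

// Encrypt is the device side: encrypt to the selected public key and tag the ciphertext
// with the key id so the service knows which private key applies.
func (s *Schedule) Encrypt(now time.Time, msg []byte) (string, []byte, error) {
	p, err := s.Current(now)
	if err != nil { return "", nil, err }
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Pub, msg, nil)
	return p.ID, ct, err
}

// Decrypt accepts a ciphertext under keyID only while that pair is current or retired for less
// than Grace; older pairs are refused even though the service still holds their private keys.
func (s *Schedule) Decrypt(now time.Time, keyID string, ct []byte) ([]byte, error) {
	for i, p := range s.Pairs {
		if p.ID != keyID { continue }
		if p.ActiveFrom.After(now) { return nil, errors.New(keyID + ": not yet active") }
		if i+1 < len(s.Pairs) && now.Sub(s.Pairs[i+1].ActiveFrom) > s.Grace {
			return nil, errors.New(keyID + ": retired beyond the grace period")
		}
		return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Priv, ct, nil)
	}
	return nil, errors.New(keyID + ": unknown key id")
}

// NewSchedule builds a three-pair schedule rotating every 30 days from t0 (constructed data).
func NewSchedule(t0 time.Time) *Schedule {
	s := &Schedule{Grace: 24 * time.Hour}
	for i, id := range []string{"k1", "k2", "k3"} {
		priv, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil { panic(err) }
		s.Pairs = append(s.Pairs, KeyPair{id, t0.Add(time.Duration(i) * 30 * 24 * time.Hour), &priv.PublicKey, priv})
	}
	return s
}

func main() {
	t0 := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	svc := NewSchedule(t0)
	dev := svc.Public()
	id, ct, _ := dev.Encrypt(t0.Add(40*24*time.Hour), []byte("hello")) // day 40: k2 is current
	pt, err := svc.Decrypt(t0.Add(40*24*time.Hour), id, ct)
	fmt.Println(id, string(pt), err)
}
```

The point of the grace window is operational: a device that selected the current key a moment before the schedule advanced still gets its request decrypted, while a pair retired longer ago is refused outright, which bounds how long the compromise of an old private key keeps mattering.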

11. A device, comprising:

one or more computer processors; and

a memory containing computer program code that, when executed by operation of the one or more computer processors, performs an operation comprising:

initiating an operation to configure the device with a security certificate associated with a first network;

retrieving a private key that was preconfigured on the device;

generating a request for a security context for the device, wherein the request is signed using the private key and wherein the request is encrypted using a public key associated with a security context distribution service;

transmitting the request to the security context distribution service, wherein the security context distribution service is configured to decrypt the request message and validate the signature of the request message;

receiving a response message from the security context distribution service, wherein the response message contains at least one Transport Layer Security (TLS) certificate associated with the first network, wherein the security context distribution service is configured to sign the response message using a private key associated with the security context distribution service and wherein the security context distribution service is configured to encrypt the response message using a public key associated with the device; and

upon decrypting the response message using the private key preconfigured on the device and validating the signature of the response message, configuring the device to use the received TLS certificate.
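The exchange that claims 1 and 11 describe, carried through on both sides in one program: an added example written for this page, not code from the patent or its applicant. It assumes RSA-PSS for the signatures, RSA-OAEP wrapping an AES-GCM content key for the encryption (an RSA block alone cannot hold a certificate), JSON framing for the messages, an in-process call in place of the network, and a constructed placeholder certificate; Service, Device, Handle, Enroll, seal, decrypt and NewPair are this example's own names.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Envelope is one direction of the exchange: the body is signed with the sender's key, then body and
// signature are encrypted to the recipient's key (AES-GCM under a fresh key; only that key is RSA-wrapped).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
type signedBody struct{ Body, Signature []byte }        // Signature: RSA-PSS over SHA-256(Body)
type Request struct{ DeviceID string; Nonce []byte }    // claim 4: unique id + secure nonce
type Response struct{ Nonce []byte; TLSCerts []string } // claim 1: certs; nonce echoed for binding

func randBytes(n int) []byte { // stop rather than continue without a CSPRNG
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil { panic(err) }
	return b
}
func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }
func verify(s *signedBody, pub *rsa.PublicKey) error {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(s.Body), s.Signature, nil)
}

// seal signs body with senderPriv, then encrypts body+signature to recipientPub.
func seal(body []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest(body), nil)
	if err != nil { return nil, err }
	inner, _ := json.Marshal(signedBody{Body: body, Signature: sig})
	key, nonce := randBytes(32), randBytes(12)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(key); gcm, _ := cipher.NewGCM(block) // cannot fail for a 32-byte key
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, inner, nil)}, nil
}

// decrypt recovers the signed body; the signature is checked by the caller once it knows
// whose public key applies (the service learns that only from the decrypted device id).
func decrypt(env *Envelope, recipientPriv *rsa.PrivateKey) (*signedBody, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 { return nil, errors.New("cannot unwrap content key") }
	block, _ := aes.NewCipher(key); gcm, _ := cipher.NewGCM(block)
	inner, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // the GCM tag rejects tampering
	if err != nil { return nil, err }
	var s signedBody; return &s, json.Unmarshal(inner, &s)
}

// Service is the security context distribution service of claim 1: it knows each enrolled
// device's preconfigured public key (claim 9) and the first network's TLS material.
type Service struct{ priv *rsa.PrivateKey; devices map[string]*rsa.PublicKey; certs []string }

func (svc *Service) Handle(env *Envelope) (*Envelope, error) {
	s, err := decrypt(env, svc.priv) // 1. decrypt with the service private key
	if err != nil { return nil, err }
	var req Request; if err := json.Unmarshal(s.Body, &req); err != nil { return nil, err }
	devPub, ok := svc.devices[req.DeviceID] // 2. device requirements keyed by the unique identifier
	if !ok { return nil, errors.New("unknown device id") }
	if err := verify(s, devPub); err != nil { return nil, errors.New("request signature invalid") }
	out, _ := json.Marshal(Response{Nonce: req.Nonce, TLSCerts: svc.certs})
	return seal(out, svc.priv, devPub) // 3. sign with the service key, encrypt to the device key
}

// Device is the client of claim 11: only its own private key and the service public key are preconfigured.
type Device struct{ ID string; Priv *rsa.PrivateKey; ServicePub *rsa.PublicKey }

func (d *Device) Enroll(svc *Service) ([]string, error) {
	nonce := randBytes(16)
	body, _ := json.Marshal(Request{DeviceID: d.ID, Nonce: nonce})
	env, err := seal(body, d.Priv, d.ServicePub)
	if err != nil { return nil, err }
	respEnv, err := svc.Handle(env) // stands in for the network round trip
	if err != nil { return nil, err }
	s, err := decrypt(respEnv, d.Priv)
	if err == nil { err = verify(s, d.ServicePub) }
	if err != nil { return nil, err }
	var resp Response; if err := json.Unmarshal(s.Body, &resp); err != nil { return nil, err }
	if !bytes.Equal(resp.Nonce, nonce) { return nil, errors.New("nonce mismatch: not a reply to this request") }
	return resp.TLSCerts, nil // only now does the device install the certificate
}

// NewPair builds one service and one enrolled device from fresh keys (constructed demo data; claim 6 would load the device key from secure storage).
func NewPair() (*Service, *Device) {
	svcKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	devKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert := "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"
	svc := &Service{svcKey, map[string]*rsa.PublicKey{"device-0001": &devKey.PublicKey}, []string{cert}}
	return svc, &Device{"device-0001", devKey, &svcKey.PublicKey}
}

func main() { svc, dev := NewPair(); fmt.Println(dev.Enroll(svc)) }
```

Two details follow the claim order rather than convenience: the service decrypts before it validates the signature, because the device identifier that names the signing key is itself inside the encrypted body (claims 1 and 4), and the device installs nothing until the response both decrypts under its own key and verifies under the service key, with the echoed nonce tying that response to the request it sent (claims 11 and 13).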

12. The system of claim 11, wherein the security context distribution service, in generating the response message, is configured to determine a set of device requirements for the device based on a unique identifier for the device and device claim information associated with the device, and wherein the security context distribution service is configured to generate the response message based on the set of device requirements.

13. The system of claim 11, the operation further comprising:

generating a cryptographically secure nonce; and

including the cryptographically secure nonce in the generated request for the security context.

14. The system of claim 11, wherein the device is configured to generate and transmit the request for the security context based on at least one of (i) a first boot operation, (ii) a user command, (iii) a scheduled update, and (iv) attempting to establish a secure socket connection.

15. The system of claim 11, wherein the at least one Transport Layer Security (TLS) certificate further comprises a Certificate Authority (CA) certificate, and wherein the response message further contains at least one of credentials, service tokens, and privileged endpoints.

16. A non-transitory computer-readable medium containing computer program code that, when executed by operation of one or more computer processors, performs an operation comprising:

receiving, at a security context distribution service, from a first device operating on a first network, a request for a security context for the first device, wherein the request is encrypted using a public key of the security context distribution service;

decrypting the received request using a private key associated with the security context distribution service;

determining a set of device requirements based on a unique identifier for the first device and device claim information associated with the first device;

generating a response message that contains at least one Transport Layer Security (TLS) certificate associated with the first network, based on the set of device requirements, wherein the response message is signed using the private key associated with the security context distribution service; and

transmitting the response message to the first device.

17. The non-transitory computer-readable medium of claim 16, wherein the at least one Transport Layer Security (TLS) certificate further comprises a Certificate Authority (CA) certificate, and wherein the request further includes the unique identifier for the first device and a cryptographically secure nonce.

18. The non-transitory computer-readable medium of claim 16, wherein the first device is further preconfigured with the public key associated with the security context distribution service, and wherein the first device is configured to encrypt the request for the security context using the public key associated with the security context distribution service.

19. The non-transitory computer-readable medium of claim 16, wherein the first device is configured to generate and transmit the request for the security context based on at least one of (i) a first boot operation, (ii) a user command, (iii) a scheduled update and (iv) attempting to establish a secure socket connection.

20. A device, comprising:

one or more computer processors; and

a memory containing computer program code that, when executed by operation of the one or more computer processors, performs an operation comprising:

initiating an operation to configure the device with a security certificate associated with a first network;

retrieving a public key associated with a security context distribution service;

generating a request for a security context for the first device, wherein the request is encrypted using the public key associated with the security context distribution service;

transmitting the request to the security context distribution service, wherein the security context distribution service is configured to decrypt the request message;

receiving a response message from the security context distribution service, wherein the response message contains at least one Transport Layer Security (TLS) certificate associated with the first network, and wherein the security context distribution service is configured to sign the response message using a private key associated with the security context distribution service; and

upon validating the signature of the response message, configuring the first device to use the received TLS certificate.

21. The device of claim 20, wherein the security context distribution service, in generating the response message, is configured to determine a set of device requirements for the first device based on a unique identifier for the first device and device claim information associated with the first device, and wherein the security context distribution service is configured to generate the response message based on the set of device requirements.

22. The device of claim 20, the operation further comprising:

generating a cryptographically secure nonce; and

including the cryptographically secure nonce in the generated request for the security context.

23. The device of claim 20, wherein the at least one Transport Layer Security (TLS) certificate further comprises a Certificate Authority (CA) certificate, and wherein the device is configured to generate and transmit the request for the security context based on at least one of (i) a first boot operation, (ii) a user command, (iii) a scheduled update, and (iv) attempting to establish a secure socket connection.