US20190089696A1 - Authenticating a networked camera using a certificate having device binding information - Google Patents
- Publication number: US20190089696A1 (application US16/137,961)
- Authority: US (United States)
- Legal status: Abandoned (the status listed by Google is an assumption, not a legal conclusion)
Classifications
- H04L9/3263—Cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L9/3268—As above, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- H04L9/3247—As above, involving digital signatures
- H04L63/0823—Network architectures or network communication protocols for network security, for authentication of entities using certificates
- H04L63/0876—Network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/105—Network security, for controlling access to devices or network resources; multiple levels of security
- H04L63/126—Network security; applying verification of the received information: the source of the received data
- H04L63/166—Network security; implementing security features at a particular protocol layer: the transport layer
- G06F21/44—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; authentication of security principals: program or device authentication
- H04N7/18—Television systems; closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast
Definitions
- Apparatuses and methods consistent with the exemplary embodiments of the inventive concept relate to authenticating a networked camera using a certificate having device binding information.
- Digital certificates of a public key infrastructure (PKI) system are widely used for protected communications over a public network, such as the Internet, which a plurality of entities can access.
- An entity that wants to be assured as a trustworthy party by other entities in a network communication generates a public key and provides the public key to a certificate authority, and the certificate authority issues a certificate for the entity which contains a digital signature of the certificate authority.
- The other entities of the network communication can authenticate the entity by validating the certificate issued for the entity, and can prevent unauthorized access based on the authentication result to protect the network communication.
- A simple validation of a certificate chain proves that a specific certificate is issued by a trusted certificate authority. However, the chain validation is not enough to confirm whether a specific certificate was originally issued for the specific server to which a connection will be established. Thus, if a network host has a certificate that contains a domain name of the network host, a network client can check whether the domain name used to connect to the network host is the same as the domain name contained in the certificate received from the network host.
- Certificate pinning may be used to prevent the risk of a certificate change in the network host, where the network client uses pre-stored information about the certificate.
- The certificate pinning method is used as a measure preventing the risk of a certificate change, in which the network host receives a certificate with a domain name from a trusted certificate authority and registers information about the certificate combined with the domain name in advance for a future authentication process.
- This certificate pinning method is not applicable to a network host or a device operating without any domain name assigned.
- This certificate pinning method also has a risk that other devices with the same domain name as one device can use a certificate issued for that device because, under a domain name system, which is a logical addressing system, a domain name can be assigned to a plurality of devices, and therefore a device is allowed to use the same domain name that was used for another device.
- Exemplary embodiments of the inventive concept provide device authentication methods and related devices.
- A device authentication method is provided which may include: connecting to a device such as a camera through a network; receiving, from the device, a certificate of the device including device binding information about the device; sending, to the device, a device management message for administration level authentication; receiving, from the device, device information about the device in response to the administration level authentication being successful; determining whether the certificate is valid based on the device binding information and the device information; and establishing a protected communication session with the device in response to the certificate being determined to be valid.
- The device information may include identification information about the device for identifying the device from other devices.
- The device binding information may represent that the certificate was issued for the device identified by the device information.
- The device information may include at least a part of a Medium Access Control (MAC) address of a communication interface of the device.
- The device information may include information about a component constituting the device.
- The determining whether the certificate is valid may include: determining whether the device binding information includes the device information; and determining whether a digital signature of the certificate authority issuing the certificate is valid.
- The determining whether the certificate is valid may include: generating pinning information about the certificate received from the device; and determining whether the generated pinning information matches pre-stored pinning information about the device.
- System configuration information about the device may be received.
- A camera authentication method is provided which may include: receiving, from a management device, a request to connect to a camera; receiving, from the management device, a device management message for administration level authentication; sending, to the management device, device information about the camera corresponding to an access class allowed to read system configuration information about the camera, in response to the administration level authentication being successful; sending, to the management device, a certificate comprising device binding information about the camera; and establishing a protected communication session with the management device based on a result of determining, at the management device, whether the certificate is valid.
- A management device for a camera is provided which may include: a communication interface configured to communicate with the camera; a storage configured to store device information about the camera; and a controller configured to control the communication interface to establish a protected communication session with the camera based on a result of checking the validity of a certificate received from the camera, wherein the controller is further configured to determine whether the certificate is valid based on the device information stored in the storage and the device binding information included in the certificate.
- The controller may be configured to: determine whether the device binding information comprises the device information stored in the storage; and validate the certificate by determining whether a digital signature of the certificate authority issuing the certificate is valid.
- The certificate may be expressed in the form of X.509v3, and the device binding information may be included in the SubjectPublicKeyInfo field or in an extension field.
- The storage may be configured to pre-store pinning information about the camera, and the controller may be further configured to generate pinning information about the certificate received from the camera and determine whether the generated pinning information about the certificate matches the pre-stored pinning information about the camera.
- The controller may be further configured to control the communication interface to establish the protected communication session via SSL (Secure Socket Layer) protocols in response to validating the certificate.
- A camera is provided which may include: a communication interface configured to communicate with a management device; an image sensor configured to capture image data; a storage configured to store a certificate comprising device binding information generated based on device information about the camera, and to store a public key included in the certificate and a private key generated to have a cryptographic relation with the public key; and a controller configured to control the communication interface to: receive a connection request from the management device; send the certificate to the management device; and establish a protected communication session with the management device according to a result of determining, at the management device, that the certificate of the camera is valid based on the device binding information and the device information.
- The device information may include identification information about the camera to identify the camera from other devices.
- The device information may comprise at least a part of a MAC address of the communication interface of the camera.
- The determining that the certificate of the camera is valid may be performed by: determining whether the device binding information comprises the device information; determining whether a digital signature of the certificate authority issuing the certificate is valid; and determining whether pinning information about the certificate matches pre-stored pinning information about the camera.
- When devices on a network wish to establish a protected communication session with other devices, the devices may use a certificate issued for a specific device to authenticate the other devices, which reduces the risk that a single certificate can be used for multiple devices.
- A device on a network may detect whether a device specific certificate issued for a particular device is being used on other devices, based on the information in a device binding certificate.
- A management device may support issuance of the device binding certificate for a network camera, and may store certificate pinning information and install the device binding certificate in the network camera.
- FIG. 1 illustrates a network camera management system according to an exemplary embodiment.
- FIG. 2 is a flowchart illustrating an operation of the network camera management system of FIG. 1 , according to an exemplary embodiment.
- FIG. 3 is a flowchart showing a method for installing a certificate including device binding information in a camera, according to an exemplary embodiment.
- FIG. 4 is a flowchart showing a method for installing a certificate including device binding information in a camera, according to an exemplary embodiment.
- FIG. 5 is a flowchart showing a method for installing a certificate including device binding information in a network camera according to another embodiment.
- FIG. 6 illustrates steps to authenticate a camera, according to an exemplary embodiment.
- FIG. 7 is a block diagram of a camera according to an exemplary embodiment.
- FIG. 8 is a block diagram of a management device according to an exemplary embodiment.
- The technical terms used in the present disclosure are used only to describe specific embodiments and are not intended to limit the technical idea disclosed in the present disclosure.
- The technical terms used in the present disclosure should be construed in the sense generally understood by those having ordinary skill in the art to which the technology disclosed in the present disclosure belongs, and should not be construed in an excessively broad or an excessively narrow sense.
- If a technical term used in the present disclosure is a misleading technical term that does not accurately describe the technical idea disclosed in the present disclosure, it should be understood to be replaced by a technical term that can be understood by those having ordinary skill in the art to which the technology disclosed in the present disclosure belongs.
- The general terms used in the present disclosure should be construed in accordance with the predefined or prior context, and should not be construed in an excessively narrow sense.
- Terms such as first, second, or the like may be used to describe various configuration elements, but the configuration elements should not be limited by the terms. The terms are used only for the purpose of distinguishing one configuration element from another configuration element.
- A first configuration element may be referred to as a second configuration element without departing from the scope of the present disclosure, and similarly, the second configuration element may also be referred to as the first configuration element.
- FIG. 1 illustrates a network camera management system according to an exemplary embodiment.
- The network camera management system 100 may include a camera 110 and a management device 120, and the camera 110 may include one or more camera devices 110a, 110b, and 110c.
- The camera 110 may be connected to a network 130 by wire or wirelessly to communicate with other devices.
- The camera 110 according to the present embodiment may be referred to as a surveillance camera or a closed-circuit television (CCTV) camera, and may capture an image and transmit it to the management device 120 through the network 130.
- The camera 110 may include a lens and an image sensor.
- The lens may be a lens group comprising one or more lenses.
- The image sensor converts an image input through the lens into an electrical signal.
- The image sensor may be a semiconductor device capable of converting an optical signal into an electrical signal (hereinafter referred to as an image), such as a charge-coupled device (CCD) or a complementary metal oxide semiconductor (CMOS) sensor.
- The surveillance camera may be a camera that provides images represented by RGB color models, infrared images, distance images containing distance information, and the like.
- The management device 120 may store and manage images transmitted from the camera 110.
- The management device 120 may include one or more management devices.
- The management device 120 may be implemented by any one of a video management system (VMS), a central management system (CMS), a network video recorder (NVR), and a digital video recorder (DVR).
- The management device 120 may be implemented by a personal computer, a server, or a portable device such as a smartphone, a notebook computer, or a tablet.
- If a device is capable of receiving multimedia objects from one or more camera devices (110a, 110b, 110c, etc.) and displaying and/or storing them, it may work as the management device 120 as described herein.
- The network 130 may be a wireless network, a wired network, a public network such as the Internet, a private network, a global system for mobile communication (GSM) network, a general packet radio service (GPRS) network, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a cellular network, a public switched telephone network (PSTN), a personal area network, Bluetooth, Wi-Fi Direct, Near Field Communication (NFC), Ultra-Wideband, a combination thereof, or any other network, but it is not limited thereto.
- The network 130 may be a private network separate from a public network.
- The private network may not be connected to other networks, or may be configured with limited access, so that the network camera management system 100 operates in an environment isolated from other devices.
- An authentication method for the camera 110 according to the exemplary embodiments presented herein can prevent the risk of an unauthorized device being connected to the network 130.
- FIG. 2 is a flowchart illustrating an operation of the network camera management system of FIG. 1 , according to an exemplary embodiment.
- The management device 120 authenticates the camera 110 in the network 130 to determine whether the camera 110 is authorized to communicate with the management device 120 through the network 130; to this end, the management device 120 determines whether a device binding certificate is valid, as described later herein.
- Communication protocols for communication between the camera 110 and the management device 120 may include, for example, Transmission Control Protocol (TCP)/Internet Protocol (IP) or Secure Socket Layer (SSL)/Transport Layer Security (TLS), but are not limited thereto.
- The camera 110 and the management device 120 can communicate with each other via a web service-based protocol, which can be used for interworking with other devices or media on the network 130.
- The camera 110 and the management device 120 may use the web service-based protocol to perform functions such as discovery of other devices on a network, network configuration, device management, event handling, etc.
- The camera 110 and the management device 120 may exchange device management messages, which may be represented in Web Services Description Language (WSDL).
- The management device 120 may establish a connection to the camera 110.
- The management device 120 may establish the connection by sending a connection request to a web server running on the camera 110.
- The management device 120, as a client, performs a TCP session set-up process, a TLS process, and an HTTP handshake process to connect to the camera 110 as a server.
- FIG. 2 describes the case in which the management device 120 initiates a TCP/TLS connection.
- Alternatively, the camera 110 may send a connection request first to the management device 120 to set up a connection between them.
- The connection request of the management device 120 may be the initiation of a TLS handshake with the camera 110.
- The management device 120 may authenticate a web service of the camera 110, and in this case step 151 may include, for example, an operation in which the management device 120 transmits a "client hello" message to request set-up of an SSL session.
- The client hello message may include various information required for setting up an SSL session, for example, an SSL version number of the management device 120, cipher settings of a cryptographic algorithm, and other session-specific data.
- The SSL version number of the management device 120 may be a random number generated by the management device 120.
- In step 153, after accepting the connection request, the camera 110 may send a certificate to the management device 120.
- Step 153 may include, for example, an operation in which the camera 110 transmits a "server hello" message in response to the client hello message of the TLS handshake.
- The server hello message may also include various information, for example, an SSL version number of the camera 110, password settings, and other detailed data on the SSL session.
- The SSL version number of the camera 110 may also be a random number generated by the camera 110.
- The camera 110 may include its certificate in the server hello message sent to the management device 120, or may send the certificate to the management device 120 separately from the server hello message.
- The certificate sent from the camera 110 to the management device 120 may include device binding information.
- The device binding information is related to device information about the camera 110.
- The device information about the camera 110 corresponds to identification information about the camera 110 that identifies the camera 110 from other devices.
- The device information may comprise hardware information that is determined during the manufacture or assembly of the camera 110 and uniquely identifies the camera 110 from among other devices.
- The device information may include, for example, at least a part of the Medium Access Control (MAC) address of a communication interface of the camera 110, which is known as a hardware address and is relatively unique among network interface cards (NICs).
- The device information may include other hardware specific information, such as information about at least a part of the components of the camera 110 (a controller, a storage, a lens, an image sensor, etc.), as long as the device information can identify the camera 110 from other devices.
- The certificate may be expressed, for example, in the form of an X.509v3 certificate or a variant thereof, and in such a case the device binding information may be included in a field such as SubjectPublicKeyInfo or one of the extension fields. However, it is not limited thereto, and the device binding information may be included in various certificate types or fields.
- The device binding information about the camera 110 may be inserted into the certificate when a certificate authority generates a digital signature at least partially based on the device information, such as the MAC address of the camera 110. If a certificate including the device binding information about the camera 110 is used in a certificate validation process, a peer device can notice that the certificate with the device binding information was originally issued for the camera 110 with which the device binding information is associated. A certificate including device binding information for a specific camera device may also be referred to as a device binding certificate, a device specific certificate, or a device unique certificate. Because the digital signature of the certificate was generated based on the device information about the camera 110, the device binding certificate may be used, during its validation, to determine whether a communication session is securely established with the camera 110 identified by the device information.
- the management device 120 may acquire the device information about the camera 110 in order to verify validity of the certificate.
- the device information may be obtained from the storage of the management device (optionally in step 161 a ).
- the management device 120 may pre-store the device information about the camera 110 in the storage unit in a process of registering the camera 110 .
- the device may request the camera 110 to send the device information to the management device 120 (optionally in step 161 b ).
- step 161 to receive the device information about the camera 110 may be performed after step 151 for the connection establishment with the camera 110 , and may be performed before or after step 153 in different implementations.
- the management device 120 may receive the device information about the camera 110 from the camera 110 before step 151 for the connection establishment is carried out.
- the management device 120 may acquire the device information about the camera 110 through a web service provided by the camera 110 .
- the camera 110 may support various commands for device management functions, such as a device management command, a discovery command, a device capability command, and a device configuration command to provide device information about the camera 110 , and the management device 120 may request the device information about the camera 110 by sending a message including a command to request the device information about the camera 110 to the camera 110 or a command to request identification information that can be used as the device information about the camera 110 .
- a command to obtain the MAC address of the camera 110 GetNetworkInterface, may be included in the message requesting for the device information about the camera 110 .
- the camera 110 may request, for example, user authentication for the request from the device information from the management device 120 .
- the management device 120 may send to the camera 110 user-based authentication information such as a Hypertext Transfer Protocol (HTTP) Basic authentication or digest authentication that can be used at an HTTP level.
- the camera 110 may perform a user-based access control based on the authentication information received from the management device 120 . For example, based on the authentication information, a user may be classified into an administrator, an operator, a user, or anonymous.
- access classes are also defined, such as system configuration information (READ_SYSTEM) and confidential information (READ_SYSTEM_SENSITIVE), and the camera 110 may maintain an access policy indicating the access classes authorized for each authenticated user. For example, when the access policy places the request for the device information about the camera 110 at the system configuration information (READ_SYSTEM) level, and the user authentication information transmitted from the management device 120 is verified and identifies the request as coming from an administrator, the camera 110 may read the device information classified as system configuration information and send it to the management device 120 . Therefore, in the procedure shown in FIG.
- the management device 120 transmits a device management message carrying administrator-level authentication information to the camera 110 in step 161 b - 1 , the camera 110 checks whether the administrator-level authentication information is correct in step 161 b - 2 , and, when the administrator-level authentication succeeds, the camera 110 reads the device information from its system area and transmits it to the management device 120 , within the range allowed by the access policy, in step 161 b - 3 .
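The HTTP-level user authentication and the role-based access policy described for step 161 b, worked through as an added example (this code is not from the patent or from any camera vendor). The digest computation is the algorithm=MD5, qop=auth form of RFC 7616 (the original RFC 2617 construction), which is what the page's "digest authentication" refers to; the realm, account names, passwords, request URI, and the mapping of roles to the READ_SYSTEM and READ_SYSTEM_SENSITIVE classes are constructed for the example, since the page names the roles and classes but fixes no policy. The device information returned is a constructed sample.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Roles and access classes named on the page.
type Role string

const (
	Anonymous     Role = "anonymous"
	User          Role = "user"
	Operator      Role = "operator"
	Administrator Role = "administrator"
)

type AccessClass string

const (
	ReadSystem          AccessClass = "READ_SYSTEM"           // system configuration information
	ReadSystemSensitive AccessClass = "READ_SYSTEM_SENSITIVE" // confidential information
)

// DeviceURI is the assumed request URI of the device-information service.
const DeviceURI = "/device_service"

type account struct {
	role     Role
	password string
}

// Camera models the camera's HTTP Digest check and its access policy (which
// roles may read each access class). Accounts and policy are constructed.
type Camera struct {
	realm    string
	accounts map[string]account
	policy   map[AccessClass][]Role
}

func NewSampleCamera() *Camera {
	return &Camera{
		realm: "camera110",
		accounts: map[string]account{
			"admin":    {Administrator, "example-admin-pw"},
			"operator": {Operator, "example-operator-pw"},
			"viewer":   {User, "example-viewer-pw"},
		},
		policy: map[AccessClass][]Role{ReadSystem: {Administrator, Operator}, ReadSystemSensitive: {Administrator}},
	}
}

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestResponse computes the RFC 7616 "response" field for algorithm=MD5 and
// qop=auth: the value the management device sends in its Authorization header
// and the value the camera recomputes to check it.
func DigestResponse(user, realm, password, method, uri, nonce, nc, cnonce string) string {
	ha1 := md5hex(user + ":" + realm + ":" + password)
	ha2 := md5hex(method + ":" + uri)
	return md5hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2)
}

// Authenticate checks the presented digest and returns the caller's role;
// unknown users and wrong digests are anonymous. A real server must also
// confirm that it issued nonce and that nc has not been reused.
func (c *Camera) Authenticate(user, method, uri, nonce, nc, cnonce, response string) Role {
	acct, ok := c.accounts[user]
	if !ok {
		return Anonymous
	}
	want := DigestResponse(user, c.realm, acct.password, method, uri, nonce, nc, cnonce)
	if subtle.ConstantTimeCompare([]byte(want), []byte(response)) != 1 {
		return Anonymous
	}
	return acct.role
}

// Authorized applies the access policy for one access class.
func (c *Camera) Authorized(role Role, class AccessClass) bool {
	for _, r := range c.policy[class] {
		if r == role {
			return true
		}
	}
	return false
}

// GetDeviceInformation models step 161 b: the request is served only when the
// digest checks out and the policy grants READ_SYSTEM to the caller's role.
func (c *Camera) GetDeviceInformation(user, nonce, nc, cnonce, response string) (map[string]string, error) {
	role := c.Authenticate(user, "POST", DeviceURI, nonce, nc, cnonce, response)
	if !c.Authorized(role, ReadSystem) {
		return nil, fmt.Errorf("role %q may not read %s", role, ReadSystem)
	}
	return map[string]string{"mac": "00:1a:2b:3c:4d:5e", "serial": "CAM-000110"}, nil // constructed sample
}
```

Digest authentication keeps the password off the wire but does not protect the request or the returned device information; when the device information is fetched before the protected session exists (as the page allows), an on-path attacker can alter the MAC address the management device later compares against the certificate, which is why the pre-registered device information stored at enrollment matters.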
- in step 163 the management device 120 verifies whether the certificate received from the camera 110 in step 153 is valid, with reference to the device information obtained in step 161 .
- step 163 is the process by which the management device 120 determines whether the certificate is valid: it checks whether the device binding information included in the certificate was generated based on the device information about the camera 110 (step 163 a ) and whether the certificate itself is valid (step 163 b ).
- in step 163 a the management device 120 may check whether the device information contained in the device binding information corresponds to the device information it acquired in step 161 . To this end, the management device 120 verifies the certificate authority's digital signature over the device binding information, and may also perform certificate chain verification. For example, the management device 120 may determine whether at least a portion of the device information is contained in the device binding information of the certificate.
- the management device 120 may compare certificate information which is pre-stored with certificate information received from the camera 110 in order to verify whether the certificate is valid.
- the certificate information used in this comparison may include, for example, hash data generated based on at least a part of the certificate.
- Such certificate information to be used in step 163 b may be referred to as pinning information about the certificate or fixing information about the certificate.
- the comparison of the certificate information in step 163 b may be performed simply by comparing hash data of the certificate received from the camera 110 with hash data of the certificate which is pre-stored or pre-registered in order to determine whether data of the certificate itself has been changed maliciously or arbitrarily.
- the management device 120 may store the certificate information about the camera 110 in advance.
- the management device 120 may generate and store the hash data using the certificate received from the camera 110 when initially communicating with the camera 110 .
- the management device 120 may generate the hash data after receiving the certificate of the camera 110 through a separate channel (out of band) or the management device 120 may receive the hash data generated in another device and store it.
- the management device 120 may generate and store the hash data in the process of performing an issuance request and an installation of the certificate on behalf of the camera 110 , which will be described below referring to FIGS. 4 and 5 .
- the management device 120 may determine that the certificate is valid if the hash data of the received certificate is the same as the previously stored hash data for the camera 110 . Even if the device binding information in the certificate includes the device information about the camera 110 and the certificate was issued by the trusted certificate authority, the certificate is not necessarily regarded as valid if its hash data has not been pre-stored. Storing the certificate information in the management device 120 in advance for use in future authentication may be referred to as pinning the certificate.
- the result of authenticating the camera 110 by the management device 120 is unsuccessful if the device information included in the device binding information differs from the device information acquired by the management device 120 in step 161 (step 163 a ), or if the certificate is not valid (step 163 b ); in that case the authentication of the camera 110 in which the certificate is installed fails, and the camera 110 is not regarded as a legitimate network entity.
- the result of the validation of the certificate by the management device 120 may be determined to be successful if the device binding information included in the certificate includes at least a part of the device information about the camera 110 , the pinning information about the certificate matches pinning information pre-stored in the management device 120 , and other items in the certificate are also valid. Thereafter, the management device 120 may establish a protected session with the camera 110 in step 171 .
- the management device 120 needs to ensure confidentiality within the protected session. To this end, the management device 120 generates a random number, which also serves to prevent replay attacks, and applies a key derivation function to the random number to generate a master key or secret key for securing the SSL session. The management device 120 can then encrypt the master key or secret key with the public key of the camera 110 and transmit the encrypted key to the camera 110 , so that both sides share the secret key for the protected session (step 173 ). Protected communication can then take place over subsequent SSL sessions.
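The key-sharing step 173 described above (and restated for FIG. 6), worked through as an added example; this is not the patent's code. The page describes RSA-style key transport: a random number is drawn, a key derivation function turns it into the session key, and the random input is encrypted under the camera's certified public key. The example uses RSA-OAEP with SHA-256 for the wrapping, a single HMAC-SHA256 expand step with a fixed label as a reduced HKDF (the page names no particular KDF), and the label string, 32-byte random size, and function names are assumptions. The page says the random number prevents replay; that only holds if the camera remembers the values it has accepted, so the camera side keeps that set. Two caveats a practitioner should weigh: this construction has no forward secrecy (a later compromise of the camera's private key decrypts every recorded session), and TLS 1.3 removed RSA key transport in favour of (EC)DHE for exactly that reason, so in a real deployment the certificate should authenticate an ephemeral key exchange rather than wrap the session key directly.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Assumed label string; it binds the OAEP wrapping and the KDF to this purpose.
const sessionLabel = "camera-protected-session-v1"

// kdf turns the 32-byte random number into the session key with one
// HMAC-SHA256 expand step, a reduced HKDF (the page names no particular KDF).
func kdf(random []byte) []byte {
	mac := hmac.New(sha256.New, random)
	mac.Write([]byte(sessionLabel))
	mac.Write([]byte{1})
	return mac.Sum(nil)
}

// InitiateSession is the management-device side of step 173: draw fresh
// randomness, derive the session key from it, and wrap the randomness with
// RSA-OAEP under the camera's certified public key.
func InitiateSession(cameraPub *rsa.PublicKey) (wrapped, sessionKey []byte, err error) {
	random := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, random); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cameraPub, random, []byte(sessionLabel))
	if err != nil {
		return nil, nil, err
	}
	return wrapped, kdf(random), nil
}

// Camera holds the private key matching its device-binding certificate and
// remembers every random value it has accepted, so that a captured wrapped key
// replayed by an attacker does not open a second session.
type Camera struct {
	key  *rsa.PrivateKey
	seen map[[32]byte]bool
}

func NewCamera(bits int) (*Camera, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Camera{key: key, seen: map[[32]byte]bool{}}, nil
}

func (c *Camera) PublicKey() *rsa.PublicKey { return &c.key.PublicKey }

// AcceptSession is the camera side: unwrap with the private key, reject
// replays, and derive the same session key the management device holds.
func (c *Camera) AcceptSession(wrapped []byte) ([]byte, error) {
	random, err := rsa.DecryptOAEP(sha256.New(), nil, c.key, wrapped, []byte(sessionLabel))
	if err != nil || len(random) != 32 {
		return nil, errors.New("key unwrap failed")
	}
	var id [32]byte
	copy(id[:], random)
	if c.seen[id] {
		return nil, errors.New("replayed session key rejected")
	}
	c.seen[id] = true
	return kdf(random), nil
}
```

The 32-byte output of kdf is sized for AES-256; the replay set is kept in memory here and would need to be persisted, or replaced by a server-chosen nonce the camera contributes, on a real device.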
- FIG. 3 is a flowchart of a method of installing a certificate including device binding information in a camera through a deployment device, according to an exemplary embodiment.
- the certificate installation method described below can be performed during a manufacturing process of the camera 110 or when the camera 110 is first registered with the management device 120 .
- a deployment device may issue a certificate for the camera 110 and install it in the camera 110 . To this end, the deployment device acquires the device information about the camera 110 in step 301 . The deployment device may store the device information.
- the device information may be identification information about the camera 110 that can be used to distinguish the camera 110 from other devices.
- the device information may include at least a part of the MAC address of a communication interface included in the camera 110 .
- the device information may further be generated from at least a portion of the components included in the camera, such as a controller, a storage, a lens, an image sensor, etc.
- the device information may be information representing hardware features of the camera 110 or information obtained from the components not removable from the camera 110 .
- the deployment device generates a key pair to be installed in the camera 110 in step 303 .
- the key used in the camera authentication method disclosed herein is a key pair that can be used in a Public Key Infrastructure (PKI) based security protocol, and includes a pair of a private key and a public key to perform functions such as encryption/decryption, electronic signature/verification, and the like.
- a public key algorithm can be used to provide confidentiality of data. Namely, if data is encrypted using the public key of a specific user or device, only that user or device can decrypt it, using the private key that is cryptographically associated with the public key, so the encrypted data is accessible only to that user or device. Likewise, a signature created with the private key of a specific user or device can be verified with the corresponding public key, and digital signing and verification are enabled by these properties of the key pair.
- the deployment device requests the certificate authority to issue a certificate based on the device information acquired in step 301 and the public key generated in step 303 .
- the certificate authority generates a digital signature on data including the device information so that the certificate including the digital signature can be used only for a specific device associated with the device information.
- the device information included in the generated certificate may be referred to as device binding information because the certificate can be used only for the specific device, i.e., the camera 110 .
- the deployment device receives a certificate including the device information from the certificate authority.
- the certificate received from the certificate authority may be referred to as a device binding certificate.
- the deployment device stores information about the certificate so that it can be used for authenticating the camera 110 in the future. In the authentication process of the camera 110 , this certificate information may be called device pinning information because it can be used only for the specific device, i.e., the camera 110 .
- in step 311 the deployment device installs the certificate in the camera 110 by inserting the device pinning information into the camera 110 , so that the device pinning information can be used in the authentication process thereafter.
- the deployment device may be implemented as the management device 120 or the camera device 110 described above referring to FIG. 1 and FIG. 2 .
- the deployment device may be implemented as the management device 120 or a device used during a manufacturing process of the camera 110 which performs installation of the certificate.
- FIG. 4 is a flowchart illustrating a method of installing a certificate including device binding information in a camera, according to an exemplary embodiment.
- the management device 120 may install a key and a certificate at the time of initial registration of the camera 110 .
- the detailed descriptions that are redundant will be omitted.
- the management device 120 acquires device information about the camera 110 and stores the acquired device information in its storage for the camera authentication operation as described with reference to FIG. 2 .
- the management device 120 generates a PKI-based key pair, and, in step 405 , requests a certificate authority 140 to issue a certificate based on the device information and the public key.
- the certificate authority 140 creates the certificate including device binding information by generating a digital signature on data including the device information.
- the management device 120 receives the certificate from the certificate authority, and, in step 411 , stores certificate information about the certificate, which may be, for example, in the form of hash data of the certificate.
- a method of preventing a malicious or arbitrary change of the certificate of the camera 110 in a later authentication process by storing the hash data of the certificate may be referred to as device pinning.
- the hash data of the certificate may be certificate pinning information that pins or fixes the certificate to the camera 110 .
- the management device 120 requests the camera 110 to install the key pair and the certificate in step 413 .
- the camera 110 may install the key pair and certificate in its storage (not shown) in step 415 , so that the certificate can be used when the management device 120 performs device authentication of the camera 110 for secure communication with the camera 110 .
- the certificate authority 140 is an organization generating a digital signature on data including the device information and the public key of the camera 110 or a server performing such an operation.
- the certificate authority 140 may include a private certificate authority as well as an accredited certificate authority.
- FIG. 5 is a flowchart illustrating a method of installing a certificate including device binding information in a camera, according to an exemplary embodiment. Unlike in the previous exemplary embodiment described with reference to FIG. 4 , the camera generates a key pair in the certificate installation method of FIG. 5 .
- the camera 110 acquires its device information and generates a PKI-based key pair.
- the camera 110 requests the management device 120 to issue a certificate based on the device information and the public key.
- the management device 120 stores the device information for a camera authentication operation in the future in step 506 , and relays the certificate issuance request to the certificate authority 140 in step 507 .
- the certificate authority 140 generates a certificate including device binding information by generating a digital signature on data including the device information in step 509 .
- the management device 120 then receives the certificate from the certificate authority in step 511 , pins or fixes the certificate by storing pinning information about the certificate such as hash data of the certificate in step 513 , and requests the camera 110 to install the key pair and the certificate in step 515 .
- the camera 110 may install the key pair and the certificate in its storage in step 517 , so that the certificate can be used when the management device 120 performs device authentication of the camera 110 for secure communication with the camera 110 .
- the deployment device may acquire device information for a plurality of cameras in advance, generate a corresponding number of key pairs, and send the public keys together with the device information to a certificate authority for each of the cameras. Thereafter, the deployment device may use the resulting sets of device information, certificate and key pair to install them all at once in the cameras during mass production.
- the management device 120 may perform a separate operation of requesting device information for a camera authentication operation. For example, if the management device 120 is not involved in the certificate issuance process, unlike in the embodiment of FIG. 5 , the management device 120 may request the camera 110 to send device information before it verifies the validity of the device binding certificate. Specifically, when the management device 120 receives a device binding certificate during a handshake for secured communication with the camera 110 , such as SSL, it may request the camera 110 to send the device information, receive the device information from the camera 110 , and determine the validity of the device binding certificate based on it. Depending on the implementation, the management device 120 may establish a connection with the camera 110 first, then request the device information and receive it in response.
- FIG. 6 illustrates steps to authenticate a camera, according to an exemplary embodiment.
- An authentication method disclosed with reference to FIG. 6 is an example operation of the network camera management system of FIG. 2 , and detailed descriptions that are redundant will be omitted.
- the management device 120 receives device information about the camera 110 from the camera 110 .
- the device information is identification information about the camera 110 to uniquely identify the camera 110 from other devices.
- the device information may include at least some hardware information that is set during a manufacturing and/or assembling process of the camera 110 .
- the device information may include at least a part of, for example, a MAC address of a communication interface included in the camera 110 , and may include information about at least a part of components of the camera 110 .
- the management device 120 receives a device binding certificate from the camera 110 .
- the device binding certificate is data issued to include device information about the camera.
- the device binding certificate may be issued by a certificate authority and include a digital signature on data including device information about the camera.
- step 603 of receiving the device binding certificate may be performed prior to step 601 of receiving the device information about the camera 110 .
- the management device 120 determines whether device binding information in the device binding certificate has been generated based on the device information.
- the management device 120 can verify the device binding certificate based on the device binding information in the device binding certificate and the device information received from the camera 110 . If the device information included in the device binding information does not match the device information received from the camera 110 , the management device 120 may stop an authentication process and send to the camera 110 information about the failure of the authentication process.
- the management device 120 determines whether pinning information about the device binding certificate matches pinning information pre-stored in the management device 120 .
- the management device 120 generates the pinning information about the device binding certificate when it acquires the device binding certificate from the camera 110 , for example when the camera 110 is initially registered or installed in the network 130 , or when the management device 120 receives the device binding certificate from the camera 110 for the first time; the management device 120 then fixes the device binding certificate to the camera 110 by storing the pinning information in its storage together with identification information or device information about the camera 110 .
- the pinning information about the device binding certificate may be hash data of the device binding certificate.
- the management device 120 verifies validity of the received device binding certificate by determining whether the device binding certificate received in the authentication process matches the previously stored pinning information.
- the management device 120 establishes a protected session with the camera 110 if it is determined that the pinning information about the device binding certificate matches the pre-stored pinning information.
- the management device 120 may generate a master key or a secret key for communication in a protected session, and encrypt the secret key with a public key of the camera 110 included in the device binding certificate, and transmit the encrypted secret key to the camera 110 .
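The whole life cycle described on this page, as an added example rather than the patent's own code: issuance of a device-binding certificate and pinning of its hash (FIG. 3 through FIG. 5), and the three-part check the management device runs in step 163 of FIG. 2 and again in FIG. 6 (certificate authority signature and chain, device binding information against the observed device information, and the pinned hash). The page does not say how the binding data is encoded in the certificate, so the example carries it in a non-critical X.509 extension under a hypothetical private OID (1.3.6.1.4.1.99999.1) as an ASN.1 SEQUENCE of the MAC address and a component serial; the self-signed ECDSA P-256 private CA, the type and function names (Deployment, Enroll, Authenticate), and the sample MAC and sensor serial are all constructed. It uses only the Go standard library. One practitioner caveat the example makes visible: a certificate that is correctly signed and correctly bound still fails when its hash is not pinned, exactly as the page states, and the binding comparison only adds assurance when the observed device information comes from somewhere the holder of a stolen certificate cannot influence, such as the copy stored at enrollment; a MAC address the camera claims over the network is trivial to spoof.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"strings"
	"time"
)

// DeviceInfo is the identification data bound into the certificate: the MAC of
// the network interface plus the serial of a non-removable component.
type DeviceInfo struct {
	MAC          string
	SensorSerial string
}

// Hypothetical private OID for the binding extension (the page fixes no
// encoding); its value is DeviceInfo marshalled as an ASN.1 SEQUENCE.
var oidDeviceBinding = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func normalizeMAC(m string) string { return strings.ToLower(strings.ReplaceAll(m, "-", ":")) }

// NewCameraKey generates the PKI key pair installed in the camera (FIG. 4 / FIG. 5).
func NewCameraKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Deployment plays the management device of FIG. 4: it runs a private CA,
// issues device-binding certificates and keeps the pinned hash per camera.
type Deployment struct {
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
	roots *x509.CertPool
	Pins  map[string][32]byte // normalized MAC -> SHA-256 of the DER certificate
}

// NewDeployment creates the private CA as a self-signed ECDSA P-256 root.
func NewDeployment() (*Deployment, error) {
	key, err := NewCameraKey()
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Camera Deployment CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	ca, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	d := &Deployment{ca: ca, caKey: key, roots: x509.NewCertPool(), Pins: map[string][32]byte{}}
	d.roots.AddCert(ca)
	return d, nil
}

// Enroll is the issuance path of FIG. 4 steps 405 through 411: the CA signs the
// camera's public key together with its device information, and the resulting
// certificate is pinned before it is handed to the camera for installation.
func (d *Deployment) Enroll(pub *ecdsa.PublicKey, info DeviceInfo) ([]byte, error) {
	info.MAC = normalizeMAC(info.MAC)
	binding, err := asn1.Marshal(info)
	if err != nil { return nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:    serial.Add(serial, big.NewInt(1)),
		Subject:         pkix.Name{CommonName: "camera-" + info.MAC},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidDeviceBinding, Value: binding}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, d.ca, pub, d.caKey)
	if err == nil { d.Pins[info.MAC] = sha256.Sum256(der) }
	return der, err
}

// Authenticate is the management-device check of FIG. 2 step 163 / FIG. 6: CA
// signature and chain, binding data against the observed device information
// (step 163 a) and the pinned hash (step 163 b). All three must pass.
func (d *Deployment) Authenticate(certDER []byte, observed DeviceInfo) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	if _, err := cert.Verify(x509.VerifyOptions{Roots: d.roots}); err != nil { return err }
	var bound DeviceInfo
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidDeviceBinding) {
			if _, err := asn1.Unmarshal(e.Value, &bound); err != nil { return err }
		}
	}
	if bound.MAC == "" {
		return errors.New("certificate carries no device binding information")
	}
	if bound.MAC != normalizeMAC(observed.MAC) || bound.SensorSerial != observed.SensorSerial {
		return errors.New("device binding information does not match the camera")
	}
	if pin, ok := d.Pins[bound.MAC]; !ok || pin != sha256.Sum256(cert.Raw) {
		return errors.New("certificate is not the one pinned for this camera")
	}
	return nil
}
```

The pin is a hash of public data, so an ordinary array comparison is used; the MAC is normalized on both sides because cameras report it with colons, hyphens, or mixed case depending on the command used to read it. The page's FIG. 3 variant, in which a separate deployment device issues the certificate during manufacturing and the management device learns the pin out of band, maps onto the same Pins table being filled from that channel instead of inside Enroll.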
- FIG. 7 is an exemplary block diagram of a camera according to an exemplary embodiment.
- a camera 700 according to an exemplary embodiment may include a communication interface 710 , a storage 720 , a controller 730 , and an image sensor 740 .
- the camera 700 may be the same as the camera 110 described with reference to FIG. 1 .
- the communication interface 710 may be configured as a wired and/or wireless communication module.
- the communication interface 710 may be a wireless communication module compatible with various mobile networks, Wi-Fi, Bluetooth, Zigbee, near field communication (NFC), or wireless broadband Internet, and/or a wired communication module compatible with LAN/Ethernet, not being limited thereto, to be connected to the network 130 in FIG. 1 .
- the communication interface 710 may perform wired/wireless communication with the management device 120 through the network 130 .
- the storage 720 may store a certificate issued so as to include device binding information generated based on device information, together with the public key included in the certificate and the private key that is cryptographically related to the public key.
- the device information corresponds to identification information about the camera 700 to distinguish it from other devices.
- the device information may include at least a part of a Medium Access Control (MAC) address of the communication interface 710 .
- the device information may further include at least a part of the hardware information, hardware address information, or serial number of the wired or wireless communication module of the communication interface 710 .
- the storage 720 may temporarily or permanently store data processed by the camera 700 .
- the storage may include magnetic storage media or flash storage media, not being limited thereto.
- the storage 720 may be separated into a general storage 721 and a secure storage 723 having a higher security level than the general storage 721 .
- the secure storage 723 may store data to be protected from an external unauthorized access such as a public key, a private key, and a certificate.
- the secure storage 723 can be implemented together with the controller 730 and the storage 720 , collectively in the form of a secure environment.
- a general execution environment in a camera may be referred to as an execution environment with a low security level, for example, a Rich Execution Environment (REE).
- a secure execution environment, distinguished from the general execution environment, is an execution environment with a high security level and may be called, for example, a Trusted Execution Environment (TEE).
- the secure execution environment can, for example, store data requiring a relatively high security level in a secure environment, and perform related operations.
- the camera 700 may, for example, store an encryption key required to perform an encryption function in a secure execution environment, and may execute a cryptographic function such as digital signing, verification, encryption, or decryption using the encryption key in a secure execution environment.
- the secure execution environment of the camera 700 may operate on an application processor included in a device, or may operate on a separate trusted hardware architecture.
- the secure execution environment can operate in a secure domain, for example, by dividing an application processor or a memory into a general domain and a secure domain.
- the secure execution environment can be configured such that software or hardware requiring security is operated only in the secure area.
- Applications executed in the general execution environment can access an operation result of the secure execution environment through a memory shared by the general execution environment and the secure execution environment, or through an application programming interface (API) of the secure execution environment.
- the secure execution environment may be referred to as, for example, TrustZone, IPT, Secure Enclave, or the like.
- the controller 730 may receive a connection request from the management device 120 of FIG. 1 , transmit the certificate to the management device 120 , and establish a protected session with the management device 120 according to a result of determining that the certificate of the camera 700 is valid at the management device 120 at least partially based on device binding information and device information.
- the controller 730 may include any kind of device capable of processing data, such as a processor.
- the term processor may refer to a data processing device embedded in hardware, for example one having a circuit physically structured to perform the function represented by the code or instructions contained in a program.
- Examples of such a data processing device embedded in hardware include a microprocessor, a central processing unit (CPU), a processor core, a multiprocessor, an application-specific integrated circuit (ASIC), and a field programmable gate array (FPGA), but the scope of the present invention is not limited thereto.
- the image sensor 740 may convert the image input by the lens into an electrical signal.
- the image sensor 740 may be a semiconductor device capable of converting an optical signal into an electrical signal such as a charge-coupled device (CCD) or a complementary metal oxide semiconductor (CMOS).
- the device information about the camera 700 includes at least a part of identification information provided by the secure storage 723 , which has a high security level, and identification information about the controller 730 or the image sensor 740 .
- FIG. 8 is a block diagram of a management device according to an exemplary embodiment.
- a management device 800 may be configured to include a communication interface 810 , a storage 820 , and a controller 830 .
- the management device 800 corresponds to the management device 120 described with reference to FIG. 1 .
- the communication interface 810 may perform wired/wireless communication with the camera 110 (or 700 ) through the network 130 .
- the storage 820 may store the device information about the camera 110 .
- the controller 830 is operatively coupled to the communication interface 810 and the storage 820 , and configured to establish a protected session with the camera 110 based on a result of a validity check of a certificate of the camera.
- the controller 830 is configured to receive, from the camera, the certificate of the camera via the communication interface 810 , and to determine that the certificate is valid at least partially based on the device information stored in the storage 820 and the device binding information included in the certificate. Determining the validity of the certificate of the camera may be performed by determining whether the device binding information includes the device information, determining whether the digital signature of the certificate authority is valid, and determining whether the pinning information about the certificate matches the pre-stored pinning information about the camera 110 .
- the pinning information about the certificate may include a hash value for the certificate.
- the device authentication method can be implemented as computer-readable codes in a computer-readable storage medium.
- a computer-readable storage medium includes all kinds of storage devices in which data that can be read by a computer system is stored. Examples of the computer-readable storage medium include a read-only memory (ROM), a random access memory (RAM), compact disc (CD)-ROM, magnetic tape, floppy disk, optical data storage, and the like, not being limited thereto.
- the computer-readable storage medium may be distributed over a network-connected computer system so that a computer readable code can be stored and executed in a distributed manner.
- functional programs, codes, and code segments for implementing the exemplary embodiments can be easily deduced by programmers skilled in the art to which the inventive concept pertains.
- inventive concept may be embodied in other specific forms without departing from its spirit or essential characteristics.
- the described exemplary embodiments are to be considered in all respects only as illustrative and not restrictive.
- the scope of the inventive concept is, therefore, indicated by the appended claims rather than by the foregoing descriptions. All changes which come within the meaning and range of equivalency of the claims are to be embraced within the inventive concept.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Power Engineering (AREA)
- Multimedia (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Studio Devices (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/158,197 US20230164136A1 (en) | 2017-09-21 | 2023-01-23 | Authenticating a networked camera using a certificate having device binding information |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2017-0122089 | 2017-09-21 | ||
KR1020170122089A KR102485857B1 (ko) | 2017-09-21 | 2017-09-21 | 장치 결합 정보를 포함하는 인증서를 이용한 네트워크 카메라 인증 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/158,197 Continuation US20230164136A1 (en) | 2017-09-21 | 2023-01-23 | Authenticating a networked camera using a certificate having device binding information |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190089696A1 true US20190089696A1 (en) | 2019-03-21 |
Family
ID=63720482
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/137,961 Abandoned US20190089696A1 (en) | 2017-09-21 | 2018-09-21 | Authenticating a networked camera using a certificate having device binding information |
US18/158,197 Pending US20230164136A1 (en) | 2017-09-21 | 2023-01-23 | Authenticating a networked camera using a certificate having device binding information |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/158,197 Pending US20230164136A1 (en) | 2017-09-21 | 2023-01-23 | Authenticating a networked camera using a certificate having device binding information |
Country Status (3)
Country | Link |
---|---|
US (2) | US20190089696A1 (ko) |
EP (1) | EP3461100B1 (ko) |
KR (1) | KR102485857B1 (ko) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190116173A1 (en) * | 2017-10-12 | 2019-04-18 | Dell Products L.P. | Context and device state driven authorization for devices |
US20190182477A1 (en) * | 2017-12-11 | 2019-06-13 | Verint Systems, Ltd. | Camera certification for video surveillance systems |
US11121869B1 (en) * | 2020-05-08 | 2021-09-14 | Amazon Technologies, Inc. | Decentralized cryptographic key derivation |
WO2021221871A1 (en) | 2020-04-27 | 2021-11-04 | Sony Group Corporation | Visual enrollment of cameras |
US20220124245A1 (en) * | 2020-10-16 | 2022-04-21 | Hanwha Techwin Co., Ltd. | Software application license management of camera device through mediation device |
EP4008113A4 (en) * | 2019-08-02 | 2023-05-03 | Genetec Inc. | METHOD AND SYSTEM FOR CAMERA AUTHENTICATION USING A VIDEO MANAGEMENT SYSTEM |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230318853A1 (en) * | 2020-09-02 | 2023-10-05 | Ictk Holdings Co., Ltd. | User terminal and authentication execution device for performing pseudonym 2-factor authentication, and operating method therefor |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190104251A1 (en) * | 2016-03-31 | 2019-04-04 | Sony Corporation | Image sensor, image pickup apparatus, image sensor-identifying method, image forgery-preventing method, and image alternation-limiting method |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100789354B1 (ko) * | 2001-04-12 | 2007-12-28 | (주)크립토텔레콤 | Method and apparatus for maintaining data security in a network camera, home gateway and home automation device |
KR100947119B1 (ko) * | 2007-12-26 | 2010-03-10 | 한국전자통신연구원 | Certificate verification method, certificate management method, and terminal performing the same |
US8452954B2 (en) * | 2010-04-08 | 2013-05-28 | Intel Corporation | Methods and systems to bind a device to a computer system |
KR20120035299A (ko) * | 2010-10-05 | 2012-04-16 | 한국인터넷진흥원 | Image protection processing apparatus for privacy protection, and image security system and method using the same |
US9641344B1 (en) * | 2013-09-20 | 2017-05-02 | Mobile Iron, Inc. | Multiple factor authentication in an identity certificate service |
- 2017
  - 2017-09-21 KR KR1020170122089A patent/KR102485857B1/ko active IP Right Grant
- 2018
  - 2018-09-21 EP EP18195937.0A patent/EP3461100B1/en active Active
  - 2018-09-21 US US16/137,961 patent/US20190089696A1/en not_active Abandoned
- 2023
  - 2023-01-23 US US18/158,197 patent/US20230164136A1/en active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190104251A1 (en) * | 2016-03-31 | 2019-04-04 | Sony Corporation | Image sensor, image pickup apparatus, image sensor-identifying method, image forgery-preventing method, and image alternation-limiting method |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190116173A1 (en) * | 2017-10-12 | 2019-04-18 | Dell Products L.P. | Context and device state driven authorization for devices |
US10616207B2 (en) * | 2017-10-12 | 2020-04-07 | Dell Products, L.P. | Context and device state driven authorization for devices |
US11258781B2 (en) * | 2017-10-12 | 2022-02-22 | Dell Products L.P. | Context and device state driven authorization for devices |
US20190182477A1 (en) * | 2017-12-11 | 2019-06-13 | Verint Systems, Ltd. | Camera certification for video surveillance systems |
US10757402B2 (en) * | 2017-12-11 | 2020-08-25 | Verint Systems Ltd. | Camera certification for video surveillance systems |
EP4008113A4 (en) * | 2019-08-02 | 2023-05-03 | Genetec Inc. | METHOD AND SYSTEM FOR CAMERA AUTHENTICATION USING A VIDEO MANAGEMENT SYSTEM |
WO2021221871A1 (en) | 2020-04-27 | 2021-11-04 | Sony Group Corporation | Visual enrollment of cameras |
US11625470B2 (en) * | 2020-04-27 | 2023-04-11 | Sony Group Corporation | Visual enrollment of cameras |
EP4121891A4 (en) * | 2020-04-27 | 2023-08-23 | Sony Group Corporation | VISUAL REGISTRATION OF CAMERAS |
US11121869B1 (en) * | 2020-05-08 | 2021-09-14 | Amazon Technologies, Inc. | Decentralized cryptographic key derivation |
US20220124245A1 (en) * | 2020-10-16 | 2022-04-21 | Hanwha Techwin Co., Ltd. | Software application license management of camera device through mediation device |
Also Published As
Publication number | Publication date |
---|---|
KR102485857B1 (ko) | 2023-01-05 |
US20230164136A1 (en) | 2023-05-25 |
EP3461100A1 (en) | 2019-03-27 |
KR20190033380A (ko) | 2019-03-29 |
EP3461100B1 (en) | 2023-11-22 |
Similar Documents
Publication | Title |
---|---|
US20230164136A1 (en) | Authenticating a networked camera using a certificate having device binding information |
JP6571250B2 (ja) | Method for unlocking one device using another device |
US10958664B2 (en) | Method of performing integrity verification between client and server and encryption security protocol-based communication method of supporting integrity verification between client and server |
US9268545B2 (en) | Connecting mobile devices, internet-connected hosts, and cloud services |
TWI465932B (zh) | Method for establishing trust relationships among a mobile device, a vehicle system and cloud services, and mobile device and computer-readable medium thereof |
EP3602991B1 (en) | Mechanism for achieving mutual identity verification via one-way application-device channels |
US11336641B2 (en) | Security enhanced technique of authentication protocol based on trusted execution environment |
TW201534094A (zh) | Assisted device provisioning in a network |
KR101686167B1 (ko) | Apparatus and method for distributing certificates to Internet of Things devices |
JP6012888B2 (ja) | Device certificate providing apparatus, device certificate providing system, and device certificate providing program |
CN108809907B (zh) | Certificate request message sending method, receiving method, and apparatus |
US10924480B2 (en) | Extended trust for onboarding |
JP2015536061A (ja) | Method and apparatus for registering a client with a server |
US11290434B2 (en) | Communication device, method of controlling communication device, and non-transitory computer-readable storage medium |
WO2023141876A1 (zh) | Data transmission method, apparatus, system, electronic device and readable medium |
US20190379655A1 (en) | Data communication system |
KR102131871B1 (ko) | Authentication system including an image collection device and a server, and authentication method using the same |
JP7163206B2 (ja) | Communication control device |
JP6813030B2 (ja) | Communication system |
WO2023141864A1 (zh) | Conference data transmission method, apparatus, system, electronic device and readable medium |
Weber et al. | How to Prevent Misuse of IoTAG? |
US20220109694A1 (en) | Communication system, communication method, and non-transitory computer readable medium storing communication program |
KR102028906B1 (ko) | Zone communication system and method |
KR20240045161A (ko) | Temporary trust anchor registration and device-bound public key registration |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: HANWHA TECHWIN CO., LTD., KOREA, REPUBLIC OF Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KIM, YOUNGSAM;REEL/FRAME:047571/0231 Effective date: 20180920 |
STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER |
STPP | Information on status: patent application and granting procedure in general | Free format text: ADVISORY ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
ZAAA | Notice of allowance and fees due | Free format text: ORIGINAL CODE: NOA |
ZAAB | Notice of allowance mailed | Free format text: ORIGINAL CODE: MN/=. |
STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
AS | Assignment | Owner name: HANWHA VISION CO., LTD., KOREA, REPUBLIC OF Free format text: CHANGE OF NAME;ASSIGNOR:HANWHA TECHWIN CO., LTD.;REEL/FRAME:064549/0075 Effective date: 20230228 |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
STCV | Information on status: appeal procedure | Free format text: NOTICE OF APPEAL FILED |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |