WO2021239249A1 - Devices and methods for zero touch provisioning in a communication network - Google Patents

Devices and methods for zero touch provisioning in a communication network

Info

Publication number: WO2021239249A1
Authority: WO (WIPO (PCT))
Prior art keywords: network device, network, manager, secret, anchor
Prior art date
Application number: PCT/EP2020/064978
Other languages: English (en)
Inventor: Oleg Pogorelik
Original Assignee: Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Priority to CN202080096286.1A (published as CN115136634A)
Priority to PCT/EP2020/064978 (published as WO2021239249A1)
Publication of WO2021239249A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/047 Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0827 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/80 Wireless

Definitions

  • the present disclosure relates to telecommunication in general. More specifically, the present disclosure relates to devices and methods for zero touch provisioning of network devices in a communication network, in particular a wireless communication network.
  • IoT: The Internet of Things
  • Zero Touch Provisioning aims to support an easy and error-free installation of a new network device and its connection to a management system.
  • ZTP: Zero Touch Provisioning
  • the user just has to physically install the network device in place and power it up.
  • the remaining provisioning steps will be done automatically by the network device itself and the supporting management system.
  • ZTP aims to avoid any complicated, time-consuming and error-prone manual operations for provisioning a network device.
  • ZTP can be especially beneficial for communication networks and domains where mass device provisioning and re-provisioning is a regular practice, such as smart homes, smart cities, industrial applications, and the like.
  • the network device to be provisioned is configured to find and establish an initial connection with a trusted management service based on, for instance, a Service Set Identifier (SSID), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) and the like.
  • SSID: Service Set Identifier
  • DNS: Domain Name System
  • DHCP: Dynamic Host Configuration Protocol
  • establishing this initial connection between the network device and the management system usually requires different security measures to be fulfilled in order to make sure that the network device can trust the management system before accepting to be controlled and operated thereby. This is because secure provisioning procedures will have to be able to operate in complex environments with several available management systems and to withstand attempts to hijack a yet un-provisioned network device by an adversarial third party operating a malicious management system.
  • Some of the security measures for assessing the security credibility of a management system comprise the use of digital certificates, an adjustment of the management system per network device (e.g. emulating SSID) and/or a few manual operations, such as scanning a QR code associated with the network device to be provisioned, pressing one or more buttons of the network device for a specific time period, pre-configuring the network device during a staging operation, and the like.
  • the disclosure provides devices and methods for zero touch provisioning of a network device in a communication network, in particular a wireless communication network.
  • embodiments of the disclosure enable a completely zero touch provisioning (CZTP) of a network device in environments with several legitimate, i.e. non-adversarial network device managers, wherein each network device manager may control one or more network devices of a large set of network devices.
  • CZTP: Completely Zero Touch Provisioning
  • embodiments of the disclosure enable a given, yet un-provisioned network device to discover with high probability the network device manager that is suitable and/or supposed to manage the given network device.
  • embodiments of the disclosure allow the yet un-provisioned network device to assess the trust, i.e. the security credibility, of a given network device manager before accepting control by the network device manager.
  • embodiments of the disclosure provide schemes for a network device for recovering from an association with a wrong or a malicious network device manager.
  • the disclosure relates to a network device for establishing a secure management connection with a network device manager in a communication network, in particular a wireless communication network.
  • the network device is configured to provide a share of a plurality of shares of a secret of the network device to an anchor network device of a plurality of anchor network devices, wherein the plurality of anchor network devices have an already established secure management connection with the network device manager. At least two of the plurality of shares of the secret of the network device are required for reconstructing the secret of the network device.
  • the network device manager can reconstruct the secret of the network device, the network device will establish itself a secure management connection with the network device manager for being further provisioned and managed by the network device manager.
  • the network device is configured to establish a secure management connection with the network device manager without any manual operations by a user, i.e. complete zero touch provisioning. This allows saving manual labour, reducing operation and maintenance complexity and benefiting from better security and an improved manageability experience.
  • the network device is further configured to provide information to the network device manager for identifying the plurality of anchor network devices. This allows the network device to efficiently identify the anchor network devices already having established a secure management connection with the network device manager in the communication network.
  • the network device is further configured to provide one share of the plurality of shares of the secret of the network device to the network device manager. This allows the network device manager to more efficiently retrieve the plurality of shares of the secret of the network device and, thus, to reconstruct the secret of the network device faster.
  • the network device is further configured to determine the plurality of shares by dividing the secret of the network device into the plurality of shares.
  • the network device may be configured to divide the secret into the plurality of shares in accordance with Shamir's Secret Sharing scheme. This allows the secret to be divided into the plurality of shares efficiently.
  • the secret and its shares could be pre-configured in the network device.
  • the network device is further configured to select the network device manager from a plurality of available network device managers based on information received by the network device from the plurality of available network device managers over the communication network.
  • the network device may implement an IFTTT (if-this-then-that) rule logic for selecting the network device manager from the plurality of available network device managers.
  • the information received by the network device from the plurality of available network device managers comprises at least one of: an identifier of an available network device manager, identifiers of anchor network devices having an already established secure management connection with a respective available network device manager, a service area of an available network device manager, and a network device type that is manageable by an available network device manager.
  • this allows the network device to select the most suitable network device manager based on the retrieved information.
  • the network device is further configured to select the plurality of anchor network devices from a plurality of network devices having an already established secure management connection with the network device manager. This allows the network device to efficiently select the most suitable anchor network devices.
  • the number of secret shares and, thus, the number of anchor network devices may be set or adjusted based on the desired security level with a larger number of anchor network devices providing a higher security level.
  • the network device is further configured to provide the share to the respective anchor network device using a public key of the respective anchor network device. This increases the security of the shares, because a malicious party intercepting a respective share cannot decrypt this share unless it has access to the private key of the respective anchor network device.
  • all of the plurality of shares of the secret of the network device are required for reconstructing the secret of the network device.
  • this provides improved security.
  • the secret of the network device is a public key of a pair including the public key and a private key of the network device.
  • this allows an efficient establishment of the secure management connection between the network device and the network device manager, because, once the network device manager has reconstructed the public key of the network device, the network device manager can use the public key of the network device for secure communication with the network device.
  • the network device becomes a potential anchor network device itself.
  • the network device is further configured to broadcast the public key over the communication network, after the secure management connection with the network device manager has been established.
  • this allows the network device to act as an anchor network device for a further yet un-provisioned network device in the communication network.
  • the network device is further configured to broadcast an identifier of the network device manager, after the secure management connection with the network device manager has been established. This allows a further yet un-provisioned network device to efficiently identify potential anchor network devices having an already established secure management connection with a selected network device manager.
  • the network device is further configured, in response to receiving a recovery signal for manual provisioning, to terminate the secure management connection with the network device manager and to establish another secure management connection with another network device manager. For instance, a user of the network device may generate the recovery signal by manually pressing a button of the network device.
  • the disclosure relates to a method of establishing a secure management connection with a network device manager in a communication network, in particular a wireless communication network.
  • the method comprises the step of providing, by a network device, a share of a plurality of shares of a secret of the network device to an anchor network device of a plurality of anchor network devices, wherein the plurality of anchor network devices have an already established secure management connection with the network device manager. At least two of the plurality of shares of the secret of the network device are required for reconstructing the secret of the network device.
  • the disclosure relates to a network device manager for managing a plurality of network devices in a communication network, in particular a wireless communication network.
  • the network device manager is configured to obtain a share of a plurality of shares of a secret of a network device from an anchor network device of a plurality of anchor network devices, wherein the plurality of anchor network devices have an already established secure management connection with the network device manager.
  • the network device manager is configured to reconstruct the secret of the network device based on the plurality of shares of the secret of the network device and to establish a secure management connection with the network device.
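The two sides of the share handling described above, as an added example that is not code from the patent: the un-provisioned device splits its secret (here its public key bytes) into n shares with Shamir's scheme, and the manager reconstructs the secret by Lagrange interpolation once it holds at least t of them. With t equal to n every share is required, which is the variant the disclosure describes as providing improved security. The field prime, the share layout and the sample key bytes are assumptions for illustration; the constructed key is not a real key.

```python
"""Threshold secret sharing of a device secret (added example, not patent code).

Shamir's scheme over GF(p) with p = 2**521 - 1, so any secret up to 520 bits
(for instance a 65-byte uncompressed EC public key) fits into one field element.
"""
import secrets

PRIME = 2**521 - 1  # Mersenne prime; secrets and share values live in GF(PRIME)

# Constructed sample input: 65 bytes shaped like an uncompressed EC public key
# (0x04 || X || Y). It is not a real key; it only serves as test data.
SAMPLE_PUBLIC_KEY = bytes([0x04]) + bytes(range(1, 65))


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, t, rng=secrets):
    """Device side: split integer `secret` into n shares (x, y), any t of which
    reconstruct it. Shares use x = 1..n, so the constant term (x = 0), which is
    the secret itself, is never handed out."""
    if not 1 <= t <= n:
        raise ValueError("threshold t must satisfy 1 <= t <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [rng.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares, t):
    """Manager side: Lagrange-interpolate the polynomial at x = 0 from t
    distinct shares. With fewer than t shares the constant term is
    information-theoretically undetermined, so the manager cannot prove that
    it obtained the secret."""
    if len(shares) < t:
        raise ValueError(f"need at least {t} shares, got {len(shares)}")
    points = shares[:t]
    if len({x for x, _ in points}) != t:
        raise ValueError("share indices must be distinct")
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # yi times the Lagrange basis polynomial for xi, evaluated at x = 0
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_public_key(public_key, n, t, rng=secrets):
    """Shares of a public key given as bytes (big-endian integer encoding)."""
    return split_secret(int.from_bytes(public_key, "big"), n, t, rng)


def reconstruct_public_key(shares, t, key_len):
    """Rebuild the key bytes from the shares the manager collected."""
    return reconstruct_secret(shares, t).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Device: five anchors chosen, any three shares suffice (t = 3 of n = 5).
    shares = split_public_key(SAMPLE_PUBLIC_KEY, n=5, t=3)
    # Manager: retrieved three of the five shares from the anchors.
    recovered = reconstruct_public_key(shares[1:4], 3, len(SAMPLE_PUBLIC_KEY))
    print("manager reconstructed the device public key:", recovered == SAMPLE_PUBLIC_KEY)
```

A single corrupted share changes the interpolated value, so a manager that received a tampered or mismatched share reconstructs a different key and fails the credibility check the device performs afterwards; a manager holding fewer than t shares is rejected outright.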
  • the network device manager is configured to establish a secure management connection with the network device without any manual operations by a user of the network device, i.e. complete zero touch provisioning. This allows saving manual labour, reducing operation and maintenance complexity and benefiting from better security and an improved manageability experience.
  • the network device manager is further configured to receive information from the network device for identifying the plurality of anchor network devices.
  • this allows the network device manager to efficiently identify the anchor network devices selected by the network device.
  • the secret of the network device is a public key of the network device.
  • this allows an efficient establishment of the secure management connection between the network device and the network device manager, because, once the network device manager has reconstructed the public key of the network device, the network device manager can use the public key of the network device for secure communication with the network device.
  • the network device manager is further configured to receive one share of the plurality of shares of the secret from the network device.
  • this allows the network device manager to efficiently reconstruct the secret of the network device.
  • the network device manager is further configured to broadcast information over the communication network, wherein the information comprises at least one of: an identifier of the network device manager, identifiers of anchor network devices having an already established secure management connection with the network device manager, i.e. being managed by the network device manager, a service area of the network device manager, and a network device type that is manageable by the network device manager.
  • this allows yet un-provisioned network devices to select the most suitable network device manager.
  • the disclosure relates to a method of operating a network device manager for managing a plurality of network devices in a communication network, in particular a wireless communication network.
  • the method comprises the steps of: obtaining a share of a plurality of shares of a secret of a network device from an anchor network device of a plurality of anchor network devices, the plurality of anchor network devices having an already established secure management connection with the network device manager; reconstructing the secret of the network device based on the plurality of shares of the secret; and establishing a secure management connection with the network device.
  • the method according to the fourth aspect of the disclosure can be performed by the network device manager according to the third aspect of the disclosure.
  • further features of the method according to the fourth aspect of the disclosure result directly from the functionality of the network device manager according to the third aspect of the disclosure and its different implementation forms described above and below.
  • the disclosure relates to a computer program product comprising a non-transitory computer-readable storage medium carrying program code which causes a computer or a processor to perform the method according to the second aspect or the method according to the fourth aspect when the program code is executed by the computer or the processor.
  • Fig. 1 is a schematic diagram illustrating components of an exemplary communication network, including a network device according to an embodiment and a network device manager according to an embodiment.
  • Fig. 2 is a schematic diagram illustrating components of a further exemplary communication network, including a network device according to an embodiment and a network device manager according to an embodiment.
  • Fig. 3 shows a schematic diagram illustrating aspects of the establishment of a secure management connection between a network device according to an embodiment and a network device manager according to an embodiment.
  • Fig. 4 shows a schematic diagram illustrating aspects of the establishment of a secure management connection between a network device according to an embodiment and a network device manager according to an embodiment.
  • Fig. 5 is a schematic diagram of a network device according to an embodiment in communication with a network device manager according to an embodiment.
  • Fig. 6 shows a schematic diagram illustrating aspects of the establishment of a secure management connection between a network device according to an embodiment and a network device manager according to an embodiment.
  • Fig. 7 is a flow diagram illustrating a method for operating a network device according to an embodiment.
  • Fig. 8 is a flow diagram illustrating a method for operating a network device manager according to an embodiment.
  • a disclosure in connection with a described method may also hold true for a corresponding device or system configured to perform the method and vice versa.
  • a corresponding device may include one or a plurality of units, e.g. functional units, to perform the described one or plurality of method steps (e.g. one unit performing the one or plurality of steps, or a plurality of units each performing one or more of the plurality of steps), even if such one or more units are not explicitly described or illustrated in the figures.
  • if a specific apparatus is described based on one or a plurality of units, e.g. functional units, a corresponding method may include one step to perform the functionality of the one or plurality of units (e.g. one step performing the functionality of the one or plurality of units, or a plurality of steps each performing the functionality of one or more of the plurality of units), even if such one or plurality of steps are not explicitly described or illustrated in the figures. Further, it is understood that the features of the various exemplary embodiments and/or aspects described herein may be combined with each other, unless specifically noted otherwise.
  • Figure 1 is a schematic diagram illustrating electronic devices communicating over a communication network 107, including a network device 101 according to an embodiment, a network device manager 103 according to an embodiment, and an anchor network device 105.
  • the communication network 107 is a wireless communication network 107, such as a cellular or a WiFi communication network.
  • the communication network 107 may be or comprise a wired network, such as an Ethernet network.
  • the network device 101 is configured to establish a secure management connection 110 (illustrated by the two-headed arrow with dashed lines in figure 1) with the network device manager 103.
  • the network device 101 is configured to provide a respective share of a plurality of shares of a secret of the network device 101 to a plurality of anchor network devices 105 (e.g. via the communication channel 130 shown in figure 1), such as the exemplary anchor network device 105 illustrated in figure 1, wherein at least two of the plurality of shares of the secret of the network device 101 are required for reconstructing the secret of the network device 101.
  • the plurality of anchor network devices 105 have already a respective established secure management connection 120 with the network device manager 103, such as the exemplary anchor network device 105 illustrated in figure 1 (illustrated by the two-headed arrow with solid lines in figure 1). In other words, the exemplary anchor network device 105 has already been provisioned by the network device manager 103.
  • the network device manager 103 is configured to provision and manage a plurality of network devices, including the un-provisioned network device 101 illustrated in figure 1, via the wireless communication network 107. To this end, the network device manager 103 is configured to obtain a respective share of the plurality of shares of the secret of the network device 101 from a respective anchor network device of a plurality of anchor network devices, such as the anchor network device 105 illustrated in figure 1. As described above, the plurality of anchor network devices 105 have an already established secure management connection 120 with the network device manager 103.
  • the network device manager 103 is configured to reconstruct the secret of the network device 101 based on the plurality of shares of the secret of the network device 101 retrieved from the plurality of anchor network devices 105 and to establish the secure management connection 110 with the network device 101 based on the reconstructed secret of the network device 101.
  • the network device 101 may comprise a processor 111 for processing data, a non-transitory memory 113 for storing and retrieving data, and a communication interface 115 for exchanging data with the network device manager 103 and the plurality of anchor network devices 105 over the wireless communication network 107.
  • the processor 111 may be implemented in hardware and/or software.
  • the hardware may comprise digital circuitry, or both analog and digital circuitry.
  • the digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or general-purpose processors.
  • the non-transitory memory 113 may store executable program code which, when executed by the processor 111, causes the network device 101 to perform the functions and methods described herein.
  • the communication interface 115 may comprise one or more communication ports and/or antennas for exchanging data over the wireless communication network 107.
  • the network device manager 103 may comprise a processor 121 for processing data, a non-transitory memory 123 for storing and retrieving data, and a communication interface 125 for exchanging data with the network device 101 and the anchor network devices 105 over the wireless communication network 107.
  • each anchor network device 105 may comprise a processor 131 for processing data, a non-transitory memory 133 for storing and retrieving data, and a communication interface 135 for exchanging data with the network device 101 and the network device manager 103 over the wireless communication network 107.
  • the network device 101 and one or more of the anchor network devices 105 may be similar or identical devices with the only difference that the one or more anchor network devices 105 already have the established secure management connection 120 with the network device manager 103, i.e. are already provisioned and being managed by the network device manager 103, whereas the network device 101 is in the process of establishing the secure management connection 110 with the network device manager 103, i.e. is in the process of being provisioned.
  • the wireless communication network 107 may comprise more than the one network device manager 103 illustrated in figure 1.
  • the wireless communication network 107 may comprise a wireless router (not illustrated in figure 1).
  • the wireless router may be implemented as a component of the network device manager 103 or be associated therewith.
  • Fig. 2 is a schematic diagram illustrating an implementation of the wireless communication network 107 as a smart home network, including the yet un-provisioned network device 101 in the form of a surveillance camera device, the network device manager 103 for provisioning and managing the surveillance camera device 101, and a plurality of anchor network devices 105 already provisioned by the network device manager 103.
  • the plurality of anchor network devices 105 include different types of HDTV devices, HVAC devices, LED lighting devices, motion sensor devices, temperature/humidity/luminosity sensor devices, and further surveillance camera devices (for the sake of clarity, not all of these anchor network devices have been provided with a reference number in figure 2).
  • the network device manager(s) 103 may be configured to advertise, i.e. broadcast, the types and/or locations of the network devices 101 they can manage.
  • an already provisioned network device 105 may broadcast, for instance, a device identifier, an identifier of the network device manager 103 that controls the network device 105, a public key of the network device 105.
  • the yet un-provisioned network device 101 may select a suitable network device manager 103 from a plurality of available network device managers 103, as well as a plurality of anchor network devices 105, i.e. a subset of the plurality of network devices 105 already having established a secure management connection with the selected network device manager 103.
  • the yet un-provisioned surveillance camera device 101 may detect, based on the advertised information, that other surveillance cameras 105 in the wireless communication network are already controlled by a specific network device manager 103 and, therefore, may select this network device manager 103.
  • the network device 101 is configured to use the advertised public keys for a secure communication with the selected anchor network devices 105.
  • the yet un-provisioned network device 101 is configured to assess the security credibility, i.e. "trust" of the network device manager 103 before transferring control to the network device manager 103.
  • embodiments of the disclosure employ a validation of the security credibility of the network device manager 103.
  • Embodiments of the disclosure implement the validation of the security credibility of the network device manager 103 using cryptographic schemes for sharing an electronic secret.
  • the yet un-provisioned network device 101 is configured to generate a secret public key or a nonce that must be reconstructed by the network device manager 103 to prove its security credibility and, if successfully reconstructed, is used for establishing a secure management connection between the network device 101 and the network device manager 103.
  • the network device 101 does not send the public key directly to the network device manager 103, but is configured to split the public key into the plurality of shares and send the shares to the selected anchor network devices 105.
  • the network device 101 may use the public key of the respective anchor network device 105.
  • one share of the secret public key may be sent to the network device manager 103 directly.
  • the network device manager 103 has to retrieve at least a subset, preferably all of the plurality of shares of the secret public key of the network device 101.
  • the communication network 107 may comprise a Management Advertising Network (MAN) component 107 to allow both the network device manager(s) 103 and the network device(s) 101 to advertise information.
  • MAN: Management Advertising Network
  • the communication between the now provisioned network device 101 and the network device manager 103 may be over an operational network component 107 of the communication network 107.
  • the yet un-provisioned network device 101 may wait for a pre-defined timeout period in order to allow manual provisioning operations to take place. For instance, the network device 101 may be configured to wait for a timeout period of about 60 seconds before performing the following steps.
  • the network device 101 may comprise a manual provisioning button for generating a recovery signal and be configured to perform a conventional provisioning procedure, if the manual provisioning button is pressed and the recovery signal is received during the timeout period. After the timeout period, the network device 101 is configured to connect to the communication network 107, in particular wireless communication network 107.
  • the network device 101 may start collecting "manageability advertisements", i.e. information about the available network device managers 103 in the communication network 107.
  • the information collected by the network device 101 over the communication network 107 may include information about the capabilities of the respective network device manager 103 and/or the other network devices 105 already associated therewith, i.e. the other network devices 105 already having established a secure, i.e. trusted, management connection with the respective device manager 103.
  • the network device 101 may select a suitable network device manager 103, for instance, the network device manager 103 illustrated in figure 3. According to an embodiment, this selection may be based on an IFTTT logic implemented in the network device 101. According to an embodiment, if the IFTTT logic fails and the network device 101 cannot decide on the right network device manager 103, the network device 101 may switch to a regular provisioning mode and advertise it on the communication network 107.
  • the network device 101 may randomly select a subset of the plurality of network devices 105 already associated with the network device manager 103.
  • the network devices of this selected subset of the plurality of network devices 105 already associated with the network device manager 103 are herein referred to as the anchor network devices 105.
  • the network device 101 is configured to securely transmit a respective share of an electronic secret, for instance, a public key of the network device 101 to the selected anchor network devices 105.
  • the network device manager 103 has to retrieve at least a subset, preferably all of the plurality of shares of the secret public key of the network device 101.
  • the network device manager 103 may start control of the network device 101. For instance, the network device 101 may follow further provisioning instructions provided by the network device manager 103 via the secure management connection 110. In an embodiment, the network device 101 may be configured to then change its operational state to a "provisioned state" for preventing a further take-over by a different, potentially malicious network device manager and for enabling a re-provisioning. Thereafter, the network device 101 may start operation and periodically advertise information about its associations and device details over the communication network 107 as already described above.
  • the network device 101 may maintain a “no security” connectivity to the MAN component of the wireless communication network 107 (the name could be encoded to reflect owner, location, and the like and may contain information for selecting a suitable network device manager, such as “Light_CONTROL_SEGMENT, Huawei_IOT_CONTROLLER”).
  • a SSID of the MAN component of the wireless communication network 107 may be pre-configured in the network device 101 and/or the network device manager 103 (possibly comprising a wireless router as well).
  • the information retrieved by the network device 101 about a network device manager 103 may be the following: { Surveillance Controller, VCR; Huawei, Huawei; Floor-1; Building 33 Apt. 12 J. Smith, etc. + Public Key for secure exchange }.
  • the already provisioned network devices 105 may broadcast information as well, including an identifier of the network device 105, an identifier of the network device manager 103 controlling the network device 105, information about the network device vendor, location, owner and the like.
  • the information retrieved by the network device 101 about a network device 105 may be the following: { VCR_3F.5A; Surveillance Controller; VCR, Streamer; Huawei; Building 33 Apt. 12 J. Smith, + Public Key for secure exchange }.
  • the network device 101 is configured to verify that the network device manager 103 is not spoofed.
  • the ability of the network device manager 103 to control K-1 anchor network devices 105 is considered a good enough proof of trust.
  • the yet un-provisioned network device 101 may collect a number of data packets (including advertisements) transmitted by the various devices over the MAN component 107 of the communication network 107.
  • the collected data may be organized in tables for allowing the random selection of the anchor network devices 105.
  • the number of the selected anchor network devices and their type may be determined dynamically by the network device 101 and may vary in accordance with the required security level. The more anchors are involved, the stronger is the proof of trust granted by the validation procedure implemented by embodiments of the disclosure.
  • a validation procedure may involve the selection of 3 to 10 anchor network devices 105 out of 30 to 100 already provisioned network devices 105.
  • the network device 101 is configured to generate the plurality of shares of its electronic secret in accordance with Shamir’s secret sharing scheme. This scheme makes sure that the secret is split by the network device 101 in a way that allows its reconstruction only when the required minimum of shares is obtained by the network device manager 103. As the shares are owned by independent holders, namely the anchor network devices 105, an attacker would have to successfully compromise all of these devices to gain access to the secret.
  • the network device 101 is configured to generate the secret, such as a public key, a nonce or the like, and to split the secret into a plurality of shares. Furthermore, the network device 101 is configured to securely transmit a share of the secret to a respective anchor network device 105 using the public key of the respective anchor network device 105.
  • the only way for the network device manager 103 to reconstruct the secret for continuing the provisioning procedure with the network device 101 is to obtain the plurality of shares from the anchor network devices 105. Only the network device manager 103 that really has control over these anchor network devices 105 will be able to retrieve the shares and unlock the secret.
  • an attacker e.g. a malicious network device manager will not be able to reconstruct the secret of the network device 101 without compromising the plurality of anchor network devices 105.
  • stage [1] the network device 101 generates the secret, such as a public key, a nonce, and the like, as well as N shares using Shamir's secret sharing algorithm, wherein at least K of the N shares are necessary for reconstructing the secret.
  • stage [2] the network device 101 selects randomly K-1 anchor network devices 105 out of a plurality of network devices already associated with the selected network device manager 103 and provides the secret shares to these anchor network devices 105.
  • stage [3] the network device 101 provides the last share, i.e. the K-th share to the network device manager 103 as well as information, such as a list about the selected anchor network devices 105 for reconstructing the secret.
  • stage [4] the network device manager 103 queries the anchor network devices 105 for the shares, which will release the shares only to the known and trusted network device manager 103.
  • stage [5] the network device manager 103 reconstructs the secret using the plurality of shares.
  • stage [6] a secure management connection 110 between the network device 101 and the network device manager 103 is established based on the reconstructed secret.
  • stage [7] the provisioning of the network device 101 by the network device manager 103 is completed.
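The Shamir-based validation described above (the threshold split of the secret and the seven stages) as an added example, not code from the patent: a Python model in which the new device splits a fresh nonce, K-1 anchors release their share only to the manager they are associated with, the manager reconstructs, and the device checks the result, including the failure case where a manager that does not control the anchors cannot collect enough shares. The class and function names, the field prime and the in-memory "release" check are constructed for illustration; the encrypted share delivery and manager authentication of the real flow are only simulated.

```python
import hmac
import secrets

# Prime field the shares live in (a 127-bit Mersenne prime); constructed choice.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Stage [1]: n shares (x, y) of `secret`, any k of which reconstruct it.
    The secret is the constant term of a random degree-(k-1) polynomial."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """Stage [5]: Lagrange interpolation at x = 0 over the collected shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


class AnchorDevice:
    """Already-provisioned device (constructed model): it releases its stored
    share only to the manager it is associated with (stage [4])."""

    def __init__(self, name, manager_id):
        self.name = name
        self.manager_id = manager_id
        self.share = None

    def store_share(self, share):
        # Stands in for the share arriving encrypted to the anchor's public key.
        self.share = share

    def release_share(self, requester_id):
        # Unknown or untrusted managers get nothing.
        return self.share if requester_id == self.manager_id else None


def manager_collects(manager_id, own_share, anchor_list):
    """Stages [3]-[4] from the manager's side: its own share plus whatever
    the listed anchors release to this manager_id."""
    collected = [own_share]
    for anchor in anchor_list:
        share = anchor.release_share(manager_id)
        if share is not None:
            collected.append(share)
    return collected


def validate_manager(manager_id, anchor_list):
    """Stages [1]-[6] for a new device that selected manager_id and
    anchor_list. Returns (accepted, reason)."""
    k = len(anchor_list) + 1            # K-1 anchor shares plus the manager's
    secret = secrets.randbelow(PRIME)   # a fresh nonce, as the patent allows
    shares = split_secret(secret, k, k)
    for anchor, share in zip(anchor_list, shares[:-1]):
        anchor.store_share(share)       # stage [2]
    collected = manager_collects(manager_id, shares[-1], anchor_list)
    if len(collected) < k:              # not all shares retrieved: abort
        return False, "error: manager could not retrieve all shares"
    recovered = reconstruct_secret(collected)
    ok = hmac.compare_digest(recovered.to_bytes(16, "big"),
                             secret.to_bytes(16, "big"))
    return ok, "secure management connection established" if ok else "mismatch"
```

With fewer than K shares the interpolation yields an unrelated field element, which is why the device-side comparison, not the share count alone, decides acceptance.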
  • the validation of the security credibility of the network device manager 103 prevents the network device 101 from being associated with a malicious network device manager 103.
  • the network device 101 may still establish a secure management connection with the "wrong" network device manager 103.
  • two users may have independent VCR management systems broadcasting over the same MAN segment, so that a yet un-provisioned VCR device may pick the first suitable network device manager and connect thereto.
  • the network device 101 and the network device manager 103 may implement an automated manager take-over procedure.
  • the network device manager 103 may be configured to request from another network device manager 103 to re-provision a specific network device 101 via dedicated interfaces between the network device managers (here, it is assumed that legitimate network device managers 103 are trusted and can authenticate each other using regular security tools such as certificates, strong passwords, cloud based checks, and the like).
  • the network device manager 103 may force the specific network device 101 to update its management settings and "migrate" to the network device manager 103.
  • an association of the network device 101 with the wrong network device manager 103 may be detected by the user of the network device 101.
  • the network device 101 may not appear in a dedicated control application running on the "correct" network device manager 103, or data provided by the network device 101, such as a camera stream, does not appear on a dedicated output device.
  • the network device 101 may be configured to follow a recovery provisioning procedure. In an embodiment, this recovery procedure may be triggered by the network device 101 receiving a recovery signal generated by pressing a specific button of the network device 101 or scanning a QR code associated with the network device 101.
  • the network device 101 is configured to maintain different operational states, indicated, for instance, by a flag bit, for distinguishing between automated provisioning and recovery provisioning.
  • the recovery provisioning may have precedence over the automated provisioning.
  • FIG. 5 is a schematic diagram of the system architecture of the network device 101 according to an embodiment and the network device manager 103 according to an embodiment.
  • both the network device 101 and the network device manager 103 may comprise a legacy management system 511 and 527, respectively. These legacy management systems 511 and 527 may be implemented to perform legacy provisioning procedures.
  • both the network device 101 and the network device manager 103 may comprise a ZTP module 501 and 521, respectively.
  • the ZTP module 521 of the network device manager 103 may comprise an advertiser 525 configured to broadcast information about capabilities and associations of the network device manager 103 over the wireless communication network 107, as already described above. Regular broadcast techniques and pre-configured connection settings may be applied. Moreover, the ZTP module 521 of the network device manager 103 may comprise a take-over controller 523 configured to implement the recovery procedures described above.
  • the ZTP module 501 of the network device 101 may comprise an advertiser listener 507 and an assessment engine 505.
  • the advertiser listener 507 is configured to collect information about other network devices 105 and network device managers 103 and to select a suitable network device manager 103 (for instance, using an IFTTT-like rules engine).
  • the assessment engine 505 is configured to select the anchor network devices 105, generate the shares of the secret and share these with the selected devices, as already described in great detail above.
  • the secret of the network device 101 may be supplied to the legacy management system 511 for further manager authentication.
  • the network device 101 may operate in a provision mode, which, as already described above, is a configuration of the network device 101 for distinguishing between a legacy (not automated take-over) and an automatic provisioning, as provided by embodiments of the disclosure.
  • the anchor flow 513 indicated in figure 5 may be implemented as part of regular management configuration retrieval flows, supporting the setting of shares (by a peer IoT device) and their retrieval by the network device manager 103.
  • the retrieval by the network device manager 103 may be strongly authenticated and the shares may be secured using a public key infrastructure, where the public key of the respective network device 105 is advertised by the advertiser 509 over the communication network 107.
  • the public keys reconstructed and/or retrieved by the network device manager 103 may be stored in a registry 529, which may be a part of the memory 123 of the network device manager 103. Also, any private keys used by the network device manager 103 may be stored here. Likewise, the network device 101 may store any public keys used for communication with the network device manager 103 and/or the anchor network devices 105 in a management settings database 515, which may be implemented in the memory 113 of the network device 101.
  • Figure 6 shows a signalling diagram illustrating aspects of the establishment of a secure management connection between the network device 101 according to an embodiment and the network device manager 103 according to an embodiment.
  • the yet un-provisioned network device 101 can select between two network device managers 103 as well as K-1 anchor network devices 105. More specifically, figure 6 shows the following steps and processes.
  • the network device 101 is booted (this may include the connection to the wireless network 107) and waits for a timeout period 601a.
  • the timeout period 601a can be, for instance, 30 seconds long.
  • the network device 101 may wait for the timeout period 601a in order to allow manual provisioning operations to take place before starting the automatic provisioning procedure described in the following.
  • the network device 101 collects information advertised by the different network device managers 103 available in the wireless communication network 107, such as the network device manager 103 referred to as "Manager 2" in figure 6, in step 602a. Moreover, the network device 101 collects information advertised by the different network devices 105 already provisioned in the wireless communication network 107, such as the already provisioned network device 105 referred to as "IoT 3" in figure 6, in step 602b.
  • Based on the information collected in step 603, the network device 101 selects a suitable network device manager 103. In the exemplary embodiment shown in figure 6, the network device 101 selected the network device manager 103 referred to as "Manager 2" in figure 6, as indicated by 606.
  • Having selected a suitable network device manager 103, the network device 101 generates a secret, such as a public key, and splits this secret into a plurality of shares. In step 609, the network device 101 selects the anchor network devices 105 from the plurality of already provisioned network devices and provides a respective share of the secret to the selected anchor network devices 105. As illustrated in step 610, the share may be encrypted using the public key of the respective anchor network device 105.
  • the network device 101 requests the selected network device manager 103 to provide evidence for its security credibility by providing the selected network device manager with one of the shares of the secret as well as information about the selected anchor network devices 105.
  • the selected network device manager 103 retrieves the plurality of shares of the secret of the network device 101 from the plurality of anchor network devices 105 identified by the request of the network device 101.
  • the selected network device manager 103 can unlock, i.e. reconstruct, the secret of the network device 101 using these shares, preferably all of them (see step 616a). In case it was not possible for the selected network device manager 103 to retrieve all shares necessary for unlocking the secret (see step 616b), the provisioning process may be terminated with an error message to the network device 101.
  • In step 617, having unlocked the secret in step 616a, the selected network device manager 103 has established a secure management connection 110 with the network device 101 and can complete the provisioning of the network device 101.
  • the network device 101 is a provisioned network device itself (like the selected anchor network devices 105) and can start distributing information about its capabilities over the wireless communication network 107.
  • Figure 7 is a flow diagram of a method 700 of establishing the secure management connection 110 with the network device manager 103 in the wireless communication network 107.
  • the method 700 comprises the step 701 of providing by the network device 101 a share of the plurality of shares of the secret of the network device 101 to a respective anchor network device 105 of the plurality of anchor network devices 105.
  • the plurality of anchor network devices 105 have an already established secure management connection 120 with the network device manager 103 and at least two of the plurality of shares of the secret of the network device 101 are required for reconstructing the secret of the network device 101.
  • Figure 8 is a flow diagram of a method 800 of operating the network device manager 103 for managing a plurality of network devices 101 in the wireless communication network 107.
  • the method 800 comprises the step 801 of obtaining a respective share of the plurality of shares of the secret of the network device 101 from a respective anchor network device 105 of the plurality of anchor network devices 105.
  • the plurality of anchor network devices 105 have an already established secure management connection 120 with the network device manager 103.
  • the method 800 comprises the step 803 of reconstructing the secret of the network device 101 based on the plurality of shares of the secret and the step 805 of establishing the secure management connection 110 with the network device 101 based on the reconstructed secret.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the described apparatus embodiment is merely exemplary.
  • the unit division is merely logical function division and may be other division in actual implementation.
  • a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed.
  • the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented by using some interfaces.
  • the indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.
  • the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • functional units in the embodiments of the invention may be integrated into one processing unit, or each of the units may exist alone physically, or two or more units are integrated into one unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a network device (101) for establishing a secure management connection (110) with a network device manager (103) in a communication network (107), in particular a wireless communication network (107). The network device (101) is configured to provide a share, among a plurality of shares, of a secret of the network device (101) to an anchor network device (105) among a plurality of anchor network devices (105). The plurality of anchor network devices (105) have an already established secure management connection (120) with the network device manager (103). At least two shares among the plurality of shares of the secret of the network device (101) are required to reconstruct the secret of the network device (101). The invention further relates to a corresponding network device manager (103). The invention enables zero-touch provisioning of the network device (101) by the network device manager (103) in the communication network (107).
PCT/EP2020/064978 2020-05-29 2020-05-29 Dispositifs et procédés de provisionnement sans intervention dans un réseau de communication WO2021239249A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080096286.1A CN115136634A (zh) 2020-05-29 2020-05-29 用于在通信网络中进行零配置部署的设备和方法
PCT/EP2020/064978 WO2021239249A1 (fr) 2020-05-29 2020-05-29 Dispositifs et procédés de provisionnement sans intervention dans un réseau de communication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/064978 WO2021239249A1 (fr) 2020-05-29 2020-05-29 Dispositifs et procédés de provisionnement sans intervention dans un réseau de communication

Publications (1)

Publication Number Publication Date
WO2021239249A1 true WO2021239249A1 (fr) 2021-12-02

Family

ID=70968950

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2020/064978 WO2021239249A1 (fr) 2020-05-29 2020-05-29 Dispositifs et procédés de provisionnement sans intervention dans un réseau de communication

Country Status (2)

Country Link
CN (1) CN115136634A (fr)
WO (1) WO2021239249A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160044001A1 (en) * 2014-08-11 2016-02-11 Intel Corporation Network-enabled device provisioning
WO2016172492A1 (fr) * 2015-04-24 2016-10-27 Pcms Holdings, Inc. Systèmes, procédés et dispositifs pour la protection de justificatifs d'identité de dispositifs

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SENCUN ZHU ET AL: "Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach", NETWORK PROTOCOLS, 2003. PROCEEDINGS. 11TH IEEE INTERNATIONAL CONFEREN CE ON 4-7 NOV. 2003, PISCATAWAY, NJ, USA,IEEE, 4 November 2003 (2003-11-04), pages 326 - 335, XP010671585, ISBN: 978-0-7695-2024-7, DOI: 10.1109/ICNP.2003.1249782 *

Also Published As

Publication number Publication date
CN115136634A (zh) 2022-09-30

Similar Documents

Publication Publication Date Title
KR102293116B1 (ko) 제어기와 액세서리 사이의 통신을 위한 균일한 통신 프로토콜
US8577044B2 (en) Method and apparatus for automatic and secure distribution of an asymmetric key security credential in a utility computing environment
US8510812B2 (en) Computerized system and method for deployment of management tunnels
US7822982B2 (en) Method and apparatus for automatic and secure distribution of a symmetric key security credential in a utility computing environment
US8307093B2 (en) Remote access between UPnP devices
EP2408140B1 (fr) Procédé, point de commande, appareil et système de communication pour configurer un droit d'accès
US11765164B2 (en) Server-based setup for connecting a device to a local area network
US8438218B2 (en) Apparatus and method for providing accessible home network information in remote access environment
WO2004105333A1 (fr) Reseau prive virtuel securise
CN112737902B (zh) 网络配置方法和装置、存储介质及电子设备
US11838269B2 (en) Securing access to network devices utilizing authentication and dynamically generated temporary firewall rules
JP2005020112A (ja) ネットワーク設定システム、管理装置、端末装置及びネットワーク設定方法
US8302155B2 (en) UPnP apparatus and method for providing remote access service
JP2005286783A (ja) 無線lan接続方法および無線lanクライアントソフトウェア
CN109788528B (zh) 接入点及其上网业务开通方法和系统
WO2020176021A1 (fr) Distribution automatique de clés de protocole de configuration d'hôte dynamique (dhcp) par l'intermédiaire d'un protocole de découverte de couche de liaison (lldp)
WO2014207929A1 (fr) Dispositif de traitement d'informations, terminal, système de traitement d'informations, et procédé de traitement d'informations
US20230254292A1 (en) Private and Secure Chat Connection Mechanism for Use in a Private Communication Architecture
WO2021134562A1 (fr) Procédé et appareil de remplacement de dispositif de configuration, dispositif et support de stockage
US20230107045A1 (en) Method and system for self-onboarding of iot devices
WO2021239249A1 (fr) Dispositifs et procédés de provisionnement sans intervention dans un réseau de communication
WO2018172776A1 (fr) Transfert sécurisé de données entre des dispositifs de l'internet des objets
CN107888383B (zh) 登录认证方法及装置
JP2008244945A (ja) 無線接続環境設定システム、無線接続環境設定サーバ、情報端末、及び、プログラム
US20240214352A1 (en) Securing access to network devices utilizing authentication and dynamically generated temporary firewall rules

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20730013

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20730013

Country of ref document: EP

Kind code of ref document: A1