WO2023281231A1 - Method for authenticated establishment of a connection between equipment connected to at least one communication network and a server of a service provider, and corresponding devices - Google Patents
- Publication number: WO2023281231A1 (PCT/FR2022/051376)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- equipment
- certificate
- server
- digest
- certification token
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Definitions
- TITLE Process for authenticated establishment of a connection between equipment connected to at least one communication network and a server of a service provider and corresponding devices.
- The field of the invention is that of the certification of equipment connected to a communication network. More specifically, the invention relates to a solution for providing a certificate to equipment in an "edge computing" environment, that is, computing at the edge of the network.
- Edge computing, or computing at the edge of the network, consists of processing data at the edge of the network, as close as possible to the source of the data.
- Edge computing thus makes it possible to minimize bandwidth requirements between equipment, such as sensors, and data processing centers by performing analyses as close as possible to the data sources. This approach requires mobilizing resources that may not be permanently connected to a network, such as laptops, smartphones, tablets or sensors. Edge computing also has a prominent place in content ingestion and delivery solutions. In this regard, many content delivery network (CDN) architectures are based on "edge computing" architectures.
- A known implementation of such an "edge computing" architecture is the architecture known as Kubernetes.
- [Fig. 1] presents, in simplified form, the architecture of a cluster of nodes 1 conforming to the Kubernetes solution.
- The cluster of nodes 1 comprises a first node 10, called the management node or "Kubernetes master", and N computing nodes, or "worker nodes", 11_i, i ∈ {1,...,N}, N being a natural integer.
- The management node 10 comprises a controller 101, an API (Application Programming Interface) module 102 and a so-called ETCD database 103, which is a dynamic register for configuring the computing nodes 11_i.
- A computing node 11_i comprises M containers or "pods" 110_j, j ∈ {1,...,M}, M being a natural integer.
- Each container 110_j is endowed with resources allowing the execution of one or more tasks.
- A task, when executed, contributes to the implementation of a network service or function, such as a Dynamic Host Configuration Protocol (DHCP) function for example.
- Edge computing architectures are most often multi-site architectures in which the nodes making up a cluster of nodes may not be co-located.
- For example, a management node 10 and two computing nodes 111, 112 of a cluster of nodes 1 are located on a site A, while three other computing nodes 113, 114, 115 are located on a remote site B.
- The https protocol allows a visitor's equipment, such as a personal computer, to verify the identity of a website the visitor wishes to access from that equipment.
- The equipment accesses a server providing a service thanks to a public X.509 authentication certificate issued by a third-party authority reputed to be reliable.
- Such a certificate guarantees the confidentiality and integrity of the data transmitted by the visitor to the server providing the service.
- Such a mode of operation cannot meet the needs of managing the computing nodes. Such management is complex because the computing nodes can be deployed in distributed, private or even mobile infrastructures, and above all they can be reconfigured, suspended, deleted, reactivated, or even reassigned to another master node according to the needs to be satisfied.
- From a protocol point of view, the computing nodes correspond to the visitor equipment of the example described above. It can therefore be seen that applying the https solution to an "edge computing" architecture is not suitable.
- The invention meets this need by proposing a system comprising at least one piece of equipment connected to at least one communication network, at least one network address configuration server, at least one certificate creation module, at least one domain name server and at least one server of a service provider.
- Such a system is particular in that:
- the equipment sends, to the configuration server, a request for allocation of at least one network address comprising at least a digest of a physical address of said equipment,
- the configuration server generates a request to create a certificate associated with said equipment comprising the digest of a physical address of said equipment, a certificate associated with said configuration server and at least one network address allocated to said equipment by said configuration server,
- the configuration server transmits said creation request to the certificate creation module
- the certificate creation module generates, from the information included in the creation request, a certificate associated with said equipment and a certification token corresponding to said certificate,
- the certificate creation module transmits, to the domain name server, a request to associate said certificate, said certification token and the digest of said certification token with at least one domain name,
- the domain name server associates, with at least one domain name, the certificate associated with said equipment, the corresponding certification token and the digest of said certification token,
- the equipment receives the certification token and the digest of said certification token from the configuration server.
- The solution that is the subject of the present invention makes it possible, by reusing components already present in a communication network, to authenticate with certainty equipment that is connected to a communication network but is not managed by the operator of that network, by providing it with a certificate whose integrity cannot be called into question, since the trusted third party issuing the certificate is the operator managing the communication network.
- The solution consists in taking advantage of the transmission of a network address allocation request by equipment seeking to connect to a communication network in order to introduce into this request a request to obtain a certificate.
- Such a request results in the introduction, into the allocation request, of a digest (or "hash") of a physical address of the equipment.
- A configuration server detecting the presence of this digest of a physical address of the equipment in a network address allocation request understands that the equipment wishes to obtain a certificate and then triggers a certificate creation procedure with a certificate creation module.
- A certificate creation module can be co-located with the configuration server or with the domain name server, in which an association of said certificate with at least one domain name provided by the configuration server is stored.
- The certificate created is associated with this address pool.
- The service provider's server can simply, from the certification token, verify the authenticity and integrity of the certificate associated with the equipment and thus authorize the establishment of a connection with the equipment.
- The establishment of such a connection corresponds, for example, to the integration of the equipment into a Kubernetes architecture as a computing node.
- The server of a service provider can carry out a double certification of the equipment, as is the case for https connections.
- An object of the present invention relates more particularly to a method for authenticated establishment of a connection between equipment connected to at least one communication network and a server of a service provider, said method comprising the following steps implemented by said equipment:
- The involvement of the configuration server in the supply process makes it possible to use the messages exchanged with the equipment during renewal of the network address allocation to transmit, to the certificate creation module, a request to maintain in force the certificate associated with said equipment, said maintenance request comprising said certification token and said certificate associated with said configuration server.
- Such a method for authenticated establishment of a connection further comprises the following steps:
- The invention also relates to a method for supplying a certification token associated with equipment connected to at least one communication network, for the authenticated establishment of a connection between said equipment and a server of a service provider, said method comprising the following steps implemented by a network address configuration server:
- This method further comprises a step of generating the certificate associated with said equipment and the certification token corresponding to said certificate from the digest of a physical address of said equipment, a certificate associated with said configuration server and at least one network address allocated to said equipment by said configuration server.
- Such a method of providing a certification token further comprises the following steps:
- The configuration server notifies the certificate creation module that it must maintain in force the association of said certificate, said certification token and the digest of said certification token with at least one domain name.
- The invention finally relates to computer program products comprising program code instructions for implementing the methods described above when they are executed by a processor.
- The invention also relates to a computer-readable recording medium on which are recorded computer programs comprising program code instructions for executing the steps of the methods according to the invention as described above.
- Such a recording medium can be any entity or device capable of storing the programs.
- The medium may comprise a storage means, such as a ROM, for example a CD-ROM or a microelectronic circuit ROM, or a magnetic recording means, for example a USB key or a hard disk.
- Such a recording medium can also be a transmissible medium such as an electrical or optical signal, which can be conveyed via an electrical or optical cable, by radio or by other means, so that the computer programs it contains can be executed remotely.
- The programs according to the invention can in particular be downloaded from a network, for example the Internet.
- The recording medium may be an integrated circuit in which the programs are incorporated, the circuit being suitable for executing, or for being used in the execution of, the aforementioned methods which are objects of the invention.
- FIG. 1: this figure represents, in a simplified way, the architecture of a cluster of nodes 1 conforming to the Kubernetes solution.
- FIG. 5: this figure represents equipment capable of implementing the method for authenticated establishment of a connection between equipment connected to at least one communication network and a server of a service provider which is the subject of the present invention.
- FIG. 6: a configuration server capable of implementing the various methods which are the subject of the present invention.
- The general principle of the invention is based on obtaining a certificate for equipment located in an "edge computing" environment, that is, computing at the edge of the network.
- The data necessary to obtain such a certificate are exchanged via the messages usually used when an item of equipment seeks to connect to a communication network.
- The necessary information is entered in existing fields of these messages.
- Such a solution makes it possible not to increase the load on the network, because it does not require the transmission of additional messages. Since the data exchanged are introduced into existing fields of existing messages, they are also not too voluminous, which further contributes to not increasing the load on the network.
- Such a solution also has the advantage of being fast, which makes it particularly interesting for architectures requiring frequent dynamic configurations. Indeed, the present solution transmits the data necessary for the creation of a certificate from the first message.
- Such a system comprises at least one piece of equipment 10 connected to at least one communication network (not shown in the figures), at least one network address configuration server 11, such as a DHCP (Dynamic Host Configuration Protocol) server, at least one certificate creation module 12, at least one domain name server 13, such as a DNS server, and at least one server of a service provider 14, which may or may not be independent of the communication network operator.
- The equipment 10 can equally well be a mobile terminal, a server, a node or a container according to the Kubernetes solution, or even a sensor. It can also be virtualized equipment.
- The configuration server 11 and the certificate creation module 12 can be co-located in the same equipment 100, as represented in FIG. 2.
- The certificate creation module 12 can be co-located with the domain name server 13 or integrated into it.
- The certificate creation module 12 can be physically separated from the configuration server 11 and from the domain name server 13.
- The equipment 10 seeks to connect to a communication network. To this end, the equipment 10 sends a DHCP Discover request to the configuration server 11 so that the latter allocates one or more network addresses to it, such as IPv4 or IPv6 addresses.
- In a step E2, upon receipt of the DHCP Discover request sent by the equipment 10, the configuration server 11 offers, in a conventional manner, one or more network addresses to the equipment 10 by transmitting a DHCP Offer message.
- The configuration server 11 can implement an ACME-STAR type delegation method or a so-called "Delegated Credentials" method upon receipt of the DHCP Discover request sent by the equipment 10. These methods are described in the referenced document RFC 8739 (ACME-STAR) published by the IETF.
- This allows the delegating equipment 10 to receive, here in a DHCP Offer message, a possibly condensed temporary certificate calculated on the basis of a private key of the delegating configuration server 11.
- The equipment 10 validates the network address allocation proposal received during step E2 and transmits, to the configuration server 11, a DHCP Request validating network addresses among those proposed and comprising parameters relating to the creation of a certificate.
- To this end, the equipment 10 adds parameters intended to be used for the generation of a certificate associated with the equipment 10.
- These parameters are: a public key PUB_KEY_CPE of the equipment 10, a digest or "hash" HASH_CPE of a physical address of the equipment 10, such as a MAC (Medium Access Control) address, and a TYP_HASH parameter indicating how the HASH_CPE digest is calculated.
- In another example, these various parameters can be transmitted in the form of a certificate, which can be condensed.
- The HASH_CPE digest of a physical address of the equipment 10 can be transmitted as early as step E1, in the DHCP Discover request.
- Upon receipt of the DHCP Request, in a step E4, the configuration server 11 processes the information relating to the allocation of network addresses included in this request in a conventional manner. During the processing of this DHCP Request, on detecting the presence of parameters relating to the creation of a certificate in a field of the DHCP Request, that is to say the public key PUB_KEY_CPE, the digest HASH_CPE or the TYP_HASH parameter, the configuration server 11 extracts this information and generates a request DCC to create a certificate associated with the equipment 10.
- The request DCC to create a certificate includes: the public key PUB_KEY_CPE of the equipment 10, the HASH_CPE digest of a physical address of the equipment 10, a certificate CertDHCP associated with the configuration server 11, at least one network address IP_CPE allocated to said equipment 10 by the configuration server 11 during step E4 (or a pool of network addresses POOL_IP_CPE allocated to the equipment 10), and finally the TYP_HASH parameter indicating how the HASH_CPE digest is calculated.
- The request DCC to create a certificate can also include a domain name, for example "CNT.example.com", with which the certificate is intended to be associated.
- The configuration server transmits the request DCC to create a certificate to the certificate creation module 12.
- Upon receipt of the request to create a certificate associated with the equipment 10, the certificate creation module 12 generates, during a step E6, a certificate CERT_CPE associated with the equipment 10 from the information included in the creation request DCC.
- Such a certificate CERT_CPE corresponds to a network address allocated to the equipment 10.
- The certificate creation module 12 creates as many certificates CERT_CPE associated with the equipment 10 as the latter has network addresses.
- Alternatively, the certificate creation module 12 creates a single certificate CERT_CPE associated with the equipment 10, which applies to the pool of network addresses POOL_IP_CPE allocated to the equipment 10.
- Such a certificate CERT_CPE includes the values of the physical address of the equipment 10 and of one or more network addresses chosen during step E3 by the equipment 10, in fields of the certificate CERT_CPE such as the Common Name (CN) or Subject Alternative Name (SAN) fields, for example.
- The certificate creation module 12 also generates a certification token CNT (Certificate Network Token) corresponding to the certificate CERT_CPE associated with the connectivity of the equipment 10 to the network of the configuration server 11.
- A certification token CNT is a compact form of the certificate CERT_CPE associated with the equipment 10. More particularly, this certification token CNT comprises information relating to the HASH_CPE digest of the physical address of the equipment 10, to the HASH_CERT_CPE digest of the certificate CERT_CPE associated with the equipment 10, and an identifier CN_CM of the certificate creation module 12.
- This certification token CNT will be used by the equipment 10 in all situations where the latter must provide authentication material to access a service.
- This certification token CNT being a compact form of the certificate CERT_CPE associated with the equipment 10, it can be introduced into numerous existing messages without increasing their payload in a detrimental manner.
- Thus, the implementation of the solution that is the subject of the present patent application does not introduce too heavy a load into a communication network.
- The certificate creation module 12 transmits, to the domain name server 13, an association request DAss to associate the certificate CERT_CPE thus generated for the equipment 10 with the domain name "CNT.example.com" with which the certificate CERT_CPE is intended to be associated.
- Such an association request DAss comprises: the certificate CERT_CPE associated with the equipment 10, the corresponding certification token CNT, a digest HASH_CNT of the certification token CNT and a parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated.
- The parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated may include a public key of the certificate creation module 12.
- The domain name server 12 can, if it wishes, verify the identity of the configuration server 11 by requesting a certificate corresponding to the configuration server 11 from the certificate creation module 12. Such a step is not shown in [Fig. 3].
- The domain name server 12 saves all of the information included in the association request DAss in a table and associates it with the domain name "CNT.example.com".
- The domain name server 12 informs the certificate creation module 12 of this in a step E9.
- The certificate creation module 12 informs the configuration server 11 of the creation of the certificate CERT_CPE associated with the equipment 10 in a step E10.
- To this end, the certificate creation module 12 transmits to the configuration server 11 a message MSG1 comprising the corresponding certification token CNT, the digest HASH_CNT of the certification token CNT and the parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated.
- The configuration server 11 sends, in a step E11, a network address assignment acknowledgment message DHCP Ack.
- In this DHCP Ack message intended for the equipment 10, the configuration server 11 adds the corresponding certification token CNT, the digest HASH_CNT of the certification token CNT and the parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated.
- The equipment 10 thus has a certification token CNT, which will be used by the equipment 10 in all situations where the latter must provide authentication material to access a service.
- The equipment 10 is not in possession of its certificate CERT_CPE and does not know the domain name "CNT.example.com" associated with its certificate CERT_CPE. These two pieces of information are only stored in the domain name server 12.
- When, in a step E12, the equipment 10 sends a DHCP Request 2 message requesting the extension of the allocation of its network address to the configuration server 11, it adds, in an existing field of this DHCP Request 2 message, the corresponding certification token CNT, the digest HASH_CNT of the certification token CNT and the parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated.
- On receipt of the DHCP Request 2 message, in a step E13, the configuration server 11 processes the information relating to the renewal of the allocation of network addresses in the conventional manner. During the processing of this DHCP Request 2 message, on detecting the presence of parameters relating to maintaining the certificate CERT_CPE in force in a field of the DHCP Request 2 message, that is to say the token CNT, the digest HASH_CNT or the parameter TYP_HASH_CNT, the configuration server 11 extracts this information and generates a request DMV to maintain the certificate CERT_CPE in force.
- The request DMV to maintain the certificate CERT_CPE in force includes: the certification token CNT, the digest HASH_CNT of the certification token CNT, the parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated, possibly information relating to a deadline for processing the request DMV, and the certificate CERT_DHCP of the configuration server 11.
- The configuration server transmits the request DMV to maintain the certificate CERT_CPE in force to the certificate creation module 12.
- The certificate creation module 12 verifies the identity of the configuration server 11 from the certificate CERT_DHCP of the configuration server 11, and verifies the authenticity of the certification token CNT from the digest HASH_CNT of the certification token CNT and the parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated.
- The certificate creation module 12 transmits to the domain name server 13, in a step E16, a request to extend the association of the certificate CERT_CPE corresponding to the certification token CNT with the domain name "CNT.example.com".
- Such an extension request includes: the certificate CERT_CPE, the certification token CNT, the digest HASH_CNT of the certification token CNT and the parameter TYP_HASH_CNT indicating how the digest HASH_CNT is calculated.
- The domain name server 13 extends the association of the certificate CERT_CPE corresponding to the certification token CNT with the domain name "CNT.example.com".
- A confirmation message that the certificate CERT_CPE remains in force is transmitted in cascade from the domain name server 13 through the certificate creation module 12, then from the configuration server 11 to the equipment 10.
- [Fig. 4] represents the sequence of steps of the methods which are the subject of the present invention.
- a step G1 the equipment 10 wishing to establish a connection with the server of a service provider 14 transmits to the latter a Hello TLS client message.
- the equipment 10 adds the certification token CNT, the digest HASH_CNT of the certification token CNT and the parameter TYP_HASH_CNT, which indicates how the digest HASH_CNT is calculated.
- the certification token CNT can be transported by any secure exchange protocol such as the QUIC protocol, in a field of any application protocol such as HTTP carried over any combination of protocols guaranteeing the integrity of the exchange, but also in an In-situ OAM (IOAM) field as described in https://datatracker.ietf.org/doc/html/draft-ietf-ippm-ioam-data-17.txt.
- the server of a service provider 14 obtains the public key KEY_PUB_CM from the certificate creation module 12.
- the public key KEY_PUB_CM is for example a public field of the X.509 certificate of the certificate creation module 12, obtained after step G1 or beforehand, for example through a secure tunnel established between the server of a service provider 14 and the certificate creation module 12.
- the server of a service provider 14 proceeds, in a step G3, to verify the authenticity of the certification token CNT by means of the public key KEY_PUB_CM of the certificate creation module 12, the digest HASH_CNT of the certification token CNT and the information TYP_HASH_CNT on how the digest HASH_CNT is calculated.
- the server of a service provider 14 requests, in a step G4, the domain name server 13 to provide it with the certificate CERT_CPE associated with the certification token CNT that it has just verified. For this, the server of a service provider 14 sends a DNS Query type message comprising, in an existing field, the certification token CNT.
- the domain name server 13 returns the certificate CERT_CPE corresponding to the certification token CNT received.
- the server of a service provider 14 then verifies that the certificate CERT_CPE corresponds to the network address(es) provided in the TLS Client Hello message, such a certificate CERT_CPE being issued for one or more network addresses.
- the server of a service provider 14 sends a Server Hello message to the equipment 10, thus finalizing, in a step G6, the establishment of the connection between the latter and the server of a service provider 14.
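The server-side checks of steps G3 to G6 above, as an added worked example that is not part of the patent nor of any implementation by its applicant. It is written in Go against the standard library only and makes several assumptions the text does not state: the certification token CNT is modelled as an opaque payload followed by an Ed25519 signature of that payload by the certificate creation module 12; HASH_CNT is SHA-256 over the whole of CNT and TYP_HASH_CNT names that algorithm; the domain name server 13 is replaced by an in-memory map from the hex-encoded HASH_CNT to the DER encoding of CERT_CPE; CERT_CPE carries the equipment's address as an IP subject alternative name; and all keys, certificates, addresses and token bytes are constructed in `Fixture`. The check that CERT_CPE is itself issued by the certificate creation module, and the refusal to honour a TYP_HASH_CNT value the server does not support, are added safeguards rather than steps the text describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"net"
	"time"
)

// TokenHello holds what equipment 10 adds to its Client Hello. Assumed layout for this
// example: CNT = opaque payload || Ed25519 signature by the certificate creation module.
type TokenHello struct {
	CNT         []byte   // certification token
	HashCNT     []byte   // HASH_CNT, digest of CNT
	TypHashCNT  string   // TYP_HASH_CNT, how HASH_CNT was computed
	ClientAddrs []net.IP // network address(es) announced in the Client Hello
}

// Handle is service provider server 14 processing one Client Hello: G3 token check, G4
// certificate fetch, G5 address check, then the Server Hello of G6. cmCert is the CM's X.509
// certificate (KEY_PUB_CM is read from it); dns stands in for domain name server 13.
func Handle(cmCert *x509.Certificate, dns map[string][]byte, h TokenHello) (string, error) {
	// G3: recompute HASH_CNT with the digest the server supports; TYP_HASH_CNT is checked, not obeyed.
	sum := sha256.Sum256(h.CNT)
	if h.TypHashCNT != "sha256" || string(sum[:]) != string(h.HashCNT) {
		return "", errors.New("TYP_HASH_CNT unsupported or HASH_CNT does not match CNT")
	}
	n := len(h.CNT) - ed25519.SignatureSize
	pubCM, ok := cmCert.PublicKey.(ed25519.PublicKey)
	if !ok || n <= 0 || !ed25519.Verify(pubCM, h.CNT[:n], h.CNT[n:]) {
		return "", errors.New("CNT not signed by the certificate creation module")
	}
	// G4: the DNS query carries the token; an absent entry yields nil, which fails to parse.
	cert, err := x509.ParseCertificate(dns[hex.EncodeToString(h.HashCNT)])
	if err != nil {
		return "", errors.New("no valid CERT_CPE for this token: " + err.Error())
	}
	if err := cert.CheckSignatureFrom(cmCert); err != nil { // added safeguard: CERT_CPE must come from the CM
		return "", err
	}
	for _, a := range h.ClientAddrs { // G5: every announced address must be an IP SAN of CERT_CPE
		covered := false
		for _, ip := range cert.IPAddresses {
			covered = covered || ip.Equal(a)
		}
		if !covered {
			return "", errors.New("address " + a.String() + " not covered by CERT_CPE")
		}
	}
	return "ServerHello", nil // G6
}

// must aborts fixture construction on error; it is not part of the verification path.
func must(der []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return der
}

// Fixture builds the CM key pair and certificate, a CERT_CPE carrying the equipment's address as an IP SAN, and the equipment's token; all values are constructed.
func Fixture() (*x509.Certificate, map[string][]byte, TokenHello) {
	pubCM, privCM, _ := ed25519.GenerateKey(rand.Reader)
	pubCPE, _, _ := ed25519.GenerateKey(rand.Reader)
	addrs := []net.IP{net.ParseIP("192.0.2.10")}
	cm := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "module 12"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	cmCert, _ := x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, cm, cm, pubCM, privCM)))
	cpe := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "equipment 10"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IPAddresses: addrs}
	cpeDER := must(x509.CreateCertificate(rand.Reader, cpe, cmCert, pubCPE, privCM))
	payload := []byte("CNT:equipment-10:0001") // opaque token payload, constructed
	cnt := append(append([]byte{}, payload...), ed25519.Sign(privCM, payload)...)
	sum := sha256.Sum256(cnt)
	dns := map[string][]byte{hex.EncodeToString(sum[:]): cpeDER}
	return cmCert, dns, TokenHello{CNT: cnt, HashCNT: sum[:], TypHashCNT: "sha256", ClientAddrs: addrs}
}

// Demo runs the honest handshake and three tampering attempts; each result is true when the server behaved correctly.
func Demo() (honest, weakHash, forgedToken, wrongAddr bool) {
	cmCert, dns, h := Fixture()
	rejects := func(x TokenHello) bool { _, e := Handle(cmCert, dns, x); return e != nil }
	honest = !rejects(h)
	weakHash = rejects(TokenHello{h.CNT, h.HashCNT, "md5", h.ClientAddrs}) // client must not steer the digest
	b := h
	b.CNT = append([]byte("CNT:attacker-00:0001"), h.CNT[len(h.CNT)-ed25519.SignatureSize:]...)
	sum := sha256.Sum256(b.CNT)
	b.HashCNT = sum[:] // digest is consistent, but the CM's signature covers another payload
	forgedToken = rejects(b)
	wrongAddr = rejects(TokenHello{h.CNT, h.HashCNT, h.TypHashCNT, []net.IP{net.ParseIP("198.51.100.7")}}) // genuine token replayed from elsewhere
	return
}
```

`Demo` exercises the honest handshake and three tampering attempts (a client-chosen digest the server does not support, a token whose payload was replaced and whose digest was recomputed to match, and a genuine token presented from an address that CERT_CPE does not cover); only the honest one reaches the Server Hello. The order of the checks matters: the digest is recomputed and compared before anything is parsed, the signature is verified before the DNS query is made, and the certificate is parsed and attributed to the certificate creation module before its addresses are trusted.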
- FIG. 5 represents an item of equipment 10 capable of implementing the method for authenticated establishment of a connection between an item of equipment connected to at least one communication network and a server of a service provider which is the subject of the present invention.
- a piece of equipment 10 can comprise at least one hardware processor 501, one storage unit 502, one interface 503, and at least one network interface 504 which are connected together through a bus 505.
- the processor 501 controls the operations of the equipment 10.
- the storage unit 502 stores at least one program for the implementation of the various methods which are the subject of the invention to be executed by the processor 501, and various data, such as parameters used for calculations performed by the processor 501, intermediate data of calculations performed by the processor 501, etc.
- Processor 501 may be any known and suitable hardware or software, or a combination of hardware and software.
- the processor 501 can be formed by dedicated hardware such as a processing circuit, or by a programmable processing unit such as a Central Processing Unit which executes a program stored in its memory.
- Storage unit 502 may be formed by any suitable means capable of storing the program or programs and data in a computer readable manner. Examples of storage unit 502 include non-transitory computer-readable storage media such as semiconductor memory devices, and magnetic, optical, or magneto-optical recording media loaded into a read and write unit.
- Interface 503 provides an interface between equipment 10 and a network address configuration server.
- the network interface 504 for its part provides a connection between the equipment 10 and at least one server of a service provider with which it wishes to establish a connection in an authenticated manner.
- FIG. 6 represents a configuration server 11 capable of implementing the various methods which are the subject of the present invention.
- a configuration server 11 can comprise at least one hardware processor 601, one storage unit 602, one interface 603, and at least one network interface 604 which are connected to each other through a bus 605.
- the configuration server further comprises a certificate creation module 12.
- the constituent elements of the configuration server 11 can be connected by means of a connection other than a bus.
- the processor 601 controls the operations of the configuration server 11.
- the storage unit 602 stores at least one program for the implementation of the various methods which are the subject of the invention to be executed by the processor 601, and various data, such as parameters used for calculations performed by the processor 601, intermediate data of calculations performed by the processor 601, etc.
- Processor 601 may be any known and suitable hardware or software, or a combination of hardware and software.
- the processor 601 can be formed by dedicated hardware such as a processing circuit, or by a programmable processing unit such as a Central Processing Unit which executes a program stored in its memory.
- Storage unit 602 may be formed by any suitable means capable of storing the program or programs and data in a computer readable manner. Examples of storage unit 602 include non-transitory computer-readable storage media such as semiconductor memory devices, and magnetic, optical, or magneto-optical recording media loaded into a read and write unit.
- Interface 603 provides an interface between the configuration server 11 and at least one item of equipment 10 wishing to connect to a communication network.
- the network interface 604 provides a connection between the configuration server 11 and a domain name server.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/577,490 US20240275776A1 (en) | 2021-07-09 | 2022-07-08 | Method for the authenticated establishment of a connection between an equipment connected to at least one communication network and a server of a service provider, and corresponding devices |
EP22754900.3A EP4367831A1 (fr) | 2021-07-09 | 2022-07-08 | Procede d'etablissement authentifie d'une connexion entre un equipement raccorde a au moins un reseau de communication et un serveur d'un fournisseur de services et dispositifs correspondants |
CN202280048378.1A CN117643014A (zh) | 2021-07-09 | 2022-07-08 | 用于在连接到至少一个通信网络的装备和服务提供商的服务器之间的连接的认证建立的方法、以及相应的设备 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR2107523A FR3125191A1 (fr) | 2021-07-09 | 2021-07-09 | Procédé d’établissement authentifié d’une connexion entre un équipement raccordé à au moins un réseau de communication et un serveur d’un fournisseur de services et dispositifs correspondants. |
FRFR2107523 | 2021-07-09 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023281231A1 (fr) | 2023-01-12 |
Family
ID=78649352
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2022/051376 WO2023281231A1 (fr) | 2021-07-09 | 2022-07-08 | Procede d'etablissement authentifie d'une connexion entre un equipement raccorde a au moins un reseau de communication et un serveur d'un fournisseur de services et dispositifs correspondants |
Country Status (5)
Country | Link |
---|---|
US (1) | US20240275776A1 (fr) |
EP (1) | EP4367831A1 (fr) |
CN (1) | CN117643014A (fr) |
FR (1) | FR3125191A1 (fr) |
WO (1) | WO2023281231A1 (fr) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6823454B1 (en) * | 1999-11-08 | 2004-11-23 | International Business Machines Corporation | Using device certificates to authenticate servers before automatic address assignment |
US20210144517A1 (en) * | 2019-04-30 | 2021-05-13 | Intel Corporation | Multi-entity resource, security, and service management in edge computing deployments |
- 2021-07-09 FR FR2107523A patent/FR3125191A1/fr not_active Withdrawn
- 2022-07-08 WO PCT/FR2022/051376 patent/WO2023281231A1/fr active Application Filing
- 2022-07-08 CN CN202280048378.1A patent/CN117643014A/zh active Pending
- 2022-07-08 EP EP22754900.3A patent/EP4367831A1/fr active Pending
- 2022-07-08 US US18/577,490 patent/US20240275776A1/en active Pending
Non-Patent Citations (1)
Title |
---|
YVES IGOR JERSCHOW ET AL: "CLL: A Cryptographic Link Layer for Local Area Networks", 10 September 2008, SECURITY AND CRYPTOGRAPHY FOR NETWORKS; [LECTURE NOTES IN COMPUTER SCIENCE], SPRINGER BERLIN HEIDELBERG, BERLIN, HEIDELBERG, PAGE(S) 21 - 38, ISBN: 978-3-540-85854-6, XP019104387 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR3145253A1 (fr) * | 2023-01-25 | 2024-07-26 | Orange | Procédé de révocation d’un jeton de certification permettant d’authentifier l’établissement d’une connexion entre deux équipements de communication, dispositifs et programmes d’ordinateur correspondants |
WO2024156613A1 (fr) * | 2023-01-25 | 2024-08-02 | Orange | Procédé de révocation d'un jeton de certification permettant d'authentifier l'établissement d'une connexion entre deux équipements de communication, dispositifs et programmes d'ordinateur correspondants |
Also Published As
Publication number | Publication date |
---|---|
EP4367831A1 (fr) | 2024-05-15 |
US20240275776A1 (en) | 2024-08-15 |
CN117643014A (zh) | 2024-03-01 |
FR3125191A1 (fr) | 2023-01-13 |
Similar Documents
Publication | Title |
---|---|
US9912644B2 (en) | System and method to communicate sensitive information via one or more untrusted intermediate nodes with resilience to disconnected network topology |
US7127613B2 (en) | Secured peer-to-peer network data exchange |
WO2019178942A1 (fr) | Procédé et système d'exécution de négociation ssl |
FR2847752A1 (fr) | Methode et systeme pour gerer l'echange de fichiers joints a des courriers electroniques |
EP3568966B1 (fr) | Procédés et dispositifs de délégation de diffusion de contenus chiffrés |
EP3568989A1 (fr) | Procédés et dispositifs de vérification de la validité d'une délégation de diffusion de contenus chiffrés |
WO2023281231A1 (fr) | Procede d'etablissement authentifie d'une connexion entre un equipement raccorde a au moins un reseau de communication et un serveur d'un fournisseur de services et dispositifs correspondants |
CA3100170C (fr) | Procede de securisation de flux de donnees entre un equipement de communication et un terminal distant, equipement mettant en oeuvre le procede |
CN117640765A (zh) | 云环境服务访问方法及系统 |
EP3824676A1 (fr) | Dispositifs et procedes de gestion d'un attachement d'un dispositif de communication a un reseau d'un operateur |
US11888898B2 (en) | Network configuration security using encrypted transport |
WO2024156613A1 (fr) | Procédé de révocation d'un jeton de certification permettant d'authentifier l'établissement d'une connexion entre deux équipements de communication, dispositifs et programmes d'ordinateur correspondants |
WO2023247459A1 (fr) | Procédé de suspension d'un jeton de certification permettant d'authentifier l'établissement d'une connexion entre deux équipements de communication, dispositifs et programmes d'ordinateur correspondants |
EP3149902B1 (fr) | Technique d'obtention d'une politique de routage de requêtes émises par un module logiciel s'exécutant sur un dispositif client |
EP3991380A1 (fr) | Procedes et dispositifs de securisation d'un reseau de peripherie a acces multiple |
FR2975518A1 (fr) | Procede de securisation d'une architecture d'authentification, dispositifs materiels et logiciels correspondants |
WO2023066708A1 (fr) | Procédé d'établissement d'un jeton de certification d'une instanciation d'une grappe de nœuds |
WO2021191536A1 (fr) | Délégation d'une fonction de résolution d'identifiants de nommage |
WO2024083694A1 (fr) | Procédé de traitement d'une requête en résolution d'au moins un identifiant de nommage, dispositif et programme d'ordinateur correspondants |
WO2023232888A1 (fr) | Infrastructure de sécurité; procédé et produit programme d'ordinateur associés |
FR3093882A1 (fr) | Procédé de configuration d'un objet communicant dans un réseau de communication, terminal utilisateur, procédé de connexion d'un objet communicant au réseau, équipement d'accès et programmes d'ordinateur correspondants. |
FR3110802A1 (fr) | Procédé de contrôle de l'attribution d'une adresse IP à un équipement client dans un réseau de communication local, procédé de traitement d'une requête d'attribution d'une adresse IP à un équipement client dans un réseau de communication local, dispositifs, équipement d'accès, équipement serveur et programmes d'ordinateur correspondants. |
WO2006056687A2 (fr) | Procede d'authentification de la decouverte de voisinage de l'environnement reseau ip d'un terminal candidat a un acces reseau |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22754900 Country of ref document: EP Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 202280048378.1 Country of ref document: CN Ref document number: 18577490 Country of ref document: US |
WWE | Wipo information: entry into national phase | Ref document number: 2022754900 Country of ref document: EP |
NENP | Non-entry into the national phase | Ref country code: DE |
ENP | Entry into the national phase | Ref document number: 2022754900 Country of ref document: EP Effective date: 20240209 |