{"search_session":{},"preferences":{"l":"ar","queryLanguage":"ar"},"patentId":"130-332-842-654-698","frontPageModel":{"patentViewModel":{"ref":{"entityRefId":"130-332-842-654-698","entityRefType":"PATENT"},"entityMetadata":{"linkedIds":{"empty":true},"tags":[],"collections":[{"id":11844,"type":"PATENT","title":"University of Kansas Patent Portfolio","description":"","access":"OPEN_ACCESS","displayAvatar":true,"attested":false,"itemCount":8584,"tags":[],"user":{"id":91044780,"username":"Cambialens","firstName":"","lastName":"","created":"2015-05-04T00:55:26.000Z","displayName":"Cambialens","preferences":"{\"usage\":\"public\",\"beta\":false}","accountType":"PERSONAL","isOauthOnly":false},"notes":[{"id":8456,"type":"COLLECTION","user":{"id":91044780,"username":"Cambialens","firstName":"","lastName":"","created":"2015-05-04T00:55:26.000Z","displayName":"Cambialens","preferences":"{\"usage\":\"public\",\"beta\":false}","accountType":"PERSONAL","isOauthOnly":false},"text":"
Search Applicants and Owners separately: univ* AND Kansas. Select more for logical variants. Add to collection. Select all patents in the collection and expand by simple families. Add to collection. Total patents: 1781
a. a plurality of security plugs, wherein at least one security plug is configured as an Ethernet based and application protocol-independent device for providing broadcast communication security between a set of automation components including at least one field device attached to the at least one field network of the automation network; and\n
b. a session key server for distributing a session key to each security plug to communicate securely with each device in the set of automation components during a communication session;\n
wherein a first security plug from the plurality of security plugs is identified as a master key server by remaining security plugs of the plurality of security plugs, and the first security plug is configured to generate and manage session keys across the plurality of security plugs,\n
wherein the first security plug is selected, upon network boot-up, from the plurality of security plugs by executing a protocol among the plurality of security plugs for selecting the first security plug as the master key server by the plurality of security plugs, and\n
wherein a second security plug can be selected, upon failure of the first security plug, from the plurality of security plugs by executing a protocol among the plurality of security plugs for selecting the second security plug as the master key server by the plurality of security plugs."],"number":1,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1, wherein each security plug is deployed via at least one of:\n
a. an internal mode, where the at least one security plug is internal to an automation component such that a serial connection exists across the at least one security plug, which is integral to the automation component, and the automation network;\n
b. an external mode, where the at least one security plug is placed in series between the automation component and the automation network; and\n
c. a hybrid mode, which is a combination of the internal and external modes."],"number":2,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1, wherein the session key server is placed one of internal and external to the at least one security plug."],"number":3,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1, wherein the at least one security plug is configured to establish the session keys and configured to initialize bootstrap information to other security plugs using one of:\n
a. a mode of bootstrap, wherein at least one of (a) a separate communication channel and (b) an integrated communication channel is used to bootstrap devices of the automation network; and\n
b. a time of bootstrap, wherein at least one of (a) the session keys are configured at a time of manufacture of the security plugs, and (b) the keys are configured during installation or commissioning of the security plugs."],"number":4,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1,\n
wherein the at least one security plug is configured for broadcast-key establishment and broadcast data-security."],"number":5,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 5, wherein the at least one security plug configured for broadcast-key establishment comprises:\n
a confidentiality and integrity mechanism."],"number":6,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 5, wherein the at least one security plug configured for broadcast-key establishment provides for secure communication in at least one of a unicast, multicast and broadcast communication."],"number":7,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1, wherein the at least one security plug is configured to perform at least two phases of operation including:\n
a. broadcast secret key establishment wherein:\n\ni. the session key server sends and receives messages related to identification of one of plural servers as a master key server;\nii. the master key server generates and establishes at least one of the session keys among the plural security plugs;\niii. a broadcast key establishment module uses confidentiality and integrity modules to send key establishment messages to the plural security plugs, where a key management module loads long term master keys associated with the integrity and confidentiality modules to the broadcast key establishment module such that the confidentiality and the integrity modules communicate with a flow management module via the broadcast key establishment module;\niv. the key management module is updated with master keys and initialization vectors;\nv. each session key is loaded on to the integrity and confidentiality modules by the broadcast key establishment module;\nvi. security plugs receive messages from the master key server and apply cryptographic processing that is a reverse or identical operation to cryptographic processing performed at the master key server and verify security of the sender; and\nvii. upon receiving an activation signal from the master key server, session keys are loaded on the confidentiality and the integrity modules, and updated in the key management module; and\n
b. secure communication wherein messages received from a controller are processed by the confidentiality and integrity modules directly."],"number":8,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1, wherein each security plug includes field programmable gate arrays."],"number":9,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1, wherein each security plug includes application specific integrated circuits."],"number":10,"annotation":false,"claim":true,"title":false},{"lines":["The system of claim 1, comprising: a combination of wired and wireless technology, and plural automation components each configured as at least one of an industrial controller, a field device, a connectivity server, an operator workstation and an engineering station."],"number":11,"annotation":false,"claim":true,"title":false},{"lines":["A device for providing real-time, secure communication in an automation network including at least one field network and having plural automation components including at least one field device connected to the field network, the device for providing real-time, secure communication comprising:\n
a processor configured to execute:\n
a. security logic modules that provide dynamic formation of a group of automation components for communicating on the automation network, each security logic module including:\n\ni. a key management module;\nii. a broadcast key establishment module for sending and receiving messages related to identification of one of plural automation components as a master key server by the plural automation components, upon network boot-up, and for sending and receiving messages related to identification of a second automation component from the plural automation components, upon failure of the one automation component;\niii. a confidentiality module; and\niv. an integrity module;\n
b. Ethernet communication logic that enables the management of session keys between the group of automation components on the automation network, the Ethernet communication logic including:\n\ni. security bootstrap communication logic; and\nii. communication logic; and\n
c. a session key-server module for initializing and managing session keys across the plurality of automation components, when the processor is selected as the master key server by the plural automation components."],"number":12,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the processor is configured to execute a flow management module for data flow and operational control, and for controlling and interfacing the security logic modules with each other."],"number":13,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the security logic modules and Ethernet communication logic are housed in a unified hardware substrate."],"number":14,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein components of the security logic modules are housed in a unified hardware substrate."],"number":15,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12 wherein:\n
a. the key management module stores security bootstrap information from the security bootstrap communication logic and includes interfaces for remaining security logic modules to retrieve security bootstrap information;\n
b. the broadcast key establishment module uses long-term security bootstrap information to generate and distribute short-term session broadcast-keys using the security communication logic, the confidentiality module, the integrity module, and a flow management module;\n
c. the confidentiality module provides interfaces for encrypting and decrypting data by the broadcast key establishment module and the flow management module;\n
d. the integrity module provides interfaces for generating and verifying security checksums for data by the broadcast key establishment module and the flow management module;\n
e. the flow management module provides data flow and operational control for the remaining security logic modules;\n
f. the security bootstrap communication logic provides a communication channel for the key management module to manage key operations; and\n
g. the security bootstrap communication logic provides data interfaces for the flow management module to interact with a physical medium."],"number":16,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the security bootstrap communication logic includes at least one of a near-field communication and a physically protected communication channel, the physically protected communication channel having a physical wire."],"number":17,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the security bootstrap communication logic interacts with at least one of internet protocol (IP), Ethernet, Wireless Local Area Network (LAN), Foundation Fieldbus, and Modbus."],"number":18,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the confidentiality module performs a block cipher which includes at least one of Advanced Encryption Standard (AES), Triple Data Encryption Algorithm applying the Data Encryption Standard, Data Encryption Standard and Blowfish."],"number":19,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the integrity module implements a hash function including at least one of MD5, SHA1 and SHA2, and a message authentication code of at least one of Keyed-Hash Message Authentication Code (HMAC or NMAC), Cipher-based Message Authentication Code (CMAC), Universal Hashing based Message Authentication Code (UMAC), and Cipher Block Chaining Message Authentication Code (CBC-MAC)."],"number":20,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the integrity and confidentiality modules are implemented using authenticated encryption including at least one of Galois/Counter Mode (GCM), a nonce-based Authenticated Encryption with Associated Data (EAX) mode, an offset codebook mode (OCB) mode, and a Counter with Cipher Block chaining Message Authentication Code (CCM) mode."],"number":21,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the processor is configured to operate in two phases, which include:\n
a. broadcast secret key establishment wherein:\n\ni. a session key server including the session key-server module sends and receives messages related to identification of one of plural servers as the master key server;\nii. the master key server generates and establishes a session key among plural security plugs;\niii. a broadcast key establishment module uses the confidentiality and integrity modules to send key establishment messages to the plural security plugs, where the key management module loads long term keys for the integrity and confidentiality modules to the broadcast key establishment module such that the confidentiality and the integrity modules communicate with a flow management module via the broadcast key establishment module;\niv. the key management module is updated with master keys and initialization vectors;\nv. each session key is loaded on to the integrity and confidentiality modules by the broadcast key establishment module;\nvi. the security plugs receive messages from the master key server and apply cryptographic processing identical to that of the master key server and verify security of the sender;\nvii. upon receiving an activation signal from the master key server, session keys are loaded on the confidentiality and the integrity modules, and updated in the key management module; and\n
b. secure communication wherein messages received from a controller are processed by the confidentiality and integrity modules directly."],"number":22,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the security logic modules support secure communication using at least one of unicast, multicast and broadcast communication."],"number":23,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, in combination with an automation network having plural automation components, each automation component comprising at least one of:\n
a connectivity server, an operator workstation, and an engineering station, wherein at least one of the connectivity server, the operator workstation, and the engineering station are connected by a control network for interacting with plural controllers, field devices and intelligent electronic devices."],"number":24,"annotation":false,"claim":true,"title":false},{"lines":["The device of claim 12, wherein the Ethernet communication logic selects at least one automation component from the group of automation components to generate, initialize, and manage session keys across the group of automation components."],"number":25,"annotation":false,"claim":true,"title":false},{"lines":["A method for real-time, secure communication in an automation network including at least one field network and having plural automation components including at least one field device integrally coupled with (a) at least one security plug and (b) at least one session key server, the method comprising:\n
bootstrapping the at least one security plug, wherein the bootstrapping includes:\n
i. secret key establishment for dynamic formation of a group of automation components to communicate on the automation network by sending and receiving messages at a session key server module related to selection of a first security plug present in the automation network as a master server, and designating remaining security plugs as slaves for receiving messages from the master server wherein if the at least one security plug includes a plurality of security plugs, the first security plug is selected from the plurality of security plugs by executing a protocol among the plurality of security plugs for selecting the first security plug as the master key server by the plurality of security plugs, upon network boot-up; and\n
ii. secure communication between the automation components wherein messages received from a controller are directly processed by confidentiality and integrity modules of the at least one security plug."],"number":26,"annotation":false,"claim":true,"title":false},{"lines":["The method of claim 26, wherein the bootstrapping is configured to select between:\n
i. a mode of bootstrap, wherein at least one of (a) a separate communication channel and (b) an integrated communication channel is used to bootstrap devices of the automation network; and\n
ii. a time of bootstrap, wherein master keys are configured during at least one of (a) a manufacture, and (b) installation or commissioning of the at least one security plug and the at least one session key server."],"number":27,"annotation":false,"claim":true,"title":false},{"lines":["The method of claim 26, wherein the secret key establishment comprises:\n
i. sending and receiving messages at the session key server module related to election of a first session key server of the at least one session key server present in the automation network as a master server;\n
ii. generating and establishing a session key among all security plugs;\n
iii. sending key establishment messages to all security plugs in the automation network, where a key management module loads long term keys associated with integrity and confidentiality modules on to a broadcast key establishment module such that the confidentiality and the integrity modules communicate with a flow management module via the broadcast key establishment module;\n
iv. updating the key management module with master keys and initialization vectors;\n
v. loading the session key to the integrity and confidentiality modules by the broadcast key establishment module;\n
vi. designating remaining security plugs as slaves for receiving messages from the master server, and for applying cryptographic processing of the master server, and for verifying security of a sender; and\n
vii. upon receiving an activation signal from the master server, loading session keys on the confidentiality and the integrity modules, and updating the session keys in the key management module."],"number":28,"annotation":false,"claim":true,"title":false},{"lines":["The method of claim 26, comprising: performing secure communication using at least one of unicast, multicast and broadcast communication."],"number":29,"annotation":false,"claim":true,"title":false},{"lines":["The method of claim 26, wherein the at least one security plug is configured to generate, initialize, and manage session keys for other security plugs in the automation network."],"number":30,"annotation":false,"claim":true,"title":false}]}},"filters":{"npl":[],"notNpl":[],"applicant":[],"notApplicant":[],"inventor":[],"notInventor":[],"owner":[],"notOwner":[],"tags":[],"dates":[],"types":[],"notTypes":[],"j":[],"notJ":[],"fj":[],"notFj":[],"classIpcr":[],"notClassIpcr":[],"classNat":[],"notClassNat":[],"classCpc":[],"notClassCpc":[],"so":[],"notSo":[],"sat":[]},"sequenceFilters":{"s":"SEQIDNO","d":"ASCENDING","p":0,"n":10,"sp":[],"si":[],"len":[],"t":[],"loc":[]}}
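The claims above (claims 1, 8, 22 and 28 in particular) describe a two-phase protocol: the security plugs elect a master key server at boot-up, the master distributes a session key in key-establishment messages protected by the long-term bootstrap keys held in the key management module, an activation signal switches every plug's confidentiality and integrity modules to the new key, and on failure of the master a second plug is elected and the round repeats. The simulation below is an added example written for this page; it is not code from the patent, its inventors or assignee. The election rule (lowest live plug id wins), the message layouts, the epoch counter that rejects stale rounds, and the use of HMAC-SHA256 in counter mode as a stand-in for the AES confidentiality module (so the example runs on the Python standard library alone) are all assumptions; the claims only say "a protocol" is executed and list AES, HMAC and GCM/CCM among the admissible primitives.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

NONCE_LEN = 12  # assumption: 96-bit random per-message nonce
TAG_LEN = 32    # HMAC-SHA256 tag

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the AES confidentiality module.
    The leading 0x00 byte domain-separates it from the 0x01-prefixed integrity tag."""
    blocks = [hmac.new(key, b"\x00" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag; the tag covers aad, nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"\x01" + aad + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Integrity module first (constant-time tag check), then the confidentiality module."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, b"\x01" + aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: tampered, forged, wrong-context or wrong-key message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class SecurityPlug:
    plug_id: int
    master_key: bytes                    # long-term key loaded at commissioning (bootstrap)
    alive: bool = True
    epoch: int = 0                       # key-establishment round; each election raises it
    pending: Optional[bytes] = None      # session key received but not yet activated
    session_key: Optional[bytes] = None  # key the secure-communication phase uses

    def on_key_establishment(self, sender_id: int, epoch: int, msg: bytes) -> bool:
        """Reverse of the master's processing: drop stale rounds, then authenticate the sender."""
        if epoch <= self.epoch:
            return False
        aad = b"KEYEST" + sender_id.to_bytes(2, "big") + epoch.to_bytes(4, "big")
        self.pending = unseal(self.master_key, aad, msg)  # raises on forgery
        self.epoch = epoch
        return True

    def on_activate(self, epoch: int, signal: bytes) -> bool:
        """Authenticated activation signal: load the pending key into the crypto modules."""
        if epoch != self.epoch or self.pending is None:
            return False
        unseal(self.master_key, b"ACTIVATE" + epoch.to_bytes(4, "big"), signal)
        self.session_key, self.pending = self.pending, None
        return True

def run_key_establishment(plugs: List[SecurityPlug]) -> SecurityPlug:
    """Phase (a): election, key-establishment broadcast, then the activation signal."""
    live = [p for p in plugs if p.alive]
    if not live:
        raise RuntimeError("no live security plug can act as master key server")
    master = min(live, key=lambda p: p.plug_id)  # assumed election rule: lowest live id wins
    epoch = max(p.epoch for p in plugs) + 1
    aad = b"KEYEST" + master.plug_id.to_bytes(2, "big") + epoch.to_bytes(4, "big")
    msg = seal(master.master_key, aad, secrets.token_bytes(32))
    signal = seal(master.master_key, b"ACTIVATE" + epoch.to_bytes(4, "big"), b"")
    for p in live:  # broadcast; the master processes its own copy like any other plug
        p.on_key_establishment(master.plug_id, epoch, msg)
    for p in live:
        p.on_activate(epoch, signal)
    return master

def broadcast(sender: SecurityPlug, plaintext: bytes) -> bytes:
    """Phase (b): the controller's telegram is sealed under the session key before it leaves."""
    if sender.session_key is None:
        raise RuntimeError("no active session key")
    return seal(sender.session_key, b"DATA" + sender.plug_id.to_bytes(2, "big"), plaintext)

def receive(receiver: SecurityPlug, sender_id: int, blob: bytes) -> bytes:
    if receiver.session_key is None:
        raise RuntimeError("no active session key")
    return unseal(receiver.session_key, b"DATA" + sender_id.to_bytes(2, "big"), blob)

def demo() -> dict:
    """Boot-up election, one broadcast, master failure, re-election with a fresh key."""
    bootstrap_key = secrets.token_bytes(32)  # constructed: installed at commissioning
    plugs = [SecurityPlug(i, bootstrap_key) for i in (1, 2, 3)]
    first = run_key_establishment(plugs)
    blob = broadcast(plugs[1], b"valve 7: open 40%")  # constructed sample telegram
    delivered = receive(plugs[2], 2, blob) == b"valve 7: open 40%"
    first.alive = False  # the master key server fails
    second = run_key_establishment(plugs)
    try:
        receive(plugs[2], 2, blob)  # traffic under the old key must not verify any more
        old_key_accepted = True
    except ValueError:
        old_key_accepted = False
    return {"first_master": first.plug_id, "second_master": second.plug_id,
            "delivered": delivered, "old_key_accepted": old_key_accepted}
```

`demo()` returns `first_master` 1, `second_master` 2, `delivered` True and `old_key_accepted` False. Two points the claims leave open are worth noting. First, the epoch carried in the associated data is what stops a recorded epoch-1 key-establishment message from being replayed after the failover; the claims describe verification of the sender but say nothing about replay, so that check is an addition here. Second, of the primitives claims 19 and 20 list, MD5, SHA-1, single DES and Blowfish are not choices for a new design (MD5 and SHA-1 have practical collision attacks, DES has a 56-bit key, Blowfish has a 64-bit block); a deployment today would use an AEAD mode from claim 21 such as AES-GCM or AES-CCM, which replaces the separate confidentiality and integrity modules with one primitive.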