Method And System For Setting Up A Secure Environment In Wireless Universal Plug And Play (Upnp) Networks

Abstract

The invention describes a method of setting up a secure environment in wireless Universal Plug and Play (UPnP) networks, comprising a UPnP security console and UPnP controlled devices defined in the UPnP Device Security specification, wherein the entry of information concerning the UPnP security bootstrap as required in the UPnP Device Security specification (particularly an initialization public/private key pair) into the devices is realized via a short-range key transmitter (SKT). A special user-friendly implementation of the UPnP TakeOwnership procedure renders any user interaction other than entering information from a SKT into the devices superfluous. The invention further describes a security system for wireless UPnP networks, comprising a short-range key transmitter (SKT), a security console and a controlled device as defined in the UPnP device security specification.

Description

In the drawing:

FIG. 1 shows diagrammatically a unit and a security console, as well as a controlled device in a wireless UPnP network.

The UPnP network 1 comprises a device referred to as “security console” having a UPnP security console functionality 3, as well as a new device 2, referred to as “controlled device” which is to be integrated in the network 1 by means of a portable unit 4.

The security console 2 is a UPnP device having a radio interface 23 operating in accordance with the IEEE802.11 standard, which radio interface 23 is used for transmitting useful data (music, video, general data but also control data). Additionally, the security console 2 is equipped with a receiving unit 21. The receiving unit 21 comprises a receiver 211 which is used as an interface for receiving the initialization key record 5 transmitted by the transmitter 41 of the unit 4. The receiving unit 21 comprises receiver software 212 which, after receiving the initialization key record 5 comprising a private/public key pair, stores said key pair in the storage unit 221 of the UPnP security unit 22 in which the manufacturer has already stored an “own” private/public key pair 6. Furthermore, the security unit 22 includes a procedure unit which comprises procedures of the UPnP architecture. The system unit 24 comprises, inter alia, the operating system as well as applications of the device 2.

The unit 4 is used for short-range transmission of information of the initialization key record 5. Essentially, it comprises a storage unit 42 in which the initialization key record 5 has been stored, and a transmitter 41 which is formed as a wireless interface for transmitting the key record 5. In the example of the embodiment, the transmission of the key record 5 is initiated via a key 43 on the unit 4. The transmitter 41 of the unit 4 has a short range of maximally about 10 cm.

The new device 3 to be integrated as a controlled device in the wireless network 1 is also a UPnP device equipped with a radio interface 33 operating in accordance with the IEEE802.11 standard. Additionally, the device 3 is equipped with a receiving unit 31 comprising a receiver 311 used as an interface for receiving the initialization key record 5 transmitted by the transmitter 41 of the unit 4. The receiving unit 31 also comprises receiver software 312 which, after receiving the initialization key record 5, stores this key record in the storage unit 321 of the UPnP security unit 32. Furthermore, the security unit 32 includes a procedure unit which comprises procedures of the UPnP architecture. The system unit 34 comprises, inter alia, the operating system as well as applications of the device 3.

In the UPnP network 1, a device is implemented as a security console 2. The initialization of the security console 2 which does not necessarily need to be known to the user is realized by means of the portable unit 4. After pressing the key 43, the initialization key record 5 stored in the storage unit 42 is transmitted to the receiving unit 21 of the security console 2. The key pair of the data record 5 is stored by the security console 2 in addition to an already available “own” public/private key pair 6 stored by the manufacturer.

When a new device is to be integrated as a controlled device 3 in the wireless UPnP network 1, the device 3 is initialized by means of the unit 4, with the initialization key record 5 being transmitted between the transmitter 41 and the receiver 311. After the key record 5 has been received, the device 3 stores the hash value of the public key of the key record 5 as the “initial owner” in an “owner list” in the storage unit 321 of the UPnP security unit 32. This corresponds to a “concise version” of the UPnP TakeOwnership procedure, but without any special user interaction.

Subsequently, the device 3 announces itself in the network 1 via SSDP in accordance with the UPnP standard. When the security console 2 receives the announcement from the new device 3, it gains access to the controlled device 3 via the UPnP GrantOwnership function by means of the initialization key record 5 and its own public/private key pair 6 stored by the manufacturer.

Claims

1. A method of setting up a secure environment in wireless Universal Plug and Play (UPnP) networks, in which at least one wireless UPnP device (3), referred to as “controlled device”, is integrated in a wireless UPnP network (1) comprising at least one device having a UPnP security console functionality, referred to as “security console” (2), wherein the security console (2) receives a cryptographic initialization public/private key pair (5) by means of a portable unit (4) via short-range transmission of information, said initialization public/private key pair being stored on said unit (4) and being stored by the security console (2) in addition to a previously stored own private/public key pair (6),the controlled device (3) receives the cryptographic initialization public/private key pair (5) from the portable unit (4) via short-range transmission of information, said initialization public/private key pair being stored on said unit and said controlled device storing the hash value of the public key of the initialization key pair in its owner list,the controlled device (3) subsequently announces itself in the network by means of SSDP in accordance with the UPnP standard procedures, andafter receiving the announcement from the controlled device (3), the security console (2) gains access to the controlled device by means of the initialization key pair (5) in conjunction with its own key pair (6) by activating the UPnP GrantOwnership function.

2. A method as claimed in claim 1, characterized in that, after take-over of the ownership of the controlled device (3), the UPnP security console (2) removes the initialization public/private key pair-generated entry from the owner list of the controlled device (3) by activating the UPnP RevokeOwnership function.

3. A method as claimed in claim 1, characterized in that the initialization key (5) stored on the portable unit (4) only comprises the public key of a private/public key pair, which public key is transmitted to the controlled device (3), and in that the complete key pair has already been stored in advance in the security console (2).

4. A security system for wireless UPnP networks, comprising: a controllable unit (4) with a memory (42) for storing a worldwide unambiguous key record (5) provided for short-range transmission of information of the key record (5),at least one device having a UPnP security console functionality (2) with at least one receiving unit (21) comprising a receiver (211) for receiving the key record (5), andat least one wireless UPnP device (3) with a receiving unit (31) comprising a receiver (311) for receiving the key record (5).

5. A security system as claimed in claim 4, characterized in that the key record (5) comprises an initialization public/private key pair by means of which the ownership of a controlled device (3) can be taken over by the UPnP security console (2).