CPC H04L 63/0853 (2013.01) [H04L 9/08 (2013.01); H04L 9/0819 (2013.01); H04L 9/083 (2013.01); H04L 9/085 (2013.01); H04L 9/088 (2013.01); H04L 9/0891 (2013.01); H04L 9/321 (2013.01); H04L 9/3242 (2013.01); H04L 9/3247 (2013.01); H04L 9/3268 (2013.01); H04W 12/0431 (2021.01); H04W 12/069 (2021.01); H04W 12/35 (2021.01); H04W 12/73 (2021.01)] | 25 Claims
1. A method of generating, distributing, and managing a lifecycle of a symmetric pre-shared key (PSK) used in certificate-less keyed hash message authentication code (HMAC) based content signing for tamper resistance, for use between applications executing on distributed devices including a producer application executing on a producer device, a consumer application executing respectively on a consumer device, a key distribution service (KDS), a KDS proxy, a KDS interface, a symmetric KDS member M-PSK, a M-PSK identity hint, a tenant identifier, a device group identifier associated with the tenant identifier, a member domain associated with the group identifier, an application identifier associated with the group identifier, a key record, a dynamic host configuration protocol (DHCP) server, and a domain name system (DNS) server, the method comprising:
authenticating, with the KDS, by the producer application executing on the producer device, using the tenant identifier, the symmetric KDS member PSK (M-PSK) and the M-PSK identity hint, wherein the producer device is registered by a DNS hostname on the DNS server configured with the KDS or the KDS proxy, and is configured as a first member of a device group on the KDS; and
creating, by a producer application on the KDS, a symmetric pre-shared key with an associated pre-shared key (PSK) identity hint; and
signing, by the producer application executing on the producer device, digital content using the created pre-shared key; and
generating, by the producer application executing on the producer device, an associated signature manifest with the tenant identifier, the group identifier, the digital signature, and the pre-shared key identity hint; and
sending, by the producer application executing on the producer device to the consumer application executing on the consumer device, the signed digital content and the associated signature manifest; and
authenticating, with the KDS, by the consumer application executing on the consumer device, using the tenant identifier, the symmetric KDS member PSK (M-PSK) and the M-PSK identity hint, wherein the consumer device is registered by a DNS hostname on the DNS server, configured with the KDS or the KDS proxy, and is configured as a second member of the device group on the KDS; and
receiving, by the consumer application, the signed digital content and the associated signature manifest with the tenant identifier, the group identifier, the digital signature, and the pre-shared key identity hint; and
retrieving, by the consumer application from the KDS, using at least the tenant identifier, the group identifier, and the pre-shared key identity hint, the pre-shared key for the pre-shared key identity hint in the received signature manifest; and
verifying, by the consumer application, the received signed digital content using the retrieved pre-shared key to regenerate the digital signature and to compare for a match with the digital signature in the received signature manifest.
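
The signing and verification steps of claim 1, as an added example that is not part of the patent text: a producer creates a PSK, signs content, and builds the signature manifest; a consumer looks up the PSK by its identity hint, regenerates the signature, and compares. Assumptions: HMAC-SHA256 as the keyed hash, a JSON manifest with hypothetical field names, an in-memory dictionary standing in for the KDS key records, and member authentication with the M-PSK treated as already done.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for KDS key records, keyed by (tenant, group, PSK identity hint).
# Assumption: both members have already authenticated with their M-PSK.
KDS_RECORDS = {}

def kds_create_psk(tenant_id, group_id):
    """Producer side: create a PSK on the KDS; return (identity hint, key)."""
    hint = secrets.token_hex(8)
    key = secrets.token_bytes(32)
    KDS_RECORDS[(tenant_id, group_id, hint)] = key
    return hint, key

def kds_get_psk(tenant_id, group_id, hint):
    """Consumer side: fetch the PSK for a hint; None if no key record exists."""
    return KDS_RECORDS.get((tenant_id, group_id, hint))

def sign_content(content, tenant_id, group_id, hint, key):
    """Build the signature manifest that travels with the signed content."""
    tag = hmac.new(key, content, hashlib.sha256).hexdigest()
    return json.dumps({"tenant_id": tenant_id, "group_id": group_id,
                       "psk_identity_hint": hint, "signature": tag})

def verify_content(content, manifest_json):
    """Regenerate the HMAC with the retrieved PSK and compare to the manifest."""
    try:
        m = json.loads(manifest_json)
        key = kds_get_psk(m["tenant_id"], m["group_id"], m["psk_identity_hint"])
        if key is None:
            return False  # unknown hint, wrong tenant/group, or retired key
        expected = hmac.new(key, content, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), str(m["signature"]).encode())
    except (ValueError, KeyError, TypeError):
        return False  # malformed manifest is treated as a failed verification
```

A manifest that names a different tenant, group, or hint resolves to a different key record (or none), so verification fails closed in each case.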