
EP-4742069-A1 - ZERO-KNOWLEDGE PROOF BASED DEVICE DEPLOYMENT


Abstract

A computer implemented system and method for automated device deployment using server compromise tolerant, zero-knowledge authentication is disclosed. It generates a network configuration specific firmware image and prepares a device for authentication by implanting the authentication data inside the firmware image during the firmware build process. When the firmware image is installed in the target hardware and run, the device sends an authentication request to the ZKP server. If the request from the device is valid, the system allows further operations that facilitate device configuration.

Inventors

  • Mullick Mohammad, Rakib Hassan

Assignees

  • Mullick Mohammad, Rakib Hassan

Dates

Publication Date
20260513
Application Date
20251105

Claims (15)

  1. A computer system for network configuration specific firmware image generation that provides automated device deployment and server hack-proof authentication, comprising: a bus system that connects various input/output and processing devices in a computer system; a network interface connected to the bus system to communicate with external systems; a non-volatile storage device connected to the bus system or over a network, wherein the storage device stores program instructions and is used for data storage; a processor connected to the bus system; a volatile storage device connected to the bus system, wherein the volatile storage device holds instructions to be executed by the processor; wherein the system is configured to: receive a firmware image generation request with a parameter comprising customer specific system configurations; generate a plurality of firmware images and a plurality of authentication artifacts based on the requested customer specific system configurations, wherein the authentication artifacts consist of two parts, one part for the server and the other part for the device/client; inject the client part of the authentication artifacts inside the generated firmware image; store the server part of the authentication artifacts and the generated firmware image; delete the private key used to generate the authentication artifact; receive a provision activation request comprising a UUID and a sequence number; authenticate a device that is running the generated firmware image, the authentication steps further comprising: receive an authentication request with a parameter comprising a message, a signed hash (signature), a UUID and a sequence number; identify the corresponding public key using the received UUID and the sequence number; generate a signed hash (signature) using the identified public key; compare the generated signature with the received signature; allow users to connect to a target device and perform operations like copy, delete files, execute programs/scripts; track the list of successfully deployed devices.
  2. The computer system of claim 1, further configured to use password based authentication, wherein the said password is injected during the firmware image generation process and the authentication request comprises a UUID, a sequence number and the password.
  3. The computer system of claim 1 or claim 2 wherein the said firmware image generation request parameter further comprises a sequence number or count indicating how many authentication artifacts should be generated under a single UUID.
  4. The computer system according to any preceding claim, further configured to generate multiple authentication artifacts for a single device authentication.
  5. The computer system according to any preceding claim, wherein the firmware image is an operating system based image or a baremetal, OS-less, image.
  6. The computer system according to any preceding claim, further configured for device authentication only wherein the necessary system compatible authentication artifacts are provided.
  7. A computer-implemented method for network configuration specific firmware image generation that provides automated device deployment and server hack-proof authentication, the computer-implemented method comprising: receiving a firmware image generation request with a parameter comprising customer specific system configurations; generating a plurality of firmware images and a plurality of authentication artifacts based on the requested customer specific system configurations, wherein the authentication artifacts consist of two parts, one part for the server and the other part for the device/client; injecting the client part of the authentication artifacts inside the generated firmware image; storing the server part of the authentication artifacts and the generated firmware image; deleting the private key used to generate the authentication artifact; receiving a provision activation request comprising a UUID and a sequence number; authenticating a device that is running the generated firmware image, the authentication steps further comprising: receiving an authentication request with a parameter comprising a message, a signed hash (signature), a UUID and a sequence number; identifying the corresponding public key using the received UUID and the sequence number; generating a signed hash (signature) using the identified public key; comparing the generated signature with the received signature; allowing users to connect to a target device and perform operations like copy, delete files, execute programs/scripts; tracking the list of successfully deployed devices.
  8. The computer-implemented method of claim 7, further configured to generate multiple authentication artifacts for a single device authentication.
  9. The computer-implemented method of claims 7 to 8, wherein the firmware image is an operating system based image or a baremetal, OS-less, image.
  10. The computer-implemented method of claims 7 to 9, further configured for a device authentication only wherein the compatible authentication artifacts of the device are provided.
  11. A computer program product for network configuration specific firmware image generation that provides automated device deployment and server hack-proof authentication, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising: receiving, by the computer program, a firmware image generation request with a parameter comprising customer specific system configurations; generating, by the computer program, a plurality of firmware images and a plurality of authentication artifacts based on the requested customer specific system configurations, wherein the authentication artifacts consist of two parts, one part for the server and the other part for the device/client; injecting, by the computer program, the client part of the authentication artifacts inside the generated firmware image; storing, by the computer program, the server part of the authentication artifact and the generated firmware image; deleting, by the computer program, the private key used to generate the authentication artifact; receiving, by the computer program, a provision activation request comprising a UUID and a sequence number; authenticating, by the computer program, a device that is running the generated firmware image, the authentication steps further comprising: receiving, by the computer program, an authentication request with a parameter comprising a message, a signed hash (signature), a UUID and a sequence number; identifying, by the computer program, the corresponding public key using the received UUID and the sequence number; generating, by the computer program, a signed hash (signature) using the identified public key; comparing, by the computer program, the generated signature with the received signature; allowing, by the computer program, users to connect to a target device and perform operations like copy, delete files, execute programs/scripts; tracking, by the computer program, the list of successfully deployed devices.
  12. The computer program product of claim 11, further configured to use password based authentication, wherein the password is injected during the firmware image generation process and the authentication request comprises a UUID, a sequence number and the password.
  13. The computer program product of claim 11 or claim 12, wherein the said firmware image generation request parameter further comprises a sequence number or count indicating how many authentication artifacts should be generated under a single UUID.
  14. A computer program product for automatically sending an authentication request during device startup and provisioning the device, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising: sending, by the computer program, an authentication request with a parameter comprising a signed hash (signature), a UUID, a text/string and a sequence number, wherein the signed hash is generated from the said text/string; receiving, by the computer program, a response indicating whether the authentication request is successful or not; receiving, by the computer program, a request to download or receive a file, execute any program or delete any file.
  15. The computer program product of claim 14 wherein the parameter of the said authentication request is injected during the firmware build process.
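The build-time artifact generation of claims 1 and 3 and the startup authentication exchange of claim 14, as an added example that is not part of the patent: each private key is injected into its own image and the builder keeps no copy, the server stores only public keys under (UUID, sequence number), and the claims' comparison step is carried out as signature verification with the stored public key. Ed25519 is an assumed signature scheme (the patent names none), and the names ArtifactID, FirmwareImage, Server, NewServer and the UUID in the usage are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// ArtifactID keys one artifact; a single UUID may carry several sequence numbers (claim 3).
type ArtifactID struct{ UUID string; Seq int }
// FirmwareImage stands in for the built image: network config plus the injected signing key.
type FirmwareImage struct{ ID ArtifactID; NetConfig string; ClientKey ed25519.PrivateKey }
// AuthRequest is what the device sends at startup: message, signature, UUID and sequence.
type AuthRequest struct{ ID ArtifactID; Message, Signature []byte }
// Server keeps only the server part (public keys); a leaked copy of it cannot sign anything.
type Server struct{ PubKeys map[ArtifactID]ed25519.PublicKey; Deployed map[ArtifactID]bool }

func NewServer() *Server {
	return &Server{map[ArtifactID]ed25519.PublicKey{}, map[ArtifactID]bool{}}
}

// BuildFirmware generates count artifacts under one UUID at build time; each
// private key is injected into its image and no copy is retained by the builder.
func BuildFirmware(srv *Server, uuid, netConfig string, count int) ([]FirmwareImage, error) {
	var images []FirmwareImage
	for seq := 1; seq <= count; seq++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		id := ArtifactID{uuid, seq}
		srv.PubKeys[id] = pub
		images = append(images, FirmwareImage{id, netConfig, priv})
	}
	return images, nil
}

// Authenticate signs a message with the key embedded in the firmware image.
func (fw FirmwareImage) Authenticate(msg []byte) AuthRequest {
	return AuthRequest{fw.ID, msg, ed25519.Sign(fw.ClientKey, msg)}
}

// Verify finds the public key by UUID and sequence number and checks the signature;
// unknown IDs, wrong sequence numbers and tampered messages are all rejected.
func (srv *Server) Verify(req AuthRequest) bool {
	pub, ok := srv.PubKeys[req.ID]
	if !ok || !ed25519.Verify(pub, req.Message, req.Signature) {
		return false
	}
	srv.Deployed[req.ID] = true
	return true
}
```

A request that reuses a valid signature under another sequence number of the same UUID fails, because the lookup selects a different public key.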

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application claims priority from U.S. Provisional Application No. 63/717,362 filed Nov. 7, 2024, which application is hereby incorporated in its entirety by reference.

BACKGROUND OF THE INVENTION

The emergence of new technologies brings new challenges from different directions. The advancement of the Internet of Things (IoT) brings new challenges when it comes to device deployment. Device deployment typically takes place at a customer site to make sure the target device can connect to the Internet. This is also known as "device provisioning". Most IoT devices must be connected to the Internet directly, and these devices need to be configured at the customer site to make sure they can access the Internet. If a customer has a Wi-Fi network, the target device needs to be configured with valid Wi-Fi credentials. If the customer network requires Ethernet connectivity with a static IP address, the device must carry a network configuration with the proper IP address. To handle such a variety of network configurations, the device configuration steps remain a manual and interactive process. This becomes a time-consuming task when the number of devices is high or the deployment area is large. Moreover, setting the Wi-Fi credentials on every device, each time, may have security implications and is error-prone. The network configuration data are stored in the non-volatile storage of a particular device. How exactly the network configuration data are stored and maintained depends on the software that the device runs. Sometimes a device runs baremetal software, and sometimes it runs operating system (OS) based software. The software that runs on a resource-constrained, integrated device is often called firmware, and it often needs to be programmed into a chip. Sometimes this so-called firmware is instead read from a non-volatile storage device, which is typically the case for OS based software.

In any case, when software is built/generated it does not hold any network configuration data, so it needs to be configured later on. During device deployment at a customer site a person needs to provide the network configuration information manually, which overwrites the default network configuration files. To overcome the limitation of manual configuration of Wi-Fi networks, the Wi-Fi Alliance unveiled a mechanism called Device Provisioning Protocol (DPP) that utilizes a smartphone for device configuration. To make the process less cumbersome, a more flexible approach has been introduced that uses a centralized server to avoid user interaction (US11546755B2). Methods like Zero-Touch Provisioning (ZTP) rely on a DHCP server so that devices can automatically configure themselves without any human intervention. To ensure that no unwanted devices get registered, the DHCP server needs to be pre-configured. Letting devices connect directly to the Internet has downsides if the devices are not authenticated. Password based authentication schemes have their own limitations and are also not best suited for offering privacy respecting services. Zero-Knowledge proof based authentication can address such privacy concerns; however, such authentication methods are often hard to integrate because their use of digital signatures requires maintenance of public/private keys and brings usability issues. Apart from setting up the network configuration and authenticating a device, further configuration may be required, which could be non-generic, device-specific configuration files such as CA client certificate files or other system configuration files, or a program/script that the device requires to function properly. Depending on the vendor (or the product), provisioning steps are also referred to as commissioning. In short, the process of making a device fully functional before connecting it to the Internet can be tedious and is open for innovative solutions.

SUMMARY OF THE INVENTION

According to one illustrative embodiment, a computer implemented method, a computer program product and a computer system for hack-proof (server compromise tolerant), automated device authentication and deployment are provided. The system builds network configuration specific firmware images and generates authentication artifacts during the firmware build process. The generated authentication artifacts are used by the system to offer a zero-knowledge proof based authentication scheme utilizing digital signature based message signing, where the server only keeps the public key to verify an authentication request. The system is tolerant to any data breach and offers a privacy respecting service. The disclosed system does not require any user interaction at the customer site and enables administrators (or users) to further interact with the device (i.e. copy / delete files) from a remote location. The system generates authentication artifacts during the firmware build proc