Abstract:
A method includes receiving (610, 712), from a device (302), (i) a certificate request for a certification authority (304) and (ii) a first digital certificate (404). The certificate request is digitally signed by the device, and the first digital certificate is stored in the device. The method also includes verifying (612, 714), at the certification authority, the first digital certificate using a digital certificate of another certification authority (320). The method further includes verifying (614, 718) a digital signature of the certificate request using the first digital certificate. In addition, the method includes, after verifying the first digital certificate and the digital signature, transmitting (618, 722) a second digital certificate (406) to the device.
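The certification-authority side of this enrollment, as an added example that is not part of the patent or any product: Go code on the standard crypto/x509 package, where issue and NewEntity are assumed helpers that build a manufacturer CA (standing in for 320), a second CA (304) and a device certificate (404) as constructed test data with Ed25519 keys, and Enroll carries out steps 612 to 618. The key point a reviewer would check is that the request signature is verified with the key bound by the device certificate, and that the certificate issued binds that same proven key rather than whatever key the request carries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key and parses the result (hypothetical helper, 24h validity).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// NewEntity generates a key and certificate for name, self-signed as a CA when parent is nil; constructed test data.
func NewEntity(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	return issue(t, parent, pub, parentKey), key
}

// Enroll is the CA side of steps 612-618: verify the device certificate (404) against the other CA's certificate (320), verify the request signature with it, then issue the second certificate (406).
func Enroll(caCert *x509.Certificate, caKey ed25519.PrivateKey, otherCA, devCert *x509.Certificate, csrDER []byte) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(otherCA)
	if _, err := devCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil { // check with the key the device certificate binds, not the key carried in the request
		err = devCert.CheckSignature(csr.SignatureAlgorithm, csr.RawTBSCertificateRequest, csr.Signature)
	}
	if err != nil {
		return nil, err
	}
	// Certify the key just proven, so a request carrying a foreign public key cannot get it certified.
	return issue(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject}, caCert, devCert.PublicKey.(ed25519.PublicKey), caKey), nil
}
```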
Abstract:
A method includes transmitting (403), over a virtual private network (VPN) (234) to a remotely-located control platform (210), a request (316) for first information associated with a BOOTP protocol synchronization process (310). The method also includes receiving (405), from the control platform, a first response (318) comprising the requested first information. The method further includes receiving (407), over a local network (228) from an embedded device (106, 220a-220b) in a distributed control system (100, 200), a request (322) for second information associated with the BOOTP protocol. In addition, the method includes transmitting (409), to the embedded device, a second response (326) comprising the requested second information.
Abstract:
An apparatus includes a first distributed control system (DCS) node (202). The first DCS node includes at least one interface configured to communicate, over a network (128), with a second DCS node (204). The first DCS node also includes at least one processing device. The processing device is configured to exchange a security association policy (411) with the second DCS node. The processing device is also configured to exchange public keys (412) with the second DCS node using the security association policy. The processing device is also configured to send a public key (542) of the second DCS node to a field programmable gate array (402) of the first DCS node. The processing device is also configured to receive a shared secret (544) from the field programmable gate array. The processing device is also configured to generate a hash (546) of a message using the shared secret.
Abstract:
A method includes receiving (304), at a first distributed control system (DCS) node (202) over a network, information associated with a security manager (208). The method also includes establishing (306, 310) multiple communication channels between the first DCS node and the security manager over the network using the information, where the communication channels include a non-secure channel and a secure channel. The method further includes receiving (308) security credentials from the security manager at the first DCS node over the non-secure channel and receiving (312) a security policy and an activation time from the security manager at the first DCS node over the secure channel. In addition, the method includes transitioning (316) the first DCS node to communicate with a second DCS node over the network using the security policy at the activation time.
Abstract:
A method includes verifying (402) that firmware of a device (200) is trusted and contains a root of trust. The method also includes verifying (406) that a protected storage (214) of the device contains a private or secret key associated with a device certificate (DevCert) that is stored in a persistent storage (204, 210, 212) of the device. The method further includes verifying (414) the device certificate of the device using the root of trust. In addition, the method includes, in response to verifying that the protected storage contains the private or secret key associated with the device certificate and verifying the device certificate, determining that the device is a genuine device. The root of trust could include a trusted certificate or a trusted public key.
Abstract:
A method includes securely booting a device (106, 114, 116, 122, 124, 130, 132, 138, 140, 142, 200) using a bootloader (FSBL, SSBL), where the bootloader is digitally signed (FSBL.sig, SSBL.sig) using a first cryptographic key (SSK) associated with the bootloader. The method also includes executing one or more kernel or user applications using the device, where the one or more kernel or user applications are digitally signed (Partition1.sig, Partition2.sig, Partition3.sig) using one or more second cryptographic keys (TSK) associated with the one or more kernel or user applications. In addition, the method includes using (800) an in-band channel to update or replace the first cryptographic key.