Abstract:
A method includes receiving (610, 712), from a device (302), (i) a certificate request for a certification authority (304) and (ii) a first digital certificate (404). The certificate request is digitally signed by the device, and the first digital certificate is stored in the device. The method also includes verifying (612, 714), at the certification authority, the first digital certificate using a second digital certificate of another certification authority (320). The method further includes verifying (614, 718) a digital signature of the certificate request using the first digital certificate. In addition, the method includes, after verifying the first digital certificate and the digital signature, transmitting (618, 722) a second digital certificate (406) to the device.
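The enrollment flow this abstract describes, worked through as an added example (not code from the patent): a device that holds a first certificate issued by one CA asks a second CA for a new certificate, and the second CA checks the first certificate against the issuing CA's certificate and the CSR signature against the first certificate before it issues anything. The abstract names no algorithms or APIs, so ECDSA P-256 and X.509 via Go's standard library, the function names (Enroll, DeviceRequest, Scenario), the "manufacturer-ca" / "operator-ca" / "device-302" names and the rogue-requester check are all assumptions of this example. It needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// create signs tmpl under parent (tmpl itself for a root CA) and parses the result.
func create(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newSelfSignedCA generates a root CA; names and validity periods are constructed for this example.
func newSelfSignedCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := create(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// issueLeaf signs an end-entity certificate for pub under the given CA.
func issueLeaf(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, cn string, pub any, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return create(tmpl, caCert, pub, caKey)
}

// DeviceRequest is the device side: a CSR for the subject of its stored (first) certificate, signed with the device's key.
func DeviceRequest(devKey *ecdsa.PrivateKey, firstCert *x509.Certificate) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: firstCert.Subject}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, devKey)
}

// Enroll is the certification-authority side: the second certificate is issued only
// after the first certificate chains to the other CA's certificate and the CSR
// signature verifies under the first certificate's public key.
func Enroll(caKey *ecdsa.PrivateKey, caCert, otherCA, firstCert *x509.Certificate, csrDER []byte) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(otherCA)
	if _, err := firstCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("first certificate rejected: %w", err)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// Only the holder of the key bound to the first certificate can pass this check.
	if err := firstCert.CheckSignature(csr.SignatureAlgorithm, csr.RawTBSCertificateRequest, csr.Signature); err != nil {
		return nil, fmt.Errorf("CSR not signed by the first certificate's key: %w", err)
	}
	// Proof of possession for the key named inside the CSR.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid: %w", err)
	}
	return issueLeaf(caKey, caCert, csr.Subject.CommonName, csr.PublicKey, 2)
}

// Scenario: a manufacturer CA issued the device's first certificate, an operator CA
// enrolls the device, and a rogue requester presents the genuine first certificate but
// signs its CSR with its own key. Returns the issued subject and whether the rogue was refused.
func Scenario() (string, bool, error) {
	mfgKey, mfgCert, err := newSelfSignedCA("manufacturer-ca")
	if err != nil { return "", false, err }
	opKey, opCert, err := newSelfSignedCA("operator-ca")
	if err != nil { return "", false, err }
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return "", false, err }
	first, err := issueLeaf(mfgKey, mfgCert, "device-302", &devKey.PublicKey, 1)
	if err != nil { return "", false, err }
	csr, err := DeviceRequest(devKey, first)
	if err != nil { return "", false, err }
	second, err := Enroll(opKey, opCert, mfgCert, first, csr)
	if err != nil { return "", false, err }
	rogueKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return "", false, err }
	rogueCSR, err := DeviceRequest(rogueKey, first) // foreign key, genuine device certificate
	if err != nil { return "", false, err }
	_, rogueErr := Enroll(opKey, opCert, mfgCert, first, rogueCSR)
	return second.Subject.CommonName, rogueErr != nil, nil
}
```

The check that carries the abstract's security property is firstCert.CheckSignature over the CSR: csr.CheckSignature() alone only proves that whoever built the CSR holds the key inside it, not that it is the device the first certificate identifies, so the second CA must verify the CSR signature with the public key from the first certificate, as the abstract states.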
Abstract:
A method includes generating (412, 610) a first encryption key based on a first cryptographic operation (408, 606) performed by cryptographic circuitry (214) and involving a cryptographic key (302) securely stored in a memory (218) of the cryptographic circuitry. The method also includes encrypting (416, 614) data to be protected using the first encryption key and storing (420, 618) the encrypted data on a persistent storage device (212) external to the cryptographic circuitry. The method could also include retrieving (502, 702) the encrypted data from the persistent storage device. The method could further include generating (508, 708) a second encryption key based on a second cryptographic operation (504, 704) performed by the cryptographic circuitry and involving the cryptographic key, where the second encryption key matches the first encryption key. In addition, the method could include decrypting (510, 710) the encrypted data using the second encryption key.
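A software model of the flow in this abstract, added here as an example and not code from the patent: the root key lives inside a CryptoCircuit type that exposes only a keyed derivation, the derived key protects data with an authenticated cipher before it goes to external storage, and the same derivation regenerates the key (the abstract's second key, equal to the first) when the data is read back. HMAC-SHA256 as the keyed operation, AES-GCM for the data, the label scheme, and the names CryptoCircuit, Protect, Recover and Scenario are assumptions; the abstract specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// CryptoCircuit stands in for the cryptographic circuitry (214). The root key lives in
// its private memory and never leaves it; callers only receive the output of a keyed
// operation. Assumption: a 256-bit device-unique key provisioned at manufacture.
type CryptoCircuit struct {
	rootKey []byte
}

// NewCryptoCircuit provisions a fresh random root key (simulating manufacture).
func NewCryptoCircuit() (*CryptoCircuit, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &CryptoCircuit{rootKey: k}, nil
}

// DeriveKey is the cryptographic operation involving the stored key:
// HMAC-SHA256(rootKey, label) yields a 256-bit AES key that is deterministic for a
// given label, so the key generated later for decryption equals the one used to encrypt.
func (c *CryptoCircuit) DeriveKey(label string) []byte {
	mac := hmac.New(sha256.New, c.rootKey)
	mac.Write([]byte("storage-key-v1|" + label))
	return mac.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext under a key derived by the circuit and returns the blob
// destined for external persistent storage: nonce || ciphertext || tag. The label is
// bound as associated data so a blob cannot be swapped between storage slots.
func Protect(c *CryptoCircuit, label string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(c.DeriveKey(label))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Recover re-derives the key from the circuit and decrypts a blob read back from
// storage. Any modification of the blob fails authentication instead of decrypting.
func Recover(c *CryptoCircuit, label string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(c.DeriveKey(label))
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

// Scenario protects a constructed secret and recovers it with the same circuit, then
// shows that another circuit (different root key) and a tampered blob both fail.
func Scenario() (string, bool, bool, error) {
	c1, err := NewCryptoCircuit()
	if err != nil {
		return "", false, false, err
	}
	c2, err := NewCryptoCircuit()
	if err != nil {
		return "", false, false, err
	}
	blob, err := Protect(c1, "config", []byte("plant-network-password"))
	if err != nil {
		return "", false, false, err
	}
	pt, err := Recover(c1, "config", blob)
	if err != nil {
		return "", false, false, err
	}
	_, errOther := Recover(c2, "config", blob)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, errTamper := Recover(c1, "config", tampered)
	return string(pt), errOther != nil, errTamper != nil, nil
}
```

Nothing outside CryptoCircuit ever holds the root key; only derived keys exist in the caller's memory, and a blob copied to a different device, or altered on the storage medium, is rejected by the AEAD rather than yielding garbage plaintext.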
Abstract:
An apparatus includes a first distributed control system (DCS) node (202). The first DCS node includes at least one interface configured to communicate, over a network (128), with a second DCS node (204). The first DCS node also includes at least one processing device. The processing device is configured to exchange a security association policy (411) with the second DCS node. The processing device is also configured to exchange public keys (412) with the second DCS node using the security association policy. The processing device is also configured to send a public key (542) of the second DCS node to a field programmable gate array (402) of the first DCS node. The processing device is also configured to receive a shared secret (544) from the field programmable gate array. The processing device is also configured to generate a hash (546) of a message using the shared secret.
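A model of the exchange between two DCS nodes, added as an example and not the patent's own code: an FPGA type holds the node's private key and hands back only the shared secret, the processing device (Node) exchanges public keys under the agreed policy, derives a MAC key from the secret, and produces the keyed hash of a message that the peer then checks. ECDH on P-256 through Go's crypto/ecdh (Go 1.20 or later), HMAC-SHA256, the KDF label and the names SAPolicy, FPGA, Node and Scenario are assumptions; the abstract names none of the algorithms.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SAPolicy is the security association policy (411) both nodes agree on first;
// here it fixes the curve used for the key exchange (constructed for this example).
type SAPolicy struct{ Curve ecdh.Curve }

// FPGA models the field programmable gate array (402): it holds the node's private
// key and exposes only public-key export and shared-secret computation.
type FPGA struct{ priv *ecdh.PrivateKey }

// PublicKey is the value the node sends to its peer during the exchange (412).
func (f *FPGA) PublicKey() *ecdh.PublicKey { return f.priv.PublicKey() }

// SharedSecret takes the peer's public key (542) and returns the ECDH secret (544).
func (f *FPGA) SharedSecret(peer *ecdh.PublicKey) ([]byte, error) { return f.priv.ECDH(peer) }

// Node is the processing device of a DCS node.
type Node struct {
	Name   string
	policy SAPolicy
	fpga   *FPGA
	macKey []byte
}

// NewNode creates a node whose key pair is generated inside the FPGA boundary.
func NewNode(name string, p SAPolicy) (*Node, error) {
	priv, err := p.Curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{Name: name, policy: p, fpga: &FPGA{priv: priv}}, nil
}

// PublicKeyBytes exports the public key in the wire encoding of the policy's curve.
func (n *Node) PublicKeyBytes() []byte { return n.fpga.PublicKey().Bytes() }

// Establish parses the peer's public key (malformed or off-curve points are
// rejected), hands it to the FPGA, and derives the MAC key from the shared secret.
func (n *Node) Establish(peerPub []byte) error {
	pub, err := n.policy.Curve.NewPublicKey(peerPub)
	if err != nil {
		return fmt.Errorf("%s: bad peer key: %w", n.Name, err)
	}
	secret, err := n.fpga.SharedSecret(pub)
	if err != nil {
		return err
	}
	// The raw ECDH output is not used directly; a KDF step binds it to this purpose.
	kdf := hmac.New(sha256.New, secret)
	kdf.Write([]byte("dcs-sa-mac-key-v1"))
	n.macKey = kdf.Sum(nil)
	return nil
}

// Hash is the keyed hash (546) of a message under the shared secret.
func (n *Node) Hash(msg []byte) ([]byte, error) {
	if n.macKey == nil {
		return nil, errors.New(n.Name + ": no security association established")
	}
	mac := hmac.New(sha256.New, n.macKey)
	mac.Write(msg)
	return mac.Sum(nil), nil
}

// Verify checks a received message's hash in constant time.
func (n *Node) Verify(msg, tag []byte) bool {
	expected, err := n.Hash(msg)
	return err == nil && hmac.Equal(expected, tag)
}

// Scenario runs the exchange between two nodes and reports whether the peer
// accepted a genuine message and rejected a modified one carrying the same hash.
func Scenario() (bool, bool, error) {
	policy := SAPolicy{Curve: ecdh.P256()}
	a, err := NewNode("DCS-202", policy)
	if err != nil { return false, false, err }
	b, err := NewNode("DCS-204", policy)
	if err != nil { return false, false, err }
	if err := a.Establish(b.PublicKeyBytes()); err != nil { return false, false, err }
	if err := b.Establish(a.PublicKeyBytes()); err != nil { return false, false, err }
	msg := []byte("SETPOINT loop=FIC-101 value=42.0") // constructed control message
	tag, err := a.Hash(msg)
	if err != nil { return false, false, err }
	accepted := b.Verify(msg, tag)
	rejected := !b.Verify([]byte("SETPOINT loop=FIC-101 value=99.0"), tag)
	return accepted, rejected, nil
}
```

Two details worth keeping when this is implemented for real: the peer's public key is validated as a point on the policy's curve before it is handed to the FPGA, and the shared secret is passed through a KDF step rather than used as the MAC key as-is.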
Abstract:
A method includes securely booting a device (106, 114, 116, 122, 124, 130, 132, 138, 140, 142, 200) using a bootloader (FSBL, SSBL), where the bootloader is digitally signed (FSBL.sig, SSBL.sig) using a first cryptographic key (SSK) associated with the bootloader. The method also includes executing one or more kernel or user applications using the device, where the one or more kernel or user applications are digitally signed (Partition1.sig, Partition2.sig, Partition3.sig) using one or more second cryptographic keys (TSK) associated with the one or more kernel or user applications. In addition, the method includes using (800) an in-band channel to update or replace the first cryptographic key.
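A minimal model of the boot and key-update logic in this abstract, added as an example and not the patent's code: bootloader images are verified under SSK, kernel or user partitions under TSK, and an in-band KeyUpdate message signed by the current SSK replaces that key. Ed25519 signatures, the version counter in the update, binding the image name into the signed bytes, and the names Image, Device, KeyUpdate and Scenario are assumptions; the abstract does not describe the signature scheme or the update message format. It needs Go 1.19 or later for binary.BigEndian.AppendUint32.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Image is a boot stage or partition with its detached signature (FSBL.sig, Partition1.sig, ...).
type Image struct{ Name string; Data, Sig []byte }

// signed returns the bytes a signature covers; binding the name in prevents one
// partition's signature from being reused for another.
func signed(img Image) []byte { return append([]byte(img.Name+"\x00"), img.Data...) }

// Sign produces the detached signature for an image under the given private key.
func Sign(priv ed25519.PrivateKey, name string, data []byte) Image {
	img := Image{Name: name, Data: data}
	img.Sig = ed25519.Sign(priv, signed(img))
	return img
}

// Device holds the verification keys (SSK for bootloaders, TSK for partitions)
// and a monotonic SSK version so that an older key cannot be re-installed.
type Device struct{ SSK, TSK ed25519.PublicKey; SSKVersion uint32 }

// Boot verifies bootloader stages under SSK and then partitions under TSK, in
// order, stopping at the first image whose signature fails; it returns what ran.
func (d *Device) Boot(bootloaders, partitions []Image) ([]string, error) {
	var ran []string
	for _, img := range bootloaders {
		if !ed25519.Verify(d.SSK, signed(img), img.Sig) {
			return ran, errors.New("bootloader signature invalid: " + img.Name)
		}
		ran = append(ran, img.Name)
	}
	for _, img := range partitions {
		if !ed25519.Verify(d.TSK, signed(img), img.Sig) {
			return ran, errors.New("partition signature invalid: " + img.Name)
		}
		ran = append(ran, img.Name)
	}
	return ran, nil
}

// KeyUpdate is the in-band message (800): the replacement SSK public key and a
// version number, signed by the current SSK so only its holder can rotate the key.
type KeyUpdate struct{ Version uint32; NewSSK ed25519.PublicKey; Sig []byte }

func keyUpdateBytes(version uint32, newSSK ed25519.PublicKey) []byte {
	return append(binary.BigEndian.AppendUint32([]byte("ssk-update\x00"), version), newSSK...)
}

// MakeKeyUpdate is the signer side of the in-band update.
func MakeKeyUpdate(currentSSK ed25519.PrivateKey, version uint32, newSSK ed25519.PublicKey) KeyUpdate {
	return KeyUpdate{Version: version, NewSSK: newSSK, Sig: ed25519.Sign(currentSSK, keyUpdateBytes(version, newSSK))}
}

// ApplyKeyUpdate installs the new SSK only if the update is well-formed, strictly
// newer than the installed key (no replay of an earlier update) and signed by the current SSK.
func (d *Device) ApplyKeyUpdate(u KeyUpdate) error {
	if len(u.NewSSK) != ed25519.PublicKeySize || u.Version <= d.SSKVersion {
		return errors.New("key update: bad key length or stale version")
	}
	if !ed25519.Verify(d.SSK, keyUpdateBytes(u.Version, u.NewSSK), u.Sig) {
		return errors.New("key update: not signed by current SSK")
	}
	d.SSK, d.SSKVersion = u.NewSSK, u.Version
	return nil
}

// Scenario boots with the original SSK, rotates it in band, then checks that an update
// signed by the TSK is refused, the old bootloader signature no longer boots, and a re-signed one does.
func Scenario() ([]string, bool, bool, bool, error) {
	sskPub, sskPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, false, false, false, err }
	tskPub, tskPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, false, false, false, err }
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, false, false, false, err }
	dev := &Device{SSK: sskPub, SSKVersion: 1, TSK: tskPub}
	boot := []Image{Sign(sskPriv, "FSBL", []byte("fsbl-v1")), Sign(sskPriv, "SSBL", []byte("ssbl-v1"))} // constructed stand-ins
	parts := []Image{Sign(tskPriv, "Partition1", []byte("kernel")), Sign(tskPriv, "Partition2", []byte("app"))}
	first, err := dev.Boot(boot, parts)
	if err != nil { return nil, false, false, false, err }
	tskRejected := dev.ApplyKeyUpdate(MakeKeyUpdate(tskPriv, 2, tskPub)) != nil
	if err := dev.ApplyKeyUpdate(MakeKeyUpdate(sskPriv, 2, newPub)); err != nil { return nil, false, false, false, err }
	_, oldErr := dev.Boot(boot, parts)
	resigned := []Image{Sign(newPriv, "FSBL", []byte("fsbl-v1")), Sign(newPriv, "SSBL", []byte("ssbl-v1"))}
	_, newErr := dev.Boot(resigned, parts)
	return first, tskRejected, oldErr != nil, newErr == nil, nil
}
```

The version field is the part most easily left out of an in-band key update: without it, a previously valid update could be presented again to reinstall a key that has since been retired, so the device only accepts an update whose version is strictly greater than the one it already holds.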