Abstract: Techniques for cryptographically binding password authentication key exchange (PAKE) information with a manufacturing installed certificate (MIC) during device bootstrapping. An authentication server of a network receives an indication that a client device is attempting to join a network, the indication includes first PAKE information. The authentication server receives a MIC from a client device, wherein the MIC includes a hash of second PAKE information, the second PAKE information associated with the client device and embedded in a n extension of the MIC. The authentication server determines whether the first PAKE information corresponds to the second PAKE information, and if it does the authentication server allows the client device to join the network.

Abstract: A computing device connected to a power source via a combined power/data connection obtains an authentication request from the power source. The authentication request includes a freshness mechanism provided by the power source. The computing device signs an authentication response with a private key associated with a verified identity stored on the computing device. The authentication response includes the freshness mechanism. The computing device provides the authentication response to the power source, and receives power from the power source.

Abstract: A computing device connected to a power source via a combined power/data connection obtains an authentication request from the power source. The authentication request includes a freshness mechanism provided by the power source. The computing device signs an authentication response with a private key associated with a verified identity stored on the computing device. The authentication response includes the freshness mechanism. The computing device provides the authentication response to the power source, and receives power from the power source.

Abstract: Methods and systems are described herein for detecting deviations from an expected power profile of a device. The method comprises: retrieving a manufacturer usage description (MUD) associated with the device. The MUD includes a power profile associated with the device. An expected power consumption parameter can be determined from the power profile. The method may further comprise monitoring an actual power consumption parameter of the device and comparing the expected power consumption parameter to the actual power consumption parameter. The method may further comprise determining a deviation between the power consumption parameter and the expected power consumption indicated in the power profile, and outputting a notification when the deviation is equal to or greater than a threshold value.

Abstract: A computing device connected to a power source via a combined power/data connection obtains an authentication request from the power source. The authentication request includes a freshness mechanism provided by the power source. The computing device signs an authentication response with a private key associated with a verified identity stored on the computing device. The authentication response includes the freshness mechanism. The computing device provides the authentication response to the power source, and receives power from the power source.

Abstract: A power source that supplies power to authorized computing devices generates a query requesting the power usage of the computing devices over a predetermined time period. Each computing device receives the query and provides a response with an indication of the measured or estimated power usage during the predetermined time period. The power source adds up the power usage of each authorized computing device to determine a difference between the reported power usage and the power supplied to the authorized computing devices. The power source may mitigate any discrepancy by cutting off power to ports that are providing more power than is being reported as consumed by the authorized computing devices.

Abstract: Techniques for providing secure modification of manufacturer usage description (MUD) files based on device applications are provided. In one embodiment, a method for secure modification of MUD files may include obtaining a request for one or more applications from a device. The method also includes providing to the device the one or more applications and a certification that includes an updated MUD identifier determined based on the one or more applications requested. The updated MUD identifier is associated with a concatenated MUD file that comprises individual MUD file portions for each of the one or more applications requested. The device is configured to request an updated device identifier using the certification. The updated device identifier includes the updated MUD identifier that is associated with the concatenated MUD file.

Abstract: At an authentication server, a request for at least a first dynamic host configuration protocol (DHCP) option is received from a client device, and it is determined if the authentication server implements DHCP. Based at least in part on a determination that the authentication server does not implement a DHCP, the operations further include transmitting an application program interface (API) call to a DHCP server associated with the authentication server acting as a DHCP gateway, receiving a response from the DHCP server, and transmitting the response to the client device.

Abstract: This technology uses a bootstrap key (“BSK”) to securely onboard a computing device to a network. A unique BSK associated with an onboarding computing device is used to verify for various deployment models (1) that the computing device has proof the computing device is connecting to the correct wired or wireless network and (2) that the network has proof the computing device is trusted. The BSK may be an associated BSK or an embedded BSK. A computing device receives a signed voucher from the manufacturer authorized signing authority (“MASA”) before the computing device may onboard to a network. The MASA will issue a voucher to a Bootstrapping Remote Secure Key Infrastructure (“BRSKI”) registrar if the registrar proves knowledge of the computing device's BSK to the MASA or the registrar has an established trust relationship with the MASA.

Abstract: Systems, methods, and computer-readable media are disclosed for measurement of trustworthiness of network devices prior to their configuration and deployment in a network. In one aspect of the present disclosure, a method for pre-configuration of network devices includes receiving, at a dynamic host configuration server, a first request from a network device for configuration data, the configuration data including at least an IP address; sending, by the dynamic host configuration server, a second request to the network device for attestation information; verifying, by the dynamic host configuration server, the network device based on the attestation information; and assigning, by the dynamic host configuration server, the configuration data to the network device upon verifying the network device.

Abstract: At an authentication server, a request for at least a first dynamic host configuration protocol (DHCP) option is received from a client device, and it is determined if the authentication server implements DHCP. Based at least in part on a determination that the authentication server does not implement a DHCP, the operations further include transmitting an application program interface (API) call to a DHCP server associated with the authentication server acting as a DHCP gateway, receiving a response from the DHCP server, and transmitting the response to the client device.

Abstract: This disclosure describes techniques for providing manufacturer usage description (MUD) solution to automatically update network access policy for client application software. The method may include embedding metadata in the application binary. The metadata may include MUD uniform resource identifiers (URIs) that may point to MUD files describing the application's network access requirements. The MUD files may be hosted by application vendor's MUD servers. The system may include a network policy server that is able discover the MUD URIs. The MUD URIs may be discovered based on extracting the MUD URIs from the metadata and/or being provision with the set of MUD URIs for trusted applications. The method may include enterprise wide policy and individual host policy for implementation of the MUD files.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: Techniques for providing secure modification of manufacturer usage description (MUD) files based on device applications are provided. In one embodiment, a method for secure modification of MUD files may include obtaining a request for one or more applications from a device. The method also includes providing to the device the one or more applications and a certification that includes an updated MUD identifier determined based on the one or more applications requested. The updated MUD identifier is associated with a concatenated MUD file that comprises individual MUD file portions for each of the one or more applications requested. The device is configured to request an updated device identifier using the certification. The updated device identifier includes the updated MUD identifier that is associated with the concatenated MUD file.

Abstract: In an embodiment, a method comprises at a network device in an enterprise network, selecting one or more time servers used for establishing a timing reference according to a predetermined priority order of selection that begins with determining whether the network device is configured with information indicating one or more time servers to be used. A timing reference is established for the network device based on a selected time server.

Abstract: This disclosure describes techniques for providing manufacturer usage description (MUD) solution to automatically update network access policy for client application software. The method may include embedding metadata in the application binary. The metadata may include MUD uniform resource identifiers (URIs) that may point to MUD files describing the application's network access requirements. The MUD files may be hosted by application vendor's MUD servers. The system may include a network policy server that is able discover the MUD URIs. The MUD URIs may be discovered based on extracting the MUD URIs from the metadata and/or being provision with the set of MUD URIs for trusted applications. The method may include enterprise wide policy and individual host policy for implementation of the MUD files.

Abstract: Techniques for providing secure modification of manufacturer usage description (MUD) files based on device applications are provided. In one embodiment, a method for secure modification of MUD files may include obtaining a request for one or more applications from a device. The method also includes providing to the device the one or more applications and a certification that includes an updated MUD identifier determined based on the one or more applications requested. The updated MUD identifier is associated with a concatenated MUD file that comprises individual MUD file portions for each of the one or more applications requested. The device is configured to request an updated device identifier using the certification. The updated device identifier includes the updated MUD identifier that is associated with the concatenated MUD file.

Abstract: This technology uses a bootstrap key (“BSK”) to securely onboard a computing device to a network. A unique BSK associated with an onboarding computing device is used to verify for various deployment models (1) that the computing device has proof the computing device is connecting to the correct wired or wireless network and (2) that the network has proof the computing device is trusted. The BSK may be an associated BSK or an embedded BSK. A computing device receives a signed voucher from the manufacturer authorized signing authority (“MASA”) before the computing device may onboard to a network. The MASA will issue a voucher to a Bootstrapping Remote Secure Key Infrastructure (“BRSKI”) registrar if the registrar proves knowledge of the computing device's BSK to the MASA or the registrar has an established trust relationship with the MASA.

Abstract: Systems, methods, and computer-readable media are disclosed for measurement of trustworthiness of network devices prior to their configuration and deployment in a network. In one aspect of the present disclosure, a method for pre-configuration of network devices includes receiving, at a dynamic host configuration server, a first request from a network device for configuration data, the configuration data including at least an IP address; sending, by the dynamic host configuration server, a second request to the network device for attestation information; verifying, by the dynamic host configuration server, the network device based on the attestation information; and assigning, by the dynamic host configuration server, the configuration data to the network device upon verifying the network device.

Abstract: This technology uses a bootstrap key (“BSK”) to securely onboard a computing device to a network. A unique BSK associated with an onboarding computing device is used to verify for various deployment models (1) that the computing device has proof the computing device is connecting to the correct wired or wireless network and (2) that the network has proof the computing device is trusted. The BSK may be an associated BSK or an embedded BSK. A computing device receives a signed voucher from the manufacturer authorized signing authority (“MASA”) before the computing device may onboard to a network. The MASA will issue a voucher to a Bootstrapping Remote Secure Key Infrastructure (“BRSKI”) registrar if the registrar proves knowledge of the computing device's BSK to the MASA or the registrar has an established trust relationship with the MASA.