Configuring trust anchors

Abstract

Disclosed is a method of configuring trust anchors in a network. The network comprises an end-point meter, and a communication module for communicating with the end-point meter. The method comprises obtaining, by a first server from a vendor of the end-point meter, a first vendor-signed certificate, obtaining, by the first server from a vendor of the communication module, a second vendor-signed certificate, providing, from the communication module to the first server, a first trust anchor certificate request, verifying, by the first server, the first trust anchor certificate request, providing, by the first server, to the communication module, a first trust anchor certificate of the end-point meter and authenticated by the first server, and the second vendor-signed certificate. The method comprises verifying, by the communication module, the second vendor-signed certificate, storing the first trust anchor certificate at the communication module, providing, from the communication module to the first server, a second trust anchor certificate request, verifying, by the first server, the second trust anchor certificate request, providing, from the first server, to the end-point meter, via the communication module, a second trust anchor certificate of the communication module and authenticated by the first server, and the first vendor-signed certificate, verifying, by the end-point meter, the first vendor-signed certificate, and storing the second trust anchor certificate at the end-point meter.

Description

[0001] CONFIGURING TRUST ANCHORS

[0002] FIELD OF INVENTION

[0003] The present disclosure is in the field of networked electrical utility or power meters, such as smart meter infrastructure, and relates to a method of configuring trust anchors in a network including an end-point meter and a communications module for communicating with the meter. The invention also relates, particularly but not exclusively, to configuring trust anchors in a network using public key infrastructure (PKI).

[0004] BACKGROUND TO INVENTION

[0005] Electrical utility or power meters may be networked in, for example, an advanced metering infrastructure. The network may comprise end-point meters and communication modules for communicating with the meters.

[0006] A trust anchor generally refers to a key that is inherently trusted within a network. In a utility or power meter network, which is inherently at risk of malicious or unauthorized access, being able to establish trust within the network is important.

[0007] Some communications protocols, such as device language message specification (DLMS) protocol, defines HLS (High Level Security) mechanism 7 which requires certificates to be provisioned to a networked end-point meter and a communication module. These certificates can be provisioned during manufacturing for each component, but during manufacturing the meter vendor and the communication module vendor are not aware of each other’s trust anchors. So even if they have their own certificates, which can be shared using HLS 7, they cannot authenticate each other’s certificate due to a lack of required trust anchors.

[0008] These trust anchors can be configured either during manufacturing (which is not possible as there is no knowledge of other party’s root) or in the field, such as by using the lmport_Certificate function of a DLMS end-point meter security object, but this lmport_Certificate call is done over an unsecure channel and thus lacks a mutual trust.

[0009] Other communications protocols used in networked meter infrastructure may also suffer from the above drawbacks, and there is a general need to establish trust within networks. It is therefore an aim of at least one embodiment of at least one aspect of the present disclosure to obviate or at least mitigate at least one of the above identified shortcomings of the prior art.

[0010] SUMMARY OF INVENTION

[0011] According to a first aspect of the disclosure, there is provided a method of configuring trust anchors in a network, wherein the network comprises an end-point meter, and a communication module for communicating with the end-point meter, wherein the method comprises: obtaining, by a first server from a vendor of the end-point meter, a first vendor- signed certificate; obtaining, by the first server from a vendor of the communication module, a second vendor-signed certificate; providing, from the communication module to the first server, a first trust anchor certificate request; verifying, by the first server, the first trust anchor certificate request; providing, by the first server, to the communication module: a first trust anchor certificate of the end-point meter and authenticated by the first server, and the second vendor-signed certificate; verifying, by the communication module, the second vendor-signed certificate; storing the first trust anchor certificate at the communication module; providing, from the communication module to the first server, a second trust anchor certificate request; verifying, by the first server, the second trust anchor certificate request; providing, from the first server, to the end-point meter, via the communication module: a second trust anchor certificate of the communication module and authenticated by the first server; and the first vendor-signed certificate; verifying, by the end-point meter, the first vendor-signed certificate; and storing the second trust anchor certificate at the end-point meter.

[0012] Advantageously, by providing and storing the first trust anchor certificate of the end-point meter at the communication module, and the second trust anchor certificate of the communication module at the end-point meter, each provided in a secure way, a mutual trust can be obtained in a more efficient and secure manner over at least some known examples.

[0013] Advantageously, in at least some examples the invention removes the need for providing integration specific trust anchors during manufacturing. The trust anchors can be provided after manufacturing, and once the specific deployment plans are known, rather than needing to know such plans during manufacturing. Consider that many meters and communication modules will be produced, and by different vendors, and it is therefore advantageous to configure the trust anchors during deployment when it is known how they will be arranged in the network.

[0014] Advantageously, the invention in at least some examples avoids the use of unsecured channels for providing trust anchors to the end-point meter device and communication module. In some examples, it may be sufficient to reduce, rather than eliminate, the use of unsecured channels, which may still provide an improvement over other methods and systems.

[0015] Advantageously, in at least some examples, the invention solves a problem whereby, during manufacturing, the vendor of the end-point meter does not know the root of the communication module, and vice versa. Both the end-point meter and the communication module, in some examples, can therefore be deployed then provided with each other’s trust anchor.

[0016] The vendor of the end-point meter may be different to the vendor of the communication module.

[0017] The network may comprise a plurality of end-point meters. The communication module may be configured to communicate with one or more or a plurality of the endpoint meters.

[0018] The first server may be configured to communicate with the communication module using a secure channel, which may be by certificate management protocol, such as enrolment over secure transport (EST), or the like. The first server may be configured for certificate management, and in some examples may be an EST server. The first server may be implemented in any suitable manner, and need not be a single server, and may be geographically distributed, such as in cloud computing. The term server is not intended to be limiting, and the first server may be implemented in hardware and / or software in any suitable manner.

[0019] The end-point meter and the communication module may be configured to communicate with each other using a communications protocol, such as the Device Language Message Specification (DLMS) protocol, or the like. The method may comprise installing a unique device certificate, such as a “birth certificate”, at the end-point meter and / or the communication module.

[0020] The method may comprise installing a first manufacturer trust anchor at the endpoint meter. The first manufacturer trust anchor may be associated with the vendor of the end-point meter. The method may comprise installing a second manufacturer trust anchor at the communication module. The second manufacturer trust anchor may be associated with the vendor of the communication module.

[0021] The first manufacturer trust anchor and / or second manufacturer trust anchor may be installed prior to deployment (during manufacture of the end-point meter or communication module).

[0022] The method may comprise generating or otherwise obtaining, by the first server, a first public key infrastructure (PKI) key pair. The key pair may be a first private key and a first public key.

[0023] The step of obtaining the first vendor-signed certificate may comprise sending a first certificate signing request from the first server to a vendor of the end-point meter. The first certificate signing request may include the first public key of the first server. The method may comprise signing the first certificate signing request by the vendor of the end-point meter to create the first vendor-signed certificate. The signing of the first certificate signing request may include using a certificate authority of the vendor of the end-point meter. The method may comprise providing, from the vendor of the end-point meter to the first server, the first vendor-signed certificate.

[0024] The step of obtaining the second vendor-signed certificate may comprise sending a second certificate signing request from the first server to a vendor of the communication module. The second certificate signing request may include the first public key of the first server. The method may comprise signing the second certificate signing request by the vendor of the communication module to create the second vendor- signed certificate. The signing of the second certificate signing request may include using a certificate authority of the vendor of the communication module. The method may comprise providing, from the vendor of the communication module to the first server the second vendor-signed certificate.

[0025] The method may comprise mapping at least one device parameter from the first vendor-signed certificate to a first device identifier associated with the vendor of the endpoint meter. The mapping may include mapping a device name, such as a logical device name, from the vendor-signed certificate to the first device identifier. The first device identifier may be an internet assigned numbers authority (IANA) identifier. The device name may be allocated by the vendor of the end-point meter.

[0026] The method may comprise mapping at least one device parameter from the second vendor-signed certificate to a second device identifier associated with the vendor of the communication module. The mapping may include mapping a device name, such as a logical device name, from the vendor-signed certificate to the second device identifier. The second device identifier may be an internet assigned numbers authority (IANA) identifier. The device name may be allocated by the vendor of the communication module.

[0027] The method may comprise deploying the end-point meter and / or the communication module to a deployment location. The deployment may be carried out after the first vendor-signed certificate and the second vendor-signed certificate have been obtained by the first server. The deployment may be carried out after the mapping of the first vendor certificate and / or the mapping of the second vendor certificate. The deployment location may be a location where the end-point meter can monitor power usage and where the communication module can communicate with the end-point meter.

[0028] The method may comprise establishing a communication link, or secure communication link between the end-point meter and the communication module. The communication link may be a mutually trusted secure channel of communication, which may be established through shared keys. In some examples the communication link includes sharing at least one set of symmetric keys between the end-point meter and the communication module. The symmetric keys may be pre-shared before deployment, or during deployment. The symmetric keys may be shared before the first trust anchor certificate request is sent. The communication link may be established before the first trust anchor certificate request is sent.

[0029] The communication link between the end-point meter and the communication module, when established, may “associate” the end-point meter with the communication module.

[0030] The first trust anchor request may include the second device identifier associated with the communication module.

[0031] The method may comprise providing, by the first server to the communication module, in response to the first trust anchor certificate request being verified by the first server, a second trust anchor certificate of the communication module and authenticated by the first server. In this example, when the first trust anchor request has been verified, the first server provides the first trust anchor certificate and the second trust anchor certificate and the second vendor-signed certificate to the communication module.

[0032] The method may comprise storing the second trust anchor certificate at the communication module when the second vendor-signed certificate has been verified by the communication module. In this example, the communication module stores the first trust anchor certificate of the end-point meter and the second trust anchor certificate of the communication module.

[0033] The step of verifying the first trust anchor certificate request may comprise verifying the second device identifier associated with the communication module.

[0034] For the first trust anchor certificate request, authenticating the first trust anchor certificate by the first server may comprise signing the first trust anchor certificate, which may use PKI. For the first trust anchor certificate request, the signing of the first trust anchor certificate may use the first private key of the first server. For the first trust anchor certificate request, authenticating the second trust anchor certificate by the first server may comprise signing the second trust anchor certificate, which may use PKI. For the first trust anchor certificate request, the signing of the second trust anchor certificate may use the first private key of the first server.

[0035] The step of verifying the second vendor-signed certificate by the communication module may comprise using the second manufacturer trust anchor to validate the second vendor-signed certificate. Validating the second vendor-signed certificate may include extracting a second validation tool therefrom. The second validation tool may be the first public key included in the second vendor-signed certificate. The second validation tool may be used to further validate the authenticated first trust anchor certificate. The validation may include validating the authenticated second trust anchor certificate, which may use the second validation tool.

[0036] The first trust anchor certificate stored at the communication module may be an end-point meter root. The second trust anchor certificate may be stored at the communication module and may be a communication module root.

[0037] The first trust anchor certificate may be stored at the communication module persistently, such as in non-volatile memory. The second trust anchor certificate may be stored at the communication module persistently, such as in non-volatile memory.

[0038] The method may comprise obtaining, from the end-point meter by the communication module, one or more device attributes, which may include a device name, such as a logical device name, and / or the first device identifier. This step may be carried out before the second trust anchor certificate request and / or after the verification of the second vendor-signed certificate by the communication module and / or after the storing of the first trust anchor certificate at the communication module, and / or after the storing of the second trust anchor certificate at the communication module.

[0039] The second trust anchor certificate request may include one or more of the device attributes of the end-point meter obtained by the communication module.

[0040] The second trust anchor certificate request may be carried out after the first trust anchor certificate request. The second trust anchor certificate request may be carried out after the storing of the first trust anchor certificate at the communication module and / or after the storing of the second trust anchor certificate at the communication module.

[0041] The second trust anchor request may include the first device identifier associated with the end-point meter.

[0042] The method may comprise providing, by the first server to the end-point meter via the communication module, in response to the second trust anchor certificate request being verified by the first server, a first trust anchor certificate of the end-point meter and authenticated by the first server. In this example, when the second trust anchor request has been verified, the first server provides the first trust anchor certificate, the second trust anchor certificate and the first vendor-signed certificate to the end-point meter via the communication module.

[0043] The method may comprise storing the first trust anchor certificate at the end-point meter when the first vendor-signed certificate has been verified by the end-point meter. In this example, the end-point meter stores the first trust anchor certificate of the endpoint meter and the second trust anchor certificate of the communication module.

[0044] The step of verifying the second trust anchor certificate request may comprise verifying the first device identifier associated with the end-point meter.

[0045] For the second trust anchor certificate request, authenticating the second trust anchor certificate by the first server may comprise signing the second trust anchor certificate, which may use PKI. For the second trust anchor certificate request, the signing of the second trust anchor certificate may use the first private key of the first server. For the second trust anchor certificate request, authenticating the first trust anchor certificate by the first server may comprise signing the first trust anchor certificate, which may use PKI. For the second trust anchor certificate request, the signing of the first trust anchor certificate may use the first private key of the first server.

[0046] The step of verifying the first vendor-signed certificate by the end-point meter may comprise using the first manufacturer trust anchor to validate the first vendor-signed certificate. Validating the first vendor-signed certificate may include extracting a first validation tool therefrom. The first validation tool may be the first public key included in the first vendor-signed certificate. The first validation tool may be used to further validate the authenticated second trust anchor certificate. The validation may include validating the authenticated first trust anchor certificate, which may use the first validation tool.

[0047] The second trust anchor certificate stored at the end-point meter may be a communication module root. The first trust anchor certificate may be stored at the endpoint meter and may be an end-point meter root.

[0048] The second trust anchor certificate may be stored at the end-point meter persistently, such as in non-volatile memory. The first trust anchor certificate may be stored at the end-point meter persistently, such as in non-volatile memory.

[0049] In some examples, the first and second trust anchor certificates are each stored at both the end-point meter and the communication module.

[0050] The network may be part of, or may be an advanced metering infrastructure (AMI) network. The network may comprise a network of an AMI, and the at least one end-point meter may comprise at least one of: a collector; a gateway node, and / or a metering device.

[0051] The communication module may be operable to exchange meter data with a network module, such as a head-end system. The head-end system may be a device or service configured to collect data, such as measurement data and meter events, from a plurality of devices, for transmission to an application.

[0052] The term end-point will be understood to refer to an end-point of a network. For example, in the instance of an Advanced Metering Infrastructure (AMI) network, each endpoint comprises at least one of: a collector; a gateway node, and / or a metering device such as a smart meter, or “edge-intelligence” or communication module associated with a smart meter. It will be understood that an end-point may not be the final node of a network, and in some cases, one end-point may subsequently send data onwards to another end-point meter, with the term end-point meaning generally at the metering region of the network, as opposed to the head-end of the network.

[0053] The communication module may be any suitable communication module for communicating with an end-point meter.

[0054] In an AMI network, the head-end system may provide a communication and data collection layer between a smart meter infrastructure and a utility’s IT systems. The headend system may be configured to enable secure communication to the metering infrastructure. The steps of the method may be carried out in any order unless the context provides otherwise.

[0055] The use of numbering such as “first” and “second” is provided to differentiate one feature from another, and does not imply the presence or absence of any feature, any preferred numbering or ordering of features, and is provided purely to assist in understanding the invention.

[0056] According to a second aspect of the disclosure, there is provided a computer program comprising instructions which, when the program is executed by a computer, cause the computer to function as a first server for carrying out at least some steps of the method according to the first aspect.

[0057] According to a third aspect of the disclosure, there is provided a computer program comprising instructions which, when the program is executed by a computer, cause the computer to function as a communication module for carrying out at least some steps of the method according to the first aspect.

[0058] According to a fourth aspect of the disclosure, there is provided a computer program comprising instructions which, when the program is executed by a computer, cause the computer to function as an end-point meter for carrying out at least some steps of the method according to the first aspect.

[0059] According to a fifth aspect of the disclosure, there is provided a computer- readable storage medium comprising instructions which, when executed by a computer, cause the computer to carry out at least some of the method of the first aspect.

[0060] According to a sixth aspect of the disclosure, there is provided one or more computer programs comprising instructions which, when the program is executed by a computer, cause the computer to carry out at least some of the method of the first aspect.

[0061] According to a seventh aspect of the disclosure, there is provided a system comprising: an end-point meter; a communication module for communicating with the end-point meter; and a first server; wherein the first server is operable to obtain, from a vendor of the end-point meter, a first vendor-signed certificate; wherein the first server is operable to obtain, from a vendor of the communication module, a second vendor-signed certificate; wherein the communication module is operable to provide, to the first server, a first trust anchor certificate request; wherein the first server is configured to verify the first trust anchor certificate request; wherein the first server is configured to provide, to the communication module: a first trust anchor certificate of the end-point meter and authenticated by the first server, and the second vendor-signed certificate; wherein the communication module is configured to verify the second vendor- signed certificate; wherein the communication module is configured to store the first trust anchor certificate; wherein the communication module is operable to provide, to the first server, a second trust anchor certificate request; wherein the first server is configured to verify the second trust anchor certificate request; wherein the first server is configured to provide, to the end-point meter, via the communication module: a second trust anchor certificate of the communication module and authenticated by the first server; and the first vendor-signed certificate; wherein the end-point meter is configured to verify the first vendor-signed certificate; wherein the end-point meter is configured to store the second trust anchor certificate at the end-point meter.

[0062] The above summary is intended to be merely examples and non-limiting. The disclosure includes one or more corresponding aspects, embodiments or features in isolation or in various combinations whether or not specifically stated (including claimed) in that combination or in isolation. It should be understood that features defined above in accordance with any aspect of the present disclosure or below relating to any specific embodiment of the disclosure may be utilized, either alone or in combination with any other defined feature, in any other aspect or embodiment or to form a further aspect or embodiment of the disclosure.

[0063] BRIEF DESCRIPTION OF DRAWINGS

[0064] These and other aspects of the present disclosure will now be described, by way of example only, with reference to the accompanying drawings, wherein: Fig. 1 depicts a method of configuring trust anchors in a network in accordance with an embodiment of the invention; and

[0065] Fig. 2 depicts an example distribution of certificates in the network.

[0066] DETAILED DESCRIPTION OF DRAWINGS

[0067] With reference to Fig. 1 a method 100 of configuring trust anchors in a network, wherein the network comprises an end-point meter 1 , and a communication module 2 for communicating with the end-point meter 1 , is shown. The network comprises a plurality of end-point meters 1 and the communication module 2 could be configured to communicate with a plurality of the end-point meters 1 . As the invention relates to configuring trust anchor certificates, only one meter 1 and one communication module 2 is depicted for brevity.

[0068] In the embodiment of Fig. 1 , the network is part of an advanced metering infrastructure (AMI) network and the endpoint meter comprises at least one of: a collector; a gateway node, and / or a metering device. The end-point meter can be any utility meter, such as for power, gas, water, or the like.

[0069] The communication module 2 is operable to exchange meter data with a network module, such as a head-end system. The head-end system is a device or service configured to collect data, such as measurement data and meter events, from a plurality of devices, for transmission to an application.

[0070] The term end-point will be understood to refer to an end-point of a network. For example, in the instance of an Advanced Metering Infrastructure (AMI) network, each endpoint comprises at least one of: a collector; a gateway node, and / or a metering device such as a smart meter, or “edge-intelligence” or communication module associated with a smart meter. It will be understood that an end-point may not be the final node of a network, and in some cases, one end-point may subsequently send data onwards to another end-point meter, with the term end-point meaning generally at the metering region of the network, as opposed to the head-end of the network.

[0071] The communication module 2 may be any suitable communication module 2 for communicating with the end-point meter 1.

[0072] In an AMI network, the head-end system may provide a communication and data collection layer between a smart meter infrastructure and a utility’s IT systems. The head- end system may be configured to enable secure communication to the metering infrastructure.

[0073] In the embodiment shown in Fig. 1 , the end-point meter 1 acts as a device language message specification (DLMS) server and the communication module 2 acts as a DLMS client module, with both devices communicating with each other using the DLMS communication protocol, which is a known protocol used in meter infrastructure. The use of DLMS is by example, and other communication protocols may be employed.

[0074] The method comprises at step 101 installing a unique device certificate (a “birth certificate”), at the end-point meter 1 and the communication module 2, and installing a first manufacturer trust anchor at the end-point meter 1 . The first manufacturer trust anchor is associated with the vendor of the end-point meter 1 . A second manufacturer trust anchor is installed at the communication module 2, also at step 101 . The second manufacturer trust anchor is associated with the vendor of the communication module 2.

[0075] The first manufacturer trust anchor and the second manufacturer trust anchor are installed prior to deployment, during manufacture of the end-point meter 1 and the communication module 2.

[0076] Next, the method, at step 102 comprises generating, by a first server 4, a first public key infrastructure (PKI) key pair, which is a first private key and a first public key. The functions of the first server 4 in Fig. 1 are split into those that are carried out before or during manufacture (termed “one time setup (customer installation)” in Fig. 1 ), and those carried out once the meter 1 and the communication module 2 are deployed. In the embodiment of Fig. 1 , the network comprises the first server 4, at least for the purposes of carrying out the method 100 although it will be understood that the server 4 may have other functions within the AMI network.

[0077] At Step 104, the first server 4 obtains from a vendor of the end-point meter 1 a first vendor-signed certificate, and at step 106 the first server 4 obtains from a vendor of the communication module 2 a second vendor-signed certificate. These steps will be described in more detail now.

[0078] The step 104 of obtaining the first vendor-signed certificate comprises sending a first certificate signing request from the first server 4 to a vendor of the end-point meter 1 . The initialisation of this step can occur in many different ways, such as by either of the vendors of the meter 1 or communication module 2 or requesting it from the first server 4, by a third party requesting it, or in any suitable manner.

[0079] The first certificate signing request includes the first public key of the first server 4. The first certificate signing request is signed by the vendor of the end-point meter 1 , using a certificate authority of the vendor, to create the first vendor-signed certificate. The vendor of the end-point meter 1 then provides the first vendor-signed certificate to the first server 4.

[0080] The step 106 of obtaining the second vendor-signed certificate comprises sending a second certificate signing request from the first server 4 to a vendor of the communication module 2. The second certificate signing request includes the first public key of the first server 4. The second certificate signing request is signed by the vendor of the communication module 2, using a certificate authority of the vendor to create the second vendor-signed certificate. The vendor of the communication module 2 then provides the second vendor-signed certificate to the first server 4.

[0081] In the embodiment of Fig. 1 , the certificate authority used by each vendor is a manufacturing certificate authority.

[0082] Once the first server 4 obtains the vendor-signed certificates, the method proceeds to step 108 comprising mapping a logical device name (an example of a device parameter) from the first vendor-signed certificate to an internet assigned numbers authority (IANA) identifier associated with the vendor of the end-point meter 1. The device name is allocated by the vendor of the end-point meter 1 . This mapping will map each 3-byte octet of the logical device name field, which indicates the manufacturer identifier from the certificate signing, against the associated vendor IANA. The mapping of step 108 also maps a logical device name from the second vendor-signed certificate to an IANA identifier associated with the vendor of the communication module 2 in the same manner.

[0083] In the embodiment of Fig. 1 , the vendor of the end-point meter 1 is different to the vendor of the communication module 2.

[0084] At step 1 10, the method 100 comprises deploying the end-point meter 1 and the communication module 2 to a deployment location after the first vendor-signed certificate and the second vendor-signed certificate have been obtained by the first server 4 and the mapping of the first vendor certificate and the mapping of the second vendor certificate. The deployment location is a location where the end-point meter 1 can monitor utility usage (e g. power usage or the like) and where the communication module 2 can communicate with the end-point meter 1 (i.e. the intended end-use, termed “field deployment” in Fig. 1).

[0085] Next, the method comprises at step 1 12 establishing a secure communication link between the end-point meter 1 and the communication module 2. In the embodiment of Fig. 1 , the communication link is a mutually trusted secure channel of communication established through PKI by sharing at least one set of symmetric keys between the endpoint meter 1 and the communication module 2. The symmetric keys can be pre-shared before deployment, or during deployment, for example.

[0086] The symmetric keys may be a default symmetric key embedded in the end-point meter 1 and the communication module 2 firmware or installed during manufacture, although this is provided merely as an example.

[0087] The communication link between the end-point meter 1 and the communication module 2, when established, “associates” the end-point meter 1 with the communication module 2. The communication module 2 then handles communication with the first server 4 on behalf of the end-point meter 1. In the embodiment of Fig. 1 , the association is in Security Suite 0, which for brevity will not be described in detail, and other methods may be used for the communication link.

[0088] Next, the method 100 comprises at step 114 providing, from the communication module 2 to the first server 4, a first trust anchor certificate request, which may be a “CACerts” request. The communication link between the end-point meter 1 and the communication module 2 is established before the first trust anchor certificate request is sent. The first trust anchor request includes the IANA identifier associated with the vendor of the communication module.

[0089] The first server 4 is configured to communicate with the communication module 2 using a secure communication channel, which in the embodiment of Fig. 1 is by the certificate management protocol: enrolment over secure transport (EST). The first server 4 is configured for certificate management, and is termed an “EST server” in Fig. 1 . However, the use of EST is as an example and is not intended to be limiting.

[0090] The first server 4 can be implemented in any suitable manner, and need not be a single server, and may be geographically distributed, such as in cloud computing. The term server is not intended to be limiting, and the first server may be implemented in hardware and / or software in any suitable manner.

[0091] Next, at step 1 16, the first server 4 verifies the first trust anchor certificate request. This includes verifying the IANA identifier associated with the vendor of the communication module 2.

[0092] Once the first trust anchor certificate request is verified, the first server 4 authenticates a first trust anchor certificate of the end-point meter 1 by signing the first trust anchor certificate, using the first private key of the first server 4. The first server 4 also authenticates a second trust anchor certificate of the communication module 2 by signing the second trust anchor certificate using the first private key of the first server 4. It will be understood that there are other ways of the first server 4 obtaining authenticated trust anchor certificates.

[0093] Next, at step 1 18, the first server 4 provides to the communication module 2, by “CACerts”, the authenticated first trust anchor certificate of the end-point meter 1 , the authenticated second trust anchor certificate of the communication module 2, and the second vendor-signed certificate.

[0094] In other examples, the first server 4, in response to a first trust anchor certificate request, may provide only the first trust anchor certificate of the end-point meter 1 .

[0095] At step 120, the communication module 2 verifies the second vendor-signed certificate by using the second manufacturer trust anchor to validate the second vendor- signed certificate. Validating the second vendor-signed certificate includes extracting a second validation tool therefrom, which in this embodiment is the first public key included in the second vendor-signed certificate. The first public key is used to further validate the authenticated first trust anchor certificate and the authenticated second trust anchor certificate (validating the CACerts response from the first server 4).

[0096] After the above validation, the communication module 2 stores the first trust anchor certificate and the second trust anchor certificate, persistently (e.g. using nonvolatile memory).

[0097] The first trust anchor certificate stored at the communication module 2 is an endpoint meter root, and the second trust anchor certificate stored at the communication module 2 is a communication module root.

[0098] At this stage, the communication module 2 has the trust anchors of itself and the end-point meter 1 . The remaining steps of the method will replicate this to store the trust anchors of the end-point meter 1 and the communication module 2 at the end-point meter 1 so that they can trust each other.

[0099] The method 100 comprises a step 122 of obtaining, from the end-point meter 1 by the communication module 2, an IANA identifier (an example of a device attribute) of the vendor of the meter 1. This step 122 is carried out before a second trust anchor certificate request and after the verification of the second vendor-signed certificate by the communication module 2 and after the storing of the first and second trust anchor certificates at the communication module 2.

[0100] At step 124 the communication module 2 provides a second trust anchor certificate request to the first server 4. The second trust anchor certificate request includes the IANA identifier of the vendor of the end-point meter 1 obtained by the communication module 2. The second trust anchor certificate request is carried out after the first trust anchor certificate request, and after the storing of the first and second trust anchor certificates at the communication module 2.

[0101] At step 126 the first server 4 verifies the second trust anchor certificate request. This includes verifying the IANA identifier associated with the vendor of the end-point meter 1 .

[0102] For the second trust anchor certificate request, the first server 4 authenticates a first trust anchor certificate of the end-point meter 1 by signing using the first private key, and authenticates a second trust anchor certificate of the communication module 2 by signing using the first private key.

[0103] At step 128, the first server 4 provides, to the end-point meter 1 , via the communication module 2, the authenticated first trust anchor certificate of the end-point meter 1 , the authenticated second trust anchor certificate of the communication module 2, and the first vendor-signed certificate.

[0104] At step 130 the end-point meter 1 verifies the first vendor-signed certificate. This includes using the first manufacturer trust anchor to validate the first vendor-signed certificate. Validating the first vendor-signed certificate includes extracting a first validation tool, which in this embodiment is the first public key included in the first vendor- signed certificate. The first public key is used to further validate the authenticated first and second trust anchor certificates.

[0105] Also at step 130 the first trust anchor certificate and the second trust anchor certificate are stored persistently at the end-point meter (e.g. using non-volatile memory). The first trust anchor certificate stored at the end-point meter is an end-point meter root, and the second trust anchor certificate stored at the end-point meter is a communication module root.

[0106] In the embodiment of Fig. 1 , the first and second trust anchor certificates are each stored at both the end-point meter and the communication module.

[0107] Advantageously, by providing and storing the first trust anchor certificate of the end-point meter at the communication module, and the second trust anchor certificate of the communication module at the end-point meter, each provided in a secure way, a mutual trust can be obtained in a more efficient and secure manner over at least some known examples.

[0108] Advantageously, the invention removes the need for providing integration specific trust anchors during manufacturing. The trust anchors can be provided after manufacturing, and once the specific deployment plans are known, rather than needing to know such plans during manufacturing. Consider that many meters and communication modules will be produced, and by different vendors, and it is therefore advantageous to configure the trust anchors during deployment when it is known how they will be arranged in the network.

[0109] Advantageously, the invention in at least some examples avoids the use of unsecured channels for providing trust anchors to the end-point meter device and communication module. In some examples, it may be sufficient to reduce, rather than eliminate, the use of unsecured channels, which may still provide an improvement over other methods and systems.

[0110] Advantageously, in at least some examples, the invention solves a problem whereby, during manufacturing, the vendor of the end-point meter does not know the root of the communication module, and vice versa. Both the end-point meter and the communication module, in some examples, can therefore be deployed then provided with each other’s trust anchor.

[0111] Fig. 2 depicts various certificates stored at the end-point meter 1 , the communication module 2, and the first server 4.

[0112] The first server 4 has root certificate authority (CA) certificates for the end-point meter 1 (DLMS server), the communication module 2 (DLMS client), a customer root CA certificate, and other CA certificates. The first server 4 also includes end-point meter and communication module vendor-signed certificates (DLMS server and DLMS client root CA signed EST server certificates), customer signed EST server TLS certificate and trust anchors to trust the end-point meter (DLMS server) and the communication module (DLMS client).

[0113] The end point meter 1 (DLMS server) includes a birth certificate, an end-point meter trust anchor certificate (DLMS server root CA Certificate), and a first manufacturer trust anchor (DLMS server manufacturing CA certificate), and acquired from the first server (during EST), a communication module trust anchor certificate (DLMS client root CA certificate), a customer root CA certificate, and other CA certificates.

[0114] The communication module 2 (DLMS client) includes a birth certificate, a communication module trust anchor certificate (DLMS client root CA Certificate), and a second manufacturer trust anchor (DLMS client manufacturing CA certificate), and acquired from the first server (during EST), an end-point meter trust anchor certificate (DLMS server root CA certificate), a customer root CA certificate, and other CA certificates. Although the disclosure has been described in terms of example embodiments as set forth above, it should be understood that these embodiments are illustrative only and that the claims are not limited to those embodiments. Those skilled in the art will be able to make modifications and alternatives in view of the disclosure, which are contemplated as falling within the scope of the appended claims. Each feature disclosed or illustrated in the present specification may be incorporated in any embodiments, whether alone or in any appropriate combination with any other feature disclosed or illustrated herein.

Claims

CLAIMS:1 . A method of configuring trust anchors in a network, wherein the network comprises an end-point meter, and a communication module for communicating with the end-point meter, wherein the method comprises: obtaining, by a first server from a vendor of the end-point meter, a first vendor-signed certificate; obtaining, by the first server from a vendor of the communication module, a second vendor-signed certificate; providing, from the communication module to the first server, a first trust anchor certificate request; verifying, by the first server, the first trust anchor certificate request; providing, by the first server, to the communication module: a first trust anchor certificate of the end-point meter and authenticated by the first server, and the second vendor-signed certificate; verifying, by the communication module, the second vendor-signed certificate; storing the first trust anchor certificate at the communication module; providing, from the communication module to the first server, a second trust anchor certificate request; verifying, by the first server, the second trust anchor certificate request; providing, from the first server, to the end-point meter, via the communication module: a second trust anchor certificate of the communication module and authenticated by the first server; and the first vendor-signed certificate; verifying, by the end-point meter, the first vendor-signed certificate; and storing the second trust anchor certificate at the end-point meter.

2. The method of claim 1 , wherein the step of obtaining the first vendor-signed certificate comprises sending a first certificate signing request from the first server to a vendor of the end-point meter, and signing the first certificate signing request by the vendor of the end-point meter to create the first vendor-signed certificate.

3. The method of claim 1 or claim 2, wherein the step of obtaining the second vendor-signed certificate comprises sending a second certificate signing request from the first server to a vendor of the communication module, and signing the second certificate signing request by the vendor of the communication module to create the second vendor-signed certificate.

4. The method of any preceding claim, wherein the method comprises mapping at least one device parameter from the first vendor-signed certificate to a first device identifier associated with the vendor of the end-point meter.

5. The method of any preceding claim, wherein the method comprises mapping at least one device parameter from the second vendor-signed certificate to a second device identifier associated with the vendor of the communication module.

6. The method of any preceding claim, wherein the method comprises providing, by the first server to the communication module, in response to the first trust anchor certificate request being verified by the first server, a second trust anchor certificate of the communication module and authenticated by the first server.

7. The method of claim 6, wherein the method comprises storing the second trust anchor certificate at the communication module when the second vendor-signed certificate has been verified by the communication module.

8. The method of any preceding claim, wherein, for the first trust anchor certificate request, authenticating the first trust anchor certificate by the first server comprises signing the first trust anchor certificate.

9. The method of any preceding claim, wherein the step of verifying the second vendor-signed certificate by the communication module comprises using a second manufacturer trust anchor to validate the second vendor-signed certificate.

10. The method of any preceding claim, wherein the method comprises providing, by the first server to the end-point meter via the communication module, in response to the second trust anchor certificate request being verified by the first server, afirst trust anchor certificate of the end-point meter and authenticated by the first server.1 1 . The method of claim 10, wherein the method comprises storing the first trust anchor certificate at the end-point meter when the first vendor-signed certificate has been verified by the end-point meter.

12. The method of any preceding claim, wherein for the second trust anchor certificate request, authenticating the second trust anchor certificate by the first server comprises signing the second trust anchor certificate.

13. The method of any preceding claim, wherein the step of verifying the first vendor- signed certificate by the end-point meter comprises using a first manufacturer trust anchor to validate the first vendor-signed certificate.

14. The method of any preceding claim, wherein the end-point meter and the communication module are configured to communicate with each other using a communications protocol, such as the Device Language Message Specification (DLMS) protocol.

15. The method of any preceding claim, wherein the network is part of, or is an advanced metering infrastructure (AMI) network, and the at least one end-point meter comprises at least one of: a collector; a gateway node, and / or a metering device.

16. The method of any preceding claim, wherein the communication module is operable to exchange meter data with a network module, such as a head-end system.

17. A computer program comprising instructions which, when the program is executed by a computer, cause the computer to function as a first server for carrying out at least some steps of the method of claim 1 .

18. A computer program comprising instructions which, when the program is executed by a computer, cause the computer to function as a communication module for carrying out at least some steps of the method according to claim 1 .

19. A computer program comprising instructions which, when the program is executed by a computer, cause the computer to function as an end-point meter for carrying out at least some steps of the method according to claim 1 .

20. A system comprising: an end-point meter; a communication module for communicating with the end-point meter; and a first server; wherein the first server is operable to obtain, from a vendor of the end-point meter, a first vendor-signed certificate; wherein the first server is operable to obtain, from a vendor of the communication module, a second vendor-signed certificate; wherein the communication module is operable to provide, to the first server, a first trust anchor certificate request; wherein the first server is configured to verify the first trust anchor certificate request; wherein the first server is configured to provide, to the communication module: a first trust anchor certificate of the end-point meter and authenticated by the first server, and the second vendor-signed certificate; wherein the communication module is configured to verify the second vendor- signed certificate; wherein the communication module is configured to store the first trust anchor certificate; wherein the communication module is operable to provide, to the first server, a second trust anchor certificate request; wherein the first server is configured to verify the second trust anchor certificate request; wherein the first server is configured to provide, to the end-point meter, via the communication module:a second trust anchor certificate of the communication module and authenticated by the first server; and the first vendor-signed certificate; wherein the end-point meter is configured to verify the first vendor-signed certificate; wherein the end-point meter is configured to store the second trust anchor certificate at the end-point meter.

Images