Digital rights management system and method

US 10,027,489 B2
Filed: 08/27/2015
Issued: 07/17/2018
Est. Priority Date: 03/31/2004
Status: Active Grant

First Claim

Patent Images

1. A certificate authority device, comprising:

a memory that stores executable instructions; and

a processor, coupled to the memory, that facilitates execution of the executable instructions to perform operations, comprising;

communicating with an automation device and a control device via a local area network consisting of a set of networked devices comprising the certificate authority device, the control device, and the automation device, that communicate via a local area network protocol;

generating for the control device a digital certificate that cryptographically authenticates an identity of the control device;

determining that the control device is authorized to modify an automation program that is executed by the automation device based on defined privileges linked to the digital certificate of the control device;

facilitating presentation of the defined privileges via a user interface; and

receiving, via the user interface, input data representative of a change to the defined privileges.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture for application of digital rights management to industrial automation devices including programmable logic controllers (PLCs), I/O devices, and communication adapters is provided. Digital rights management involves a set of technologies for controlling and managing access to device objects and/or programs such as ladder logic programs. Access to automation device objects and/or programs can be managed by downloading rules of use that define user privileges with respect to automation devices and utilizing digital certificates, among other things, to verify the identity of a user desiring to interact with device programs, for example. The architecture can provide for secure transmission of messages to and amongst automation devices utilizing public key cryptography associated with digital certificates.

38 Citations

20 Claims

1. A certificate authority device, comprising:
- a memory that stores executable instructions; and
  
  a processor, coupled to the memory, that facilitates execution of the executable instructions to perform operations, comprising;
  
  communicating with an automation device and a control device via a local area network consisting of a set of networked devices comprising the certificate authority device, the control device, and the automation device, that communicate via a local area network protocol;
  
  generating for the control device a digital certificate that cryptographically authenticates an identity of the control device;
  
  determining that the control device is authorized to modify an automation program that is executed by the automation device based on defined privileges linked to the digital certificate of the control device;
  
  facilitating presentation of the defined privileges via a user interface; and
  
  receiving, via the user interface, input data representative of a change to the defined privileges.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The certificate authority device of claim 1, wherein the local area network protocol is an Ethernet protocol.
  - 3. The certificate authority device of claim 1, wherein the set of networked devices does not include a device of a wide area network.
  - 4. The certificate authority device of claim 1, wherein the set of networked devices consisting of devices of a common automation facility identity.
  - 5. The certificate authority device of claim 1, wherein the operations further comprise storing at least a portion of the digital certificate to certificate data store of the certificate authority device.
  - 6. The certificate authority device of claim 1, wherein the operations further comprise transmitting at least a portion of the digital certificate to the automation device.
  - 7. The certificate authority device of claim 1, wherein the operations further comprise generating a second digital certificate that cryptographically authenticates a user identity of a user of the control device.
  - 8. The certificate authority device of claim 7, wherein the determining that the control device is authorized to modify the automation program further comprises determining that the user of the control device is authorized to modify the automation program based on a defined privilege linked to the second digital certificate.
  - 9. The certificate authority device of claim 1, wherein the operations further comprise determining that an instruction transmitted by the automation device is authorized based on a set of defined privileges of the identity associated with the automation device.

10. A first automation device, comprising:
- a memory that stores computer executable instructions; and
  
  a processor, communicatively coupled to the memory, that facilitates execution of the computer executable instructions to perform operations, comprising;
  
  receiving, from a second automation device, a message instructing a modification of an automation program related to the first automation device, wherein the message comprises sender data indicative of the second automation device;
  
  receiving, from a certificate authority device, digital certificate data that was issued by the certificate authority device, wherein the certification data certifies an identity of the second automation device;
  
  based on the digital certificate data, verifying the message was transmitted by the second automation device, wherein the first automation device, the second automation device, and the certificate authority device are communicatively coupled via a local area network consisting of a set of a set of networked device that communicate via a local area network protocol;
  
  determining that the second automation device is authorized to facilitate the modification of the automation program based on defined privileges linked to the digital certificate data;
  
  facilitating presentation of the defined privileges via a user interface; and
  
  receiving input data representative of a change to the defined privileges via the user interface.
- View Dependent Claims (11, 12, 19, 20)
- - 11. The first automation device of claim 10, wherein the operations further comprise modifying the automation program based on the message in response to the verifying.
  - 12. The first automation device of claim 10, wherein the receiving the digital certificate data comprises receiving the digital certificate data in response to an installation procedure comprising attaching the second device to the local area network.
  - 19. The first automation device of claim 10, wherein the operations further comprise receiving, from the certificate authority device, second input data representative of a second change to the defined privileges.
  - 20. The first automation device of claim 10, wherein the operations further comprise receiving, from the second automation device, second input data representative of a second change to the defined privileges.

13. A method, comprising:
- receiving, by a system comprising a processor, a request to access automation data representative of a program that is executed by an automation device or a process that is performed by the automation device, wherein the request is from a requesting device;
  
  receiving, by the system, digital certificate data corresponding to the requesting device, wherein the digital certificate data cryptographically authenticates an identity of the requesting device, and wherein the digital certificate data is generated by a certificate authority device;
  
  matching, by the system, the digital certificate data to a list of access rights for the program or the process;
  
  determining, by the system, a level of access to the automation data is satisfied based on the matching; and
  
  granting, by the system, the level of access to the automation data, wherein the level of access is granted to the requesting device in response to the determining,wherein the system, the requesting device, and the certificate authority device are communicatively coupled via a local area network consisting of a set of networked device that communicate via a local area network protocol;
  
  facilitating presentation of the list of access rights via a user interface; and
  
  receiving, via the user interface, input data representative of a change to the list of access rights.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, further comprising requesting a plurality of digital certificates from the certificate authority device, wherein the plurality of digital certificates comprises a digital certificate corresponding to the requesting device.
  - 15. The method of claim 13, wherein the receiving the digital certificate data includes receiving a public key.
  - 16. The method of claim 13, wherein the receiving the digital certificate data includes receiving at least one of an device identifier, a validity period, or a certification authority signature.
  - 17. The method of claim 13, wherein the matching comprises matching the digital certificate data to a set of rights that restrict access to the program or the process according to a device name, a user name, an entity type, or a role.
  - 18. The method of claim 13, further comprising, based on the level of access, determining that the requesting device is authorized to modify the program or the process based on defined privileges linked to the digital certificate data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Callaghan, David M.
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US14/837,145
Publication Number

US 20150365240A1
Time in Patent Office

1,055 Days
Field of Search

715175
US Class Current
CPC Class Codes

G05B 2219/24167   Encryption, password, user ...

G06F 21/31   User authentication

G06F 21/33   using certificates

G06F 21/445   by mutual authentication, e...

G06F 21/606   by securing the transmissio...

G06F 21/62   Protecting access to data v...

H04L 63/0823   using certificates cryptogr...

H04L 67/12   specially adapted for propr...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

Digital rights management system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Digital rights management system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links