Method and apparatus for uniquely and authoritatively identifying tangible objects
Abstract
A smart chip protection system contains a unique public/private identity key pair and uses a separate public/private signature key pair. The identity private key is stored in permanent, secure storage such that it cannot be read outside the chip. An issuing entity generates a descriptor containing the identity public key, attribute data, and a digital signature. The digital signature is generated by enciphering a derivation of the identity public key and the attribute data with the signature private key known only to the issuer. The authenticity of the descriptor data is verified by decrypting the signature with the signature public key using a known algorithm, and comparing the result to the derivation of the descriptor data. The identity of the object can be verified by requesting the smart chip to perform an encryption/decryption operation using its identity private key, and performing the complement using the public key.
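As an added illustration (not code from the patent or its assignee), the following Python model walks through the scheme in the abstract and the step-by-step procedure of claim 37: the issuer signs a descriptor with the signature private key, the verifier checks that signature with the signature public key, then challenges the chip with random source test data enciphered under the identity public key and compares the chip's complementary transformation with the original. It assumes textbook RSA on fixed, constructed primes, SHA-256 as the "derivation algorithm", and JSON as the descriptor encoding; none of these choices come from the page.

```python
import hashlib
import json
import secrets

# Constructed toy parameters: textbook RSA on fixed primes so the example runs
# offline and deterministically. Real deployments use proper key generation
# and padding; this only models the protocol's message flow.
E = 65537

def make_keypair(p, q):
    """Return ((n, e), (n, d)) for primes p, q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

# "First" algorithm: identity key pair, whose private half lives in the chip.
ID_PUB, ID_PRIV = make_keypair(1_000_000_007, 998_244_353)
# "Second" algorithm: signature key pair, whose private half only the issuer holds.
SIG_PUB, SIG_PRIV = make_keypair((1 << 61) - 1, (1 << 31) - 1)

def rsa_transform(value, key):
    """Modular exponentiation; the public and private transformations are complementary."""
    n, exponent = key
    return pow(value, exponent, n)

class ProtectionChip:
    """Model of the digital protection system: transform() is the external
    interface; the identity private key is internal storage that is never returned."""

    def __init__(self, identity_priv):
        self._identity_priv = identity_priv

    def transform(self, data):
        return rsa_transform(data, self._identity_priv)

def derive(identity_pub, attributes):
    """Derivation algorithm (assumed): SHA-256 over a canonical encoding of the
    identity public key and attribute data, reduced modulo the signature modulus."""
    payload = json.dumps({"n": identity_pub[0], "e": identity_pub[1],
                          "attributes": attributes}, sort_keys=True).encode()
    digest = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return digest % SIG_PUB[0]

def issue_descriptor(identity_pub, attributes):
    """Issuer: encipher the derivation with the signature private key."""
    signature = rsa_transform(derive(identity_pub, attributes), SIG_PRIV)
    return {"identity_pub": identity_pub, "attributes": attributes,
            "signature": signature}

def verify_descriptor(descriptor):
    """Verifier: decrypt the signature with the signature public key and compare
    it to a fresh derivation of the descriptor contents."""
    recovered = rsa_transform(descriptor["signature"], SIG_PUB)
    return recovered == derive(descriptor["identity_pub"], descriptor["attributes"])

def verify_identity(descriptor, chip, source_test=None):
    """Verifier: encipher random source test data with the identity public key,
    ask the chip for the complementary transformation, compare with the source."""
    n, _ = descriptor["identity_pub"]
    if source_test is None:
        source_test = secrets.randbelow(n - 2) + 2   # avoid the fixed points 0 and 1
    challenge = rsa_transform(source_test, descriptor["identity_pub"])
    resultant_test = chip.transform(challenge)
    return resultant_test == source_test

def verify_object(descriptor, chip):
    """Both checks must pass before the attribute data is trusted."""
    return verify_descriptor(descriptor) and verify_identity(descriptor, chip)

if __name__ == "__main__":
    genuine_chip = ProtectionChip(ID_PRIV)
    descriptor = issue_descriptor(ID_PUB, {"serial": "TOY-0001", "model": "toner cartridge"})
    print("genuine part:", verify_object(descriptor, genuine_chip))            # True

    # Edited attribute data no longer matches the issuer's signature.
    tampered = dict(descriptor, attributes={"serial": "TOY-0001", "model": "premium cartridge"})
    print("edited attribute data:", verify_descriptor(tampered))               # False

    # A copied descriptor on a chip that lacks the matching private key.
    counterfeit_chip = ProtectionChip((ID_PUB[0], 12345))
    print("cloned descriptor, wrong key:", verify_identity(descriptor, counterfeit_chip))  # False
```

The two failure cases show why the claims require both steps: the signature check catches altered attribute data, and the challenge catches a descriptor copied onto hardware that does not hold the identity private key.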
140 Claims
1. An apparatus having a digital protection mechanism, comprising:
a tangible object;
a digital protection system attached to said tangible object, said digital protection system comprising:
(a) an external interface for receiving data requests;
(b) a processor coupled to said external interface, said processor capable of transforming data according to a first public/private key encryption algorithm; and
(c) an internal data storage, said internal data storage storing an identity private key, said identity private key being inaccessible outside said external interface; and
a data descriptor associated with said digital protection system, said data descriptor including an identity public key, attribute data and a digital signature;
wherein said processor performs a first transformation of data responsive to a request received through said external interface, said processor performing said first transformation of said data according to said first public/private key encryption algorithm using said identity private key, wherein a second transformation of data according to said first public/private key encryption algorithm using said identity public key is a complementary transformation of said first transformation. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.)
10. A method for using verified information concerning a tangible object, comprising the steps of:
accessing descriptor data associated with the tangible object, said descriptor data including an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data containing information concerning said tangible object, and a digital signature;
verifying that said digital signature matches said identity public key and said attribute data;
performing a pair of complementary data transformations on source test data to produce resultant test data, said pair of complementary data transformations being performed by:
(a) performing a first data transformation according to said first public/private key encryption algorithm using said identity public key, and (b) accessing a digital protection system attached to said tangible object to perform a second data transformation according to said first public/private key encryption algorithm using an identity private key in said digital protection system, said identity private key corresponding to said identity public key according to said first public/private key encryption algorithm, said second data transformation being complementary to said first data transformation;
comparing said source test data with said resultant test data; and
using said attribute data in a manner dependent on the results of said step of verifying that said digital signature matches said identity public key and said attribute data, and said step of comparing said source test data with said resultant test data. (Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19.)
20. A program product for using verified information concerning a tangible object, said program product comprising a plurality of processor executable instructions recorded on signal-bearing media, wherein said instructions, when executed by a processor of a digital data processing device, cause the digital data processing device to perform the steps of:
accessing descriptor data associated with the tangible object, said descriptor data including an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data containing information concerning said tangible object, and a digital signature;
verifying that said digital signature matches said identity public key and said attribute data;
performing a pair of complementary data transformations on source test data to produce resultant test data, said pair of complementary data transformations being performed by:
(a) performing a first data transformation according to said first public/private key encryption algorithm using said identity public key, and (b) accessing a digital protection system attached to said tangible object to perform a second data transformation according to said first public/private key encryption algorithm using an identity private key in said digital protection system, said identity private key corresponding to said identity public key according to said first public/private key encryption algorithm, said second data transformation being complementary to said first data transformation;
comparing said source test data with said resultant test data; and
using said attribute data in a manner dependent on the results of said step of verifying that said digital signature matches said identity public key and said attribute data, and said step of comparing said source test data with said resultant test data. (Dependent claims: 21, 22, 23, 24, 25, 26, 27, 29, 30, 31, 32, 33, 34, 35, 36, 38, 39, 40, 41, 42, 43.)
28. A method for updating attribute data associated with a tangible object, comprising the steps of:
receiving a request to a service provider from a requestor to update said attribute data, the request including an identity public key for transforming data according to a first public/private key encryption algorithm;
performing a pair of complementary data transformations of source test data to produce resultant test data, a first of said pair of complementary data transformations being performed by said service provider according to said first public/private key encryption algorithm using said identity public key, and a second of said pair of complementary data transformations being performed by requesting a digital protection system attached to said tangible object to perform said second data transformation according to said first public/private key encryption algorithm using an identity private key in said digital protection system, said identity private key corresponding to said identity public key according to said first public/private key encryption algorithm;
comparing said source test data with said resultant test data, said comparing step being performed by said service provider; and
depending on the results of said step of comparing said source test data with said resultant test data, generating an updated descriptor, said updated descriptor comprising said identity public key, updated attribute data, and a digital signature of said identity public key and said updated attribute data.
37. A method for using verified information concerning a tangible object, comprising the steps of:
accessing descriptor data associated with the tangible object, said descriptor data including an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data containing information concerning said tangible object, and a digital signature, wherein said digital signature represents an encryption of data derived from said identity public key and said attribute data according to a derivation algorithm, said encryption being according to a second public/private key encryption algorithm using a signature private key;
decrypting said digital signature according to said second public/private key encryption algorithm using a signature public key;
deriving data from said identity public key and said attribute data using said derivation algorithm;
comparing the decrypted digital signature to the data derived from said identity public key and said attribute data according to said derivation algorithm;
generating random source test data;
performing a pair of complementary data transformations of said source test data to produce resultant test data, including:
(a) performing a first data transformation of said pair of complementary data transformations according to said first public/private key encryption algorithm using said identity public key, and (b) accessing a digital protection system attached to said tangible object to perform a second data transformation of said pair of complementary data transformations, said second data transformation being according to said first public/private key encryption algorithm using an identity private key in said digital protection system, said identity private key corresponding to said identity public key according to said first public/private key encryption algorithm;
comparing said random source test data with said resultant test data; and
using said attribute data in a manner dependent on the results of said step of comparing the decrypted digital signature to the data derived from said identity public key and said attribute data, and said step of comparing said random source test data with said resultant test data.
44. An apparatus for verifying information concerning a tangible object, comprising:
a programmable processor;
a memory for storing instructions executable on said programmable processor;
a digital protection system interface coupled to said processor, said interface communicating with a digital protection system for said tangible object;
a protection system verification program executable on said programmable processor, wherein said protection system verification program (a) obtains a data descriptor from a said digital protection system through said interface, said data descriptor comprising an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data containing information concerning said object, and a digital signature;
(b) verifies that said digital signature matches said identity public key and said attribute data;
(c) performs a first data transformation of a pair of complementary data transformations of source test data which produce resultant test data, said first data transformation being according to said first public/private key encryption algorithm using said identity public key;
(d) directs said digital protection system to perform a second data transformation of said pair of complementary data transformations of source test data which produce resultant test data, said second data transformation being complementary to said first data transformation;
(e) compares said source test data with said resultant test data; and
(f) verifies information concerning the tangible object responsive to steps (b) and (e). (Dependent claims: 45, 46, 47, 48, 49, 50.)
51. A method for verifying the identity of a tangible object, comprising the steps of:
accessing a descriptor associated with the tangible object, said descriptor including an identity public key for transforming data according to a first public/private key encryption algorithm;
providing source test data;
performing a pair of complementary data transformations on said source test data to produce resultant test data, said pair of complementary data transformations being performed by:
(a) performing a first data transformation according to said first public/private key encryption algorithm using said identity public key, and (b) accessing a digital protection system attached to said tangible object to perform a second data transformation according to said first public/private key encryption algorithm using an identity private key in said digital protection system, said identity private key corresponding to said identity public key according to said first public/private key encryption algorithm, said second data transformation being complementary to said first data transformation;
comparing said source test data with said resultant test data; and
using said descriptor to identify said tangible object dependent on the results of said step of comparing said source test data with said resultant test data. (Dependent claims: 52, 53, 54, 55, 57, 58, 59, 60, 61, 62, 63, 64.)
56. A method for providing telephone service, comprising the steps of:
transmitting an identity public key from a telephone to a service provider;
providing source test data, said step of providing source test data being performed by said service provider;
performing a pair of complementary data transformations of said source test data to produce resultant test data, by:
(a) performing a first data transformation of said pair of complementary data transformations according to a first public/private key encryption algorithm using said identity public key, said performing a first data transformation step being performed by said service provider, and (b) requesting said telephone to perform a second data transformation of said pair of complementary data transformations according to said first public/private key encryption algorithm using an identity private key stored in said telephone, and receiving the results of said second data transformation;
comparing said source test data to said resultant test data, said comparing step being performed by said service provider;
providing service to said telephone depending on whether said source test data matches said resultant test data.
65. A telephone, comprising:
a transceiver for communicating with a service provider;
a telephonic interface for audible communication with a user;
an identity public key and corresponding identity private key according to a first public/private key encryption algorithm;
a digital controller controlling the operation of said telephone, wherein said controller:
(a) causes said telephone to transmit said identity public key to a service provider with a request for service;
(b) responsive to a request from said service provider, performs a data transformation of test data received from said service provider according to said first public/private key encryption algorithm using said identity private key; and
(c) transmits the transformed test data to said service provider. (Dependent claims: 66, 67, 68, 69, 70.)
71. A method in a telephone service provider for updating attribute data contained in a telephone, comprising the steps of:
obtaining a descriptor associated with said telephone, said descriptor including an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data, and a digital signature;
verifying that said digital signature matches said attribute data and said identity public key;
performing a pair of complementary data transformations of source test data to produce resultant test data, a first of said pair of complementary data transformations being performed by said service provider according to said first public/private key encryption algorithm using said identity public key, and a second of said pair of complementary data transformations being performed by requesting said telephone to perform said second data transformation according to said first public/private key encryption algorithm using an identity private key in said telephone and receiving data from said telephone responsive to said request, said identity private key corresponding to said identity public key according to said first public/private key encryption algorithm;
comparing said source test data with said resultant test data;
depending on the results of said step of comparing said source test data with said resultant test data, generating an updated descriptor, said updated descriptor comprising said identity public key, updated attribute data, and a digital signature of said identity public key and said updated attribute data; and
transmitting said updated descriptor to said telephone. (Dependent claims: 72, 73, 74, 75, 76.)
77. A machine having multiple parts, comprising:
a first replaceable part;
a digital controller controlling operation of at least one function of said machine, said digital controller being external to said first replaceable part;
a digital protection system attached to said first replaceable part, said digital protection system comprising:
(a) an external interface for receiving data requests, (b) a processor coupled to said external interface, said processor capable of performing a first data transformation according to a first public/private key encryption algorithm, and (c) an internal data storage, said internal data storage storing an identity private key, said identity private key being inaccessible outside said external interface; and
a data descriptor associated with said digital protection system, said data descriptor including an identity public key, attribute data and a digital signature;
wherein said controller verifies information concerning said first replaceable part by:
(a) obtaining said data descriptor associated with said digital protection system, (b) performing a second data transformation of test data according to said first public/private key encryption algorithm using said identity public key, said second data transformation being complementary to said first data transformation, (c) accessing said digital protection system attached to said first replaceable part to perform said first data transformation of said test data using said identity private key, (d) comparing data undergoing said first and second data transformations to test data before transformation; and
(e) verifying that said data descriptor has not been altered using said digital signature. (Dependent claims: 78, 79, 80, 81, 82, 83, 84, 85.)
86. A replaceable part for a machine having multiple parts, comprising:
a part performing a function for said machine, and a digital protection system attached to said part, said digital protection system comprising:
(a) an external interface for communicating with a digital controller of said machine, said digital controller being located externally to said replaceable part;
(b) a processor coupled to said external interface, said processor capable of performing a data transformation according to a first public/private key encryption algorithm, and (c) an internal data storage, said internal data storage storing an identity private key, said identity private key being inaccessible outside said external interface, and a data descriptor, said data descriptor including an identity public key, attribute data and a digital signature;
wherein, responsive to a request received through said external interface, said processor of said digital protection system performs said data transformation according to said first public/private key encryption algorithm using said identity private key. (Dependent claims: 87, 88, 89, 90.)
91. A method of operating a machine having multiple parts, including a first replaceable part having a digital protection system and a digital controller external to said first replaceable part for controlling operation of said machine, said method comprising the steps of:
(a) obtaining a data descriptor associated with said first replaceable part, said data descriptor including an identity public key, attribute data, and a digital signature;
(b) performing a complementary pair of data transformations of source test data to produce resultant test data, including a first data transformation performed by said digital controller according to a first public/private key encryption algorithm using said identity public key, and a second data transformation performed by said digital protection system, said second data transformation being complementary to said first data transformation;
(c) comparing said source test data to said resultant test data;
(d) verifying that said data descriptor has not been altered using said digital signature; and
(e) using the results of steps (c) and (d) in the operation of said machine. (Dependent claims: 92, 93, 94, 95, 96.)
97. A personal identity document for a subject, comprising:
a carrier; and
a digital protection system attached to said carrier, said digital protection system comprising:
(a) an external interface for receiving data requests, (b) a processor coupled to said external interface, said processor capable of performing a data transformation according to a first public/private key encryption algorithm, and (c) an internal data storage, said internal data storage storing an identity private key and a data descriptor, said identity private key being inaccessible outside said external interface, said data descriptor including an identity public key, attribute data and a digital signature of said identity public key and said attribute data, said identity public key corresponding to said identity private key according to said first public/private key encryption algorithm;
wherein said processor performs said data transformation of data responsive to a request received through said external interface, said processor performing said data transformation according to said first public/private key encryption algorithm using said identity private key. (Dependent claims: 98, 99, 100, 101, 102, 103, 104, 105.)
106. A control station for verifying the personal identities of multiple subjects, comprising:
a programmable processor;
a memory, said memory storing a control program which executes on said programmable processor and controls at least some operations of said control station;
a digital personal identity document interface, said interface communicating with a digital personal identity document of a subject;
wherein said control program verifies a personal identity of a subject by:
(a) obtaining a data descriptor from said digital personal identity document of the subject through said interface, said descriptor comprising an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data containing identifying information concerning said subject, and a digital signature;
(b) verifying that said digital signature matches said identity public key and said attribute data;
(c) performing a pair of complementary data transformations of source test data to produce resultant test data, said pair of complementary data transformations including (i) a first data transformation according to said first public/private key encryption algorithm using said identity public key, said first data transformation being performed externally to said digital personal identity document, and (ii) a second data transformation according to said first public/private key encryption algorithm, said second data transformation being performed by said digital personal identity document responsive to a request by said control program;
(d) comparing said source test data with said resultant test data; and
(e) verifying the identity of said subject depending on the results of said step of verifying that said digital signature matches said identity public key and said attribute data, and said step of comparing said source test data with said resultant test data. (Dependent claims: 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 129, 130, 131, 132, 133, 135, 136, 137, 138, 139, 140.)
117. A method for verifying the identity of a subject, comprising the steps of:
(a) obtaining a data descriptor from a digital personal identity document of the subject, said descriptor comprising an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data containing identifying information concerning said subject, and a digital signature;
(b) verifying that said digital signature matches said identity public key and said attribute data;
(c) performing a pair of complementary data transformations of source test data to produce resultant test data, wherein a first data transformation of said pair is performed by a verifying device according to said first public/private key encryption algorithm using said identity public key, and wherein a second data transformation of said pair is performed by said digital personal identity document responsive to a request from a verifying device, said second data transformation being complementary to said first data transformation;
(d) comparing said source test data with said resultant test data; and
(e) verifying the identity of said subject responsive to the results of steps (b) and (d).
128. A method for providing television service to a subscriber, comprising the steps of:
accessing descriptor data in a television receiving apparatus, said descriptor data including an identity public key for transforming data according to a first public/private key encryption algorithm, attribute data and a digital signature of said descriptor data;
verifying that said descriptor data has not been altered using said digital signature;
providing source test data;
performing a first data transformation of a pair of data transformations of said source test data, said pair of data transformations producing resultant test data, said first data transformation being according to said first public/private key encryption algorithm using said identity public key;
requesting a digital protection system of said television receiving apparatus to perform a second data transformation of said pair of data transformations of said source test data, said digital protection system including (a) a processor capable of performing said second data transformation according to a first public/private key encryption algorithm; and
(b) a permanent data storage accessible only through said processor, said permanent data storage storing an identity private key for performing said second data transformation according to said first public/private key encryption algorithm;
comparing said source test data with the resultant test data to verify the identity of said digital protection system; and
using said attribute data to access one or more television channels on behalf of said subscriber depending on the results of said verifying step and said comparing step.
134. A television receiving system, comprising:
a digital controller controlling the operation of said television system;
a television signal transmission interface coupled to said digital controller, said interface receiving television signals from an external source and transmitting television signals to a display apparatus;
a digital protection system coupled to said digital controller, said digital protection system securely storing an identity private key, and said digital protection system performing a first data transformation according to a first public/private key encryption algorithm in response to a command from said digital controller;
a data descriptor associated with said digital protection system, said data descriptor including an identity public key for performing data transformations according to said first public/private key encryption algorithm, attribute data and a digital signature;
wherein said controller:
(a) directs said digital protection system to perform said first data transformation of test data;
(b) performs a second data transformation of test data according to said first public/private key encryption algorithm using said identity public key;
(c) compares test data before transformation with test data after said first and said second transformation, (d) verifies that said digital signature matches said identity public key, and (e) uses said attribute data to access television channels on behalf of a user responsive to the results of steps (c) and (d).
Specification