System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials

US 20030084311A1
Filed: 09/24/2002
Published: 05/01/2003
Est. Priority Date: 10/03/2001
Status: Active Grant

First Claim

Patent Images

1. A method for deploying a trusted network capable of securely updating devices that allows for secure transactions over an open communications network, comprising the steps of:

assigning a credential to a plurality of devices to be used in secure transactions over the open communications network;

storing a permanent manifest of the devices, relating each device to the credential assigned to the plurality of devices to which the device belongs;

maintaining a current list of devices approved to securely transact over the open communications network, each device being related in the current list of devices to the credential assigned to the plurality of devices to which the device belongs; and

verifying the validity of the credential associated with the plurality of devices to which each device being used in secure transactions over the open communications network belongs.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for creating a trusted network capable of facilitating secure transactions via an open network using batch credentials, such as batch PKI certificates, is presented. A certificate is bound to a group, or batch, or devices. This certificate is referenced by an activation authority upon processing a request for service by a device. Information regarding the device batch certificate is maintained in a permanent, or escrow, database. A user identity is bound to a device, as a device key is used to sign a user key created on the device in the presence of the user, and a copy of the device key is later used to decrypt the signed user key upon its transmission and receipt.

100 Citations

View as Search Results

40 Claims

1. A method for deploying a trusted network capable of securely updating devices that allows for secure transactions over an open communications network, comprising the steps of:
- assigning a credential to a plurality of devices to be used in secure transactions over the open communications network;
  
  storing a permanent manifest of the devices, relating each device to the credential assigned to the plurality of devices to which the device belongs;
  
  maintaining a current list of devices approved to securely transact over the open communications network, each device being related in the current list of devices to the credential assigned to the plurality of devices to which the device belongs; and
  
  verifying the validity of the credential associated with the plurality of devices to which each device being used in secure transactions over the open communications network belongs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising the step of:
    - using at least one of the plurality of devices to securely transact over the open communications network.
  - 3. The method of claim 1, wherein the credential comprises a digital certificate.
  - 4. The method of claim 3, wherein the digital certificate is issued by a certification authority.
  - 5. The method of claim 1, wherein the permanent manifest is maintained by a device manufacturer.
  - 6. The method of claim 1, wherein the permanent manifest is maintained by a certification authority.
  - 7. The method of claim 1, wherein the open communications network comprises the Internet.
  - 8. The method of claim 1, wherein the open communications network comprises a mobile telephone network.
  - 9. The method of claim 8, wherein the mobile telephone network comprises the global system for mobile communications (GSM).
  - 10. The method of claim 9, wherein each of the plurality of devices comprises a subscriber identity module (SIM).
  - 11. The method of claim 1, wherein each of the plurality of devices comprises a smart card.
  - 12. The method of claim 1, wherein a manufacturer of the plurality of devices requests the credential.
  - 13. The method of claim 12, wherein the manufacturer requests the credential from a certification authority.

14. A method for binding a user'"'"'s identity to a device by creating a credential on a hardware device, comprising the steps of:
- storing a device key pair, comprising a device public key and a device private key within a device;
  
  generating a user key pair, comprising a user public key and a user private key, within the device;
  
  signing the user public key using the device private key;
  
  transmitting the signed user public key to a verification entity;
  
  decrypting the signed user public key using a copy of the device public key retained by the verification entity.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the step of storing further comprises:
    - storing a reference pointer to a device manifest within a device.
  - 16. The method of claim 14, wherein the step of generating is performed while the device is under the control of the user with whom the user key is associated.

17. A method for effecting secure transactions via an open communications network, comprising the steps of:
- assigning a credential to a plurality of devices to be used in secure transactions over the open communications network;
  
  storing a permanent manifest relating each device of the plurality of devices to the credential assigned thereto;
  
  maintaining a current list of devices approved to use the credential assigned to the plurality of devices, each device being related in the current list of devices to the credential assigned to the plurality of devices to which the device belongs;
  
  performing a secure transaction via one of the devices using the credential assigned to the plurality of devices to which the device belongs;
  
  verifying the validity of the credential of the device.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, wherein the credential is a digital certificate.
  - 19. The method of claim 17, wherein the step of verifying is accomplished by way of a verification authority.
  - 20. The method of claim 17, further comprising the step of requesting the credential for the plurality of devices, and wherein the step of assigning is performed in response to the step of requesting.
  - 21. The method of claim 20, wherein the step of requesting is accomplished by way of a registration authority.
  - 22. The method of claim 21, wherein the registration authority is a manufacturer of the plurality of devices.
  - 23. The method of claim 17, wherein the step of maintaining a current list comprises maintaining a revocation list.

24. A method of associating a credential with a plurality of devices, comprising the steps of:
- a manufacturer of the plurality of devices storing data regarding the plurality of devices;
  
  a registration authority transmitting request data to a certification authority and requesting a credential for the plurality of devices;
  
  the certification authority recording credential data to be associated with the plurality of devices and issuing a credential for the plurality of devices;
  
  the certification authority providing the credential to the manufacturer; and
  
  the manufacturer providing each of the plurality of devices having the credential associated therewith to a plurality of users.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24, wherein the registration authority is the manufacturer.
  - 26. The method of claim 24, further comprising the steps of:
    - the manufacturer creating and storing a permanent manifest of the credential and each of the devices of the plurality of devices and the credential associated with the plurality of devices.

27. A method for activating a device for performing secure transactions over an open network, comprising the steps of:
- requesting activation of service, by way of a request, on behalf of the device;
  
  generating an indication of whether or not the request of activation of service was granted;
  
  if the request is granted, authenticating the device; and
  
  storing the authentication result in a user database.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27, wherein the step of requesting is performed by an activation authority.
  - 29. The method of claim 27, wherein the request is granted, further comprising the steps of:
    - generating a user key pair, comprising a user public key and a user private key, within the device;
      
      signing the user public key using a device private key associated with the device;
      
      transmitting the signed user public key to a verification entity;
      
      decrypting the signed user public key using a copy of the device public key retained by the verification entity.
  - 30. The method of claim 29, wherein the step of generating is performed in the presence of a user of the device.

31. A system for activation of services for a device over an open communications network, comprising:
- an activation authority configured to request activation of a device, on behalf of the device;
  
  a certification authority for certifying a credential of the device for which activation is requested by the activation authority;
  
  a certification storage device for storing information regarding credentials for a plurality of devices;
  
  a registration authority configured to request certification of a device from the certification authority;
  
  a user database accessible to the registration authority and to the activation authority configured to store information regarding users associated with the plurality of devices; and
  
  a device database accessible to the activation authority for maintaining information regarding the plurality of devices.
- View Dependent Claims (32)
- - 32. The system of claim 31, wherein the registration authority comprises a service provider.

33. A system capable of securely updating devices that allow for secure transactions over an open network, comprising:
- a manufacturer that manufactures a plurality of devices;
  
  an activation authority configured to request activation of each of the plurality of devices;
  
  a device certification authority configured to issue a credential for the plurality of devices;
  
  a device registration authority for requesting a credential for the plurality of devices from the device certification authority;
  
  a user certification authority configured to issue a credential for users of the plurality of devices;
  
  a user registration authority for requesting a credential for the users of the plurality of devices from the user certification authority.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40)
- - 34. The system of claim 33, further comprising:
    - a service provider for providing service to at least one of the plurality of devices.
  - 35. The system of claim 34, wherein the service provider is the user registration authority.
  - 36. The system of claim 33, further comprising an escrow database accessible to the manufacturer, the device registration authority, and the device certification authority.
  - 37. The system of claim 33, further comprising a user database accessible to the user registration authority.
  - 38. The system of claim 33, further comprising a certificate database accessible to the user certification authority and the activation authority.
  - 39. The system of claim 33, further comprising a device database accessible to the manufacturer and the activation authority.
  - 40. The system of claim 33, wherein the device registration authority comprises the manufacturer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SA
Original Assignee
Gemalto SA (Thales SA)
Inventors
Miller, Paul, Merrien, Lionel, Carrara, Jean-Louis, Bebic, Youri

Granted Patent

US 7,925,878 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/191
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

H04L 63/12   Applying verification of th...

H04L 67/30   Profiles

H04L 9/006   involving public key infras...

H04L 9/3268   using certificate validatio...

System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links