Method of delivering direct proof private keys in signed groups to devices using a distribution CD

US 20060013400A1
Filed: 07/14/2004
Published: 01/19/2006
Est. Priority Date: 07/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating an encrypted data structure associated with a device, the encrypted data structure comprising a private key and a private key digest;

generating an identifier, based on the a pseudo-randomly generated value, for the encrypted data structure;

storing the identifier and the encrypted data structure in a signed group record on a removable storage medium; and

storing the pseudo-random value and a group number corresponding to the signed group record into non-volatile storage within the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Delivering a Direct Proof private key in a signed group of keys to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored along with a group number in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored in a signed group of keys (e.g., a signed group record) on a removable storage medium (such as a CD or DVD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated signed group record of encrypted data structures from the removable storage medium, and verifies the signed group record. The device decrypts the encrypted data structure using a symmetric key regenerated from its stored pseudo-random value to obtain the Direct Proof private key, when the group record is valid. If the private key is valid, it may be used for subsequent authentication processing by the device in the client computer system.

Citations

45 Claims

1. A method comprising:
- generating an encrypted data structure associated with a device, the encrypted data structure comprising a private key and a private key digest;
  
  generating an identifier, based on the a pseudo-randomly generated value, for the encrypted data structure;
  
  storing the identifier and the encrypted data structure in a signed group record on a removable storage medium; and
  
  storing the pseudo-random value and a group number corresponding to the signed group record into non-volatile storage within the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising distributing the removable storage medium and the device.
  - 3. The method of claim 1, further comprising generating a Direct Proof family key pair for a class of devices.
  - 4. The method of claim 1, further comprising generating a key pair for signing and verifying the group record.
  - 5. The method of claim 4, further comprising storing a hash of the public key of the group record key pair into non-volatile storage of the device.
  - 6. The method of claim 1, further comprising selecting a group size for the signed group record.
  - 7. The method of claim 3, wherein the private key comprises a Direct Proof private key associated with a public key of the Direct Proof family key pair, and further comprising hashing the Direct Proof private key to generate the private key digest.
  - 8. The method of claim 1, further comprising generating a symmetric key based on the pseudo-random value for the device.
  - 9. The method of claim 8, wherein generating the identifier comprises encrypting a data value using the symmetric key.
  - 10. The method of claim 8, further comprising encrypting the data structure using the symmetric key.
  - 11. The method of claim 1, wherein the encrypted data structure further comprises a random initialization vector.
  - 12. The method of claim 1, wherein the removable storage medium comprises at least one of a CD and a digital versatile disk (DVD).
  - 13. The method of claim 1, wherein the pseudo-random value for the device is unique.

14. An article comprising:
- a first storage medium having a plurality of machine readable instructions, wherein when the instructions are executed by a processor, the instructions provide for delivering private keys in signed groups to devices by generating an encrypted data structure associated with a device, the encrypted data structure comprising a private key and a private key digest;
  
  generating an identifier, based on a pseudo-randomly generated value, for the encrypted data structure;
  
  storing the identifier and the encrypted data structure in a signed group record on a removable storage medium; and
  
  causing the storing the pseudo-random value and a group number corresponding to the signed group record into non-volatile storage within the device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The article of claim 14, further comprising instructions for generating a key pair for signing and verifying the group record.
  - 16. The article of claim 15, further comprising instructions for storing a hash of the public key of the group record key pair into non-volatile storage of the device.
  - 17. The article of claim 14, further comprising instructions for selecting a group size for the signed group record.
  - 18. The article of claim 14, further comprising instructions for generating a Direct Proof family key pair for a class of devices.
  - 19. The article of claim 14, wherein the private key comprises a Direct Proof private key associated with a public key of the Direct Proof family key pair, and further comprising instructions for hashing the Direct Proof private key to generate the private key digest.
  - 20. The article of claim 14, further comprising instructions for generating a symmetric key based on the pseudo-random value for the device.
  - 21. The article of claim 20, wherein instructions for generating the identifier comprise instructions for encrypting a data value using the symmetric key.
  - 22. The article of claim 20, further comprising instructions for encrypting the data structure using the symmetric key.
  - 23. The article of claim 14, wherein the encrypted data structure further comprises a random initialization vector.
  - 24. The article of claim 14, wherein the pseudo-random value for the device is unique.

25. A method comprising:
- determining if an encrypted data structure, comprising a private key and a private key digest, associated with a device installed in a computer system is stored in a memory on the computer system; and
  
  if the encrypted data structure is not stored, obtaining the encrypted data structure associated with the device in a signed group record from a removable storage medium accessible by the computer system, the removable storage medium storing a database of signed group records.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The method of claim 25, wherein the removable storage medium comprises at least one of a CD and a digital versatile disk (DVD) created by a manufacturer of the device.
  - 27. The method of claim 25, wherein obtaining the encrypted data structure comprises issuing the acquire key command to the device to initiate a private key acquisition process.
  - 28. The method of claim 25, wherein the private key comprises a Direct Proof private key associated with a public key of a Direct Proof family key pair for a class of devices.
  - 29. The method of claim 27, wherein the private key acquisition process comprises generating a symmetric key based on a unique pseudo-random value stored in the device.
  - 30. The method of claim 29, wherein the private key acquisition process comprises generating a device identifier, based on the pseudo-random value, for the encrypted data structure.
  - 31. The method of claim 27, wherein the private key acquisition process comprises obtaining the signed group record corresponding to a group number of the device from the removable storage medium.
  - 32. The method of claim 30, further comprising parsing the signed group record to obtain a group number, a group public key, and the encrypted data structure corresponding to the device identifier.
  - 33. The method of claim 31, further comprising verifying the signed group record.
  - 34. The method of claim 32, wherein the private key acquisition process further comprises decrypting the encrypted data structure received from the removable storage medium using the symmetric key to obtain the private key and the private key digest.
  - 35. The method of claim 34, wherein the private key acquisition process further comprises hashing the private key to generate a new private key digest, comparing the private key digest from the decrypted data structure with the new private key digest, and accepting the private key as valid for the device when the digests match.

36. An article comprising:
- a first storage medium having a plurality of machine readable instructions, wherein when the instructions are executed by a processor, the instructions provide for obtaining a private key from a signed group record for a device installed in a computer system by determining if an encrypted data structure, comprising a private key and a private key digest, associated with a device installed in a computer system is stored in a memory on the computer system (904); and
  
  if the encrypted data structure is not stored, obtaining the encrypted data structure associated with the device in a signed group record from a removable storage medium accessible by the computer system, the removable storage medium storing a database of signed group records.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 37. The article of claim 36, wherein instructions for obtaining the encrypted data structure comprise instructions for issuing the acquire key command to the device to initiate a private key acquisition process.
  - 38. The article of claim 36, wherein the private key comprises a Direct Proof private key associated with a public key of a Direct Proof family key pair for a class of devices.
  - 39. The article of claim 37, wherein the private key acquisition process comprises generating a symmetric key based on a unique pseudo-random value stored in the device.
  - 40. The article of claim 37, wherein the private key acquisition process comprises generating a device identifier, based on the pseudo-random value, for the encrypted data structure.
  - 41. The article of claim 37, wherein the private key acquisition process comprises obtaining the signed group record corresponding to a group number of the device from the removable storage medium.
  - 42. The article of claim 40, further comprising parsing the signed group record to obtain a group number, a group public key, and the encrypted data structure corresponding to the device identifier.
  - 43. The article of claim 41, further comprising verifying the signed group record.
  - 44. The article of claim 42, wherein the private key acquisition process further comprises decrypting the encrypted data structure received from the removable storage medium using the symmetric key to obtain the private key and the private key digest.
  - 45. The method of claim 44, wherein the private key acquisition process further comprises hashing the private key to generate a new private key digest, comparing the private key digest from the decrypted data structure with the new private key digest, and accepting the private key as valid for the device when the digests match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Brickell, Ernie F., Hall, Clifford D., Sutton, James A. II, Grawrock, David W.

Granted Patent

US 7,693,286 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/278
CPC Class Codes

G06F 12/1036   for multiple virtual addres...

G06F 21/57   Certifying or maintaining t...

G06F 21/73   by creating or determining ...

G06F 9/4843   by program, e.g. task dispa...

H04L 63/04   for providing a confidentia...

H04L 63/083   using passwords cryptograph...

H04L 9/0897   involving additional device...

H04L 9/3218   using proof of knowledge, e...

H04L 9/3236   using cryptographic hash fu...

Method of delivering direct proof private keys in signed groups to devices using a distribution CD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Method of delivering direct proof private keys in signed groups to devices using a distribution CD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links