Cryptographic system for resource starved CE device secure upgrade and re-configuration

US 20060159269A1
Filed: 01/20/2005
Published: 07/20/2006
Est. Priority Date: 01/20/2005
Status: Abandoned Application

First Claim

Patent Images

1. An asymmetric cryptographic key management system for secure data exchange using symmetric algorithms, the system comprising:

a plurality of clients, each client having a unique client identifier and client secret key;

one or more service providers for transmitting secure data to the plurality of clients, each service provider having a respective service provider identifier and service provider secret key;

a plurality of public key values, each public key value for securing a connection between at least one of the plurality of clients and one of the one or more service providers, exclusive of any other service provider of the one or more service providers;

a trusted authority for assigning the service provider identifier and service provider secret key for each of the one or more service providers, and for assigning the client identifier and client secret key for each of the plurality of clients, and the plurality of public key values, the trusted authority having a trusted authority identifier and a trusted authority secret key; and

one or more additional public key values, each additional public key value for securing a connection between the trusted authority and at least one of the clients.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for key management and securing communications channels is presented for the upgrade of compact electronic devices via a communications channel by service providers such as the original manufacturer and, possibly, a number of authorized third party service providers. The manufacturer, acting as a trusted authority, generates and distributes private cryptographic keys to each one of the clients and authorized service providers. The trusted authority also makes available public key values that may be used to secure communications between service providers and clients. The trusted authority may add additional authorized service providers and may also revoke the authorization of compromised service providers, thereby preventing communications between clients and said compromised service providers. Accordingly, authorized service providers, in addition to the manufacturer, may provide program and security upgrades, messages, and generally any data to electronic devices via a secure communications link.

50 Citations

View as Search Results

22 Claims

1. An asymmetric cryptographic key management system for secure data exchange using symmetric algorithms, the system comprising:
- a plurality of clients, each client having a unique client identifier and client secret key;
  
  one or more service providers for transmitting secure data to the plurality of clients, each service provider having a respective service provider identifier and service provider secret key;
  
  a plurality of public key values, each public key value for securing a connection between at least one of the plurality of clients and one of the one or more service providers, exclusive of any other service provider of the one or more service providers;
  
  a trusted authority for assigning the service provider identifier and service provider secret key for each of the one or more service providers, and for assigning the client identifier and client secret key for each of the plurality of clients, and the plurality of public key values, the trusted authority having a trusted authority identifier and a trusted authority secret key; and
  
  one or more additional public key values, each additional public key value for securing a connection between the trusted authority and at least one of the clients.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A system according to claim 1, further comprising one or more further public key values, each further public key value for securing a connection between the trusted authority at least one of the one or more service providers.
  - 3. A system according to claim 1, wherein each service provider has a second secret key for securely updating the service provider secret key.
  - 4. A system according to claim 1, further comprising:
    - a plurality of client authentication keys;
      
      a plurality of client authentication public key values, each client authentication public key value for authenticating a respective one of the plurality of public key values;
      
      one or more service provider authentication keys; and
      
      one or more service provider authentication public key values, each service provider authentication public key value for authenticating a respective one of the one or more public key values.
  - 5. A system according to claim 1, further comprising at least one of:
    - a global public key table containing the plurality of public key values and the one or more additional public key values;
      
      one or more individual service provider public key tables, wherein each individual service provider public key table is stored by a respective service provider and includes at least one public key value of the plurality of public key values for securing a connection between the respective service provider and at least one of the plurality of clients;
      
      one or more individual client public key tables, wherein each individual client public key table is stored by a respective client and includes the one or more public key values for securing a connection between the respective client and at least one of the one or more service providers; and
      
      a public key lookup service for obtaining at least one of the plurality of public key values by transmitting a request to the trusted authority.
  - 6. A system according to claim 1, further comprising at least one of:
    - a white list including acceptable service provider identifiers of the one or more service provider identifiers; and
      
      a black list including unacceptable service provider identifiers of the one or more service provider identifiers.

7. An asymmetric key management system that employs symmetric encryption algorithms for secure transmission of information, the system comprising:
- a plurality of clients, each client having a unique client secret key value and identifier;
  
  one or more service providers, each service provider having a unique service provider secret key value and identifier;
  
  one or more public key tables, each public key table including one service provider identifier for each of the one or more service providers, a plurality of client identifiers, one for each of the plurality of clients, respectively, and a plurality of public key values, wherein each of the plurality of public key values is assigned to a pairing of a respective one of the plurality of client identifiers and a respective one of the one or more service provider identifiers, exclusive of any other service provider of the one or more service provider identifiers;
  
  wherein secure transmission of information is achieved between the one or more service providers and clients by negotiating a symmetric session key to encrypt communications.
- View Dependent Claims (8, 9, 10)
- - 8. A system according to claim 7, further comprising:
    - a trusted authority for updating keys for the plurality of clients, the one or more service providers, and for maintaining the one or more public key tables, the trusted authority including a unique trusted authority secret key value and identifier, and a memory for storing the plurality of client secret key values and identifiers, the one or more service provider secret key values and identifiers, and the one or more public key tables; and
      
      one or more additional public key values, wherein each additional public key value of the one or more additional public key values is assigned to a respective pairing of the trusted authority identifier and a client identifier of the one or more client identifiers;
      
      wherein at least one of the one or more public key tables includes the one or more additional public key values.
  - 9. The system according to claim 7, further comprising a controller for implementing a symmetric algorithm based public key protocol to secure a communications channel with at least a symmetric session key.
  - 10. The system according to claim 9, wherein the communications channel is established through one of a wired local area network, a wireless local area network, a secure digital card, a portable storage device, an infrared channel, a satellite link, a fiber optic link, and a cable link.

11. A method of initializing a symmetric algorithm based public key system, the method comprising the steps of:
- a) generating and storing a plurality of client secret key values and identifiers;
  
  b) distributing the plurality of client secret key values and identifiers to respective ones of the plurality of clients;
  
  c) generating and storing a plurality of service provider secret key values and identifiers;
  
  d) distributing the plurality of service provider secret key values and identifiers to respective ones of the plurality of service providers; and
  
  e) generating a plurality of public key values for at least one pairing of the plurality of service providers and the plurality of clients and exclusive of pairings of one service provider with another service provider and one client with another client.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. A method according to claim 11, further including at least one of the steps of:
    - receiving a request for on demand generation of a public key value prior to step (e);
      
      storing the plurality of public key values, and providing access to a global public key table containing the plurality of public key values;
      
      generating a service provider public key table for a selected service provider of the plurality of service providers, the service provider public key table containing ones of the plurality of public key values corresponding to the selected service provider and the plurality of clients, and distributing the service provider public key table to the selected service provider; and
      
      generating a client public key table for a selected client of the plurality of clients, the client public key table containing ones of the plurality of public key values corresponding to the selected client and the plurality of service providers, and distributing the client public key table to the selected client.
  - 13. A method according to claim 11, further including at least one of the steps of:
    - generating a trusted authority secret key value and identifier;
      
      generating a plurality of trusted authority public key values for pairing of the trusted authority and respective ones of the plurality of clients; and
      
      generating a plurality of additional trusted authority public key values for each pairing of the trusted authority and the plurality of service providers respectively.
  - 14. The method according to claim 11, further including the steps of:
    - receiving a request for authentication of one of the plurality of service providers;
      
      searching at least one of a white list and a black list for the service provider;
      
      responding positively if the service provider is either found on the white list or not found on the black list; and
      
      responding negatively if the service provider is either not found on the white list or found on the black list.
  - 15. A method according to claim 11, further includes authorizing the addition of a new service provider, including the steps of:
    - generating and storing, by the trusted authority, a new service provider secret key value and identifier;
      
      generating, by the trusted authority, a plurality new service provider public key values for a pairing of the new service provider and respective ones of the plurality of clients; and
      
      distributing, from the trusted authority to the new service provider, the new service provider secret key value and identifier to the new service provider and the plurality of new service provider public key values to the new service provider and to the plurality of clients.
  - 16. A method according to claim 11, further includes invalidating a compromised service provider of the plurality of service providers, including the steps of:
    - receiving an indication that the compromised service provider has been compromised;
      
      deleting, by the trusted authority, one at least one of the secret key value for the compromised service provider and the service provider identifier for the compromised service provider from a memory; and
      
      deleting, by the trusted authority, one or more public key values corresponding to the compromised service provider from the memory.
  - 17. The method according to claim 16, further including at least one of the steps of:
    - adding, by the trusted authority, the compromised service provider to a black list of unacceptable service providers;
      
      removing, by the trusted authority, the compromised service provider from a white list of acceptable service providers; and
      
      sending a message from the trusted authority to the plurality of clients to discontinue future communications with the compromised service provider.
  - 18. A method according to claim 11, further includes authorizing the addition of a new client, including the steps of:
    - generating and storing, by the trusted authority, a new client secret key value and identifier;
      
      generating, by the trusted authority, a plurality of new client public key values for a pairing of the new client and each of the plurality of service providers; and
      
      distributing, from the trusted authority to the new client, the new client identifier and the new client secret key and distributing the new client public key values from the trusted authority to the plurality of service providers, respectively;
      
      generating, by the trusted authority, a new client public key table containing the plurality of new client public key values, and distributing the client new client public key table to the new client.

19. A method of downloading a secure device upgrade encrypted with at least a session key, the method comprising the steps of:
- a) receiving a transmission from a service provider including a service provider identifier and an encrypted session key;
  
  b) requesting authentication of the service provider from a trusted authority;
  
  c) receiving an authentication response from the trusted authority;
  
  d) aborting the download if the authentication response is negative and continuing the download if the authentication response is positive;
  
  e) obtaining a public key for decrypting at least a portion of the transmission from the service provider;
  
  f) decrypting the portion of the transmission to obtain a decrypted session key;
  
  g) securing a communications channel to the service provider with the session key; and
  
  h) receiving the device upgrade from the service provider through the secured communications channel.
- View Dependent Claims (20, 21, 22)
- - 20. A method according to claim 19, further including the steps of:
    - receiving a payload hash value;
      
      computing a hash value for the device upgrades;
      
      aborting the download if the payload hash value and the computed hash value do not match; and
      
      continuing the download if the payload hash file and the computed hash value do match.
  - 21. A method according to claim 19, further including the step of generating a log including one or more of the service provider identifier, an identifier for the device upgrades, the date of receiving the transmission, and the payload hash value.
  - 22. A method according to claim 19, further including the step of updating a secret key of a secure communications system using a second secret key by:
    - receiving a transmission from a trusted authority including a trusted authority identifier and an encrypted session key;
      
      obtaining a public key for decrypting at least a portion of the transmission from the trusted authority;
      
      decrypting the transmission using the public key and the second secret key to obtain a decrypted session key;
      
      receiving a new secret key from the trusted authority, the new secret key being encrypted with at least the session key; and
      
      replacing the secret key with the new secret key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Panasonic Corporation (Panasonic Holdings Corporation)
Original Assignee
Matsushita Electric Industrial Company Limited (Panasonic Holdings Corporation)
Inventors
Perkins, Gregory M., Braun, David Alan

Application Number

US11/038,719
Publication Number

US 20060159269A1
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 9/0833   involving conference or gro...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/3006   underlying computational pr...

H04L 9/321   involving a third party or ...

Cryptographic system for resource starved CE device secure upgrade and re-configuration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic system for resource starved CE device secure upgrade and re-configuration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links