SYSTEM AND METHOD FOR SECURE KEY DISTRIBUTION TO MANUFACTURED PRODUCTS
Abstract
A system and method for securely distributing PKI data, such as one or more private keys or other confidential digital information, from a PKI data generation facility to a product in a product personalization facility that is not connected to the PKI data generation facility and is assumed to be non-secure. The system includes a PKI data loader for securely transmitting encrypted PKI data from the PKI data generator to a PKI server at the product personalization facility. The PKI server then transfers the PKI data to the product of interest, typically via a PKI station acting as a proxy between the PKI server and the product. At each communication step the PKI data in transit is encrypted multiple times, and the system is designed so that compromise of any single intermediate node, together with all of its keys, does not compromise the overall system.
47 Citations
20 Claims
1. A system for distributing public key infrastructure (PKI) data from a PKI data generating facility to at least one product in a product personalization facility, comprising:
a PKI data generator configured to generate PKI data for loading onto at least one product, wherein the PKI data generator applies an end-to-end encryption to at least part of the PKI data followed by a PKI Server (PKIS)-specific encryption to at least part of the PKI data; and
a PKI loader coupled to the PKI data generator and configured to receive PKI data transmitted from the PKI data generator, wherein the PKI loader is configured to transfer encrypted PKI data to a PKI server that is coupled to the at least one product, wherein the PKI server is configured to remove the PKIS-specific encryption from the encrypted PKI data and apply a PKIS session key encryption, wherein the PKIS session key encryption uses a session key negotiated with the product through an authenticated key agreement protocol.
(Claims 2 to 14 depend from claim 1.)

15. A method for distributing PKI data from a PKI data generating facility to at least one product in a product personalization facility, comprising the steps of:
generating PKI data for loading onto at least one product;
encrypting at least a portion of the PKI data using an end-to-end encryption;
encrypting at least a portion of the PKI data using a PKI Server (PKIS)-specific encryption; and
transferring at least a portion of the encrypted PKI data to a PKI loader, wherein the PKI loader is configured to transfer encrypted PKI data to a PKI server that is coupled to the at least one product, wherein the PKI server is configured to remove the PKIS-specific encryption from the encrypted PKI data and apply a PKIS session key encryption, wherein the PKIS session key encryption uses a session key negotiated with the product through an authenticated key agreement protocol.
(Claim 16 depends from claim 15.)

17. A method for distributing PKI data from a PKI data generating facility to at least one product in a product personalization facility, comprising the steps of:
transferring PKI data from a PKI server to a PKI station, wherein the PKI data is encrypted by the PKI data generating facility with an end-to-end encryption and encrypted by the PKI server with a PKIS session key encryption, wherein the PKIS session key encryption uses a session key negotiated with the product through an authenticated key agreement protocol;
loading at least a portion of the encrypted PKI data from the PKI station onto at least one product in the product personalization facility;
decrypting at least one of the end-to-end encryption and the PKIS session key encryption from the PKI data received by the at least one product; and
storing at least a portion of the decrypted PKI data on the at least one product.
(Claims 18 to 20 depend from claim 17.)
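The three independent claims describe one pipeline: the generator applies an end-to-end layer and then a PKIS-specific layer, the loader forwards opaque ciphertext, the PKI server strips only its own layer and re-wraps the still end-to-end-encrypted data under a session key agreed with the product, and the product peels off the session layer and then the end-to-end layer. The following Python walks that pipeline and checks the property the abstract relies on: an intermediate node holding all of its own keys still cannot read the PKI data. It is an added example, not code from the patent or its assignee. The claims fix neither the ciphers nor the key agreement protocol, so two stand-ins are assumed here: an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag in place of a production AEAD such as AES-GCM, and an ephemeral Diffie-Hellman exchange in the RFC 3526 2048-bit group bound to a hypothetical per-product pre-shared authentication key in place of the authenticated key agreement. All keys and the PKI data are constructed inputs.

```python
"""Layered PKI-data distribution modelled on the claims above.

Added example, not the patent's code. Assumed stand-ins: an HMAC-SHA256
counter-mode stream with an encrypt-then-MAC tag replaces a production AEAD,
and ephemeral Diffie-Hellman in RFC 3526 group 14, bound to a hypothetical
per-product pre-shared authentication key, replaces the unspecified
authenticated key agreement protocol.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
_P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P, G = int(_P_HEX, 16), 2


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (toy stand-in for a real stream cipher)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _subkeys(key: bytes):
    # Distinct keys for confidentiality and integrity, derived from one secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def key_agreement(product_auth_key: bytes):
    """Ephemeral DH between PKI server and product. The per-product pre-shared
    key (assumption) is folded into the derivation over the transcript, so a
    man-in-the-middle without it cannot compute the session key. Returns the
    server's and the product's copy of the key."""
    s_priv, p_priv = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    s_pub, p_pub = pow(G, s_priv, P), pow(G, p_priv, P)
    transcript = s_pub.to_bytes(256, "big") + p_pub.to_bytes(256, "big")
    proof = hmac.new(product_auth_key, transcript, hashlib.sha256).digest()

    def derive(shared: int) -> bytes:
        return hashlib.sha256(shared.to_bytes(256, "big") + proof).digest()

    return derive(pow(p_pub, s_priv, P)), derive(pow(s_pub, p_priv, P))


def distribute(pki_data: bytes, e2e_key: bytes, pkis_key: bytes, product_auth_key: bytes) -> dict:
    """Walk the PKI data through generator, loader, server, station and product,
    recording exactly what each intermediate node gets to see."""
    # PKI data generator: end-to-end layer first (e2e_key is shared only with the
    # product), then the PKIS-specific layer for the destination PKI server.
    from_generator = seal(pkis_key, seal(e2e_key, pki_data))
    # PKI loader: holds no key and forwards the opaque blob unchanged.
    seen_by_loader = from_generator
    # PKI server: strips only its own layer, agrees a session key with the
    # product and re-wraps the still end-to-end-encrypted inner blob.
    seen_by_server = unseal(pkis_key, seen_by_loader)
    server_sk, product_sk = key_agreement(product_auth_key)
    seen_by_station = seal(server_sk, seen_by_server)  # the PKI station only proxies this
    # Product: remove the session layer, then the end-to-end layer, then store.
    stored = unseal(e2e_key, unseal(product_sk, seen_by_station))
    return {"stored": stored, "seen_by_loader": seen_by_loader,
            "seen_by_server": seen_by_server, "seen_by_station": seen_by_station}


if __name__ == "__main__":
    # Constructed inputs: a fake private-key blob and three independent keys.
    result = distribute(b"-----FAKE PRODUCT PRIVATE KEY-----", b"e2e", b"pkis", b"auth")
    for node in ("seen_by_loader", "seen_by_server", "seen_by_station"):
        print(node, "exposes plaintext:", b"FAKE" in result[node])
    print("product stored:", result["stored"])
```

The view worth checking is `seen_by_server`: it is exactly the end-to-end ciphertext, so an attacker who has taken the PKI server together with the PKIS-specific key and the negotiated session key still needs the end-to-end key, which only the product holds. The loader and station see one more layer on top of that. The toy cipher exists only to keep the block dependency-free; a deployment would use a vetted AEAD and a standard authenticated key agreement.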
Specification