SYSTEM AND METHOD FOR SECURE KEY DISTRIBUTION TO MANUFACTURED PRODUCTS

US 20080049942A1
Filed: 08/28/2007
Published: 02/28/2008
Est. Priority Date: 08/28/2006
Status: Active Grant

First Claim

Patent Images

1. A system for distributing public key infrastructure (PKI) data from a PKI data generating facility to at least one product in a product personalization facility, comprising:

a PKI data generator configured to generate PKI data for loading onto at least one product, wherein the PKI data generator applies an end-to-end-encryption to at least part of the PKI data followed by a PKI Server (PKIS)-specific encryption to at least part of the PKI data; and

a PKI loader coupled to the PKI data generator and configured to receive PKI data transmitted from the PKI data generator, wherein the PKI loader is configured to transfer encrypted PKI data to a PKI server that is coupled to the at least one product, wherein the PKI server is configured to remove the PKIS-specific encryption from the encrypted PKI data and apply a PKIS session key encryption, wherein the PKIS session key encryption uses a session key negotiated with the product through an authenticated key agreement protocol.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for securely distributing PKI data, such as one or more private keys or other confidential digital information, from a PKI data generation facility to a product in a product personalization facility that is not connected to the PKI data generation facility and is assumed to be a non-secure product personalization facility. The system includes a PKI data loader for securely transmitting the encrypted PKI data transferred from the PKI data generator to a PKI server at the product personalization facility. The PKI server then transfers the PKI data to the product of interest, typically via a PKI station acting as a proxy between the PKI server and the product. In each communication step, PKI data being transferred is encrypted multiple times and the system is designed such that if any intermediate node is compromised with all of its keys, the overall system has not yet been compromised.

47 Citations

View as Search Results

20 Claims

1. A system for distributing public key infrastructure (PKI) data from a PKI data generating facility to at least one product in a product personalization facility, comprising:
- a PKI data generator configured to generate PKI data for loading onto at least one product, wherein the PKI data generator applies an end-to-end-encryption to at least part of the PKI data followed by a PKI Server (PKIS)-specific encryption to at least part of the PKI data; and
  
  a PKI loader coupled to the PKI data generator and configured to receive PKI data transmitted from the PKI data generator, wherein the PKI loader is configured to transfer encrypted PKI data to a PKI server that is coupled to the at least one product, wherein the PKI server is configured to remove the PKIS-specific encryption from the encrypted PKI data and apply a PKIS session key encryption, wherein the PKIS session key encryption uses a session key negotiated with the product through an authenticated key agreement protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system as recited in claim 1, further comprising a PKI station coupled between the PKI server and the at least one product, wherein the PKI station is configured to receive encrypted PKI data from the PKI server and transmit at least a portion of the received encrypted PKI data to the at least one product.
  - 3. The system as recited in claim 2, wherein the PKI server is configured to establish a secure tunnel with the PKI station in such a way that the PKI server authenticates the identity of the PKI station and the PKI station authenticates the identity of the PKI server.
  - 4. The system as recited in claim 2, wherein the PKI station is configured to transmit a PKI data request message to the PKI server, and wherein the PKI server is configured to authenticate the identity of the PKI station against an Access Control List before accepting the PKI data request message from the PKI station.
  - 5. The system as recited in claim 4, wherein the PKI server maintains separate Access Control Lists for different types of PKI data being requested.
  - 6. The system as recited in claim 2, the PKI station is configured to bridge between a first output interface of the PKI server and a plurality of product input interfaces from at least one type of product.
  - 7. The system as recited in claim 1, further comprising a monitoring server coupled to the PKI server, wherein the monitoring server monitors the amount of PKI data stored on the PKI server and generates an alert message when the amount of PKI data stored on the PKI server falls below a threshold level.
  - 8. The system as recited in claim 1, wherein the PKI server includes a database for storing at least a portion of the PKI data received by the PKI server.
  - 9. The system as recited in claim 1, wherein the PKI loader is configured to establish a secure tunnel with the PKI server in such a way that the PKI loader authenticates the identity of the PKI server and the PKI server authenticates the identity of the PKI loader.
  - 10. The system as recited in claim 1, wherein the PKI data generator includes a first portion including at least one of certificate authority inner vault and a hardware security module (HSM), and a second portion that includes a certificate authority outer vault.
  - 11. The system as recited in claim 1, key generation facility is in a different physical location from the product personalization facility.
  - 12. The system as recited in claim 1, wherein the PKI loader is located in the PKI data generating facility.
  - 13. The system as recited in claim 1, wherein the PKI station is located in the product factory.
  - 14. The system as recited in claim 1, wherein at least one of the products is selected from the group consisting of a signal converter box, a signal decoder box, a digital video recorder, a digital video disk recorder, a computer, a television, a mobile communication device, a cellular telephone, a smart telephone, a personal digital assistant (PDA), a wireless handheld device, a digital camera, a laptop personal computer (PC), a notebook PC.

15. A method for distributing PKI data from a PKI data generating facility to at least one product in a product personalization facility, comprising the steps of:
- generating PKI data for loading onto at least one product;
  
  encrypting at least a portion of the PKI data using an end-to-end encryption;
  
  encrypting at least a portion of the PKI data using a PKI Server (PKIS)-specific encryption;
  
  transferring at least a portion of the encrypted PKI data to a PKI loader, wherein the PKI loader is configured to transfer encrypted PKI data to a PKI server that is coupled to the at least one product, wherein the PKI server is configured to remove the PKIS-specific encryption from the encrypted PKI data and apply a PKIS session key encryption, wherein the PKIS session key encryption uses a session key negotiated with the product through an authenticated key agreement protocol.
- View Dependent Claims (16)
- - 16. The method as recited in claim 15, further comprising the step of establishing a secure tunnel between the PKI loader and the PKI server in such a way that the PKI loader authenticates the identity of the PKI server and the PKI server authenticates the identity of the PKI loader.

17. A method for distributing PKI data from a PKI data generating facility to at least one product in a product personalization facility, comprising the steps of:
- transferring PKI data from a PKI server to a PKI station, wherein the PKI data is encrypted by the PKI data generating facility with an end-to-end encryption and encrypted by the PKI server with a PKIS session key encryption, wherein the PKIS session key encryption uses a session key negotiated with the product through an authenticated key agreement protocol;
  
  loading at least a portion of the encrypted PKI data from the PKI station onto at least one product in the product personalization facility;
  
  decrypting at least one of the end-to-end encryption and the PKIS session key encryption from the PKI data received by the at least one product; and
  
  storing at least a portion of the decrypted PKI data on the at least one product.
- View Dependent Claims (18, 19, 20)
- - 18. The method as recited in claim 17, further comprising the step of establishing a secure tunnel between the PKI server and the PKI station in such a way that the PKI server authenticates the identity of the PKI station and the PKI station authenticates the identity of the PKI server.
  - 19. The method as recited in claim 17, wherein the PKI station is configured to transmit a PKI data request message to the PKI server, and wherein the PKI server authenticates the identity of the PKI station against an Access Control List before accepting the PKI data request message from the PKI station.
  - 20. The method as recited in claim 17, further comprising the step of the product performing at least one validation step for validating the authenticity of the PKI data received by the product.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Moskovics, Stuart, Medvinsky, Alexander, Qiu, Xin, Chen, Liqiang, Sprunk, Eric

Granted Patent

US 8,761,401 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/283
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/006   involving public key infras...

H04L 9/0822   using key encryption key

H04L 9/0844   with user authentication or...

SYSTEM AND METHOD FOR SECURE KEY DISTRIBUTION TO MANUFACTURED PRODUCTS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SECURE KEY DISTRIBUTION TO MANUFACTURED PRODUCTS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links