SYSTEM AND METHOD FOR REMOTE DEVICE REGISTRATION

US 20100205433A1
Filed: 04/27/2010
Published: 08/12/2010
Est. Priority Date: 06/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling insertion of sensitive data into devices, said method comprising:

arranging a controller to be communicably connectable to a server being located remote therefrom and configured to be communicably connectable to equipment responsible for injecting said sensitive data into said devices, said controller being configured for distributing said sensitive data to said server to enable said server to provide said sensitive data to said equipment, said controller comprising a secure module for performing cryptographic operations;

said controller using said secure module to cryptographically protect said sensitive data;

said controller sending a cryptographically protected data transmission comprising said sensitive data to said server to enable said server to extract said sensitive data therefrom;

said controller providing a credit value to said server indicative of a number of sensitive data insertions that are permitted before requesting more of said sensitive data from said controller to enable said server to update said credit value according to amounts of said sensitive data provided to said equipment; and

said controller receiving an equipment log from said server, said equipment log pertaining to the insertion of an amount of said sensitive data into respective devices by said equipment upon said equipment obtaining said amount of sensitive data from said server upon request, said equipment log having been obtained by said server from said equipment.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for remote device registration, to monitor and meter the injection of keying or other confidential information onto a device, is provided. A producer who utilizes one or more separate manufacturers, operates a remote module that communicates over forward and backward channels with a local module at the manufacturer. Encrypted data transmissions are sent by producer to the manufacturer and are decrypted to obtain sensitive data used in the devices. As data transmissions are decrypted, credits from a credit pool are depleted and can be replenished by the producer through credit instructions. As distribution images are decrypted, usage records are created and eventually concatenated, and sent as usage reports back to the producer, to enable the producer to monitor and meter production at the manufacturer.

Citations

32 Claims

1. A method for controlling insertion of sensitive data into devices, said method comprising:
- arranging a controller to be communicably connectable to a server being located remote therefrom and configured to be communicably connectable to equipment responsible for injecting said sensitive data into said devices, said controller being configured for distributing said sensitive data to said server to enable said server to provide said sensitive data to said equipment, said controller comprising a secure module for performing cryptographic operations;
  
  said controller using said secure module to cryptographically protect said sensitive data;
  
  said controller sending a cryptographically protected data transmission comprising said sensitive data to said server to enable said server to extract said sensitive data therefrom;
  
  said controller providing a credit value to said server indicative of a number of sensitive data insertions that are permitted before requesting more of said sensitive data from said controller to enable said server to update said credit value according to amounts of said sensitive data provided to said equipment; and
  
  said controller receiving an equipment log from said server, said equipment log pertaining to the insertion of an amount of said sensitive data into respective devices by said equipment upon said equipment obtaining said amount of sensitive data from said server upon request, said equipment log having been obtained by said server from said equipment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, further comprising receiving a request from said server for additional sensitive data, and providing said additional sensitive data and a new credit value to said server.
  - 3. The method according to claim 1 further comprising receiving a server log report prepared by said server and indicative of receipt of said sensitive data from said controller.
  - 4. The method according to claim 1 wherein said secure module encrypts a header included in said data transmission to protect a key, said key enabling said server to decrypt said transmission and extract said sensitive data therefrom.
  - 5. The method according to claim 1, further comprising initiating a provisioning procedure executed prior to sending said sensitive data to said server, said provisioning procedure being used to initialize said server and said secure module.
  - 6. The method according to claim 1 comprising sending said data transmission to a plurality of servers.
  - 7. The method according to claim 1 further comprising said controller sending a credit instruction to said server indicating an update for said credit value.
  - 8. The method according to claim 1 further comprising said controller sending to said server, an object for implementing an existing data injection solution, said existing solution modifying said data;
    - said object having been signed to be provided to a secure module for said server to store said signed object, verify said signed object, and modify said sensitive data according to said existing solution if said signed object is verified.
  - 9. The method according to claim 3 wherein said data transmission includes a plurality of types of sensitive data, said method further comprising said secure module sending certain ones of said types according to permissions established by said controller.
  - 10. The method according to claim 9 wherein said server log report includes an indication of which one of said types has been provided by said secure module to said equipment.
  - 11. The method according to claim 1 further comprising said controller sending a configuration message to said server for use in modifying settings in a secure module at said server.
  - 12. The method according to claim 3 wherein said equipment and server log reports are received by said controller in response to a poll initiated by one of said server and said controller.
  - 13. The method according to claim 3 wherein said equipment and server log reports are received by said controller for obtaining additional sensitive data, wherein a further data transmission is sent to said server if said log reports are favourable and additional sensitive data is required;
    - and said controller sends to said server, an instruction to inhibit further extraction of said data from any previous transmission if said log reports are not favourable.
  - 14. The method according to claim 1 wherein said sensitive data comprises a plurality of keys, said data transmission including a quantity of said keys encrypted by said secure module to enable said server to decrypt one or more of said keys as indicated by instructions provided by said controller apriori.
  - 15. The method according to claim 14 wherein said secure module encrypts said quantity of keys to enable said server to individually re-encrypt each key;
    - wherein certain ones of said keys are decrypted for use by said equipment upon a request made by said equipment.
  - 16. The method according to claim 1 wherein said secure module contains a symmetric key for communicating over forward and backward communication channels between said server and said controller.

17. A system for controlling insertion of sensitive data into devices, said system comprising:
- a controller device communicably connectable to a server being located remote therefrom and configured to be communicably connectable to equipment responsible for injecting said sensitive data into said devices, said controller device being configured for distributing said sensitive data to said server to enable said server to provide said sensitive data to said equipment, said controller device comprising a secure module for performing cryptographic operations;
  
  said controller device being configured for;
  
  using said secure module to cryptographically protect said sensitive data;
  
  sending a cryptographically protected data transmission comprising said sensitive data to said server to enable said server to extract said sensitive data therefrom;
  
  providing a credit value to said server indicative of a number of sensitive data insertions that are permitted before requesting more of said sensitive data from said controller device to enable said server to update said credit value according to amounts of said sensitive data provided to said equipment; and
  
  receiving an equipment log from said server, said equipment log pertaining to the insertion of an amount of said sensitive data into respective devices by said equipment upon obtaining said amount of sensitive data from said server upon request, said equipment log having been obtained by said server from said equipment.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The system according to claim 17, wherein said controller device is further configured for receiving a request from said server for additional sensitive data, and providing said additional sensitive data and a new credit value to said server.
  - 19. The system according to claim 17, wherein said controller device is further configured for receiving a server log report prepared by said server and indicative of receipt of said sensitive data from said controller.
  - 20. The system according to claim 17 wherein said secure module encrypts a header included in said data transmission to protect a key, said key enabling said server to decrypt said transmission and extract said sensitive data therefrom.
  - 21. The system according to claim 17, wherein said controller device is further configured for iating a provisioning procedure executed prior to sending said sensitive data to said server, said provisioning procedure being used to initialize said server and said secure module.
  - 22. The system according to claim 17, wherein said controller device is further configured for sending said data transmission to a plurality of servers.
  - 23. The system according to claim 17, wherein said controller device is further configured for sending a credit instruction to said server indicating an update for said credit value.
  - 24. The system according to claim 17 , wherein said controller device is further configured for sending to said server, an object for implementing an existing data injection solution, said existing solution modifying said data;
    - said object having been signed to be provided to a secure module for said server to store said signed object, verify said signed object, and modify said sensitive data according to said existing solution if said signed object is verified.
  - 25. The system according to claim 19 wherein said data transmission includes a plurality of types of sensitive data, and wherein said controller device is further configured for sending certain ones of said types according to permissions established by said controller system.
  - 26. The system according to claim 25 wherein said server log report includes an indication of which one of said types has been provided by said secure module to said equipment.
  - 27. The system according to claim 17 wherein said controller device is further configured for sending a configuration message to said server for use in modifying settings in a secure module at said server.
  - 28. The system according to claim 19 wherein said equipment and server log reports are received by said controller device in response to a poll initiated by one of said server and said controller.
  - 29. The system according to claim 19 wherein said equipment and server log reports are received by said controller for obtaining additional sensitive data, wherein a further data transmission is sent to said server if said log reports are favourable and additional sensitive data is required;
    - and said controller sends to said server, an instruction to inhibit further extraction of said data from any previous transmission if said log reports are not favourable.
  - 30. The system according to claim 17 wherein said sensitive data comprises a plurality of keys, said data transmission including a quantity of said keys encrypted by said secure module to enable said server to decrypt one or more of said keys as indicated by instructions provided by said controller apriori.
  - 31. The system according to claim 30 wherein said secure module encrypts said quantity of keys to enable said server to individually re-encrypt each key;
    - wherein certain ones of said keys are decrypted for use by said equipment upon a request made by said equipment.
  - 32. The system according to claim 17 wherein said secure module contains a symmetric key for communicating over forward and backward communication channels between said server and said controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Certicom Corporation (Blackberry Limited)
Inventors
XU, Patrick, NEILL, Brian, VADEKAR, Ashok

Granted Patent

US 8,423,765 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06F 21/72   in cryptographic circuits

H04L 2209/04   Masking or blinding

H04L 2209/60   Digital content management,...

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0897   involving additional device...

SYSTEM AND METHOD FOR REMOTE DEVICE REGISTRATION

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR REMOTE DEVICE REGISTRATION

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links