ONLINE SECURE DEVICE PROVISIONING FRAMEWORK

US 20110258685A1
Filed: 04/15/2011
Published: 10/20/2011
Est. Priority Date: 04/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method for updating network-enabled devices with new identity data, comprising:

generating a plurality of new identity data records;

loading the new identity data records onto an update server;

receiving at the update server a request for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier;

linking the previously assigned identifier to a new identifier linked to one of the new identity data records; and

securely delivering one or more new identity data records to the network-enabled device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for updating network-enabled devices with new identity data includes generating a plurality of new identity data records and loading the new identity data records onto an update server. A request is received at the update server for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier. The previously assigned identifier is linked to a new identifier that is linked to one of the new identity data records. One or more new identity data records are securely delivered to the network-enabled device.

Citations

34 Claims

1. A method for updating network-enabled devices with new identity data, comprising:
- generating a plurality of new identity data records;
  
  loading the new identity data records onto an update server;
  
  receiving at the update server a request for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier;
  
  linking the previously assigned identifier to a new identifier linked to one of the new identity data records; and
  
  securely delivering one or more new identity data records to the network-enabled device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising receiving a whitelist specifying a plurality of devices authorized to be updated with new identity data.
  - 3. The method of claim 1 wherein the devices in the plurality of network-enabled devices authorized to be upgraded are authorized to be updated with new identity data by a service provider, said plurality of network-enabled devices being a subset of all network-enabled devices serviced by the service provider.
  - 4. The method of claim 3 wherein the devices in the subset of all devices are all of a common type.
  - 5. The method of claim 1 wherein the devices in the plurality of devices to be upgraded are devices whose respective users requested an update.
  - 6. The method of claim 1 wherein the devices in the plurality of devices to be upgraded receive authorization to be updated based on one or more factors selected from the group consisting of device customer, device type, and a region where authorized devices are deployed.
  - 7. The method of claim 1 wherein generating the new identity data record is performed for a specific network-enabled device based on the previously assigned identifier for the specific network-enabled device.
  - 8. The method of claim 1 further comprising encrypting the new identity data record with previous identity data previously installed on the network-enabled device.
  - 9. The method of claim 8 wherein encrypting the new identity data is performed before the request for new identity data is received.
  - 10. The method of claim 8 wherein encrypting the new identity data is performed when the request for new identity data is received.
  - 11. The method of claim 10 wherein the network-enabled device has a plurality of previously assigned identifiers, an identifier of the first type being linked to identity data previously installed on the network-enabled device, the identifier of the first type being linked with a previously installed identity data record.
  - 12. The method of claim 11 wherein the new identifier is an identifier of the second type, the identifier of the second type being extracted from the network-enabled device and stored in a database during factory provisioning.
  - 13. The method of claim 11 further comprising loading a whitelist onto the update server, said whitelist including a previously assigned identifier of a first type for each of the network-enabled devices that are authorized to be provisioned with new identity data and a previously assigned identifier of a second type for each of the one or more of the network-enabled devices that are authorized to be provisioned with new identity data.
  - 14. The method of claim 13 further comprising establishing the whitelist by correlating a previously assigned identifier of a third type for each of the network-enabled devices authorized to be provisioned with respective ones of the identifiers of the first and second types and further comprising tracking device inventory based on the previously assigned identifier of the third type.
  - 15. The method of claim 14 wherein the identifier of the third type is used as the new identifier.
  - 16. The method of claim 1 wherein the identity data includes a device digital certificate chain and a private key.

17. An identity management system, comprising:
- an identity data generator configured to generate a plurality of new identity data records;
  
  a whitelist manager configured to (i) receive one or more identifiers associated with each of a plurality of network-enabled devices deployed for use in association with a network and (ii) produce a whitelist relating the one or more identifiers to each of the network-enabled device that are authorized to receive new identity data, wherein at least one of the identifiers associated with each network-enabled device is a previously assigned identifier;
  
  an update server configured to (i) receive the new identity data records from the identity data generator, (ii) receive requests for new identity data from the plurality of network-enabled devices (iii) authenticate each of the network-enabled devices and (iv);
  
  deliver a new identity data record to each one of the authenticated network-enabled device that are authorized to receive a new identity data record in accordance with the whitelist, said new identity data record being linked to the previously assigned identifier of the authenticated network-enabled device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The identity management system of claim 17 wherein the update server is further configured to bind the previously assigned identifier to the new identity data record based on the whitelist.
  - 19. The identity management system of claim 17 wherein the identity data generator is further configured to bind the previously assigned identifier to the new identity data record based on the whitelist.
  - 20. The identity management system of claim 17 wherein the authorization of network-enabled devices to receive new identity data is based on the whitelist.
  - 21. The identity management system of claim 17 wherein each device is associated with two or more identifiers which are received from different entities, an identifier of a first type being received from a first entity indicating that the network-enabled device associated with the first identifier is authorized to receive the update identity data.
  - 22. The identity management system of claim 21 wherein the previously assigned identifier linked to the new identity data record is an identifier assigned by a device manufacturer.
  - 23. The identity management system of claim 21 wherein the previously assigned identifier linked to the new identity data record is an identifier assigned by a network operator who deployed the network-enabled devices.
  - 24. The identity management system of claim 17 wherein the first entity is a network operator who deployed the network-enabled device.
  - 25. The identity management system of claim 24 wherein a second of the two or more identifiers are received from a manufacturer of the network-enabled device.

26. An identity data management system, comprising:
- one or more databases storing at least two identifiers associated with a plurality of network-enabled devices, a first and second of the two identifiers being identifiers of a first and second type, respectively;
  
  a whitelist manager for receiving a first set of data specifying one or more of the network-enabled devices that are authorized to be updated with new identity data, wherein the one or more network-enabled devices are identified in the first set of data by identifiers of the first type, wherein the whitelist manager is configured to access the one or more databases to retrieve identifiers of the first and second type which correspond to the identifiers of the first type included in the first set of data and to establish a whitelist that includes corresponding identifiers of the first and second type and to deliver said whitelist to an identity data generator and to an update server;
  
  an identity data generator configured to generate identity data records that are each identified by an identifier of the second type, said generated identity records being generated for network-enabled devices specified on the whitelist received from the whitelist manager, wherein the identity data generator is further configured to associate the identity data records with the whitelist; and
  
  an update server configured to receive over a communications network a request for new identity data from a deployed network-enabled device, and, said update server being further configured to send the generated identity data records received from the identity data generator to the deployed network-enabled devices respectively identified by identifiers of the first type in the whitelist and in data received from the identity data generator.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The identity data management system of claim 26 wherein the plurality of network-enabled devices are associated with at least three identifiers, the whitelist manager being further configured to establish the whitelist so as to include an identifier of a third type associated with each of the network-enabled devices.
  - 28. The identity data management system of claim 26 wherein the identity data records and the data specifying identifiers of the second type are both received from the identity data generator in an off-line manner.
  - 29. The identity data management system of claim 26 wherein the identity data generator is further configured to generate and then encrypt the identity data records assigned with a given identifier of the second type using a key previously installed in a network-enabled device identified by the given identifier of the first type.
  - 30. The identity data management system of claim 26 wherein the identity data newly assigned to each network-enabled device is encrypted by a key previously installed in each respective network-enabled device.

31. At least one computer-readable medium encoded with instructions which, when executed by a processor, performs a method for updating network-enabled devices with new identity data, each of said network-enabled devices having at least two types of identifiers associated therewith, comprising:
- receiving over a communications network a request for new identity data for a plurality of network-enabled devices, each of said requests including an identifier of the second type associated with the network-enabled devices;
  
  obtaining an identifier of the first type associated with each of the network-enabled devices, said first identifier type being an identifier that is included in identity data with which the network-enabled device is currently provisioned, wherein the network-enabled devices have previously been provisioned with identifiers of the first type by respectively assigning the identifiers of the first type to network-enabled devices that are already identified by identifiers of the second type;
  
  receiving new identity data assigned with new identifiers of the second type, wherein each of the new identifiers is matched with a corresponding identifier of the first type; and
  
  delivering over the communications network the new identity data to respective ones of the network-enabled devices in accordance with their respective second identifiers.
- View Dependent Claims (32, 33, 34)
- - 32. The computer-readable medium of claim 31 further comprising receiving a whitelist to obtain the identifier of the first type and to receive the new identifier matched with the corresponding identifier of the first type, said whitelist providing authorization to provision the network-enabled devices with new identity data.
  - 33. The computer-readable medium of claim 32 further comprising establishing the whitelist by correlating a previously assigned identifier of a third type for each of the network-enabled devices authorized to be provisioned with respective ones of the identifiers of the first and second types and further comprising tracking device inventory based on the previously assigned identifier of the third type.
  - 34. The computer-readable medium of claim 33 further comprising encrypting the new identity data record with the identity data with which each of the respective network-enabled device are currently provisioned.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Medvinsky, Alexander, Moskovics, Stuart P., Yao, Ting, Qiu, Xin, Sprunk, Eric J., Pasion, Jason A., Wang, Fan

Granted Patent

US 9,130,928 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/572   Secure firmware programming...

H04L 2463/102   applying security measure f...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

ONLINE SECURE DEVICE PROVISIONING FRAMEWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

ONLINE SECURE DEVICE PROVISIONING FRAMEWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links