Digital Identity and Authorization for Machines with Replaceable Parts

US 20160275525A1
Filed: 03/20/2015
Published: 09/22/2016
Est. Priority Date: 03/20/2015
Status: Active Grant

First Claim

Patent Images

1. A machine, the machine comprising:

a plurality of slots each of the slots configured to receive one or more components for implementing some functionality role of the slot in the machine;

one or more replaceable components in each of the slots wherein the components are configured to communicate or be communicated for, on behalf of a slot or the machine, to an external system or set of systems that implement rules to perform authorization or other operations based on the role of the slot in the context of the machine, and independent of the component per se; and

wherein a different derived key is used to communicate by or for each component with the external system, wherein each derived key for a component is derived from a machine proof for the machine and information identifying the slot in which the component is installed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A machine includes a number of slots. Each of the slots is configured to receive one or more components for implementing some functionality role of the slot in the machine. The machine further includes one or more replaceable components in each of the slots. The components are configured to communicate (or be communicated for) on behalf of a slot or the machine, to an external system(s). The external system(s) implement rules to perform authorization or other operations based on the role of the slot in the context of the machine. A different derived key is used to communicate by or for each component with the external system. Each derived key for a component is derived from a machine proof for the machine and information identifying the slot in which the component is installed.

14 Citations

View as Search Results

20 Claims

1. A machine, the machine comprising:
- a plurality of slots each of the slots configured to receive one or more components for implementing some functionality role of the slot in the machine;
  
  one or more replaceable components in each of the slots wherein the components are configured to communicate or be communicated for, on behalf of a slot or the machine, to an external system or set of systems that implement rules to perform authorization or other operations based on the role of the slot in the context of the machine, and independent of the component per se; and
  
  wherein a different derived key is used to communicate by or for each component with the external system, wherein each derived key for a component is derived from a machine proof for the machine and information identifying the slot in which the component is installed.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The machine of claim 1, wherein each derived key is derived from a discriminator.
  - 3. The machine of claim 2, wherein the discriminator is a time based discriminator when a derived key has a time-based expiration.
  - 4. The machine of claim 2, wherein the discriminator is an iteration based discriminator defined by a key iteration based on the total number of derived keys that have been generated for a given slot.
  - 5. The machine of claim 2, wherein the discriminator is an iteration based discriminator defined by a component iteration based on the total number of components that have been installed in a given slot.
  - 6. The machine of claim 1, wherein each derived key for a component is derived from a machine proof for the machine and information identifying the slot in which the component is installed by the external system or set of systems and provided to a component or the machine without revealing the machine proof to the component or the machine.

7. In a computing environment, a method of verifying a component by verifying a machine in which the component is implemented and the role of the component within the machine, the method comprising:
- receive a request from a machine for a component to perform some function;
  
  receive a token or a key for the component in conjunction with the request;
  
  authenticate the token or key to the machine in which the component is implemented;
  
  authenticate the token or key to a particular role of the component within the machine; and
  
  based on both authenticating the token or key to the machine and authenticating the token or key to the particular role of the component within the machine, authorize the function by verifying the machine and the role, but not the specific component for the role.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7, wherein the acts are performed by an external authority.
  - 9. The method of claim 7, wherein the acts are performed by a component within the machine.
  - 10. The method of claim 7, wherein the token or key is derived from a machine token or key.
  - 11. The method of claim 10, wherein the token or key is a token and that is signed by a machine key.
  - 12. The method of claim 11, wherein the token is a time based token with an expiration.
  - 13. The method of claim 10, wherein the token or key is a key and is derived from the machine key.
  - 14. The method of claim 7, further comprising maintaining of blacklist of tokens or keys that are not authorized to be used in the context of any roles in the machine.

15. A system for verifying a component by verifying the machine in which the component is implemented and the role of the component within the machine, the method comprising:
- a key vault, wherein the key vault is configured to store cryptographic proof for one or more machines;
  
  one or more processors; and
  
  one or more computer-readable media, wherein the one or more computer-readable media comprise computer-executable instructions that when executed by at least one of the one or more processors cause at least one of the one or more processors to perform the following;
  
  receive a request from a machine for a component to perform some function;
  
  receive a token or a key for the component in conjunction with the request, wherein the token or key for the component is based on a machine key for the machine, stored in the key vault;
  
  receive information identifying the machine;
  
  receive information identifying a particular role of the component in the machine;
  
  authenticate the token or key to the machine in which the component is implemented by using the machine key for the machine in the key vault;
  
  authenticate the token or key to the particular role of the component within the machine; and
  
  based on both authenticating the token or key to the machine and authenticating the token or key to the particular role of the component within the machine, authorize the function by verifying the machine and the role, but not the specific component for the role.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the token or key is derived from a machine token or key.
  - 17. The system of claim 15, wherein the token or key is a token and that is signed by a machine key.
  - 18. The system of claim 17, wherein the token is a time based token with an expiration.
  - 19. The system of claim 15, further comprising a blacklist of tokens or keys that are not authorized to be used in the context of any roles in the machine.
  - 20. The system of claim 15, further comprising:
    - a role key computation module configured to generate role keys from machine keys stored in the key vault for components installed in machines; and
      
      a role key distribution module configured to provide role keys to components of machines having machine keys stored in the key vault.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Vasters, Clemens Friedrich

Granted Patent

US 9,830,603 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06Q 10/20   Administration of product r...

G06Q 30/018   Certifying business or prod...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

Digital Identity and Authorization for Machines with Replaceable Parts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Digital Identity and Authorization for Machines with Replaceable Parts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others