Method and apparatus for establishing and using a secure credential infrastructure

US 7,275,156 B2
Filed: 09/05/2003
Issued: 09/25/2007
Est. Priority Date: 08/30/2002
Status: Active Grant

First Claim

Patent Images

1. A computer controlled method to construct a secure credential infrastructure comprising steps of:

exchanging key commitment information over a preferred channel between a credential issuing device and a prospective member device to pre-authenticate said prospective member device, wherein said preferred channel has both a demonstrative identification property and an authenticity property;

receiving a public key from said prospective member device;

verifying said public key with said key commitment information; and

automatically provisioning said prospective member device with a credential authorized by a credential issuing authority.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.

209 Citations

76 Claims

1. A computer controlled method to construct a secure credential infrastructure comprising steps of:
- exchanging key commitment information over a preferred channel between a credential issuing device and a prospective member device to pre-authenticate said prospective member device, wherein said preferred channel has both a demonstrative identification property and an authenticity property;
  
  receiving a public key from said prospective member device;
  
  verifying said public key with said key commitment information; and
  
  automatically provisioning said prospective member device with a credential authorized by a credential issuing authority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The computer controlled method of claim 1, further comprising establishing proof that said prospective member device is in possession of a private key corresponding to said public key.
  - 3. The computer controlled method of claim 2, further comprising establishing a communication channel between said prospective member device and said credential issuing authority responsive to the step of establishing proof.
  - 4. The computer controlled method of claim 3, wherein said credential is secret and said communication channel is a secure communication channel.
  - 5. The computer controlled method of claim 1, further comprising configuring said credential issuing authority.
  - 6. The computer controlled method of claim 1, wherein said credential issuing device includes said credential issuing authority.
  - 7. The computer controlled method of claim 1, wherein the step of exchanging further comprises sending network configuration information to said prospective member device.
  - 8. The computer controlled method of claim 1, wherein the step of automatically provisioning further comprises steps of:
    - determining provisioning information for said prospective member device; and
      
      sending said provisioning information to said prospective member device.
  - 9. The computer controlled method of claim 8, wherein said provisioning information further comprises application-specific configuration information.
  - 10. The computer controlled method of claim 1, wherein said preferred channel is a location-limited channel.
  - 11. The computer controlled method of claim 1, wherein said preferred channel uses a telephone switching system.
  - 12. The computer controlled method of claim 1, wherein said key commitment information is selected from one or more of the group consisting of a portion of said public key, said public key, an encoding of said public key, and a mathematical function of said public key.
  - 13. The computer controlled method of claim 1, wherein the step of automatically provisioning is performed by said credential issuing device.
  - 14. The computer controlled method of claim 1, wherein the step of automatically provisioning is performed by an enrollment station in communication with said credential issuing device.
  - 15. The computer controlled method of claim 14, wherein the method further comprises establishing secure communication between said enrollment station and said credential issuing device.
  - 16. The computer controlled method of claim 1, wherein said prospective member device is selected from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.
  - 17. The computer controlled method of claim 1, wherein said secure credential infrastructure is a public key infrastructure, said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 18. The computer controlled method of claim 17, wherein the step of automatically provisioning further comprises steps of:
    - determining provisioning information forsaidprospectivememberdevice;
      
      creating a public key certificate as said credential responsive to said provisioning information; and
      
      sending said public key certificate to said prospective member device.
  - 19. The computer controlled method of claim 17, wherein the step of exchanging further comprises steps of:
    - creating a public key pair for said prospective member device; and
      
      sending said public key pair to said prospective member device over said preferred channel.
  - 20. The computer controlled method of claim 17, further comprises steps of:
    - creating a trusted key pair;
      
      storing said trusted key pair;
      
      establishing a certification authority public key certificate; and
      
      storing said certification authority public key certificate.
  - 21. The computer controlled method of claim 20, wherein the step of automatically provisioning is responsive to authorization from a registration agent.

22. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method to construct a secure credential infrastructure, the method comprising steps of:
- exchanging key commitment information over a preferred channel between a credential issuing device and a prospective member device to pre-authenticate said prospective member device, wherein said preferred channel has both a demonstrative identification property and an authenticity property;
  
  receiving a public key from said prospective member device;
  
  verifying said public key with said key commitment information; and
  
  automatically provisioning said prospective member device with a credential authorized by a credential issuing authority.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The computer-readable storage medium of claim 22, wherein said public key is received over said preferred channel.
  - 24. The computer-readable storage medium of claim 22, wherein the step of automatically provisioning further comprises steps of:
    - determining provisioning information for said prospective member device; and
      
      sending said provisioning information to said prospective member device.
  - 25. The computer-readable storage medium of claim 22, wherein the step of exchanging is initiated by said prospective member device.
  - 26. The computer-readable storage medium of claim 22, wherein the step of exchanging is initiated by said credential issuing device.
  - 27. The computer-readable storage medium of claim 22, wherein the step of automatically provisioning is performed by said credential issuing device.
  - 28. The computer-readable storage medium of claim 22, wherein said prospective member device is selected from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.
  - 29. The computer-readable storage medium of claim 22, wherein said secure credential infrastructure is a public key infrastructure, said credential issuing authority is a certification authority and said credential is a public key certificate.

30. A credential issuing apparatus configured to construct a secure credential infrastructure comprising:
- at least one port configured to establish a preferred channel, wherein said preferred channel has both a demonstrative identification property and an authenticity property;
  
  a key commitment receiver mechanism configured to receive key commitment information over said preferred channel;
  
  a key receiver mechanism configured to receive a public key;
  
  a pre-authentication mechanism configured to verify said public key with said key commitment information; and
  
  a credential provisioning mechanism configured to be able to automatically provide a credential authorized by a credential issuing authority responsive to the pre-authentication mechanism.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 31. The apparatus of claim 30, wherein said public key is received over said preferred channel.
  - 32. The apparatus of claim 30, further comprising a key-pair validation mechanism configured to establish proof that a prospective member device is in possession of a private key corresponding to said public key.
  - 33. The apparatus of claim 30, further comprising an initialization mechanism configured to configure said credential issuing authority.
  - 34. The apparatus of claim 30, wherein said credential issuing device further comprises said credential issuing authority.
  - 35. The apparatus of claim 30, further comprises a network device configuration mechanism configured to send network configuration information over said preferred channel.
  - 36. The apparatus of claim 30, wherein the credential provisioning mechanism further comprises:
    - a determination mechanism configured to determine provisioning information for said prospective member device; and
      
      a transmission mechanism configure to send said provisioning information to said prospective member device.
  - 37. The apparatus of claim 30, wherein said key commitment information is selected from the group consisting of a portion of said public key, said public key, an encoding of said public key, and a mathematical function of said public key.
  - 38. The apparatus of claim 30, wherein the credential issuing device is an enrollment station capable of being in communication with said credential issuing authority.
  - 39. The apparatus of claim 30, wherein said secure credential infrastructure is a public key infrastructure, said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 40. The apparatus of claim 39, wherein the credential provisioning mechanism further comprises:
    - a services determination mechanism capable of determining provisioning information for a prospective member device;
      
      a certificate creation mechanism configured to create a public key certificate as said credential responsive to said provisioning information; and
      
      a sending mechanism capable of sending said public key certificate to said prospective member device.
  - 41. The apparatus of claim 39, wherein the key commitment receiver mechanism further comprises:
    - a key creation mechanism capable of creating a public key pair for a prospective member device; and
      
      a sending mechanism capable of sending said public key pair to said prospective member device over said preferred channel.
  - 42. The apparatus of claim 39, further comprising an automatic configuration mechanism comprising:
    - a key pair creation mechanism configured to create a trusted key pair;
      
      a key pair storage mechanism configured to store said trusted key pair;
      
      a public key certificate generation mechanism configured to establish a certification authority public key certificate responsive to said trusted key pair; and
      
      a certificate storage mechanism configured to store said certification authority public key certificate.
  - 43. The apparatus of claim 42, wherein the public key certificate generation mechanism further comprises a parent CA receiver mechanism configured to receive said certification authority public key certificate from a parent certification authority.
  - 44. The apparatus of claim 32, wherein said prospective member device is selected from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.

45. A credential issuing apparatus configured to construct a secure credential infrastructure comprising:
- at least one port configured to establish a preferred channel;
  
  a key commitment receiver mechanism configured to receive commitment information for a secret through said at least one port;
  
  a key receiver mechanism configured to receive said secret;
  
  a pre-authentication mechanism configured to verify said secret with said commitment information; and
  
  a credential provisioning mechanism configured to be able to automatically provide a credential authorized by a credential issuing authority responsive to the pre-authentication mechanism.

46. A computer controlled method to join a prospective member device with a secure credential infrastructure comprising steps of:
- exchanging key commitment information over a preferred channel between a credential issuing device and said prospective member device, wherein said preferred channel has both a demonstrative identification property and an authenticity property;
  
  receiving a public key by said prospective member device;
  
  verifying said public key with said key commitment information; and
  
  receiving a credential authorized by a credential issuing authority.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 47. The computer controlled method of claim 46, further comprising establishing proof that said credential issuing device is in possession of a private key corresponding to said public key.
  - 48. The computercontrolled method of claim 47, further comprising establishing a communication channel between said prospective member device and said credential issuing authority responsive to the step of establishing proof.
  - 49. The computer controlled method of claim 46, wherein said secure credential infrastructure is a public key infrastructure, said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 50. The computer controlled method of claim 49, further comprising receiving a public key pair by said prospective member device.
  - 51. The computer controlled method of claim 46, wherein said preferred channel is a location-limited channel.
  - 52. The computer controlled method of claim 46, wherein said preferred channel uses a telephone switching system.
  - 53. The computer controlled method of claim 46, wherein the step of exchanging is initiated by said prospective member device.
  - 54. The computer controlled method of claim 46, wherein the step of exchanging is initiated by said credential issuing device.
  - 55. The computer controlled method of claim 46, wherein said key commitment information comprises a portion of said public key.
  - 56. The computer controlled method of claim 46, wherein said key commitment information comprises a function of said public key.
  - 57. The computer controlled method of claim 46, further comprising receiving provisioning information by said prospective member device.
  - 58. The computer controlled method of claim 46, wherein said prospective member device is selected from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.

59. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to join a prospective member device with a secure credential infrastructure, the method comprising steps of:
- exchanging key commitment information over a preferred channel between a credential issuing device and said prospective member device, wherein said preferred channel has both a demonstrative identification property and an authenticity property;
  
  receiving a public key by said prospective member device;
  
  verifying said public key with said key commitment information; and
  
  receiving a credential authorized by a credential issuing authority.
- View Dependent Claims (60, 61, 62, 63, 64)
- - 60. The computer-readable storage medium of claim 59, wherein said preferred channel uses a telephone switching system.
  - 61. The computer-readable storage medium of claim 59, wherein the step of exchanging is initiated by said prospective member device.
  - 62. The computer-readable storage medium of claim 59, wherein the step of exchanging is initiated by said credential issuing device.
  - 63. The computer-readable storage medium of claim 59, wherein said key commitment information comprises a function of said public key.
  - 64. The computer-readable storage medium of claim 59, wherein said prospective member device is selected from one or more of the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.

65. An apparatus capable of joining a secure credential infrastructure comprising:
- at least one port configured to establish a preferred channel, wherein said preferred channel has both a demonstrative identification property and an authenticity property;
  
  a key commitment receiver mechanism configured to receive key commitment information over said preferred channel;
  
  a key receiver mechanism configured to receive a public key;
  
  a pre-authentication mechanism configured to verify said public key with said key commitment information; and
  
  a credential receiving mechanism configured to receive a credential responsive to the pre-authentication mechanism.
- View Dependent Claims (66, 67, 68, 69, 70, 71, 72, 73, 74)
- - 66. The apparatus of claim 65, further comprising a key-pair validation mechanism configured to establish proof that a credential issuing device is in possession of a private key corresponding to said public key.
  - 67. The apparatus of claim 66, further comprising a network interface configured to establish a communication channel with a credential issuing authority responsive to the key-pair validation mechanism.
  - 68. The apparatus of claim 65, wherein said secure credential infrastructure is a public key infrastructure, said credential issuing authority is a certification authority and said credential is a public key certificate.
  - 69. The apparatus of claim 68, further comprising a receiving mechanism capable of receiving a public key pair.
  - 70. The apparatus of claim 65, wherein said preferred channel is a location limited channel.
  - 71. The apparatus of claim 65, wherein said key commitment information comprises a portion of said public key.
  - 72. The apparatus of claim 65, wherein said key commitment information comprises a function of said public key.
  - 73. The apparatus of claim 65, further comprising a receiving mechanism capable of receiving provisioning information.
  - 74. The apparatus of claim 65, further including one or more components selected from the group consisting of a computer, a personal data assistant, a smart card, a cryptographic token, a medical device, a device containing personal information, a secure telephone, a cell telephone, a vehicle, a container, an access card, a biometric sensor, a wireless network device, a proximity sensor, a sensor device, traffic sensor, an alarm device, a robot, a device capable of receiving a credential, a device capable of issuing a credential.

75. A computer controlled method to construct a secure credential infrastructure comprising steps of:
- exchanging key commitment information over a preferred channel between a credential issuing device and a prospective member device to pre-authenticate said prospective member device;
  
  sending network configuration information over said preferred channel to said prospective member device;
  
  receiving a public key from said prospective member device;
  
  verifying said public key with said key commitment information; and
  
  automatically provisioning said prospective member device with a credential authorized by a credential issuing authority.

76. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method to construct a secure credential infrastructure, the method comprising steps of:
- exchanging key commitment information over a preferred channel between a credential issuing device and a prospective member device to pre-authenticate said prospective member device;
  
  sending network configuration information over said preferred channel to said prospective member device;
  
  receiving a public key from said prospective member device;
  
  verifying said public key with said key commitment information; and
  
  automatically provisioning said prospective member device with a credential authorized by a credential issuing authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Xerox Corporation (Xerox Holdings Corp.)
Inventors
Smetters, Diana K., Balfanz, Dirk, Durfee, Glenn E., Wong, Hao-Chi, Grinter, Rebecca E., Stewart, Paul Joseph
Primary Examiner(s)
Song; Hosuk

Application Number

US10/656,550
Publication Number

US 20040098581A1
Time in Patent Office

1,481 Days
Field of Search

713/168, 713170-171, 380/277, 380/282, 380/285, 726/2, 726/5, 726/27
US Class Current

713/168
CPC Class Codes

H04L 12/1818   Conference organisation arr...

H04L 12/1822   Conducting the conference, ...

H04L 63/0492   by using a location-limited...

H04L 63/065   for group communications cr...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/104   Grouping of entities

H04L 63/18   using different networks or...

H04L 67/12   specially adapted for propr...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Method and apparatus for establishing and using a secure credential infrastructure

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

209 Citations

76 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for establishing and using a secure credential infrastructure

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

76 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others