Secure installation activation

US 7,707,405 B1
Filed: 09/21/2004
Issued: 04/27/2010
Est. Priority Date: 09/21/2004
Status: Active Grant

First Claim

Patent Images

1. A method for providing credentials to a computational component in a distributed processing network, comprising:

generating a plurality of crypto-tokens, each crypto-token comprising a unique identifier and a public/private key pair and being configured for operative engagement with a selected computational component, whereby the selected computational component and a selected crypto-token can electrically communicate with one another;

receiving a unique identifier for the selected crypto-token; and

based on (i) a digital certificate comprising the public key and unique identifier and (ii) the private key in the selected crypto-token, establishing a secured communication session with the selected computational component to which the selected crypto-token is engaged, wherein any of the plurality of crypto-tokens are interchangeable such that any of the crypto-tokens may be engaged with the selected computational component to effect the establishing step, wherein, in the generating step, each crypto-token is not associated with a specific computational component and/or user, and wherein the unique identifier is received out-of-band from the digital certificate.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system 100 for providing credentials to a computational component in a distributed processing network is provided. The system 100 includes: (a) a plurality of crypto-tokens 150a-n, each crypto-token 150a-n comprising a unique identifier, optionally a digital certificate comprising a unique public key and the unique identifier, and a private key corresponding to the public key; (b) a provisioning system 100 comprising a certificate authority 104 operable to generate the plurality of crypto-tokens 150a-n; and (c) a computational component 128 comprising a drive operable to receive and communicate with a selected crypto-token 150. The computational component 128 uses the digital certificate and private key in any of the crypto-tokens 150a-n to establish a secured communication session with the provisioning system 100. Before the establishing operation, any of the plurality of crypto-tokens 150a-n can be engaged with the computational component 128 to establish the secure communication session.

316 Citations

32 Claims

1. A method for providing credentials to a computational component in a distributed processing network, comprising:
- generating a plurality of crypto-tokens, each crypto-token comprising a unique identifier and a public/private key pair and being configured for operative engagement with a selected computational component, whereby the selected computational component and a selected crypto-token can electrically communicate with one another;
  
  receiving a unique identifier for the selected crypto-token; and
  
  based on (i) a digital certificate comprising the public key and unique identifier and (ii) the private key in the selected crypto-token, establishing a secured communication session with the selected computational component to which the selected crypto-token is engaged, wherein any of the plurality of crypto-tokens are interchangeable such that any of the crypto-tokens may be engaged with the selected computational component to effect the establishing step, wherein, in the generating step, each crypto-token is not associated with a specific computational component and/or user, and wherein the unique identifier is received out-of-band from the digital certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the selected crypto-token comprises the digital certificate, wherein standard and extension portions of the digital certificate, before the establishing step, do not identify a specific computational component, wherein the digital certificate identifies uniquely the corresponding cryto-token, and wherein, before the establishing step, each crypto-token is not associated with a specific computational component, enterprise network, and user.
  - 3. The method of claim 2, wherein the digital certificate in each crypto-token comprises the corresponding unique identifier of the crypto-token, wherein the digital certificate in each crypto-token excludes a unique identifier of any computational component, and wherein the unique identifier of each crypto-token is visible on the outside of the crypto-token.
  - 4. The method of claim 1, wherein a provisioning system performs the generating and establishing steps and, after the receiving step, further comprising:
    - the provisioning system thereafter associating the unique identifier of the selected crypto-token with the selected computational component, wherein, before the associating step, the unique identifier of the crypto-token is not associated specifically with the selected computational component.
  - 5. The method of claim 1, wherein the plurality of crypto-tokens are not customer-specific any may be used in a computational component purchased by any customer and wherein before each crypto-token is not associated with either a specific computational component, enterprise network, or user.
  - 6. The method of claim 1, wherein the crypto-token is portable and at least one of a smart card and a dongle and wherein the unique identifier of the selected crypto-token is received before or during the establishing step.
  - 7. The method of claim 6, wherein the unique identifier is provided in a communication that is out-of-band relative to the secured communication session.
  - 8. The method of claim 6, wherein the unique identifier is provided over an unencrypted communication channel, wherein the digital certificate is in a chain of authority, the chain of authority including a root certificate of authority of an issuer of the selected crypto-token, an intermediate digital certificate of licensing generating module, and the digital certificate of the selected crypto-token, and further comprising:
    - determining a hash value over contents of a license file;
      
      encrypting, using a private key of a of licensing system, the hash value;
      
      thereafter transmitting the license file and encrypted hash value to the selected computational component; and
      
      decrypting, by the selected computational component, the hash value using a public key, of the licensing system.
  - 9. The method of claim 1, further comprising before the receiving step:
    - forming, by the selected computational component, a host name; and
      
      obtaining, by the selected computational component, an electronic address on the network; and
      
      further comprising after the establishing step;
      
      generating, by at least one of the selected crypto-token and selected computational component, a new unsigned digital certificate request that comprises information specifically identifying the selected computational component;
      
      forwarding, by the selected computational component, the unsigned digital certificate request to a certificate authority;
      
      digitally signing, by the certificate authority, the new digital certificate request; and
      
      replacing the original certificate specific to the selected crypto-token with the new signed certificate specific to the selected computational component.
  - 10. The method of claim 9, wherein the original and new certificates comprise the same public key.
  - 11. The method of claim 9, wherein the new certificate comprises at least one of an enterprise network identifier, a module identifier, and a system identifier.
  - 12. The method of claim 9, wherein the new certificate comprises at least one of a serial number and host name associated with the computational component.
  - 13. The method of claim 1, further comprising after the establishing step and during the secured communication session:
    - forwarding a license file to the selected computational component.
  - 14. The method of claim 1, wherein the selected computational component is at least one of a gateway, a media server, a voice messaging server, an instant messaging server, an email server, and a port network.

15. A computer readable medium encoded with processor-executable instructions to perform the steps:
- generating a plurality of crypto-tokens, each crypto-token comprising a unique identifier and a public/private key pair and being configured for operative engagement with a selected computational component, whereby the selected computational component and a selected crypto-token can electrically communicate with one another;
  
  receiving a unique identifier for the selected crypto-token; and
  
  based on (i) a digital certificate comprising the public key and unique identifier and (ii) the private key in the selected crypto-token, establishing a secured communication session with the selected computational component to which the selected crypto-token is engaged, wherein the crypto-tokens are interchangeable such that any of the plurality of crypto-tokens may be engaged with the selected computational component to effect the establishing step, wherein, in the generating step, each crypto-token is not associated with a specific computational component and/or user, and wherein the unique identifier is received out-of-band from the digital certificate.
- View Dependent Claims (16)
- - 16. The computer readable medium of claim 15, wherein the instructions are further operable to perform the further steps:
    - generating, by at least one of the selected crypto-token and selected computational component, a new unsigned digital certificate request that comprises information specifically identifying the selected computational component;
      
      forwarding, by the selected computational component, the unsigned digital certificate request to the certificate authority;
      
      digitally signing, by the certificate authority, the new digital certificate request; and
      
      replacing the original certificate specific to the selected crypto-token with the new signed certificate specific to the selected computational component.

17. A system for providing credentials to a selected computational component in a distributed processing network, comprising:
- a plurality of crypto-tokens, each crypto-token comprising a unique identifier and a public/private key pair and being configured for operative engagement with a selected computational component;
  
  a provisioning system operable to generate the plurality of crypto-tokens; and
  
  the selected computational component comprising a reader operable to receive and communicate electrically with a selected crypto-token, the selected computational component being operable to use (i) a digital certificate, comprising the unique identifier and the public key and (ii) the private key in the selected crypto-token to establish a secured communication session with the provisioning system, wherein each of the plurality of crypto-tokens are interchangeable to effect establishment of secured communication session with the selected computational component, whereby any of the plurality of crypto-tokens may be engaged with the selected computational component to perform the establishing operation, wherein each crypto-token is not associated with a specific computational component and/or user, and wherein the unique identifier is received out-of-band from the digital certificate.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. The system of claim 17, wherein the crypto-token comprises the digital certificate, wherein standard and extension portions of the digital certificate, before the establishing step, do not identify a specific computational component, wherein the digital certificate identifies uniquely the corresponding cryto-token, and wherein each crypto-token is not associated with a specific computational component and user.
  - 19. The system of claim 18, wherein the digital certificate in each crypto-token comprises the corresponding unique identifier of the crypto-token, wherein the digital certificate in each crypto-token excludes a unique identifier of any computational component, and wherein the unique identifier of each crypto-token is visible on the outside of the crypto-token.
  - 20. The system of claim 17, wherein the provisioning system, after the establishing operation, is further operable to associate the unique identifier of the selected crypto-token with the computational component, wherein, before the associating function, the unique identifier of the selected crypto-token is not associated specifically with the computational component.
  - 21. The system of claim 17, wherein the plurality of crypto-tokens are not customer-specific any may be used in a computational component purchased by any customer and wherein each crypto-token is not associated with a specific computational component, enterprise network, or user.
  - 22. The system of claim 17, wherein the crypto-token is portable and at least one of a smart card and a dongle and wherein the provisioning system comprises an input operable to receive the unique identifier of the selected crypto-token before or during the establishing operation.
  - 23. The system of claim 17, wherein the unique identifier is provided in a communication that is out-of-band relative to the secured communication session.
  - 24. The system of claim 17, wherein the unique identifier is provided over an unencrypted communication channel and wherein the digital certificate is in a chain of authority, the chain of authority including a root certificate of authority of an issuer of the selected crypto-token, an intermediate digital certificate of licensing generating module, and the digital certificate of the selected crypto-token.
  - 25. The system of claim 17, wherein, after the establishing function, the selected crypto-token and computational component are operable to generate a new unsigned digital certificate request that comprises information specifically identifying the computational component;
    - forward the unsigned digital certificate request to the certificate authority;
      
      receive, from the certificate authority, a digitally signed new digital certificate; and
      
      replace the original certificate specific to the selected crypto-token with the new signed certificate specific to the computational component.
  - 26. The system of claim 25, wherein the original and new certificates comprise the same public key.
  - 27. The system of claim 25, wherein the new certificate comprises at least one of an enterprise network identifier, a module identifier, and a system identifier.
  - 28. The system of claim 25, wherein the new certificate comprises at least one of a serial number and host name associated with the computational component.
  - 29. The system of claim 17, wherein the provisioning system is further operable, after the establishing operation and during the secured communication session, to forward a license file to the computational component.
  - 30. The system of claim 17, wherein the computational component is at least one of a gateway, a media server, a voice messaging server, an instant messaging server, an email server, and a port network.

31. A crypto-token comprising:
- (a) a memory comprising a unique crypto-token identifier, a digital certificate comprising a unique public key and the unique identifier, and a private key; and
  
  (b) a processor operable to;
  
  (i) provide the digital certificate to a first computational component operatively engaged with the crypto-token, and(ii) to encrypt plain text and decrypt cipher text using the private key, the plain text and cipher text being received from the first computational component,wherein, at a time of providing to a user, the digital certificate is not specifically associated with the first computational component and/or user, andwhereby the crypto-token may be operatively engaged with a second computational component, and the processor in the second computational component remains operable to perform operations (i) and (ii) for the second computational component, andwherein the digital certificate does not include an identifier uniquely associated with the first and second computational components and wherein a unique identifier is provided to the first computational component out-of-band from the digital certificate.
- View Dependent Claims (32)
- - 32. The crypto-token of claim 31, wherein the digital certificate is not associated with the first computational component, wherein the digital certificate is not associated with the user, and wherein the processor is operable to:
    - (iii) generate a public/private key pair and (iv) generate the digital certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Serkowski, Robert J., Robinson, Richard L., Gilman, Robert R.
Primary Examiner(s)
Moazzami, Nasser
Assistant Examiner(s)
Traore, Fatoumata

Application Number

US10/947,418
Time in Patent Office

2,044 Days
Field of Search

None
US Class Current

713/156
CPC Class Codes

G06F 21/33   using certificates

H04L 2209/56   Financial cryptography, e.g...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/083   involving central third par...

H04L 9/3234   involving additional secure...

H04L 9/3265   using certificate chains, t...

Secure installation activation

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

316 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Secure installation activation

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

316 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links