System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials

US 7,925,878 B2
Filed: 09/24/2002
Issued: 04/12/2011
Est. Priority Date: 10/03/2001
Status: Active Grant

First Claim

Patent Images

1. A method for deploying a trusted network capable of securely updating devices that allows for secure transactions over an open communications network, comprising the steps of:

binding a single credential to a plurality of devices to be used in secure transactions over the open communications network;

maintaining a manifest identifying each device of the plurality of devices bound to the single credential;

where in the manifest lists the plurality of devices at the time of creation, is stored in an escrow database, and forms a list that is not altered;

maintaining a current list of devices approved to securely transact over the open communications network, each device being related in the current list of devices to the single credential bound to the plurality of devices to which the device belongs; and

before allowing any of the plurality of devices to send a message over the open communications network, determining whether the device is authenticated to be a trusted device for transacting over the open communications network by verifying the validity of the single credential bound to the device based on the manifest and the current list.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for creating a trusted network capable of facilitating secure transactions via an open network using batch credentials, such as batch PKI certificates, is presented. A certificate is bound to a group, or batch, or devices. This certificate is referenced by an activation authority upon processing a request for service by a device. Information regarding the device batch certificate is maintained in a permanent, or escrow, database. A user identity is bound to a device, as a device key is used to sign a user key created on the device in the presence of the user, and a copy of the device key is later used to decrypt the signed user key upon its transmission and receipt.

59 Citations

View as Search Results

35 Claims

1. A method for deploying a trusted network capable of securely updating devices that allows for secure transactions over an open communications network, comprising the steps of:
- binding a single credential to a plurality of devices to be used in secure transactions over the open communications network;
  
  maintaining a manifest identifying each device of the plurality of devices bound to the single credential;
  
  where in the manifest lists the plurality of devices at the time of creation, is stored in an escrow database, and forms a list that is not altered;
  
  maintaining a current list of devices approved to securely transact over the open communications network, each device being related in the current list of devices to the single credential bound to the plurality of devices to which the device belongs; and
  
  before allowing any of the plurality of devices to send a message over the open communications network, determining whether the device is authenticated to be a trusted device for transacting over the open communications network by verifying the validity of the single credential bound to the device based on the manifest and the current list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising the step of:
    - using at least one of the plurality of devices to securely transact over the open communications network.
  - 3. The method of claim 1, wherein the single credential comprises a digital certificate.
  - 4. The method of claim 3, wherein the digital certificate is issued by a certification authority.
  - 5. The method of claim 1, wherein the manifest is also maintained by a certification authority.
  - 6. The method of claim 1, wherein the open communications network comprises the Internet.
  - 7. The method of claim 1, wherein the open communications network comprises a mobile telephone network.
  - 8. The method of claim 7, wherein the mobile telephone network comprises the global system for mobile communications (GSM).
  - 9. The method of claim 8, wherein each of the plurality of devices comprises a subscriber identity module (SIM).
  - 10. The method of claim 1, wherein each of the plurality of devices comprises a smart card.
  - 11. The method of claim 1, wherein a manufacturer of the plurality of devices requests the single credential.
  - 12. The method of claim 11, wherein the manufacturer requests the single credential from a certification authority.
  - 13. The method of claim 1, further comprising the steps of:
    - storing a device key pair, comprising a device public key and a device private key within each of the plurality of devices;
      
      generating a user key pair, comprising a user public key and a user private key, within the device;
      
      signing the user public key using the device private key;
      
      transmitting the signed user public key to a verification entity;
      
      decrypting the signed user public key using a copy of the device public key retained by the verification entity.
  - 14. The method of claim 13, wherein the step of storing further comprises:
    - storing a reference pointer to a device manifest within a device.
  - 15. The method of claim 13, wherein the step of generating is performed while the device is under the control of the user with whom the user key is associated.

16. A method for effecting secure transactions via an open communications network, comprising the steps of:
- binding a single credential to a plurality of devices to be used in secure transactions over the open communications network;
  
  maintaining a manifest identifying each device of the plurality of devices bound to the single credential;
  
  where in the manifest lists the plurality of devices at the time of creation, is stored in an escrow database, and forms a list that is not altered;
  
  maintaining a current list of devices approved to use the single credential bound to the plurality of devices, each device being related in the current list of devices to the single credential bound to the plurality of devices to which the device belongs;
  
  before allowing any of the plurality of devices to send a message over the open communications network, determining whether the device is authenticated to be a trusted device for transacting over the open communications network by verifying the validity of the single credential bound to the device based on the manifest and the current list; and
  
  performing a secure transaction via one of the devices using the single credential bound to the plurality of devices to which the device belongs.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the single credential is a digital certificate.
  - 18. The method of claim 16, wherein the step of verifying is accomplished by way of a verification authority.
  - 19. The method of claim 16, further comprising the step of requesting the single credential for the plurality of devices, andwherein the step of binding is performed in response to the step of requesting.
  - 20. The method of claim 19, wherein the step of requesting is accomplished by way of a registration authority.
  - 21. The method of claim 20, wherein the registration authority is a manufacturer of the plurality of devices.
  - 22. The method of claim 16, wherein the step of maintaining a current list comprises maintaining a revocation list.

23. A method of associating a credential with a plurality of devices, comprising the steps of:
- a manufacturer of the plurality of devices storing data regarding the plurality of devices;
  
  a registration authority transmitting request data to a certification authority and requesting a credential for the plurality of devices;
  
  the certification authority recording credential data to be associated with the plurality of devices and issuing a single credential that is associated with the plurality of devices;
  
  the certification authority providing the single credential to the manufacturer; and
  
  the manufacturer providing each of the plurality of devices having the single credential associated therewith to a plurality of users.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, wherein the registration authority is the manufacturer.
  - 25. The method of claim 23, further comprising the steps of:
    - the manufacturer creating and storing a manifest of the single credential and each of the devices of the plurality of devices and the single credential associated with the plurality of devices.

26. A system for activation of services for a device over an open communications network, comprising:
- an activation authority configured to request activation of a device, on behalf of the device;
  
  a certification authority for certifying a credential of the device for which activation is requested by the activation authority;
  
  a certification storage device for storing information regarding credentials for a plurality of devices;
  
  a registration authority configured to request certification of a device from the certification authority;
  
  a user database accessible to the registration authority and to the activation authority configured to store information regarding users associated with the plurality of devices; and
  
  a device database accessible to the activation authority for maintaining information regarding the plurality of devices.
- View Dependent Claims (27)
- - 27. The system of claim 26, wherein the registration authority comprises a service provider.

28. A system capable of securely updating devices that allow for secure transactions over an open network, comprising:
- a manufacturer that manufactures a plurality of devices;
  
  an activation authority configured to request activation of each of the plurality of devices;
  
  a device certification authority configured to issue a credential for the plurality of devices;
  
  a device registration authority for requesting a credential for the plurality of devices from the device certification authority;
  
  a user certification authority configured to issue a credential for users of the plurality of devices;
  
  a user registration authority for requesting a credential for the users of the plurality of devices from the user certification authority.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The system of claim 28, further comprising:
    - a service provider for providing service to at least one of the plurality of devices.
  - 30. The system of claim 29, wherein the service provider is the user registration authority.
  - 31. The system of claim 28, further comprising an escrow database accessible to the manufacturer, the device registration authority, and the device certification authority.
  - 32. The system of claim 28, further comprising a user database accessible to the user registration authority.
  - 33. The system of claim 28, further comprising a certificate database accessible to the user certification authority and the activation authority.
  - 34. The system of claim 28, further comprising a device database accessible to the manufacturer and the activation authority.
  - 35. The system of claim 28, wherein the device registration authority comprises the manufacturer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SA
Original Assignee
Gemalto SA (Thales SA)
Inventors
Miller, Paul, Carrara, Jean-Louis, Bebic, Youri, Merrien, Lionel
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/252,517
Publication Number

US 20030084311A1
Time in Patent Office

3,122 Days
Field of Search

713/155, 713/185, 713/191, 713/157, 713/173, 713/175, 726/9, 709/223, 709/229, 455/3.01
US Class Current

713/155
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/3829   involving key management

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/0823   using certificates cryptogr...

H04L 63/104   Grouping of entities

H04L 63/12   Applying verification of th...

H04L 67/30   Profiles

H04L 9/006   involving public key infras...

H04L 9/3268   using certificate validatio...

System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for creating a trusted network capable of facilitating secure open network transactions using batch credentials

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links