Secure seed provisioning
First Claim
1. A method for use in secure seed provisioning, the method comprising the steps of:
- deriving, by an authentication device, data from an inherent source of randomness in the authentication device;
based on the data, provisioning, by the authentication device, the authentication device with a seed;
preventing, by the authentication device, direct external exposure of the seed during the lifetime of the authentication device; and
receiving, by the authentication device and from a programming station, a configuration command to provision the authentication device with the seed, the authentication device being provisioned with the seed in response to the configuration command;
wherein deriving the data from an inherent source of randomness in the authentication device includes;
generating, by a processor of the authentication device, the data based on a counter value which represents an amount of time between (i) when a battery of the authentication device is connected to the processor and (ii) when the configuration command is received from the programming station.
24 Assignments
0 Petitions
Accused Products
Abstract
A technique is utilized in the configuration and seeding of security tokens at third party facilities, particularly at facilities of a configuration agent, such that a token can be configured without the configuration agent having security-defeating knowledge about the token. Such a technique allows a third party to provision a token with a seed, but in such a way that the third party will not know, or be able to construct, the seed after the seed provisioning process is complete. The seed may include, by way of example, a symmetric key or other secret shared by two or more entities. In some arrangements, a method is used for secure seed provisioning. Data is derived from inherent randomness in a token or other authentication device. Based on the data, the token or other authentication device is provisioned with a seed.
-
Citations
22 Claims
-
1. A method for use in secure seed provisioning, the method comprising the steps of:
-
deriving, by an authentication device, data from an inherent source of randomness in the authentication device; based on the data, provisioning, by the authentication device, the authentication device with a seed; preventing, by the authentication device, direct external exposure of the seed during the lifetime of the authentication device; and receiving, by the authentication device and from a programming station, a configuration command to provision the authentication device with the seed, the authentication device being provisioned with the seed in response to the configuration command; wherein deriving the data from an inherent source of randomness in the authentication device includes; generating, by a processor of the authentication device, the data based on a counter value which represents an amount of time between (i) when a battery of the authentication device is connected to the processor and (ii) when the configuration command is received from the programming station. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A method for use in secure seed provisioning, the method comprising the steps of:
-
deriving, by a first authentication device, data from a secret number embedded in multiple authentication devices including the first authentication device, and from a unique number embedded in the first authentication device only; based on the data, provisioning, by the first authentication device, the first authentication device with a seed; preventing, by the first authentication device, direct external exposure of the seed from the first authentication device during the lifetime of the first authentication device; and receiving, by the first authentication device and from a programming station, a configuration command to provision the first authentication device with the seed, the authentication device being provisioned with the seed in response to the configuration command; wherein deriving the data from the secret number embedded in the multiple authentication devices and from a unique number embedded in the first authentication device only includes; generating, by a processor of the first authentication device, the data based on a counter value which represents an amount of time between (i) when a battery of the first authentication device is connected to the processor and (ii) when the configuration command is received from the programming station.
-
-
21. A method for use in secure seed provisioning, the method comprising the steps of:
-
deriving, by an authentication device, a first number from an internal source of randomness; receiving, by the authentication device, a second number based on an external source of randomness; receiving, by the authentication device, a serial number; internally retrieving, by the authentication device, a non-unique secret key; deriving, by the authentication device, a third number from the first number, serial number, and the non-unique secret key; externally exposing the third number while preventing direct external exposure of the seed from the authentication device during the lifetime of the authentication device; and deriving a key from the second and third numbers; wherein deriving the first number from the internal source of randomness includes; generating, by a processor of the authentication device, the first number based on a counter value which represents an amount of time between (i) when a battery of the authentication device is connected to the processor and (ii) when the second number is received. - View Dependent Claims (22)
-
Specification