Binding a device to a provider
First Claim
1. A method for configuring and provisioning a computer for metered operation, the computer comprising a main processor and memory, and a hardware security module comprising a cryptographic unit, a processor, and a tamper resistant memory, the method comprising:
providing the computer with first and second components that are associated with first and second service providers, respectively;
causing the computer to receive from a scheme owner at least a portion of a unique program identifier that represents the first and second components of the computer;
causing a scheme owner to receive a request for a registration document for the computer, the request comprising a full unique program identifier and a hardware identifier, the hardware identifier associated with the computer for uniquely identifying the computer, including the first and second components thereof, within a domain;
receiving the registration document from the scheme owner at the computer, the registration document digitally signed and includes the hardware identifier and a complete version of the unique program identifier, the registration being verified by the cryptographic unit and in response providing an amount of time according to which the hardware security module meters use of the first or second hardware components;
causing a provisioning request to be sent from the computer to the scheme owner;
preparing a provisioning instruction that is digitally signed and comprises the unique program identifier and the hardware identifier for use in qualifying the provisioning instruction;
providing the provisioning instruction to the computer for configuring the computer according to the provisioning instruction, the hardware security module verifying the provisioning instruction and in response enabling permanent access to the first or second component;
wherein the unique program identifier allows (i) the first service provider to maintain the contribution of the first component to the computer without accessing the second component and allows (ii) the second service provider to maintain the contribution of the second component to the computer without accessing the first component;
wherein the first and second components both comprise a peripheral device physically connected to a port of the computer or a computer program stored within a memory of the computer; and
wherein the tamper resistant memory stores the unique program identifier and hardware identifier, the computer being capable of gaining access to the tamper resistant memory only upon cryptographic authorization by the cryptographic unit.
Abstract
A pay-per-use or pay-as-you-go computer uses a secure memory to store individual unique program identifiers. Each unique program identifier is associated with a particular hardware or software component, or service, or the entire computer available to a user. By combining the unique program identifier with a computer hardware identifier, uniquely identified transactions may be tracked for both billing and reconciliation. Certificates associated with each unique program identifier, and coupled to the hardware identifier, provide a cryptographic basis for mutual verification of messages, requests, configuration instructions, and provisioning.
8 Claims
8. A method for configuring and provisioning a computer for metered operation, the computer comprising a main processor and memory, and a hardware security module comprising a cryptographic unit, a processor, and a tamper resistant memory, the method comprising:
providing the computer with first and second components that are associated with first and second service providers, respectively;
causing a computer to receive from a scheme owner at least a portion of a unique program identifier that represents the first and second components of the computer;
causing a scheme owner to receive a request for a registration document for the computer, the request comprising a full unique program identifier and a hardware identifier, the hardware identifier associated with the computer for uniquely identifying the computer, including the first and second components thereof, within a domain;
sending the registration document from the scheme owner to the computer, the registration document digitally signed with a signature and includes the hardware identifier and a complete version of the unique program identifier, the hardware security module verifying the signature and in response permitting metered access to the first or second component, and during the metered access continued access to the first or second component requires periodic updates from the scheme owner which are verified by the hardware security module to permit continued metered access;
causing a provisioning request to be sent from the computer to the scheme owner;
preparing a provisioning instruction that is digitally signed and comprises the unique program identifier and the hardware identifier for use in qualifying the provisioning instruction;
while the metered access is in effect, providing the provisioning instruction to the computer for configuring the computer according to the provisioning instruction, wherein a signature of the provisioning instruction is verified by the hardware security module and in response permanent access is granted to the first or second component; and
wherein the unique program identifier allows (i) the first service provider to maintain the contribution of the first component to the computer without accessing the second component and allows (ii) the second service provider to maintain the contribution of the second component to the computer without accessing the first component;
wherein the first and second components both comprise a product, a program or a service provided by the computer;
wherein the unique identifier comprises first and second unique identifiers, the first unique program identifier comprising a first business code and a first model code, the second unique program identifier comprising a second business code and a second model code;
wherein the first and second components both comprise a peripheral device physically connected to a port of the computer or a computer program stored within a memory of the computer;
wherein the computer includes the tamper resistant memory in which the unique program identifier and hardware identifier are stored, the computer being capable of gaining access to the tamper resistant memory only upon cryptographic authorization; and
receiving a provisioning packet, verifying the provisioning packet by the hardware security module, and in response converting access to the first or second component from metered access to permanent access.
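The registration, metering and provisioning flow of claim 8, sketched as an added Python example (not part of the patent): HMAC-SHA256 stands in for the digital signature, and the field names, identifiers, key and minute-based meter are constructed for illustration.

```python
import hashlib, hmac, json

def sign(key: bytes, doc: dict) -> bytes:
    """Scheme-owner side: MAC over a canonical JSON encoding of the document."""
    msg = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Hsm:
    """Toy hardware security module: identifiers and meter state live only here."""
    def __init__(self, key: bytes, hwid: str, upids: dict):
        self._key, self._hwid, self._upids = key, hwid, dict(upids)
        self._minutes = {}        # component -> metered minutes left (set by registration)
        self._permanent = set()   # components converted to permanent access

    def apply(self, doc: dict, sig: bytes) -> str:
        # 1. Signature first: nothing in the document is trusted before this passes.
        if not hmac.compare_digest(sign(self._key, doc), sig):
            return "rejected: bad signature"
        # 2. Binding: the document must name this machine and this component's UPID.
        comp = doc.get("component")
        if (doc.get("hwid") != self._hwid or comp not in self._upids
                or self._upids[comp] != doc.get("upid")):
            return "rejected: wrong device or program"
        kind = doc.get("type")
        if kind == "registration" or (kind == "update" and comp in self._minutes):
            self._minutes[comp] = self._minutes.get(comp, 0) + int(doc["minutes"])
            return "metered"
        if kind == "provisioning" and self._minutes.get(comp, 0) > 0:
            self._permanent.add(comp)   # only while metered access is in effect
            return "permanent"
        return "rejected: not valid in current state"

    def use(self, comp: str, minutes: int) -> bool:
        """Meter `minutes` of use; False once the balance is exhausted."""
        if comp in self._permanent:
            return True
        if self._minutes.get(comp, 0) < minutes:
            return False
        self._minutes[comp] -= minutes
        return True

def demo():
    """Constructed walk-through: early provisioning, register, meter, convert."""
    key = b"constructed-demo-key"   # assumption: key shared with the scheme owner
    hsm = Hsm(key, "HW-0001", {"modem": "ISP01-M100", "suite": "SWV02-S200"})
    base = {"hwid": "HW-0001", "component": "modem", "upid": "ISP01-M100"}
    reg, prov = {**base, "type": "registration", "minutes": 60}, {**base, "type": "provisioning"}
    return [hsm.apply(prov, sign(key, prov)), hsm.apply(reg, sign(key, reg)),
            hsm.use("modem", 45), hsm.apply(prov, sign(key, prov)), hsm.use("suite", 1)]
```

The sketch keeps no counter or nonce, so a captured registration document would be accepted again; the claims above do not describe replay handling.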
Specification