System and method for remote device registration

US 8,423,765 B2
Filed: 04/27/2010
Issued: 04/16/2013
Est. Priority Date: 06/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for distributing and monitoring insertion of sensitive data into devices, said method comprising:

arranging a controller to be communicably connectable to a server being located remote therefrom, said server configured to be communicably connectable to equipment responsible for inserting said sensitive data into said devices, said controller being configured for distributing said sensitive data to said server to enable said server to provide said sensitive data to said equipment, said controller comprising a secure module for performing cryptographic operations;

said controller using said secure module to cryptographically protect said sensitive data;

said controller sending a cryptographically protected data transmission comprising said sensitive data to said server to enable said server to extract said sensitive data therefrom;

said controller providing a credit value to said server indicative of a number of sensitive data insertions that are permitted before requesting more of said sensitive data from said controller to enable said server to update said credit value according to amounts of said sensitive data provided to said equipment;

said controller receiving a log report from said server, said log report pertaining to the insertion of an amount of said sensitive data into respective devices by said equipment upon said equipment obtaining said amount of sensitive data from said server upon request, said log report having been generated from at least one log record obtained by said server from said equipment; and

said controller enabling said log report to be compared to a record generated by said controller indicative of distribution of said sensitive data to said server to monitor said insertion of said sensitive data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for remote device registration, to monitor and meter the injection of keying or other confidential information onto a device, is provided. A producer who utilizes one or more separate manufacturers, operates a remote module that communicates over forward and backward channels with a local module at the manufacturer. Encrypted data transmissions are sent by producer to the manufacturer and are decrypted to obtain sensitive data used in the devices. As data transmissions are decrypted, credits from a credit pool are depleted and can be replenished by the producer through credit instructions. As distribution images are decrypted, usage records are created and eventually concatenated, and sent as usage reports back to the producer, to enable the producer to monitor and meter production at the manufacturer.

28 Citations

View as Search Results

36 Claims

1. A method for distributing and monitoring insertion of sensitive data into devices, said method comprising:
- arranging a controller to be communicably connectable to a server being located remote therefrom, said server configured to be communicably connectable to equipment responsible for inserting said sensitive data into said devices, said controller being configured for distributing said sensitive data to said server to enable said server to provide said sensitive data to said equipment, said controller comprising a secure module for performing cryptographic operations;
  
  said controller using said secure module to cryptographically protect said sensitive data;
  
  said controller sending a cryptographically protected data transmission comprising said sensitive data to said server to enable said server to extract said sensitive data therefrom;
  
  said controller providing a credit value to said server indicative of a number of sensitive data insertions that are permitted before requesting more of said sensitive data from said controller to enable said server to update said credit value according to amounts of said sensitive data provided to said equipment;
  
  said controller receiving a log report from said server, said log report pertaining to the insertion of an amount of said sensitive data into respective devices by said equipment upon said equipment obtaining said amount of sensitive data from said server upon request, said log report having been generated from at least one log record obtained by said server from said equipment; and
  
  said controller enabling said log report to be compared to a record generated by said controller indicative of distribution of said sensitive data to said server to monitor said insertion of said sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method according to claim 1, further comprising receiving a request from said server for additional sensitive data, and providing said additional sensitive data and a new credit value to said server.
  - 3. The method according to claim 1, wherein said log report further comprises a log record indicative of the distribution of said amount of sensitive data by said server to said equipment.
  - 4. The method according to claim 1 wherein said secure module encrypts a header included in said data transmission to protect a key, said key enabling said server to decrypt said transmission and extract said sensitive data therefrom.
  - 5. The method according to claim 1, further comprising initiating a provisioning procedure executed prior to sending said sensitive data to said server, said provisioning procedure being used to initialize said server and said secure module.
  - 6. The method according to claim 1 comprising sending said data transmission to a plurality of servers.
  - 7. The method according to claim 1 further comprising said controller sending a credit instruction to said server indicating an update for said credit value.
  - 8. The method according to claim 1 further comprising said controller sending to said server, an object for implementing an existing data insertion solution, said existing solution modifying said data;
    - said object having been signed to be provided to a secure module for said server to store said signed object, verify said signed object, and modify said sensitive data according to said existing solution if said signed object is verified.
  - 9. The method according to claim 1 wherein said data transmission includes a plurality of types of sensitive data, said method further comprising said secure module sending certain ones of said types according to permissions established by said controller.
  - 10. The method according to claim 9 wherein said log report includes an indication of which one of said types has been provided by said secure module to said equipment.
  - 11. The method according to claim 1 further comprising said controller sending a configuration message to said server for use in modifying settings in a secure module at said server.
  - 12. The method according to claim 1, wherein said log report is received by said controller in response to a poll initiated by one of said server and said controller.
  - 13. The method according to claim 1, wherein said log report is received by said controller for obtaining additional sensitive data, wherein a further data transmission is sent to said server if comparison of said log report to said record generated by said controller indicative of distribution of said sensitive data to said server is favourable, and additional sensitive data is required;
    - and wherein said controller sends to said server an instruction to inhibit further extraction of said sensitive data from any previous transmission if said comparison is not favourable.
  - 14. The method according to claim 1 wherein said sensitive data comprises a plurality of keys, said data transmission including a quantity of said keys encrypted by said secure module to enable said server to decrypt one or more of said keys as indicated by instructions provided by said controller apriori.
  - 15. The method according to claim 14 wherein said secure module encrypts said quantity of keys to enable said server to individually re-encrypt each key;
    - wherein certain ones of said keys are decrypted for use by said equipment upon a request made by said equipment.
  - 16. The method according to claim 1 wherein said secure module contains a symmetric key for communicating over forward and backward communication channels between said server and said controller.
  - 17. The method according to claim 1, wherein inserting said sensitive data comprises injecting information into said devices.
  - 18. The method according to claim 1, wherein inserting said sensitive data comprises keying said devices.

19. A system for distributing and monitoring insertion of sensitive data into devices, said system comprising:
- a controller device communicably connectable to a server being located remote therefrom, said server configured to be communicably connectable to equipment responsible for inserting said sensitive data into said devices, said controller device being configured for distributing said sensitive data to said server to enable said server to provide said sensitive data to said equipment, said controller device comprising a secure module for performing cryptographic operations;
  
  said controller device being configured for;
  
  using said secure module to cryptographically protect said sensitive data;
  
  sending a cryptographically protected data transmission comprising said sensitive data to said server to enable said server to extract said sensitive data therefrom;
  
  providing a credit value to said server indicative of a number of sensitive data insertions that are permitted before requesting more of said sensitive data from said controller device to enable said server to update said credit value according to amounts of said sensitive data provided to said equipment;
  
  receiving a log report from said server, said log report pertaining to the insertion of an amount of said sensitive data into respective devices by said equipment upon said equipment obtaining said amount of sensitive data from said server upon request, said log report having been generated from at least one log record obtained by said server from said equipment; and
  
  enabling said log report to be compared to a record generated by said controller indicative of distribution of said sensitive data to said server to monitor said insertion of said sensitive data.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The system according to claim 19, wherein said controller device is further configured for receiving a request from said server for additional sensitive data, and providing said additional sensitive data and a new credit value to said server.
  - 21. The system according to claim 19, wherein said log report further comprises a log record indicative of the distribution of said amount of sensitive data by said server to said equipment.
  - 22. The system according to claim 19 wherein said secure module encrypts a header included in said data transmission to protect a key, said key enabling said server to decrypt said transmission and extract said sensitive data therefrom.
  - 23. The system according to claim 19, wherein said controller device is further configured for initiating a provisioning procedure executed prior to sending said sensitive data to said server, said provisioning procedure being used to initialize said server and said secure module.
  - 24. The system according to claim 19, wherein said controller device is further configured for sending said data transmission to a plurality of servers.
  - 25. The system according to claim 19, wherein said controller device is further configured for sending a credit instruction to said server indicating an update for said credit value.
  - 26. The system according to claim 19, wherein said controller device is further configured for sending to said server, an object for implementing an existing data insertion solution, said existing solution modifying said data;
    - said object having been signed to be provided to a secure module for said server to store said signed object, verify said signed object, and modify said sensitive data according to said existing solution if said signed object is verified.
  - 27. The system according to claim 19 wherein said data transmission includes a plurality of types of sensitive data, and wherein said controller device is further configured for sending certain ones of said types according to permissions established by said controller system.
  - 28. The system according to claim 27 wherein said log report includes an indication of which one of said types has been provided by said secure module to said equipment.
  - 29. The system according to claim 19 wherein said controller device is further configured for sending a configuration message to said server for use in modifying settings in a secure module at said server.
  - 30. The system according to claim 19, wherein said log report is received by said controller device in response to a poll initiated by one of said server and said controller.
  - 31. The system according to claim 19, wherein said log report is received by said controller for obtaining additional sensitive data, wherein a further data transmission is sent to said server if comparison of said log report to said record generated by said controller indicative of distribution of said sensitive data to said server is favourable, and additional sensitive data is required;
    - and wherein said controller sends to said server an instruction to inhibit further extraction of said sensitive data from any previous transmission if said comparison is not favourable.
  - 32. The system according to claim 19 wherein said sensitive data comprises a plurality of keys, said data transmission including a quantity of said keys encrypted by said secure module to enable said server to decrypt one or more of said keys as indicated by instructions provided by said controller apriori.
  - 33. The system according to claim 32 wherein said secure module encrypts said quantity of keys to enable said server to individually re-encrypt each key;
    - wherein certain ones of said keys are decrypted for use by said equipment upon a request made by said equipment.
  - 34. The system according to claim 19 wherein said secure module contains a symmetric key for communicating over forward and backward communication channels between said server and said controller.
  - 35. The system according to claim 19, wherein inserting said sensitive data comprises injecting information into said devices.
  - 36. The system according to claim 19, inserting said sensitive data comprises keying said devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Certicom Corporation (Blackberry Limited)
Inventors
Neill, Brian, Vadekar, Ashok, Xu, Patrick
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US12/767,957
Publication Number

US 20100205433A1
Time in Patent Office

1,085 Days
Field of Search

None
US Class Current

713/165
CPC Class Codes

G06F 21/72   in cryptographic circuits

H04L 2209/04   Masking or blinding

H04L 2209/60   Digital content management,...

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0897   involving additional device...

System and method for remote device registration

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for remote device registration

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links