Authenticated radio frequency identification and key distribution system therefor

US 9,013,266 B2
Filed: 09/10/2007
Issued: 04/21/2015
Est. Priority Date: 09/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method for managing verification keys for RFID readers, said method comprising:

receiving, from a signer, a request for a new verification key;

returning, to said signer, a response associated with the new verification key;

updating permissions for RFID readers for using said new verification key;

obtaining the new verification key corresponding to a private key of the signer, said private key being used to generate a signature stored in memory on an RFID tag read by at least one of said RFID readers, said signature comprising;

(i) a first signature component generated by encrypting sensitive data comprising a product type using an encryption key, said product type identifying a product to which the RFID tag is attached, said first signature component being stored in a first portion of said memory and hiding said product type from RFID readers not having said new verification key, said sensitive data being recoverable from said first signature component using a decryption key generated using said new verification key;

(ii) a second signature component generated using said first signature component, said private key of said signer, and visible data, said second signature component being stored in a second portion of said memory and being used to generate said decryption key, and (iii) said visible data stored in plaintext in a third portion of said memory; and

distributing said new verification key to an RFID reader using a controlled channel, after determining that said RFID reader has permission to recover said sensitive data from said first signature component when verifying said signature.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authenticated RFID system is provided that uses elliptic curve cryptography (ECC) to reduce the signature size and read/write times when compared to traditional public key implementations such as RSA. Either ECDSA or ECPVS can be used to reduce the signature size and ECPVS can be used to hide a portion of the RFID tag that contains sensitive product identifying information. As a result, smaller tags can be used or multiple signatures can be written at different stages in a manufacturing or supply chain. A key management system is used to distribute the verification keys and aggregate signature schemes are also provided for adding multiple signatures to the RFID tags, for example in a supply chain.

Citations

30 Claims

1. A method for managing verification keys for RFID readers, said method comprising:
- receiving, from a signer, a request for a new verification key;
  
  returning, to said signer, a response associated with the new verification key;
  
  updating permissions for RFID readers for using said new verification key;
  
  obtaining the new verification key corresponding to a private key of the signer, said private key being used to generate a signature stored in memory on an RFID tag read by at least one of said RFID readers, said signature comprising;
  
  (i) a first signature component generated by encrypting sensitive data comprising a product type using an encryption key, said product type identifying a product to which the RFID tag is attached, said first signature component being stored in a first portion of said memory and hiding said product type from RFID readers not having said new verification key, said sensitive data being recoverable from said first signature component using a decryption key generated using said new verification key;
  
  (ii) a second signature component generated using said first signature component, said private key of said signer, and visible data, said second signature component being stored in a second portion of said memory and being used to generate said decryption key, and (iii) said visible data stored in plaintext in a third portion of said memory; and
  
  distributing said new verification key to an RFID reader using a controlled channel, after determining that said RFID reader has permission to recover said sensitive data from said first signature component when verifying said signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1 wherein said distributing is performed periodically for a plurality of RFID readers and a plurality of verification keys such that dedicated connections to said plurality of RFID readers are not required.
  - 3. The method according to claim 1, further comprising receiving a key update request from said RFID reader to determine whether or not said RFID reader has permission to recover said sensitive data.
  - 4. The method according to claim 1, further comprising receiving a registration request from a new RFID reader;
    - and determining whether said new RFID reader has permission to recover said sensitive data.
  - 5. The method according to claim 1, further comprising:
    - receiving, from a signing station associated with said signer, a certificate request associated with said new verification key;
      
      returning, to said signing station, a certificate for said new verification key;
      
      determining RFID readers that are entitled to said certificate;
      
      updating said permissions for said RFID readers; and
      
      storing said certificate for subsequent key updates.
  - 6. The method according to claim 1, further comprising receiving a report indicative of a usage of said verification key by said RFID reader;
    - and associating revenue with said usage.
  - 7. The method according to claim 1, further comprising receiving, from a signing station, a report indicating a number of signatures written on said RFID tags;
    - and associating revenue with said number of signatures.
  - 8. The method according to claim 1, further comprising receiving a subscription payment, and performing said distributing according to said subscription payment.
  - 9. The method according to claim 1, further comprising sending a key pair comprising a private key and a corresponding public key to said RFID reader.
  - 10. The method according to claim 1, wherein said sensitive data corresponds to one of a plurality of product types, said method further comprising determining that said RFID reader has permission to recover said sensitive data for a corresponding product type.

11. A non-transitory computer readable medium comprising computer executable instructions for managing verification keys for RFID readers by:
- receiving, from a signer, a request for a new verification key;
  
  returning, to said signer, a response associated with the new verification key;
  
  updating permissions for RFID readers for using said new verification key;
  
  obtaining the new verification key corresponding to a private key of the signer, said private key being used to generate a signature stored in memory on an RFID tag read by at least one of said RFID readers, said signature comprising;
  
  (i) a first signature component generated by encrypting sensitive data comprising a product type using an encryption key, said product type identifying a product to which the RFID tag is attached, said first signature component being stored in a first portion of said memory and hiding said product type from RFID readers not having said new verification key, said sensitive data being recoverable from said first signature component using a decryption key generated using said new verification key;
  
  (ii) a second signature component generated using said first signature component, said private key of said signer, and visible data, said second signature component being stored in a second portion of said memory and being used to generate said decryption key, and (iii) said visible data stored in plaintext in a third portion of said memory; and
  
  distributing said new verification key to an RFID reader using a controlled channel, after determining that said RFID reader has permission to recover said sensitive data from said first signature component when verifying said signature.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The non-transitory computer readable medium according to claim 11, further comprising instructions for receiving a registration request from a new RFID reader;
    - and determining whether said new RFID reader has permission to recover said sensitive data.
  - 13. The non-transitory computer readable medium according to claim 11, further comprising instructions for:
    - receiving, from a signing station, a certificate request associated with said new verification key;
      
      returning, to said signing station associated with said signer, a certificate for said new verification key;
      
      determining RFID readers that are entitled to said certificate;
      
      updating said permissions for said RFID readers; and
      
      storing said certificate for subsequent key updates.
  - 14. The non-transitory computer readable medium according to claim 11, further comprising instructions for receiving a report indicative of a usage of said verification key by said RFID reader;
    - and associating revenue with said usage.
  - 15. The non-transitory computer readable medium according to claim 11, further comprising instructions for receiving, from a signing station, a report indicating a number of signatures written on said RFID tags;
    - and associating revenue with said number of signatures.
  - 16. The non-transitory computer readable medium according to claim 11, further comprising instructions for receiving a subscription payment, and performing said distributing according to said subscription payment.
  - 17. The non-transitory computer readable medium according to claim 11, further comprising instructions for sending a key pair comprising a private key and a corresponding public key to said RFID reader.
  - 18. The non-transitory computer readable medium according to claim 11, wherein said sensitive data corresponds to one of a plurality of product types, said method further comprising determining that said RFID reader has permission to recover said sensitive data for a corresponding product type.

19. A key management system for managing verification keys for RFID readers, said key management system being configured for:
- receiving, from a signer, a request for a new verification key;
  
  returning, to said signer, a response associated with the new verification key;
  
  updating permissions for RFID readers for using said new verification key;
  
  obtaining the new verification key corresponding to a private key of the signer, said private key being used to generate a signature stored in memory on an RFID tag read by at least one of said RFID readers, said signature comprising;
  
  (i) a first signature component generated by encrypting sensitive data comprising a product type using an encryption key, said product type identifying a product to which the RFID tag is attached, said first signature component being stored in a first portion of said memory and hiding said product type from RFID readers not having said new verification key, said sensitive data being recoverable from said first signature component using a decryption key generated using said new verification key;
  
  (ii) a second signature component generated using said first signature component, said private key of said signer, and visible data, said second signature component being stored in a second portion of said memory and being used to generate said decryption key, and (iii) said visible data stored in plaintext in a third portion of said memory; and
  
  distributing said new verification key to an RFID reader using a controlled channel, after determining that said RFID reader has permission to recover said sensitive data from said first signature component when verifying said signature.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 20. The key management system according to claim 19, further comprising:
    - a certificate agent for issuing certificates for a plurality of verification keys;
      
      a certificate server; and
      
      a conditional access database for storing certificates associated with said plurality of verification keys.
  - 21. The key management system according to claim 19, further comprising at least one controller for monitoring signing of RFID tags by one or more signing stations, and for monitoring verification of RFID tags using verification keys distributed to a plurality of RFID readers.
  - 22. The key management system according to claim 19, wherein said distributing is performed periodically for a plurality of RFID readers and a plurality of verification keys such that dedicated connections to said plurality of RFID readers are not required.
  - 23. The key management system according to claim 19, further configured for receiving a key update request from said RFID reader to determine whether or not said RFID reader has permission to recover said sensitive data.
  - 24. The key management system according to claim 19, further configured for receiving a registration request from a new RFID reader;
    - and determining whether said new RFID reader has permission to recover said sensitive data.
  - 25. The key management system according to claim 19, further configured for:
    - receiving, from a signing station, a certificate request associated with said new verification key;
      
      returning, to said signing station associated with said signer, a certificate for said new verification key;
      
      determining RFID readers that are entitled to said certificate;
      
      updating said permissions for said RFID readers; and
      
      storing said certificate for subsequent key updates.
  - 26. The key management system according to claim 19, further configured for receiving a report indicative of a usage of said verification key by said RFID reader;
    - and associating revenue with said usage.
  - 27. The key management system according to claim 19, further configured for receiving, from a signing station, a report indicating a number of signatures written to corresponding RFID tags;
    - and associating revenue with said number of signatures.
  - 28. The key management system according to claim 19, further configured for receiving a subscription payment, and performing said distributing according to said subscription payment.
  - 29. The key management system according to claim 19, further configured for sending a key pair comprising a private key and a corresponding public key to said RFID reader.
  - 30. The key management system according to claim 19, wherein said sensitive data corresponds to one of a plurality of product types, said method further comprising determining that said RFID reader has permission to recover said sensitive data for a corresponding product type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Certicom Corporation (Blackberry Limited)
Inventors
Griffiths-Harvey, Michael, Neill, Brian, Smith, Keelan, Rosati, Tony, Davis, Walt
Primary Examiner(s)
Nguyen, Tai T

Application Number

US11/898,181
Publication Number

US 20080164976A1
Time in Patent Office

2,780 Days
Field of Search

340/5.2, 340/5.61, 340/5.26, 340/10.1, 340/10.51, 340/572.1, 340/572.4, 340/572.7, 713/171, 713/176
US Class Current

340/5.2
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/3066   involving algebraic varieti...

H04L 9/3252   using DSA or related signat...

Authenticated radio frequency identification and key distribution system therefor

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticated radio frequency identification and key distribution system therefor

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links