System, device, and method of provisioning cryptographic data to electronic devices

US 9,231,758 B2
Filed: 02/23/2014
Issued: 01/05/2016
Est. Priority Date: 11/16/2009
Status: Active Grant

First Claim

Patent Images

1. A method of cryptographic material provisioning (CMP), the method comprising:

(a) generating a delegation message at a first provisioning server computer,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server computer to a second provisioning server computer with regard to subsequent provisioning of cryptographic assets to an electronic device,wherein generating the delegation message comprises at least one of;

(A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning server computer using a public key of said electronic device, wherein said association key is unknown to the first provisioning server computer, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;

(B) inserting into the delegation message a public key of the second provisioning server computer;

enabling the electronic device to locally generate said association key unknown to the first provisioning server computer;

wherein the association key is retrievable by the second provisioning server computer based on the public key of the second provisioning server computer;

(b) delivering the delegation message from the first provisioning server computer to the electronic device;

(c) at the second provisioning server, provisioning one or more cryptographic assets to the electronic device, using said association key;

wherein the method comprises, prior to performing step (a);

securely delivering from the second provisioning server computer to the first provisioning server computer, via a secure communication channel, (A) a public encryption key of the second provisioning server computer, and (B) a class-wide association key encrypted with a key that allows the association key to be decrypted by said electronic device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, device, and method of provisioning cryptographic assets to electronic devices. A delegation message is generated at a first provisioning server. The delegation message indicates provisioning rights that are delegated by the first provisioning server to a second provisioning server with regard to subsequent provisioning of cryptographic assets to an electronic device. The delegation message includes an association key unknown to the first provisioning server, encrypted using a public key of the electronic device. The delegation message further includes a public key of the second provisioning server. The electronic device locally generates the association key, which is unknown to the first provisioning server. The delegation message is delivered to the electronic device. Based on the delegation message, cryptographic assets are provisioned by the second provisioning server to the electronic device, using the association key.

47 Citations

View as Search Results

15 Claims

1. A method of cryptographic material provisioning (CMP), the method comprising:
- (a) generating a delegation message at a first provisioning server computer,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server computer to a second provisioning server computer with regard to subsequent provisioning of cryptographic assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning server computer using a public key of said electronic device, wherein said association key is unknown to the first provisioning server computer, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning server computer;
  
  enabling the electronic device to locally generate said association key unknown to the first provisioning server computer;
  
  wherein the association key is retrievable by the second provisioning server computer based on the public key of the second provisioning server computer;
  
  (b) delivering the delegation message from the first provisioning server computer to the electronic device;
  
  (c) at the second provisioning server, provisioning one or more cryptographic assets to the electronic device, using said association key;
  
  wherein the method comprises, prior to performing step (a);
  
  securely delivering from the second provisioning server computer to the first provisioning server computer, via a secure communication channel, (A) a public encryption key of the second provisioning server computer, and (B) a class-wide association key encrypted with a key that allows the association key to be decrypted by said electronic device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first provisioning server computer, by listening to all communications among the first provisioning server computer, the second provisioning server computer, the electronic device, and an authorization server computer, cannot decipher the contents of one or more cryptographic assets that are provisioned by the second provisioning server computer to the electronic device, even though said first provisioning server computer delegated to said second provisioning server computer one or more provisioning rights to subsequently provision one or more of said cryptographic assets.
  - 3. The method of claim 1, wherein the first provisioning server computer, which introduced the second provisioning server computer to the electronic device for purposes of subsequent provisioning of cryptographic assets, cannot decipher data exchanged between the second provisioning server computer and the electronic device, even though the second provisioning server computer and the electronic device did not have any shared secrets and did not have any cryptographic key data usable for secure communication between the second provisioning server computer and the electronic device prior to said introduction by said first provisioning server computer.
  - 4. The method of claim 1, comprising:
    - delegating from the first provisioning server computer to the second provisioning server computer, a right to securely send a cryptographic asset from the second provisioning server computer to the electronic device, wherein the first provisioning server computer cannot decipher any cryptographic asset that is sent from the second provisioning server computer to the electronic device.
  - 5. The method of claim 1, wherein generating the delegation message comprises:
    - inserting into the delegation message said encrypted association key, wherein the association key is to be used by the second provisioning server computer to enable subsequent execution of provisioning of a cryptographic asset to one or more electronic devices using said association key.
  - 6. The method of claim 1, wherein delivering the delegation message to the electronic device is performed via a one-pass one-way communication from the first provisioning server computer to said electronic device.
  - 7. The method of claim 1, wherein provisioning the cryptographic asset to the electronic device is performed via a one-pass one-way communication from the second provisioning server computer to said electronic device.

8. A method of cryptographic material provisioning (CMP), the method comprising:
- (a) generating a delegation message at a first provisioning server computer,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server computer to a second provisioning server computer with regard to subsequent provisioning of cryptographic assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning server computer using a public key of said electronic device, wherein said association key is unknown to the first provisioning server computer, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning server computer, enabling the electronic device to locally generate said association key unknown to the first provisioning server computer;
  
  wherein the association key is retrievable by the second provisioning server computer based on the public key of the second provisioning server computer;
  
  (b) delivering the delegation message from the first provisioning server computer to the electronic device;
  
  (c) at the second provisioning server computer, provisioning one or more cryptographic assets to the electronic device, using said association key;
  
  wherein generating the delegation message comprises;
  
  inserting into the delegation message a public key of the second provisioning server computer, to enable execution of an identification protocol for subsequent personalized provisioning of a cryptographic asset to said electronic device.

9. A method of cryptographic material provisioning (CMP), the method comprising:
- (a) generating a delegation message at a first provisioning server computer,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server computer to a second provisioning server computer with regard to subsequent provisioning of cryptographic assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning server computer using a public key of said electronic device, wherein said association key is unknown to the first provisioning server computer, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning server computer, enabling the electronic device to locally generate said association key unknown to the first provisioning server computer;
  
  wherein the association key is retrievable by the second provisioning server computer based on the public key of the second provisioning server computer;
  
  (b) delivering the delegation message from the first provisioning server computer to the electronic device;
  
  (c) at the second provisioning server computer, provisioning one or more cryptographic assets to the electronic device, using said association key;
  
  (d) provisioning from the first provisioning server computer to the electronic device, via a one-pass one-way provisioning protocol, at least;
  
  (i) the public encryption key of the second provisioning server computer,(ii) the server certificate of the second provisioning server computer, digitally signed by an authorization server computer, (iii) an indication of which cryptographic assets the second provisioning server is authorized to subsequently provision to the electronic device.

10. A method of cryptographic material provisioning (CMP), the method comprising:
- (a) generating a delegation message at a first provisioning server computer,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server computer to a second provisioning server computer with regard to subsequent provisioning of cryptographic assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning server computer using a public key of said electronic device, wherein said association key is unknown to the first provisioning server computer, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning server computer, enabling the electronic device to locally generate said association key unknown to the first provisioning server computer;
  
  wherein the association key is retrievable by the second provisioning server computer based on the public key of the second provisioning server computer;
  
  (b) delivering the delegation message from the first provisioning server computer to the electronic device;
  
  (c) at the second provisioning server computer, provisioning one or more cryptographic assets to the electronic device, using said association key;
  
  wherein generating the delegation message comprises;
  
  inserting into the delegation message one or more flags indicating to the electronic device whether the second provisioning server computer is authorized to provision;
  
  (X) only personalized cryptographic assets, or (Y) only class-wide cryptographic assets for a class of multiple electronic devices, or (Z) both personalized and class-wide cryptographic assets.

11. A method of cryptographic material provisioning (CMP), the method comprising:
- (a) generating a delegation message at a first provisioning server computer,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server computer to a second provisioning server computer with regard to subsequent provisioning of cryptographic assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning server computer using a public key of said electronic device, wherein said association key is unknown to the first provisioning server computer, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning server computer, enabling the electronic device to locally generate said association key unknown to the first provisioning server computer;
  
  wherein the association key is retrievable by the second provisioning server computer based on the public key of the second provisioning server computer;
  
  (b) delivering the delegation message from the first provisioning server computer to the electronic device;
  
  (c) at the second provisioning server computer, provisioning one or more cryptographic assets to the electronic device, using said association key;
  
  prior to provisioning a particular cryptographic asset from the second provisioning server computer to the electronic device, performing;
  
  acquiring by the second provisioning server computer an authorization ticket, from an authorization server computer, indicating that the second provisioning server computer is authorized to provision the particular cryptographic asset to said electronic device.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein said acquiring of the authorization ticket is triggered by a flag, indicating that authorization is required for each provisioning event performed by the second provisioning server computer, wherein the flag is located in a server certificate issued by said authorization server computer to the second provisioning server computer.
  - 13. The method of claim 11, wherein the acquiring comprises:
    - at the second provisioning server computer, contacting the authorization server computer to present to the authorization server computer (A) a server certificate of the second provisioning server computer, and (B) a hash of the particular cryptographic asset intended to be provisioned by the second provisioning server computer to the electronic device.
  - 14. The method of claim 13, wherein the acquiring further comprises:
    - receiving at the second provisioning server computer, from said authorization server computer, said authorization ticket which comprises a digital signature by the authorization server computer on the hash of the particular cryptographic asset intended to be provisioned by the second provisioning server computer to the electronic device;
      
      wherein said digital signature enables said electronic device to verify said particular cryptographic asset prior to storing said particular cryptographic asset.

15. A system for cryptographic material provisioning (CMP), the system comprising:
- a first provisioning server computer to generate a delegation message,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server computer to a second provisioning server computer with regard to subsequent provisioning of cryptographic assets to an electronic device,wherein the first provisioning server computer is to generate the delegation message by performing at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning server computer using a public key of said electronic device, wherein said association key is unknown to the first provisioning server computer, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning server computer;
  
  enabling the electronic device to locally generate said association key unknown to the first provisioning server computer;
  
  wherein the association key is retrievable by the second provisioning server computer based on the public key of the second provisioning server computer;
  
  wherein, subsequent to delivery of the delegation message from the first provisioning server to the electronic device, the second provisioning server computer is to provision one or more cryptographic assets to the electronic device, using said association key;
  
  wherein, prior to generation of the delegation message, the following items are securely delivered from the second provisioning server computer to the first provisioning server computer, via a secure communication channel, (A) a public encryption key of the second provisioning server computer, and (B) a class-wide association key encrypted with a key that allows the association key to be decrypted by said electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arm Limited (SoftBank Group Corp.)
Original Assignee
ARM Technologies Israel Ltd.
Inventors
Bar-El, Hagai, Klimov, Alexander, Shen, Asaf
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US14/187,275
Publication Number

US 20140195807A1
Time in Patent Office

681 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 9/083   involving central third par...

H04L 9/0877   using additional device, e....

H04L 9/088   Usage controlling of secret...

System, device, and method of provisioning cryptographic data to electronic devices

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System, device, and method of provisioning cryptographic data to electronic devices

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links