Method, system, and device of provisioning cryptographic data to electronic devices

US 9,866,376 B2
Filed: 06/11/2017
Issued: 01/09/2018
Est. Priority Date: 11/16/2009
Status: Active Grant

First Claim

Patent Images

1. A method of provisioning digital assets, the method comprising:

(a) generating a delegation message at a first provisioning apparatus,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning apparatus to a second provisioning apparatus with regard to subsequent provisioning of digital assets to an electronic device,wherein generating the delegation message comprises at least one of;

(A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning apparatus using a public key of said electronic device, wherein said association key is unknown to the first provisioning apparatus, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;

(B) inserting into the delegation message a public key of the second provisioning apparatus;

enabling the electronic device to locally generate said association key unknown to the first provisioning apparatus;

wherein the association key is retrievable by the second provisioning apparatus based on the public key of the second provisioning apparatus;

(b) delivering the delegation message from the first provisioning apparatus to the electronic device;

(c) at the second provisioning apparatus, and based on said delegation message, provisioning one or more digital assets to the electronic device, using said association key;

wherein generating the delegation message comprises;

inserting into the delegation message the public key of the second provisioning apparatus, to enable execution of an identification protocol for subsequent personalized provisioning of a digital asset to said electronic device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, device, and method of provisioning cryptographic assets to electronic devices. A delegation message is generated at a first provisioning server. The delegation message indicates provisioning rights that are delegated by the first provisioning server to a second provisioning server with regard to subsequent provisioning of cryptographic assets to an electronic device. The delegation message includes an association key unknown to the first provisioning server, encrypted using a public key of the electronic device. The delegation message further includes a public key of the second provisioning server. The electronic device locally generates the association key, which is unknown to the first provisioning server. The delegation message is delivered to the electronic device. Based on the delegation message, cryptographic assets are provisioned by the second provisioning server to the electronic device, using the association key.

60 Citations

View as Search Results

14 Claims

1. A method of provisioning digital assets, the method comprising:
- (a) generating a delegation message at a first provisioning apparatus,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning apparatus to a second provisioning apparatus with regard to subsequent provisioning of digital assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning apparatus using a public key of said electronic device, wherein said association key is unknown to the first provisioning apparatus, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning apparatus;
  
  enabling the electronic device to locally generate said association key unknown to the first provisioning apparatus;
  
  wherein the association key is retrievable by the second provisioning apparatus based on the public key of the second provisioning apparatus;
  
  (b) delivering the delegation message from the first provisioning apparatus to the electronic device;
  
  (c) at the second provisioning apparatus, and based on said delegation message, provisioning one or more digital assets to the electronic device, using said association key;
  
  wherein generating the delegation message comprises;
  
  inserting into the delegation message the public key of the second provisioning apparatus, to enable execution of an identification protocol for subsequent personalized provisioning of a digital asset to said electronic device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first provisioning apparatus, by listening to all communications among the first provisioning apparatus, the second provisioning apparatus, the electronic device, and an authorization apparatus, cannot decipher the contents of one or more digital assets that are provisioned by the second provisioning apparatus to the electronic device, even though said first provisioning apparatus delegated to said second provisioning apparatus one or more provisioning rights to subsequently provision one or more of said digital assets.
  - 3. The method of claim 1, wherein the first provisioning apparatus, which introduced the second provisioning apparatus to the electronic device for purposes of subsequent provisioning of digital assets, cannot decipher data exchanged between the second provisioning apparatus and the electronic device, even though the second provisioning apparatus and the electronic device did not have any shared secrets and did not have any cryptographic key data usable for secure communication between the second provisioning apparatus and the electronic device prior to said introduction by said first provisioning apparatus.
  - 4. The method of claim 1, comprising:
    - delegating from the first provisioning apparatus to the second provisioning apparatus, a right to securely send a cryptographic asset from the second provisioning apparatus to the electronic device, wherein the first provisioning cannot decipher any cryptographic asset that is sent from the second provisioning apparatus to the electronic device.
  - 5. The method of claim 1, wherein generating the delegation message comprises:
    - inserting into the delegation message an association key to be used with the second provisioning apparatus, to enable subsequent execution of provisioning of a digital asset to one or more electronic devices using said association key.
  - 6. The method of claim 1, wherein delivering the delegation message to the electronic device is performed via a one-pass one-way communication from the first provisioning apparatus to said electronic device.
  - 7. The method of claim 1, comprising, prior to performing step (a):
    - securely delivering from the second provisioning apparatus to the first provisioning apparatus, via a secure communication channel, (A) a public encryption key of the second provisioning apparatus, and (B) a class-wide association key encrypted with a key that allows the association key to be decrypted by said electronic device.
  - 8. The method of claim 1, comprising:
    - provisioning from the first provisioning apparatus to the electronic device, via a one-pass one-way provisioning protocol, at least;
      
      (i) the public encryption key of the second provisioning apparatus,(ii) the server certificate of the second provisioning apparatus, digitally signed by an authorization apparatus;
      
      (iii) an indication of which digital assets the second provisioning apparatus is authorized to subsequently provision to the electronic device.
  - 9. The method of claim 1, wherein provisioning the cryptographic asset to the electronic device is performed via a one-pass one-way communication from the second provisioning apparatus to said electronic device.

10. A method of provisioning digital assets, the method comprising:
- (a) generating a delegation message at a first provisioning apparatus,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning apparatus to a second provisioning apparatus with regard to subsequent provisioning of digital assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning apparatus using a public key of said electronic device, wherein said association key is unknown to the first provisioning apparatus, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning apparatus;
  
  enabling the electronic device to locally generate said association key unknown to the first provisioning apparatus;
  
  wherein the association key is retrievable by the second provisioning apparatus based on the public key of the second provisioning apparatus;
  
  (b) delivering the delegation message from the first provisioning apparatus to the electronic device;
  
  (c) at the second provisioning apparatus, and based on said delegation message, provisioning one or more digital assets to the electronic device, using said association key;
  
  wherein generating the delegation message comprises;
  
  inserting into the delegation message one or more flags indicating to the electronic device whether the second provisioning apparatus is authorized to provision;
  
  (X) only personalized digital assets, or (Y) only class-wide digital assets for a class of multiple electronic devices, or (Z) both personalized and class-wide digital assets.

11. A method of provisioning digital assets, the method comprising:
- (a) generating a delegation message at a first provisioning apparatus,wherein the delegation message indicates provisioning rights that are delegated by the first provisioning apparatus to a second provisioning apparatus with regard to subsequent provisioning of digital assets to an electronic device,wherein generating the delegation message comprises at least one of;
  
  (A) inserting into the delegation message an encrypted association key that was encrypted by the second provisioning apparatus using a public key of said electronic device, wherein said association key is unknown to the first provisioning apparatus, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device;
  
  (B) inserting into the delegation message a public key of the second provisioning apparatus;
  
  enabling the electronic device to locally generate said association key unknown to the first provisioning apparatus;
  
  wherein the association key is retrievable by the second provisioning apparatus based on the public key of the second provisioning apparatus;
  
  (b) delivering the delegation message from the first provisioning apparatus to the electronic device;
  
  (c) at the second provisioning apparatus, and based on said delegation message, provisioning one or more digital assets to the electronic device, using said association key;
  
  wherein the method comprises;
  
  prior to provisioning a particular digital asset from the second provisioning apparatus to the electronic device, performing;
  
  acquiring by the second provisioning apparatus an authorization ticket, from an authorization apparatus, indicating that the second provisioning apparatus is authorized to provision the particular digital asset to said electronic device.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein said acquiring of the authorization ticket is triggered by a flag, indicating that authorization is required for each provisioning event performed by the second provisioning apparatus, wherein the flag is located in a server certificate issued by said authorization apparatus to the second provisioning apparatus.
  - 13. The method of claim 11, wherein the acquiring comprises:
    - at the second provisioning apparatus, contacting the authorization apparatus to present to the authorization apparatus (A) a server certificate of the second provisioning apparatus, and (B) a hash of the particular digital asset intended to be provisioned by the second provisioning apparatus to the electronic device.
  - 14. The method of claim 13, wherein the acquiring further comprises:
    - receiving at the second provisioning apparatus, from said authorization apparatus, said authorization ticket which comprises a digital signature by the authorization apparatus on the hash of the particular digital asset intended to be provisioned by the second provisioning apparatus to the electronic device;
      
      wherein said digital signature enables said electronic device to verify by the electronic device prior to storing said particular digital asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arm Limited (SoftBank Group Corp.)
Original Assignee
Arm Limited (SoftBank Group Corp.)
Inventors
Bar-El, Hagai, Klimov, Alexander, Shen, Asaf
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US15/619,488
Publication Number

US 20170272240A1
Time in Patent Office

212 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 9/083   involving central third par...

H04L 9/0877   using additional device, e....

H04L 9/088   Usage controlling of secret...

Method, system, and device of provisioning cryptographic data to electronic devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system, and device of provisioning cryptographic data to electronic devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links