ONLINE SECURE DEVICE PROVISIONING WITH UPDATED OFFLINE IDENTITY DATA GENERATION AND OFFLINE DEVICE BINDING

US 20110258434A1
Filed: 04/15/2011
Published: 10/20/2011
Est. Priority Date: 04/15/2010
Status: Abandoned Application

First Claim

Patent Images

1. A system for generating new identity data for network-enabled devices, comprising:

a whitelist reader configured to extract attributes from a whitelist that includes, for each device specified in the whitelist, a previously assigned identifier of the first type, wherein the previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices;

a data retrieval module configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto;

a new data generation module configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type and (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key; and

a data output module configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for generating new identity data for network-enabled devices includes a whitelist reader configured to extract attributes from a whitelist. The whitelist includes, for each device specified in the whitelist, a previously assigned identifier of the first type. The previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices. A data retrieval module is configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto. A new data generation module is configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type, (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key. A data output module is configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type.

38 Citations

View as Search Results

20 Claims

1. A system for generating new identity data for network-enabled devices, comprising:
- a whitelist reader configured to extract attributes from a whitelist that includes, for each device specified in the whitelist, a previously assigned identifier of the first type, wherein the previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices;
  
  a data retrieval module configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto;
  
  a new data generation module configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type and (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key; and
  
  a data output module configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 wherein the previously provisioned identity data records are encrypted and further comprising a key decryption module for decrypting the previously provisioned identity data records prior to receipt of the cryptographic key by the new data generation module.
  - 3. The system of claim 1 further comprising a validation module for validating at least a subset of the decrypted previously provisioned identity data records to ensure their accuracy.
  - 4. The system of claim 1 further comprising a first database configured to store (i) the attributes extracted by the whitelist reader from the whitelist and (ii) the cryptographic key and wherein the new data generation module is further configured to receive the cryptographic key from the first database.
  - 5. The system of claim 4 wherein the first database is further configured to store the encrypted new identity data records.
  - 6. The system of claim 1 wherein the new identifiers are identifiers previously provisioned in the devices at a manufacturing facility.
  - 7. The system of claim 1 wherein the new identity data records include a digital certificate and the new data generation module is further configured to embed the new identifier in the digital certificate of the respective new identity data record.
  - 8. The system of claim 1 wherein the new data generation module is further configured to obtain an asymmetric key that serves as the cryptographic key and retrieve the asymmetric key from a digital certificate associated with the identity data record previously provisioned in the devices specified on the whitelist.

9. A method for generating new identity data for network-enabled devices, comprising:
- receiving a whitelist that specifies a plurality of network-enabled devices to be provisioned with new identity data wherein, for each device, the whitelist includes a previously assigned identifier of the first type, wherein the previously assigned identifiers of the first type are linked to identity data records previously provisioned in each of the respective devices;
  
  extracting the identifiers of the first type from the whitelist and, based on each of the identifiers, retrieving each of the previously provisioned identity data records linked thereto;
  
  obtaining a cryptographic key associated with the identity data records previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type;
  
  generating new identity data records each linked to a new identifier;
  
  encrypting each of the new identity records with one of the cryptographic keys and linking each new identity record to the previously assigned identifier of the first type corresponding to each respective cryptographic key; and
  
  providing an output that includes, for each of the devices specified on the whitelist, the encrypted new identity records along with their respective new identifiers and their respective previously assigned identifiers of the first type.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9 wherein the cryptographic key is an asymmetric key and obtaining the cryptographic key includes retrieving the asymmetric key from a digital certificate associated with the identity data record previously provisioned in the devices specified on the whitelist.
  - 11. The method of claim 9 wherein the whitelist that is received includes authorization to provision the plurality of network-enabled devices with the new identity data.

12. A method for updating network-enabled devices with new identity data, comprising:
- receiving a request for new identity data from a plurality of network-enabled devices, said request including a previous identifier linked to previous identity data previously provisioned in the network-enabled devices;
  
  receiving a plurality of new identity records that each include new identity data and new identifiers respectively linked to the new identity data, and a previous identifier linked to previous identity data previously provisioned in network-enabled devices authorized to receive new identity data;
  
  determining that each of the plurality of network-enabled devices specified in the request for new identity data are authorized to receive new identity data;
  
  retrieving a first of the new identity records that includes a first previous identifier of a first of the network-enabled devices; and
  
  sending the new identity data included in the first new identity record to the network-enabled device identified by the first previous identifier.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12 wherein at least a portion of the new identity data send to a particular device is encrypted with a cryptographic key associated with the previous identity data of the particular device.
  - 14. The method of claim 12 further comprising validating the request by at least verifying a signature of the request.
  - 15. The method of claim 12 wherein determining that each of the plurality of network-enabled devices specified in the request for new identity data are authorized to receive the new identity data includes confirming that the previous identifier included in the request is also included in the new identity records that have been received.
  - 16. The method of claim 12 wherein, if determining that each of the plurality of network-enabled devices specified in the request for new identity data are authorized to receive the new identity data fails, sending a message requesting any information missing from the new identity records.
  - 17. The method of claim 12 further comprising determining that a number of requests for new identity data is not received from a given network-enabled devices more than a maximum allowed number of times.

18. A server, comprising:
- a session manager configured to receive requests for new identity data from network-enabled devices, each of said requests including a previously assigned identifier identifying the respective network-enabled device sending the request, the previously assigned identifier being linked to identity data records previously provisioned in the respective network-enabled device;
  
  an authorization module configured to determine if the network-enabled devices specified on the whitelist are authorized to be provisioned with new identity data;
  
  a database configured to receive new identity records generated by an identity data generation system, wherein the new identity records include pairing information associating one of the previously assigned identifiers with a new identifier of one of the new identity records; and
  
  a protocol handler configured to deliver a data response message to each of the network-enabled devices requesting new identity data, each of the data response messages including a new identity record that is selected based at least in part on the previously assigned identifier of the network-enabled device to which the data response message is sent.
- View Dependent Claims (19, 20)
- - 19. The server of claim 18, further comprising a configuration manager for receiving user input specifying a maximum number of repeat requests that are allowed from a particular network-enabled device.
  - 20. The server of claim 18, wherein the authorization module is configured to determine if the network-enabled devices specified on the whitelist are authorized to be provisioned with new identity data by determining if pairing information included in the request is also in the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
General Instrument Corporation (CommScope Holding Company, Inc.)
Inventors
Nakanishi, Greg N., Medvinsky, Alexander, Moskovics, Stuart P., Yao, Ting, Qiu, Xin, Pasion, Jason A., Wang, Fan

Application Number

US13/087,972
Publication Number

US 20110258434A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/006   involving public key infras...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0866   involving user or device id...

H04L 9/0891   Revocation or update of sec...

ONLINE SECURE DEVICE PROVISIONING WITH UPDATED OFFLINE IDENTITY DATA GENERATION AND OFFLINE DEVICE BINDING

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ONLINE SECURE DEVICE PROVISIONING WITH UPDATED OFFLINE IDENTITY DATA GENERATION AND OFFLINE DEVICE BINDING

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links