Networked device branding for secure interaction in trust webs on open networks

US 7,500,104 B2
Filed: 06/15/2001
Issued: 03/03/2009
Est. Priority Date: 06/15/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A branding process to establish cryptographically secured interaction among networked computing devices within a trust group, the trust group comprising a group of devices, on an open multi-access network, comprising:

securely networking a security-uninitialized device with a branding device via a secured network medium;

generating a branding certificate at the branding device, the branding certificate instructing that the security-uninitialized device trust the branding device, the branding certificate further containing key data for verifying certificates provided by other devices on the open multi-access network to the security-uninitialized device are authenticated by the branding device;

transmitting the branding certificate from the branding device to the security-uninitialized device via the secured network medium;

generating a trust group membership certificate at the branding device which is signed by the branding device, the trust group membership certificate containing a signed group name as well as a signed key identifying the security-uninitialized device such that, when the security-uninitialized device sends the trust group certificate to a branded device which is a member of the trust group, the trust group certificate is validated by the branded device, and the branded device verifies that the security-uninitialized device identified in the trust group membership certificate is a member of the trust group of devices referred to by the group name;

transmitting the trust group membership certificate from the branding device to the security-uninitialized device via the secured network medium; and

initializing a security resolver of the security-uninitialized device to use the key data of the branding certificate to authenticate other devices interacting with the security-uninitialized device on the open multi-access network are in the trust group, and to provide the trust group membership certificate to such other devices as authentication that the security-uninitialized device is a member of the trust group, such that at least some interaction via the open multi-access network with the security-uninitialized device is cryptographically secured to only other devices in the trust group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A branding process provides a networked computing device with initial set up information, including a name, a public/private key pair, and a set of certificates the device will need to inter-operate with other devices in the trust group. A branding device conveys the initial set-up information to the networked computing device via a limited access network interface, or alternatively via a broadcast network media with the device enclosed in a wave guide and/or Faraday cage. The networked computing device can then use the set up information to verify that other devices on the network that seek to interact with the device are also members of the trust group, with which networked computing device can interact.

Citations

19 Claims

1. A branding process to establish cryptographically secured interaction among networked computing devices within a trust group, the trust group comprising a group of devices, on an open multi-access network, comprising:
- securely networking a security-uninitialized device with a branding device via a secured network medium;
  
  generating a branding certificate at the branding device, the branding certificate instructing that the security-uninitialized device trust the branding device, the branding certificate further containing key data for verifying certificates provided by other devices on the open multi-access network to the security-uninitialized device are authenticated by the branding device;
  
  transmitting the branding certificate from the branding device to the security-uninitialized device via the secured network medium;
  
  generating a trust group membership certificate at the branding device which is signed by the branding device, the trust group membership certificate containing a signed group name as well as a signed key identifying the security-uninitialized device such that, when the security-uninitialized device sends the trust group certificate to a branded device which is a member of the trust group, the trust group certificate is validated by the branded device, and the branded device verifies that the security-uninitialized device identified in the trust group membership certificate is a member of the trust group of devices referred to by the group name;
  
  transmitting the trust group membership certificate from the branding device to the security-uninitialized device via the secured network medium; and
  
  initializing a security resolver of the security-uninitialized device to use the key data of the branding certificate to authenticate other devices interacting with the security-uninitialized device on the open multi-access network are in the trust group, and to provide the trust group membership certificate to such other devices as authentication that the security-uninitialized device is a member of the trust group, such that at least some interaction via the open multi-access network with the security-uninitialized device is cryptographically secured to only other devices in the trust group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The branding process of claim 1 wherein securely networking the security-uninitialized and branding devices comprises networking the devices via a limited access network interface of the security-uninitialized device that is separate from the security-uninitialized device'"'"'s interface to the open multi-access network.
  - 3. The branding process of claim 2 wherein the limited access network interface is of a direct device-to-device wired networking medium.
  - 4. The branding process of claim 2 wherein the limited access network interface is of a directional wireless networking medium.
  - 5. The branding process of claim 1 wherein securely networking the security-uninitialized and branding devices comprises:
    - placing transmitter/receivers of the security-uninitialized and branding devices for an omni-directional wireless networking medium into a wave guide and/or Faraday cage; and
      
      networking the devices with the wave guide and/or Faraday cage via the omni-directional wireless networking medium.
  - 6. The branding process of claim 1 further comprising:
    - transmitting a principal identifier from the branding device to the security-uninitialized device, the principal identifier providing a cryptographically secured identity to the security-uninitialized device, the principal identifier containing a public/private key pair; and
      
      using the public/private key pair to encrypt interaction of the security-uninitialized device with said other devices authenticated to be in the trust group.
  - 7. The branding process of claim 6 wherein the principal identifier further contains a name for the security-uninitialized device, the process further comprising identifying the security-uninitialized device to human operators using the name.
  - 8. The branding process of claim 7 further comprising prompting a human user of the branding device to enter the name upon performing the branding process on the security-uninitialized device.
  - 9. The branding process of claim 1 further comprising initially distributing the security-uninitialized device in a retail channel prior to having the branding process performed on the security-uninitialized device.
  - 10. The branding process of claim 9 further comprising upon completion of initializing the security resolver, disallowing the security-uninitialized device from having the branding process again performed on the security-uninitialized device until the now initialized security of the security-unitialized device is reset.
  - 11. The branding process of claim 9 further comprising upon completion of initializing the security resolver, allowing the branding process to be performed only via a limited access network interface of the security-uninitialized device.

12. A networked computing device supporting branding to establish cryptographically secured interaction with other devices within a trust group of devices on an open-access network, the networked computing device comprising:
- a network interface for communicating on the open-access network;
  
  a security initializer operational to receive a branding certificate from a branding device securely networked to the networked computing device, the branding device having previously generated the branding certificate and trust group membership certificates, the security initializer further operational to initialize security resolvers with the branding certificate, wherein the branding certificate comprises branding key data for verifying certificates provided by other devices within the trust group on the open-access network; and
  
  a security resolver operational, after being initialized with the branding public key to authenticate trust group membership certificates separate from the branding certificate provided to the networked computing device from other devices via the network interface using the branding key data and to verify that the other devices providing trust group membership certificates are members of the trust group of devices, and further operational to inhibit interaction via the network interface with other devices not authenticated as in the trust group of devices, the security resolver being initially uninitialized;
  
  wherein each trust group membership certificate received after the security resolver is initialized is sent by an other device and each trust group membership certificates comprises;
  
  a signed name for a trust group; and
  
  a signed identifier for the other device sending the trust group membership certificate.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The networked computing device of claim 12 further comprising:
    - a limited access networking interface; and
      
      wherein the security initializer further is operational to accept the branding public key when received from the branding device only via the limited access networking interface.
  - 14. The networked computing device of claim 12 wherein:
    - the security initializer further is operational to accept the branding public key when received from the branding device via the network interface when in an initial unbranded state; and
      
      the device further comprises a branding reset operational upon activation to return the security initializer to the initial unbranded state.
  - 15. The networked computing device of claim 12 further comprising:
    - a branding mode activator operational to place the networked computing device in a branding mode; and
      
      wherein the security initializer further operational to accept the branding public key when received from the branding device via the network interface when in the branding mode.
  - 16. The networked computing device of claim 12 wherein:
    - the security resolver is further operational when initialized with a trust group membership certificate to provide the trust group membership certificate to other devices via the network interface to attest to membership of the networked computing in the trust group; and
      
      the security initializer is further operational to receive the trust group membership certificate from the branding device while securely networked to the networked computing device, and further operational to initialize the security resolver with the trust group membership certificate.
  - 17. The networked computing device of claim 12 wherein:
    - the security resolver is further operational when initialized with a public/private key pair to encrypt interaction via the network interface with other devices authenticated as in the trust group using the public/private key pair; and
      
      the security initializer is further operational to receive the public/private key pair from the branding device while securely networked to the networked computing device, and further operational to initialize the security resolver with the public/private key pair.
  - 18. The networked computing device of claim 12, wherein:
    - the security resolver is configured to authenticate trust group membership certificates by;
      
      authenticating, from the trust group membership certificate, the signed name for the trust group and the signed identifier for the other device sending the trust group membership certificate using the branding public key; and
      
      when the signed name for a trust group matches the trust group, verifying that the other device sending the trust group membership certificate is a member of the trust group.

19. One or more computer-readable storage media containing instructions which, when executed on a computer, cause the computer to perform a branding process to establish cryptographically secured interaction among networked computing devices within a trust group, the trust group comprising a group of devices, on an open multi-access network, the branding process comprising:
- securely networking a security-uninitialized device with a branding device via a secured network medium;
  
  generating a branding certificate at the branding device, the branding certificate instructing that the security-uninitialized device trust the branding device, the branding certificate further containing key data for verifying certificates provided by other devices on the open multi-access network to the security-uninitialized device are authenticated by the branding device;
  
  transmitting the branding certificate from the branding device to the security-uninitialized device via the secured network medium;
  
  generating a trust group membership certificate at the branding device which is signed by the branding device, the trust group membership certificate containing a signed group name as well as a signed key identifying the security-uninitialized device such that, when the security-uninitialized device sends the trust group certificate to a branded device which is a member of the trust group, the trust group certificate is validated by the branded device, and the branded device verifies that the security-uninitialized device identified in the trust group membership certificate is a member of the trust group of devices referred to by the group name;
  
  transmitting the trust group membership certificate from the branding device to the security-uninitialized device via the secured network medium; and
  
  initializing a security resolver of the security-uninitialized device to use the key data of the branding certificate to authenticate other devices interacting with the security-uninitialized device on the open multi-access network are in the trust group, and to provide the trust group membership certificate to such other devices as authentication that the security-uninitialized device is a member of the trust group, such that at least some interaction via the open multi-access network with the security-uninitialized device is cryptographically secured to only other devices in the trust group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Goland, Yaron
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US09/882,491
Publication Number

US 20030056114A1
Time in Patent Office

2,818 Days
Field of Search

713/151, 713/171, 713/168, 713/170, 713/156, 713/175, 726/27, 726 2- 5, 726/10, 380277-278
US Class Current

713/175
CPC Class Codes

H04L 2209/68   Special signature format, e...

H04L 2209/80   Wireless network architectu...

H04L 2463/102   applying security measure f...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 9/3263   involving certificates, e.g...

Networked device branding for secure interaction in trust webs on open networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Networked device branding for secure interaction in trust webs on open networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links