Digital identity and authorization for machines with replaceable parts

US 9,830,603 B2
Filed: 03/20/2015
Issued: 11/28/2017
Est. Priority Date: 03/20/2015
Status: Active Grant

First Claim

Patent Images

1. A machine comprising:

a plurality of slots each configured to receive a component of a machine, each slot representing a particular role to be performed by the component for that corresponding slot;

a plurality of components each corresponding to one of the plurality of slots, and each component representing an instance of a device that fills the particular role represented by the corresponding slot at which the component is installed, and wherein each component is configured to communicate or be communicated for, on behalf of each component'"'"'s corresponding slot or the machine, to an external system or set of systems; and

wherein a different derived key is used to verify communication by or for each component with the external system;

wherein irrespective of whether a component is an original component or a replacement component, each derived key for any given component is i) derived from a discriminator so as to be unique to the instance of the device of the given component that fills the particular role represented by the corresponding slot at which the given component is installed, and is ii) derived from a machine proof for the machine and information identifying the corresponding slot in which the given component is installed; and

wherein the discriminator of each derived key comprises at least one of the following;

an iteration based discriminator based on a total number of derived keys that have been generated for a given slot; and

an iteration based discriminator based on a total number of components that have installed in a given slot.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A machine includes a number of slots. Each of the slots is configured to receive one or more components for implementing some functionality role of the slot in the machine. The machine further includes one or more replaceable components in each of the slots. The components are configured to communicate (or be communicated for) on behalf of a slot or the machine, to an external system(s). The external system(s) implement rules to perform authorization or other operations based on the role of the slot in the context of the machine. A different derived key is used to communicate by or for each component with the external system. Each derived key for a component is derived from a machine proof for the machine and information identifying the slot in which the component is installed.

105 Citations

16 Claims

1. A machine comprising:
- a plurality of slots each configured to receive a component of a machine, each slot representing a particular role to be performed by the component for that corresponding slot;
  
  a plurality of components each corresponding to one of the plurality of slots, and each component representing an instance of a device that fills the particular role represented by the corresponding slot at which the component is installed, and wherein each component is configured to communicate or be communicated for, on behalf of each component'"'"'s corresponding slot or the machine, to an external system or set of systems; and
  
  wherein a different derived key is used to verify communication by or for each component with the external system;
  
  wherein irrespective of whether a component is an original component or a replacement component, each derived key for any given component is i) derived from a discriminator so as to be unique to the instance of the device of the given component that fills the particular role represented by the corresponding slot at which the given component is installed, and is ii) derived from a machine proof for the machine and information identifying the corresponding slot in which the given component is installed; and
  
  wherein the discriminator of each derived key comprises at least one of the following;
  
  an iteration based discriminator based on a total number of derived keys that have been generated for a given slot; and
  
  an iteration based discriminator based on a total number of components that have installed in a given slot.
- View Dependent Claims (2)
- - 2. The machine of claim 1, wherein each derived key for a component is derived by the external system or set of systems and provided to the component or the machine without revealing the machine proof to the component or the machine.

3. A computer-implemented method of verifying a component by verifying a machine in which the component is implemented and the role of the component within the machine in order to maintain the machine'"'"'s existence identity even in the face of changing components, the computer-implemented method comprising:
- receiving a request from a machine for a component to perform a given function;
  
  generating a key for the component derived from i) a discriminator so as to be unique to an instance of the component for a particular role performed by the component for the machine, and ii) a machine proof for the machine and information identifying a corresponding slot in which the component is installed at the machine, and wherein the discriminator comprises at least one of the following;
  
  an iteration based discriminator based on a total number of derived keys that have been generated for a given slot; and
  
  an iteration based discriminator based on a total number of components that have installed in a given slot;
  
  receiving a key for the component in conjunction with the request;
  
  authenticating the key to the machine at which the component is installed;
  
  authenticating the key to the particular role of the component;
  
  generating a token signed with key;
  
  based on authenticating either the signed token or key to the machine and authenticating the either the token or key to the particular role of the component within the machine, verifying the machine and the particular role, but not the specific component for the role; and
  
  based on the verification, authorizing the component to perform the given function.
- View Dependent Claims (4, 5, 6, 7, 8)
- - 4. The computer-implemented method of claim 3, wherein the computer-implemented method is performed by an external authority.
  - 5. The computer-implemented method of claim 3, wherein the computer-implemented method is performed by a component within the machine.
  - 6. The method of claim 3, wherein the generated key is a role key.
  - 7. The method of claim 6, wherein the machine proof is based on machine key.
  - 8. The method of claim 3, further comprising;
    - maintaining of blacklist of tokens or keys that are not authorized to be used in the context of any roles in the machine; and
      
      determining whether either the token or key are on the blacklist prior to authentication either the token or key.

9. A system comprising:
- a key vault that stores cryptographic machine keys for one or more machines;
  
  one or more processors; and
  
  one or more computer-readable media, wherein the one or more computer-readable media comprise computer-executable instructions that when executed by at least one of the one or more processors cause at least one of the one or more processors to perform a computer-implemented method for verifying a component by verifying the machine in which the component is implemented and the role of the component within the machine, and wherein the computer-implemented method comprises;
  
  receiving a request from a given machine for a component to perform some function;
  
  receiving a token or a key for the component in conjunction with the request, wherein the token or key for the component is based on the machine key stored for the given machine in the key vault;
  
  receiving information identifying the given machine;
  
  receiving information identifying a particular role of the component in the given machine;
  
  authenticating the token or key to the given machine in which the component is installed by using the machine key stored for the given machine in the key vault;
  
  authenticating the token or key to the particular role of the component within the given machine;
  
  based on both authenticating the token or key to the given machine and authenticating the token or key to the particular role of the component within the given machine, authorizing the function by verifying the given machine and the particular role, but not the component for the particular role;
  
  generating at a role key computation module a role key for the component installed in the given machine from the machine key stored in the key vault for the given machine; and
  
  from a role key distribution module providing the role key to one or more components of the given machine.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the token or role key is derived from the machine key for the given machine.
  - 11. The system of claim 9, wherein the token is signed by the machine key for the given machine.
  - 12. The system of claim 9, wherein the token is a time based token with an expiration.
  - 13. The system of claim 9, further comprising a blacklist of tokens or role keys that are not authorized to be used in the context of any roles in the given machine.
  - 14. The system of claim 9, wherein the discriminator is a time based discriminator having a time based expiration.
  - 15. The system of claim 9, wherein the discriminator is an iteration based discriminator based on a total number of role keys that have been generated for the particular role.
  - 16. The system of claim 9, wherein the discriminator is an iteration based discriminator based on a total number of components that have been installed for the particular role at the given machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Vasters, Clemens Friedrich
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/663,699
Publication Number

US 20160275525A1
Time in Patent Office

984 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06Q 10/20   Administration of product r...

G06Q 30/018   Certifying business or prod...

H04L 63/06   for supporting key manageme...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

Digital identity and authorization for machines with replaceable parts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

105 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Digital identity and authorization for machines with replaceable parts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links