"System, Device, and Method of Provisioning Cryptographic Data to Electronic Devices" in Patent Application Approval Process

July 29, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- A patent application by the inventors BAR-EL, Hagai (Rehovot, IL); KLIMOV, Alexander (Hadera, IL); SHEN, Asaf (Palo Alto, CA), filed on February 23, 2014, was made available online on July 17, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application has not been assigned to a company or institution.

The following quote was obtained by the news editors from the background information supplied by the inventors: "Key Provisioning is a problem common to many cryptographic modules. Whenever a cryptographic device is designed to perform operations using internally-stored key material, this key material needs to be available to the cryptographic device.

"For most key material, provisioning may be performed by means defined at the application level. Most applications may support methods to securely communicate keys to the participants of their security protocols. Provisioning methods specified by applications may usually rely on pre-existing key material, which may be used to secure a subsequent provisioning process. Other applications may perform provisioning without pre-existing key material, for example, if their threat models allow that."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "The present invention may comprise, for example, systems, devices, and methods of provisioning cryptographic materials, or any other data or data items, to one or more electronic devices. The provisioned cryptographic materials may comprise, for example, security key materials, encryption keys, decryption keys, public keys, private keys, passwords, pass-phrases, Personal Identification Number (PIN), or other data intended to be securely provisioned.

"For example, a method of cryptographic material provisioning (CMP) may comprise: (a) generating a delegation message at a first provisioning server, wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server to a second provisioning server with regard to subsequent provisioning of cryptographic assets to an electronic device, wherein generating the delegation message comprises at least one of: (A) inserting into the delegation message an association key unknown to the first provisioning server, encrypted using a public key of said electronic device, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device; (B) inserting into the delegation message a public key of the second provisioning server; enabling the electronic device to locally generate said association key unknown to the first provisioning server; wherein the association key is retrievable by the second provisioning server based on the public key of the second provisioning server; (b) delivering the delegation message from the first provisioning server to the electronic device; at the second provisioning server, and based on said delegation message, provisioning one or more cryptographic assets to the electronic device, using said association key.

"In some embodiments, the first provisioning server, by listening to all communications among the first provisioning server, the second provisioning server, the electronic device, and an authorization server, cannot decipher the contents of one or more cryptographic assets that are provisioned by the second provisioning server to the electronic device, even though said first provisioning server delegated to said second provisioning server one or more provisioning rights to subsequently provision one or more of said cryptographic assets.

"In some embodiments, the first provisioning server, which introduced the second provisioning server to the electronic device for purposes of subsequent provisioning of cryptographic assets, cannot decipher data exchanged between the second provisioning server and the electronic device, even though the second provisioning server and the electronic device did not have any shared secrets and did not have any cryptographic key data usable for secure communication between the second provisioning server and the electronic device prior to said introduction by said first provisioning server.

"In some embodiments, the method may comprise: delegating from the first provisioning server to the second provisioning server, a right to securely send a cryptographic asset from the second provisioning server to the electronic device, wherein the first provisioning server cannot decipher any cryptographic asset that is sent from the second provisioning server to the electronic device.

"In some embodiments, generating the delegation message comprises: inserting into the delegation message a public key of the second provisioning server, to enable execution of an identification protocol for subsequent personalized provisioning of a cryptographic asset to said electronic device.

"In some embodiments, generating the delegation message comprises: inserting into the delegation message an association key to be used with the second provisioning server, to enable subsequent execution of provisioning of a cryptographic asset to one or more electronic devices using said association key.

"In some embodiments, delivering the delegation message to the electronic device is performed via a one-pass one-way communication from the first provisioning server to said electronic device.

"In some embodiments, the method may comprise, prior to performing step (a): securely delivering from the second provisioning server to the first provisioning server, via a secure communication channel, (A) a public encryption key of the second provisioning server, and (B) a class-wide association key encrypted with a key that allows the association key to be decrypted by said electronic device.

"In some embodiments, the method may comprise: provisioning from the first provisioning server to the electronic device, via a one-pass one-way provisioning protocol, at least: (i) the public encryption key of the second provisioning server, (ii) the server certificate of the second provisioning server, digitally signed by an authorization server; (iii) an indication of which cryptographic assets the second provisioning server is authorized to subsequently provision to the electronic device.

"In some embodiments, generating the delegation message comprises: inserting into the delegation message one or more flags indicating to the electronic device whether the second provisioning server is authorized to provision: (X) only personalized cryptographic assets, or (Y) only class-wide cryptographic assets for a class of multiple electronic devices, or (Z) both personalized and class-wide cryptographic assets.

"In some embodiments, the method may comprise: prior to provisioning a particular cryptographic asset from the second provisioning server to the electronic device, performing: acquiring by the second provisioning server an authorization ticket, from an authorization server, indicating that the second provisioning server is authorized to provision the particular cryptographic asset to said electronic device.

"In some embodiments, said acquiring of the authorization ticket is triggered by a flag, indicating that authorization is required for each provisioning event performed by the second provisioning server, the flag located in a server certificate issued by said authorization server to the second provisioning server.

"In some embodiments, the acquiring comprises: at the second provisioning server, contacting the authorization server to present to the authorization server (A) a server certificate of the second provisioning server, and (B) a hash of the particular cryptographic asset intended to be provisioned by the second provisioning server to the electronic device.

"In some embodiments, the acquiring further comprises: receiving at the second provisioning server, from said authorization server, said authorization ticket which comprises a digital signature by the authorization server on the hash of the particular cryptographic asset intended to be provisioned by the second provisioning server to the electronic device; wherein said digital signature enables said electronic device to verify by the electronic device prior to storing said particular cryptographic asset.

"In some embodiments, provisioning the cryptographic asset to the electronic device is performed via a one-pass one-way communication from the second provisioning server to said electronic device.

"In some embodiments, a device or apparatus or system for cryptographic material provisioning (CMP) may comprise: a first provisioning server to generate a delegation message, wherein the delegation message indicates provisioning rights that are delegated by the first provisioning server to a second provisioning server with regard to subsequent provisioning of cryptographic assets to an electronic device, wherein the first provisioning server is to generate the delegation message by performing at least one of: (A) inserting into the delegation message an association key unknown to the first provisioning server, encrypted using a public key of said electronic device, wherein said public key of said electronic device is usable to encrypt data for subsequent decrypting by said electronic device using said private encryption key of said electronic device; (B) inserting into the delegation message a public key of the second provisioning server; enabling the electronic device to locally generate said association key unknown to the first provisioning server; wherein the association key is retrievable by the second provisioning server based on the public key of the second provisioning server; wherein the first provisioning server is to cause delivery of the delegation message from the first provisioning server to the electronic device; wherein the second provisioning server is to provision, and based on said delegation message, one or more cryptographic assets to the electronic device, using said association key.

"The present invention may provide other and/or additional benefits or advantages.

BRIEF DESCRIPTION OF THE DRAWINGS

"For simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity of presentation. Furthermore, reference numerals may be repeated among the figures to indicate corresponding or analogous elements. The figures are listed below.

"FIG. 1 is a schematic block diagram illustration of a provisioning message preamble generator, which may be used by a target device root owner, in accordance with some demonstrative embodiments of the present invention;

"FIG. 2 is a schematic block diagram illustration of a provisioning message generator, which may be used by a first delegate, in accordance with some demonstrative embodiments of the present invention;

"FIG. 3 is a schematic block diagram illustration of a provisioning message preamble generator, which may be used by a first delegate to generate a message second portion for a preamble useable by a second delegate, in accordance with some demonstrative embodiments of the present invention;

"FIG. 4 is a schematic block diagram illustration of a provisioning message generator, which may be used by a second delegate, in accordance with some demonstrative embodiments of the present invention;

"FIG. 5 is a schematic block diagram illustration of a target device comprising a cryptographic material provisioning module able to receive a provisioning message, in accordance with some demonstrative embodiments of the present invention;

"FIG. 6 is a schematic block diagram illustration of an electronic device, in accordance with some demonstrative embodiments of the present invention; and

"FIGS. 7A-7E are schematic block-diagram illustrations of a system and its components, in accordance with some demonstrative embodiments of the present invention."
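The authorization-ticket step in the summary quoted above (the second provisioning server presents its certificate and a hash of the asset, the authorization server signs the hash, and the device verifies before storing) is sketched here as an added example; it is not code from the patent application or its inventors. Ed25519, SHA-256, the `ServerCert` layout and every function name are assumptions, since the quoted text names no algorithms or formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// ServerCert is a hypothetical certificate layout (an assumption, not from the filing).
type ServerCert struct {
	ServerPub     []byte // public key of the second provisioning server
	RequireTicket bool   // flag: each provisioning event needs a ticket
	Sig           []byte // authorization server's signature over body()
}

// body is the byte string the authorization server signs: flag and key together.
func (c ServerCert) body() []byte { return []byte(fmt.Sprintf("cert|%t|%x", c.RequireTicket, c.ServerPub)) }

// IssueCert: the authorization server certifies the second provisioning server.
func IssueCert(authPriv ed25519.PrivateKey, serverPub []byte, require bool) ServerCert {
	c := ServerCert{ServerPub: serverPub, RequireTicket: require}
	return ServerCert{c.ServerPub, c.RequireTicket, ed25519.Sign(authPriv, c.body())}
}

// IssueTicket: presented with a certificate and an asset hash, sign the hash.
func IssueTicket(authPriv ed25519.PrivateKey, cert ServerCert, h [32]byte) ([]byte, error) {
	if !ed25519.Verify(authPriv.Public().(ed25519.PublicKey), cert.body(), cert.Sig) {
		return nil, fmt.Errorf("certificate not issued by this authorization server")
	}
	return ed25519.Sign(authPriv, h[:]), nil
}

// DeviceAccept runs on the device before the asset is stored.
func DeviceAccept(authPub ed25519.PublicKey, cert ServerCert, asset, ticket []byte) error {
	if !ed25519.Verify(authPub, cert.body(), cert.Sig) {
		return fmt.Errorf("bad server certificate")
	}
	h := sha256.Sum256(asset)
	if cert.RequireTicket && !ed25519.Verify(authPub, h[:], ticket) {
		return fmt.Errorf("ticket does not cover this asset")
	}
	return nil
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(nil)
	srvPub, _, _ := ed25519.GenerateKey(nil)
	cert, asset := IssueCert(authPriv, srvPub, true), []byte("constructed sample asset")
	ticket, _ := IssueTicket(authPriv, cert, sha256.Sum256(asset))
	fmt.Println(DeviceAccept(authPub, cert, asset, ticket), DeviceAccept(authPub, cert, []byte("x"), ticket))
}
```

Because the flag sits inside the signed certificate body, clearing it in transit invalidates the certificate rather than skipping the ticket check. As in the quoted summary, the ticket covers only the asset hash.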

For the URL and more information on this patent application, see: BAR-EL, Hagai; KLIMOV, Alexander; SHEN, Asaf. System, Device, and Method of Provisioning Cryptographic Data to Electronic Devices. Filed February 23, 2014 and posted July 17, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=380&p=8&f=G&l=50&d=PG01&S1=20140710.PD.&OS=PD/20140710&RS=PD/20140710

Keywords for this news article include: Information Technology, Information and Cryptography, Information and Data Encoding and Encryption, Patents.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Information Technology Newsweekly

