Patent application number | Description | Published |
20090006852 | Method and Apparatus for Securing Unlock Password Generation and Distribution - A process may be utilized for securing unlock password generation and distribution. A first set of exclusive responsibilities, assigned to a trusted authority, includes random generation and encryption of an unlock password to compose a randomly generated encrypted unlock password. Further, a second set of exclusive responsibilities, assigned to a security agent, includes sending information associated with the unlock password and a digital signature of information associated with the unlock password to a communication device configured for a network in order to mate the unlock password to the communication device, and sending the randomly generated and encrypted unlock password along with mating data to a password processing center. In addition, a third set of exclusive responsibilities, assigned to a password processing center, includes decrypting the randomly generated and encrypted unlock password. | 01-01-2009 |
20090031131 | Token-Based Management System for PKI Personalization Process - A system for token-based management of a PKI personalization process includes a token request and management system (TRMS) configured to gather request information from a requestor; and a token personalization system (TPS) configured to personalize a hardware token such that usage of the hardware token is constrained by the request information. A method for token-based management of a PKI personalization process includes: requesting a hardware token; personalizing a hardware token such that the hardware token is confined to operation within limiting parameters; binding the hardware token to a workstation which is configured receive the hardware token and use credentials within the hardware token to request and download PKI data from a PKI server, the workstation being further configured to personalize an end user product by loading the PKI data into internal memory contained within the end user product; and monitoring usage of the hardware token and the PKI data. | 01-29-2009 |
20090037931 | Method and Apparatus for a Dynamic and Real-Time Configurable Software Architecture for Manufacturing Personalization - A process receives a personalization request to personalize a communication device. Further, the process provides the personalization request to a message controller that composes a message having personalization information with a message composer engine according to a set of rules and configures one or more communication parameters for the message with a message flow control engine according to the set of rules. The set of rules indicates a distributed environment set of files that the message composer engine and the message flow control engine utilize in a distributed environment, and a centralized environment set of files that the message composer engine and the message flow control engine utilize in a centralized environment. | 02-05-2009 |
20090274295 | Configurable Encryption/Decryption for Multiple Services Support - A system to transmit a set of programs from a transmitter to a receiver is used to accommodate different levels of security used for each program. When a high level of security is necessary for transmitting or receiving a program the transmitter and/or receiver is operable to accommodate that level of security. Thus, both transmitters and receivers are operable to be reconfigured to encrypt or decrypt, respectively, at different levels. Accordingly, differing amounts of programs can be transmitted or received based on the resource requirements needed at any level of security. Consequently, a high level of encryption/decryption requires more resources and allows the processing of fewer services, while a lower level of encryption/decryption allows more services to be transmitted/received. | 11-05-2009 |
20100215171 | TRANSPORT PACKET DECRYPTION TESTING IN A CLIENT DEVICE - In a method for testing a transport packet decrypting module of a client device, a first decryption operation of the transport packet decrypting module is implemented on a test encrypted control word using a content decryption key ladder to derive a test control word, a second decryption operation of the transport packet decrypting module is implemented on one or more test transport packets using the test control word via a predetermined content decryption algorithm, the KIV is derived from the decrypted transport packets, and the derived KIV is compared with a value stored in the client device to verify whether the transport packet decrypting module of the client device is functioning properly. | 08-26-2010 |
20110047374 | METHOD AND APPARATUS FOR A CONFIGURABLE ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) MANAGEMENT SYSTEM - A method and apparatus are provided for generating identity data to be provisioned in product devices that are a part of a project. The method includes establishing a template associated with each CA in a hierarchical chain of CAs having a root CA at a highest level in the chain and a signing CA at a lowest level in the chain. The template associated with the signing CA inherits mandatory attribute fields specified in the root CA and any intermediate CA in the hierarchical chain. The mandatory attribute fields are user-specifiable fields to be populated with PKI data. A configuration file is generated upon receipt of an order for digital certificates using PKI data provided by a user to populate the mandatory attribute fields of the template associated with the signing CA. The digital certificates requested in the order are generated using the PKI data in the configuration file. | 02-24-2011 |
20110138177 | ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) SYSTEM - A method is provided for updating network-enabled devices with new identity data. The method includes requesting new identity data for a plurality of network-enabled devices and receiving notification that the new identity data is ready to be delivered to the plurality of network-enabled devices. A software object is delivered to the plurality of network-enabled devices over a first communications network. Each of the software objects is configured to cause the network-enabled devices to download the new identity data to the respective network-enabled device over a second communications network and install the new identity data at a time based at least in part on information included with the software object. | 06-09-2011 |
20110196793 | GENERIC FEATURE LICENSING FRAMEWORK - A system enables customers to provision devices with feature licenses that enable specified features in the devices. The system includes a feature definition module configured to store product feature information associated with different products available from a plurality of different manufacturers. The system also includes a feature license management module configured to generate, update and revoke feature licenses. The feature licenses that are generated all have a common format. The system further includes a feature credit management module configured to monitor and account for feature credits available to customer organization units. A user management module is also provided in the system, which is configured to authenticate users of the system. A user interface is accessible over a communications network through which authenticated users can request and receive feature licenses. | 08-11-2011 |
20110197061 | CONFIGURABLE ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) MANAGEMENT FRAMEWORK - A method and apparatus is provided for establishing a process for provisioning a digital certificate service delivered by a PKI system. The method includes receiving a request for a digital certificate service and receiving data specifying a project that includes at least one product to be provisioned with a digital certificate. Data specifying an identification of an owner organization of the project and at least one participant organization participating in the project is also received. Attributes with which PKI data to be included in the digital certificates is to comply is received from the owner organization. Based on the received data and attributes, an account is established for each of the organizations associated with the project through which users associated with each of the organizations can respectively request digital certificates for the at least one product in accordance with the attributes received from the owner organization. | 08-11-2011 |
20110197077 | SOFTWARE FEATURE AUTHORIZATION THROUGH DELEGATED AGENTS - A method enables selected features of a software product residing on an end user electronic device with a license delivered from a licensing provider to a service provider of the end user electronic device. The method includes requesting at least one license to authorize a first service provider. An encrypted installation key uniquely associated with the first service provider is received as well as an authorization agent module for installation on one or more authorization agent devices associated with the first service provider. The encrypted installation key and the authorization agent module are installed on the authorization agent devices. A device-unique identifier (DUID) is generated for each authorization agent device based on hardware characteristics of the respective authorization agent devices. The DUID and the encrypted installation key are sent from the authorization agent device to a licensing provider to obtain the requested license. The requested license is received by the authorization agent devices if the DUID and the encrypted installation key are validated by the licensing provider. The license on authorization agent device authorizes and enables the selected features of the software product on an end user electronic device. | 08-11-2011 |
20110213957 | LAYERED PROTECTION AND VALIDATION OF IDENTITY DATA DELIVERED ONLINE VIA MULTIPLE INTERMEDIATE CLIENTS - A method is provided for securely delivering identity data units over a communications network to a client device. The method includes receiving a selection from a customer identifying a final zipped package to be unpacked. The final zipped package is unpacked to obtain a common package and a digital signature file signed by an entity generating identity data requested by the customer. The digital signature in the digital signature file is verified and the common package is unpacked to obtain a plurality of outer packages and an encrypted symmetric key. The symmetric key is decrypted with a private key associated with the customer and each of the outer packages is decrypted with the symmetric key to obtain a plurality of identity data units. | 09-01-2011 |
20110258434 | ONLINE SECURE DEVICE PROVISIONING WITH UPDATED OFFLINE IDENTITY DATA GENERATION AND OFFLINE DEVICE BINDING - A system for generating new identity data for network-enabled devices includes a whitelist reader configured to extract attributes from a whitelist. The whitelist includes, for each device specified in the whitelist, a previously assigned identifier of the first type. The previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices. A data retrieval module is configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto. A new data generation module is configured to (i) obtain a cryptographic key associated with the identity data previously provisioned in the devices specified on the whitelist and the corresponding identifiers of the first type, (ii) generate new identity data records each linked to a new identifier and (iii) encrypt each of the new identity data records with one of the cryptographic keys and link each new identity data record to the identifier of the first type corresponding to each respective cryptographic key. A data output module is configured to load onto an external source the encrypted new identity data records along with their respective new identifiers and their respective previously assigned identifiers of the first type. | 10-20-2011 |
20110258454 | CROSS-DOMAIN IDENTITY MANAGEMENT FOR A WHITELIST-BASED ONLINE SECURE DEVICE PROVISIONING FRAMEWORK - A method for managing identifiers associated with network-enabled devices and used in an identity data system provisioning the network-enabled devices with identity data includes receiving a first set data that includes a previously assigned identifier for one or more of the network-enabled devices that are authorized to be provisioned with new identity data. If identity data is currently installed on the one or more network-enabled devices, each of the previously assigned identifiers in the first set of data is associated with a corresponding identifier linked to the identity data currently installed on the one or more network-enabled devices to establish a second set of data. New identity data is bound to each of the one or more network-enabled devices by assigning a new identifier linked with the new identity data to each of the one or more network-enabled devices to establish a whitelist. The whitelist specifies, for each of the one or more network-enabled devices, its previously assigned identifier, its corresponding identifier and its new identifier that is linked with the new identity data. | 10-20-2011 |
20110258685 | ONLINE SECURE DEVICE PROVISIONING FRAMEWORK - A method for updating network-enabled devices with new identity data includes generating a plurality of new identity data records and loading the new identity data records onto an update server. A request is received at the update server for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier. The previously assigned identifier is linked to a new identifier that is linked to one of the new identity data records. One or more new identity data records are securely delivered to the network-enabled device. | 10-20-2011 |
20120089839 | ONLINE SECURE DEVICE PROVISIONING WITH ONLINE DEVICE BINDING USING WHITELISTS - One or more servers are provided including a session manager, authentication module, authorization module, encryption module, database, and protocol handler. The session manager is configured to receive requests for new identity data from network-enabled devices. Each request is authenticated first by the update server via its authentication module by validating the signature of the request message as well as the certificate chain trusted by the update server. The authorization module is configured to determine if the network-enabled devices specified on a whitelist are authorized to be provisioned with new identity data. The database is configured to receive new identity records generated by an identity data generation system. Each of the new identity records includes a new identifier. The new identifier is not associated or linked to any previously assigned/used identifiers and identity data, thus all the new identity records are generated independently and then loaded to the update server. | 04-12-2012 |
20120143766 | Secure Large Volume Feature License Provisioning System - Disclosed is a manufacturing process and feature licensing system for provisioning personalized (device-unique) licenses to devices. The secure system uses a secure key wrapping mechanism to deliver the LSK to LPS. Another feature is that various network communication links are secured using standard security protocol. Application messages, license templates, licenses are digitally signed. The system is flexible, configured to allow multiple manufacturers and to allow various feature configurations via the use of License Template; scalable, as it is possible to use multiple LPS hosts to serve multiple programming stations; and available in that the delegation of license signing capability from CLS to LPS eliminates the dependency on unreliable Internet connections. Redundant LPS hosts provide high level of availability required for high volume license provisioning. The system is traceable: license and device association are replicated back to the CLS to provide full license request and generation traceability. | 06-07-2012 |
20120204269 | SECURE AUTOMATED FEATURE LICENSE UPDATE SYSTEM AND METHODS - A method for providing a secure automated feature license update is disclosed. This method may be performed at a central license server. A license template including features for enablement on a device is generated. The license template is sent to an authorized user. A license update request is received from an entity. An updated license is generated by the central license server. A response is sent to the entity. | 08-09-2012 |
20120213370 | SECURE MANAGEMENT AND PERSONALIZATION OF UNIQUE CODE SIGNING KEYS - A method and system generates and distributes unique cryptographic device keys. The method includes generating at least a first device key and encrypting the first device key with a first encrypting key to produce a first encrypted copy of the device key. The method also includes encrypting the first device key with a second encrypting key to produce a second encrypted copy of the device key. The second encrypting key is different from said first encrypting key. The first and second encrypted copies of the device keys are associated with a device ID identifying a computing device being manufactured. The second encrypted copy of the device key is loaded onto the computing device. The first encrypted copy of the device key and the device ID with which it is associated are stored onto at least one server for subsequent use after the computing device has been deployed to a customer. | 08-23-2012 |
20130139198 | DIGITAL TRANSPORT ADAPTER REGIONALIZATION - A method, a digital content consumption device, and a conditional access system are disclosed. A network interface may receive in a digital content consumption device a public key message that includes an encrypted key. A processor may decrypt the encrypted key using a secret key to produce the transmitted public key, identify a region descriptor in the public key message, and determine the secret key based on the region descriptor. | 05-30-2013 |
20130185173 | FEATURE LICENSING FRAMEWORK FOR THIRD PARTY FEATURE CREDIT MANAGEMENT - A method and apparatus for provisioning devices. One method includes authenticating a first customer as an authenticated user and receiving from a first customer a first request to establish a credit record for a specified number of upgraded feature licenses. The upgraded feature licenses are obtainable from a third party supplier and are associated with components available from the third party supplier. The credit record includes feature credits to be made available to the first customer to obtain the upgraded feature licenses from the third party supplier. A second request is received from the first customer to release the feature credits to a credit pool associated with the first customer so that the feature credits are available to the first customer. The upgraded feature licenses are generated and the credit pool associated with the first customer is debited for the number of credits needed to obtain the upgraded feature licenses. | 07-18-2013 |
20130227077 | IDENTITY DATA MANAGEMENT SYSTEM FOR HIGH VOLUME PRODUCTION OF PRODUCT-SPECIFIC IDENTITY DATA - A method and apparatus is provided for maintaining inventory levels of identity data to be provisioned in electronic devices. The method includes monitoring over a communications network inventory levels of identity data records stored on a plurality of identity data personalization servers that each provision electronic devices with an identity data record. Additionally, if the inventory level on at least one of the identity data personalization servers falls below a minimum specified level, a refill request is sent to an identity data management authority requesting that additional identity data records be uploaded to the identity data personalization server. | 08-29-2013 |
20140082701 | DYNAMICALLY CONFIGURABLE ONLINE DATA UPDATE SYSTEM - A data object update system provides a flexible framework that can be used to upgrade, renew, replace or supplement data objects that are provisioned in a large base of network-enabled devices that been deployed in the field to end users. The system has the flexibility to configure, for example, the following items, based on different requirements received from network operators: which device key and/or certificate is to be used to authenticate request messages from network-enabled devices before a specific data object update request is accepted into the system; which device identifier is to be used to authorize data object update requests; which device identifier is to be used for generating device specific data objects; and which protection mechanism is to be used to secure the delivery of data objects to network-enabled devices. | 03-20-2014 |
20140123172 | CHALLENGE-RESPONSE CABLE SET-TOP-BOX SYSTEM TO SECURELY AUTHENTICATE SOFTWARE APPLICATION PROGRAM INTERFACES (APIs) - A system for securely authenticating software Application Program Interfaces (APIs) includes a handshake protocol provided between a Conditional Access System (CAS) and Middleware running on a Set-Top-Box. The handshake is a Challenge-Response protocol that includes several steps. The CAS or the Middleware can either act as a Claimant or Verifier in Challenge-Response process. First, a Claimant sends a request to a Verifier requesting access to a function F through the API. The Verifier reacts to the request by outputting a Challenge that is sent to the Claimant The Challenge is also retained by the Verifier for use in its internal calculation to verify the Claimant's response. The Claimant next processes the Challenge using components under a patent License Agreement, known as Hook IP, and issues a Response to the Verifier. The Verifier can then verify the Response to allow the Claimant access to the API. | 05-01-2014 |
20140123220 | BUSINESS METHOD INCLUDING CHALLENGE-RESPONSE SYSTEM TO SECURELY AUTHENTICATE SOFTWARE APPLICATION PROGRAM INTERFACES (APIs) - A system for securely authenticating software Application Program Interfaces (APIs) includes a handshake protocol that is provided to validate whether the parties involved are licensed to use the system which includes rights to Intellectual Property (IP) and corresponding obligations. The handshake is a Challenge-Response protocol that includes several steps. First, a Claimant sends a request to a Verifier requesting access to a function through an API. The Verifier reacts to the request by outputting a Challenge that is sent to the Claimant. The Challenge is also retained by the Verifier for use in its internal calculation to verify the Claimant's response. The Claimant next processes the Challenge using components under the license, known as Hook IP, and issues a Response to the Verifier. The Verifier compares the possibly-correct Candidate Response from the Claimant to the known-correct Target Response and if a match occurs the Verifier allows the Claimant access to the API. | 05-01-2014 |
20140141762 | GENERIC FEATURE-LICENSING FRAMEWORK - Disclosed is an arrangement to enable customers to provision devices with feature licenses that enable specified features in the devices. The arrangement includes a feature-licensing system for performing feature-licensing processes to provision the devices with feature licenses and a feature-licensing process configuration system. | 05-22-2014 |
20140201518 | FRAMEWORK FOR PROVISIONING DEVICES WITH EXTERNALLY ACQUIRED COMPONENT-BASED IDENTITY DATA - A method is provided for updating identity data on devices. The method provides for acquiring a device comprising a component associated with a component identifier and having a One Time Programmable Key installed on the component, submitting the component identifier and the One Time Programmable Key to an External Trust Authority, receiving new identity data tied to the component identifier from the External Trust Authority that is encrypted with the One Time Programmable Key, loading the new identity data onto an Update Server, receiving a request at the Update Server from the device that requests new identity data, and providing the new identity data upon receipt of the request, upon which the device decrypts and installs the identity data using the One Time Programmable Key installed on the component within the device. | 07-17-2014 |
20140280828 | FEATURE LICENSE-RELATED REPAIR/REPLACEMENT PROCESSES AND CREDIT HANDLING - A system and method for issuing a license for a device through a license server is provided. A server receives identification information for a device that communicates to the server if a first license binding identity and/or a first display identity has changed. A previous license for the device is revoked and a previous license credit is returned to a user's credit pool if the first license binding identity and/or the first display identity has changed. A license request is received, which includes a second license binding identity identifying the device. If the second license binding identity is the same as the first license binding identity, the previous license for the device is issued. If the second license binding identity is not the same as the first license binding identity, a new license for the device is issued and a new license credit is deducted from the user's credit pool. | 09-18-2014 |