Securely provisioning a target device

US11895109B2 · US · B2

Patent metadata
Publication number: US-11895109-B2
Application number: US-202217722226-A
Country: US
Kind code: B2
Filing date: Apr 15, 2022
Priority date: May 7, 2014
Publication date: Feb 6, 2024
Grant date: Feb 6, 2024

Abstract

Official abstract text for this publication.

The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.

First claim

Opening claim text (preview).

What is claimed is:

1. A target device comprising: a System on Chip (SoC); a register interface located on a SoC bus; and a cryptographic circuit to control feature activation, configuration management, and secure key management of the target device, wherein the cryptographic circuit is accessed via the register interface, wherein the cryptographic circuit is to: receive a module sequence from a tester device located at a first facility during an operation phase of a manufacturing lifecycle of the target device, wherein the tester device is operatively coupled to the target device and is an untrusted device, wherein the module sequence is generated by a module, the module being an application that, when executed by an appliance device, securely provisions a data asset to the target device via the tester device; and perform a sequence of operations that securely provisions the data asset of the module to the SoC.

2. The target device of claim 1, wherein the data asset is a pre-computed data (PCD) asset specifically corresponding to the target device.

3. The target device of claim 2, wherein the PCD asset comprises at least one of a root-generated key, a serial number, or a High-bandwidth Digital Content Protection (HDCP) key.

4. The target device of claim 1, wherein the data asset is firmware.

5. The target device of claim 1, wherein the data asset is a pre-computed data (PCD) file, wherein the PCD file is encrypted so that only the appliance device has access to the PCD file.

6. The target device of claim 1, wherein the module sequence comprises data derived from tester information, pre-computed data (PCD), and a delegate signing block (DSB).

7. The target device of claim 1, wherein the cryptographic circuit is further to: receive a signing key, associated with the appliance device, from the tester device; and authenticate the module sequence using the signing key.

8. The target device of claim 1, wherein the module is associated with a ticket, wherein the ticket is data that enables enforcement of usage count limits and uniqueness of the data asset being securely provisioned to the target device.

9. The target device of claim 1, wherein the module is delivered to the appliance device over a network from a Service device at a second facility, different from the first facility.

10. A method comprising: receiving, by a target device comprising an System on Chip (SoC) and a cryptographic circuit, a module sequence from a tester device located at a first facility during an operation phase of a manufacturing lifecycle of the target device, wherein the module sequence is generated by a module, the module being an application that, when executed by an appliance device, securely provisions a data asset to the target device via the tester device, wherein the tester device is an untrusted device; and performing, by the cryptographic circuit, a sequence of operations that securely provisions the data asset of the module to the SoC.

11. The method of claim 10, wherein the data asset is a pre-computed data (PCD) asset specifically corresponding to the target device.

12. The method of claim 11, wherein the PCD asset comprises at least one of a root-generated key, a serial number, or a High-bandwidth Digital Content Protection (HDCP) key.

13. The method of claim 10, The method of claim 2, wherein the data asset is firmware.

14. The method of claim 10, wherein the data asset is a pre-computed data (PCD) file, wherein the PCD file is encrypted so that only the Appliance device has access to the PCD file.

15. The method of claim 10, wherein the Module sequence comprises data derived from tester information, pre-computed data (PCD), and a delegate signing block (DSB).

16. The method of claim 10, The method of claim 2, further comprising: receiving, by the cryptographic circuit from the tester device, a signing key associated with the appliance device; and authenticating, by the cryptographic circuit, the module sequence using the signing key.

17. The method of claim 10, wherein the module is associated with a ticket, wherein the ticket is data that enables enforcement of usage count limits and uniqueness of the data asset being securely provisioned to the target device.

18. The method of claim 10, wherein the Module is delivered to the Appliance device over a network from a Service device at a second facility, different from the first facility.

19. A non-transitory computer-readable storage medium storing instructions that, when executed by a processor of a target device comprising an System on Chip (SoC) and a cryptographic circuit, cause the cryptographic circuit to perform operations comprising: receiving a module sequence from a tester device located at a first facility during an operation phase of a manufacturing lifecycle of the target device, wherein the module sequence is generated by a module, the module being an application that, when executed by an appliance device, securely provisions a data asset to the target device via the tester device, wherein the tester device is an untrusted device; and performing a sequence of operations that securely provisions the data asset of the module to the SoC.

20. The non-transitory computer-readable storage medium of claim 19, wherein the operations further comprise: receiving, from the tester device, a signing key associated with the appliance device; and authenticating the module sequence using the signing key.

Classifications

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title

  • G06F21/335 · Primary

    for accessing specific resources, e.g. using Kerberos tickets · CPC title

  • Providing cryptographic facilities or services · CPC title

  • to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title

  • in cryptographic circuits · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Cryptography Res Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0853. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 6, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).