WO2003073688A1 - Authentication of hardware devices incorporating user certificates - Google Patents

Authentication of hardware devices incorporating user certificates

Info

Publication number
WO2003073688A1
Authority
WO
WIPO (PCT)
Prior art keywords
hardware
key
digest
hardware device
authenticating
Application number
PCT/US2003/004411
Other languages
English (en)
Inventor
Randall Johnson
Original Assignee
Emc Corporation
Application filed by Emc Corporation
Priority to AU2003213056A
Publication of WO2003073688A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/86 Secure or tamper-resistant housings
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2129 Authenticate client device independently of the user

Definitions

  • the present invention relates generally to the field of cryptography, and more specifically to the use of digital certificates for authenticating hardware devices and components.
  • Symmetric cryptography enables a single block cipher key to encrypt a message before it is sent and the same key to decrypt the message once it is received. This technology prevents anyone from deciphering the message without the block cipher key. This also ensures that any message that can be decrypted with the block cipher key came from a party who possesses the same key. In this manner it is theoretically possible to know or at least verify the identity of the party sending a message encrypted with the block cipher key, provided only two parties, the sender and the receiver, possess the block cipher key.
  • any communication based on symmetric cryptography is only as secure as the means for transmitting the block cipher key between the communicating parties.
  • Asymmetric cryptography overcomes some of these problems, which are associated with key transmission, by creating a pair of asymmetric keys, in which one key, known as a public key, is intentionally published and another key, known as a private key, is not published or transmitted, even to the intended recipient. With an asymmetric key pair, data that is encrypted with the private key can only be decrypted with the corresponding public key.
  • With asymmetric cryptography, data that is encrypted with the public key can also only be decrypted with the corresponding private key. Accordingly, a message encrypted with an asymmetric public key can be securely sent to a party holding the corresponding private key, irrespective of whether or not the public key has fallen into the hands of a hacker or an unintended recipient, because the message can only be decrypted with the private key.
  • asymmetric cryptography requires substantial computing resources for the encryption and decryption of data, and is therefore impractical and inefficient for the transmission of large quantities of data. Therefore, asymmetric cryptography is often used exclusively to identify parties in communication and to transmit extremely sensitive information, such as a one-time use symmetric block cipher key which can be used for more efficient encryption.
  • Asymmetric cryptography can be used to identify the sender of a message, for example, because only messages encrypted with a private key can be decrypted with the corresponding public key that is publicly known to be associated with a particular person.
  • a digital certificate generally comprises a second layer of asymmetric cryptography that is applied by a trusted certificate authority. Trusted certificate authorities, such as Verisign®, are well known in the art. A trusted certificate authority certifies that a public key belongs to a particular party by digitally signing the public key along with information identifying the party that is assigned to the public key.
  • To create a digital certificate, the trusted certificate authority first creates a hash number, or digest, of the party's public key and corresponding identification information. This may be accomplished, for example, when the trusted certificate authority applies a hash algorithm to the public key and corresponding identification information. Once the digest is created, the trusted certificate authority uses its own private key to encrypt the digest. The encrypted digest or digital certificate can then be used, as an accompaniment to any message, to certify the identity of the sender and the authenticity of the message. To create a signed message, the sender first creates a digest of the message using the well-known hash algorithm. The digest is then encrypted with the sender's private key.
  • the identity of the sender and the authenticity of the message can generally be authenticated by any recipient of the message by using the public key of the trusted certificate authority, which is publicly known, to decipher the encrypted certificate digest, thereby creating a decrypted digest of the certificate which contains the sender's public key.
  • the decrypted digest can then be compared to a comparison digest that is created by the recipient applying the aforementioned hash algorithm to the personal identifying information and public key of the party sending the message.
  • the association of the party sending the message and the public key contained in the certificate is verified if the comparison digest and the decrypted digest of the certificate are the same.
  • the authenticity of the message signature is then finally verified by applying the previously verified public key to the digest of the message encrypted with the sender's private key and successfully comparing the decrypted digest to a digest of the message created by the recipient.
  • Asymmetric cryptography is generally more secure than symmetric cryptography because the private key does not have to be transmitted to the intended recipient of an encrypted message.
  • It is still possible for the security of a private key to be compromised by a hacker with access to the device storing the private key.
  • the hardware or devices used to store the asymmetric key pair can be stolen, accessed, or misused by an unauthorized party unassociated with the digital certificate or private key stored on the device.
  • a device such as a smart card, containing a personal private key or a digital certificate may be stolen or used by another person without authorization to send an unauthorized message or digitally sign a document under the alias of another.
  • One method for improving security and for preventing the abuse of asymmetric keys described above is to tie the access and operation of the asymmetric keys and digital certificate to an independent identification or verification of the user, such as for example, with a biometric device or another verification device.
  • Biometric devices such as fingerprint devices and iris scanners, used to detect uniquely identifiable features of a person are well known in the art.
  • a biometric device may be used, for example, to independently verify the identity of an authorized user before enabling access to or operation of a device containing a private key or digital certificate. Therefore, even if the device is stolen, the private key or digital certificate on the device cannot be accessed or utilized until the person using the device is independently verified as an authorized user of the device.
  • Biometric devices are in and of themselves limited in their ability to protect the user against fraudulent use, as described below, and are therefore correspondingly limited in their ability to provide adequate security.
  • Existing biometric authentication systems consist of multiple components which must work together to authenticate a user.
  • the biometric authentication system may include a biometric device which copies an image of a particular physical characteristic of a user (e.g.
  • an image processor which converts the copied image into data that is easier to work with
  • an extractor which is configured to recognize key features within the image and to put them into a normalized/listed "feature vector" form
  • computer hardware or computer modules that use a matching algorithm to compare the captured feature vector against a specific stored feature vector to authenticate the user.
  • the computer hardware can also use a matching algorithm to compare the captured feature vector against a database of stored feature vector templates for identifying the user.
  • the result of using a matching algorithm in biometric systems is a "match" or "no match" verification signal which either validates or invalidates the authentication of the user.
  • a hacker can monitor any point of communication between the components of the biometric system, thereby capturing data which can be replayed, or otherwise spoofed to generate a bogus authentication.
  • biometric scanning devices also transmit biometric information to other devices which extract features and match against stored templates.
  • a hacker monitoring the transmission channel may also be able to capture the biometric data that is transmitted to the other devices and spoof the system at a later time by replaying the previously captured data into the transmission channel.
  • the hacker can operate any device that is conditionally enabled only upon receiving the 'match' signal from the biometric system, thereby enabling the hacker to bypass the security features provided by the biometric system.
  • the hacker could use the spoofed 'match' signal to enable a device storing a private key to execute an unauthorized digital signature with that private key.
  • any independent verification of a person's identity such as with a biometric device, can only be considered valid if it can be assured that the verification signal is an authentic signal coming from an authentic verification device, rather than a spoofed signal. Accordingly, there is currently a need in the art to improve the ability to authenticate verification devices and the signals generated by the verification devices to ensure that they have not been spoofed.
  • the ability to authenticate a piece of hardware could also be useful in other industries and applications, such as, for example, manufacturing industries.
  • In manufacturing industries, it is common for a manufacturer seeking to secure revenue associated with selling accessory products to design the base product so that it will only interoperate with or enable the accessory products produced by that manufacturer.
  • manufacturers often succeed in designing, producing, and marketing unauthentic and sometimes infringing accessories that are compatible with the manufacturer's exclusive base product. This is possible, in part, because there are no adequate conventional methods for manufacturers to tie the operability of an accessory product to its authenticity.
  • Another industry that could benefit from the ability to authenticate a hardware device is the wireless telephone industry. For example, it could be useful to authenticate an authorized telephone device as the source of a telephone signal prior to enabling any telephone communication with that telephone signal, to ensure that the telephone signal is not originating from a fraudulent or unauthorized device using a spoofed telephone signal.
  • Other industries that could benefit from the ability to authenticate hardware include the automotive and home security industries, among others. For example, it could be useful when a car is started to be able to authenticate that the ignition signal is generated from an authentic key engaging the ignition, rather than from a short circuit that is generated by a thief hotwiring the ignition.
  • the present invention relates to methods and systems for authenticating hardware devices, and more particularly to methods and systems for certifying the authenticity of hardware devices incorporating digital certificates.
  • hardware devices store digital certificates certifying the authenticity of the hardware devices and any signals originating therefrom.
  • a digital certificate is created for a hardware device by a trusted certificate authority that generates and associates hardware data with the hardware device.
  • Hardware data generally comprises information identifying or associated with the hardware device.
  • Hardware data may include, for example, serial numbers, model numbers, manufacturer and part names, public hardware keys, etc.
  • the trusted certificate authority generates a hash number or a digest of the hardware data, comprising the public hardware key and corresponding information identifying the hardware device, by applying a hash algorithm to the hardware data.
  • the digest is encrypted with a private key of the trusted certificate authority.
  • the private key of the trusted certificate authority is an asymmetric key from a key pair that includes a corresponding public key.
  • the encrypted digest and hardware data are stored in a storage component of the hardware device.
  • the encrypted digest and hardware data are accessed by an authenticating device, which may comprise any device or system interacting with the hardware device.
  • the authenticating device applies the aforementioned hash algorithm to the hardware data, thereby generating a new hash number, or comparison digest, of the hardware data.
  • the authenticating device also generates a decrypted digest by deciphering the encrypted digest with the trusted certificate authority's public key.
  • the decrypted digest and the comparison digest are then compared and the hardware device is finally authenticated when the decrypted digest is the same as the comparison digest. If the decrypted digest differs from the comparison digest then the hardware device is not authenticated.
  • the authentication of the hardware device may be used as a condition precedent for the operation of the hardware device, the operation of the authenticating device, the operation of any other device, or access to data stored on the hardware device, the authenticating device, or any other device. Authentication of the hardware device can also be required prior to enabling communication between the hardware device and another device or between any combination of other devices.
  • the invention extends to the use of tamperproof materials, such as ceramics or potting materials, to encapsulate the storage component of the hardware device so that any attempt to remove the storage component will result in fracturing or rendering inoperable the storage component or the hardware device.
  • the invention extends to a variety of novel processes that are enabled using the hardware authentication techniques of the invention. Examples of such processes include those in manufacturing industries, wireless telephone industries, home and automotive security systems, and others.
  • Figure 2 illustrates one exemplary flowchart comprising acts performed by a hardware device, a trusted certificate authority, and an authenticating device according to one embodiment of the methods of the invention for authenticating the hardware device;
  • Figure 3 illustrates one embodiment of the hardware storage component of the hardware device of the invention that is capable of storing hardware data
  • Figure 4 illustrates one embodiment of a system for utilizing the methods of the invention that includes a computer device, a biometric hardware device, and a remote server operating as a hardware authentication device;
  • Figure 5 illustrates one embodiment of a system for utilizing the methods of the invention that includes a biometric hardware device, a smart card operating as a hardware authenticating device, a computer, and a remote server operating as a third party system
  • Figure 5B illustrates one embodiment of a system for utilizing the methods of the invention in which a biometric hardware device is authenticated by a security system that includes a security door with a solenoid that is activated upon receiving an authenticated signal from the iris scanner;
  • Figure 6 illustrates one embodiment of a system for utilizing the methods of the invention that includes a key operating as a hardware device and a lock operating as a hardware authenticating device
  • Figure 7 illustrates one embodiment of a system for utilizing the methods of the invention that includes a wireless telephone operating as a hardware device and a communications tower operating as a hardware authentication device
  • Figure 8 illustrates one embodiment of a system for utilizing the methods of the invention that includes a computer memory chip operating as a hardware device and as an accessory component to a circuit board that operates as a hardware authenticating device.
  • hardware devices incorporating digital certificates of a trusted certificate authority are authenticated for enabling the hardware device or any other devices or systems to perform a desired operation.
  • Embodiments of the invention may comprise special purpose or general-purpose computers comprising various computer components and hardware devices. Embodiments may also include computer-readable media having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media that can be accessed by a general-purpose or special-purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM, other optical storage medium, magnetic storage medium, digital storage medium, or any other medium which can be used to store the desired data, digital certificates, executable instructions, or other data structures utilized by the invention and which can be accessed by a general-purpose or special-purpose computing device.
  • Computer-executable instructions comprise, for example, instructions and data which cause a general-purpose computer, special-purpose computer, or special-purpose processing device to perform a certain function or group of functions.
  • the computer-executable instructions and associated data structures represent an example of program code means for executing the acts of the invention disclosed herein.
  • program modules include routines, programs, objects, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the invention may be practiced with any type of computing system or device, including embedded LSI, VLSI, and ASIC devices, smartcards, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like.
  • the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote memory storage devices.
  • Hardware authenticating device 110 includes any computing system or device that is capable of communicating with other computing systems and devices, such as hardware device 130 and third party system 140. Accordingly, the hardware authenticating device 110 preferably includes a communications module 144 for communicating with other computing systems and devices, such as hardware device 130 and third party system 140, each of which also preferably includes a communications module 144 for enabling communication.
  • Hardware authenticating device 110 also preferably includes a hardware authenticating module 146 that is capable of authenticating any hardware device 130 according to the methods of the invention.
  • hardware authenticating module 146 is capable of executing computer-executable instructions for performing any necessary acts of the methods of the invention, which are described in more detail below in general reference to acts 258-272 of Figure 2.
  • Hardware device 130 includes any component or device that may benefit from being authenticated according to the methods of the invention.
  • hardware device 130 may include biometric identification devices, other identification devices, electrical keys, magnetic keys, electro-mechanical keys, other keys and security devices, wireless telephones, other communications devices, computer hardware components, computer cards, and any accessory products.
  • Third party system 140 includes any computing device or system that is capable of communicating with the hardware authenticating device 110 for receiving or providing data or for performing a desired transaction upon receiving an authorized request from the hardware authenticating device 110 or any hardware device 130 authenticated according to the invention.
  • Although the hardware authenticating device 110 is shown to be linked to two hardware devices 130 and one third party system 140, it will be appreciated that hardware authenticating device 110 may be linked to any number or combination of hardware devices 130 and/or third party systems 140.
  • hardware authenticating device 110 may be linked to hardware device 130 and third party system 140 with a direct communication link 150, which may include a USB port connection, a COM port connection, or any other type of cabling, coupling, adapter, or physical connection, as well as any wireless connection incorporating analog or digital technology, such as, but not limited to Bluetooth and 802.11 wireless technologies.
  • Although Figure 1 shows the hardware devices 130 connected directly to the hardware authenticating device 110, it will be appreciated that the hardware device 130 may be indirectly connected to authenticating device 110 through other devices or network connections.
  • the connection between the hardware authenticating device 110, hardware device 130 and any third party system 140 may also include a network connection 160, such as an Internet connection, another type of wide area network (WAN) connection, or any local access network (
  • Methods for authenticating hardware devices incorporating digital certificates include the acts that are illustrated in the flowchart 200 of Figure 2, and which are generally performed by a hardware device 130, a hardware authenticating device 110, and a trusted certificate authority 230.
  • trusted certificate authority should generally be construed to include any entity, organization, corporation, person, business, system, or device that is authorized or trusted to create digital certificates for certifying the authenticity of a hardware device according to the invention.
  • trusted certificate authority may also refer to any sublicensee or agent of the trusted certificate authority 230 that is authorized by the trusted certificate authority 230 to generate and assign digital certificates to hardware devices.
  • the trusted certificate authority 230 may include a manufacturer of the hardware device 130.
  • Figure 2 illustrates various acts 240-272 that may be performed according to the methods of the invention for authenticating hardware devices. It will be appreciated that although the acts 240-272 are shown in a particular sequence, they may be performed, according to the invention, in any logical or desired sequence.
  • the methods of the invention commence with the generation and assignment of an asymmetric key pair, act 240.
  • the term "hardware data" is generally defined herein to include any identification information, such as, but not limited to the name of the hardware device, the name of the manufacturer of the hardware device, the serial number of the hardware device, the model number of the hardware device, and any other information corresponding to the hardware device.
  • hardware data includes at least enough information to identify the hardware device.
  • hardware data also includes a public key from an asymmetric key pair that is assigned to the hardware device.
  • Asymmetric key pairs, which are well known in the art, generally include a unique public key and a unique private key, each of which is capable of encrypting data and decrypting the data encrypted with the other key.
  • the private key is theoretically kept secret and private, whereas the public key is published and constructively made available to the public, hence their names.
  • the public key is hereinafter referred to as the public hardware key and the corresponding private key is hereinafter referred to as a private hardware key.
  • the hardware key pairs are used to encrypt data transferred between mutually authenticated hardware devices. For example, but not limitation, once two or more hardware devices have authenticated each other, one device may create a random symmetric block cipher key which it may then encrypt with its hardware private key and transmit to the other devices.
  • a digest is generated of the hardware data.
  • a digest of the hardware data is generated, according to the invention, by applying a hash algorithm to the hardware data.
  • Hash algorithms and digests, which are also known as hash numbers, are well known in the art.
  • In act 244, the trusted certificate authority 230 encrypts the digest to create an encrypted digest. This may be accomplished, for example, by encrypting the digest with a private key of the trusted certificate authority 230. Because this private key and a corresponding public key, which constitute an asymmetric key pair, are associated with the trusted certificate authority, they are hereinafter referred to respectively as the private certification key and public certification key.
  • act 246 includes publishing the public certification key so that it is at least made available to the hardware authenticating device 220, such as, for example, through a direct connection or a network connection, which are described above in reference to Figure 1. According to embodiments in which hardware data includes a public hardware key, act 246 may also include publishing the public hardware key.
  • the final act performed by the trusted certificate authority 230 is act 248, which includes storing the hardware data and encrypted digest on the hardware device 130.
  • the hardware data and encrypted digest may be stored, for example, in a storage component of the hardware device 130.
  • the hardware storage component 300, which is also illustrated in Figure 1, stores hardware data 310.
  • hardware data 310 may include a public hardware key 320 and identification information 330.
  • the hardware storage component 300 also stores the encrypted digest 340, and may optionally store a private hardware key 350. In such an embodiment, in which the hardware storage component 300 stores the private hardware key 350, it is preferred that the private hardware key 350 be stored separately from the hardware data 310 and encrypted digest 340.
  • the storage component 300 may include any type of storage medium, such as, but not limited to, optical storage medium, magnetic storage medium, digital storage medium, or any other medium capable of storing the encrypted digest 340, hardware data 310, and optional private hardware key 350.
  • the storage component 300 is encapsulated within a tamperproof material, such as a ceramic or potting material, so that any attempt to remove the storage component 300 from the hardware device will result in fracturing or rendering inoperable the storage component 300 or any essential component of the hardware device.
  • This process may also be extended to include the electronic distribution of hardware certificates to enable the hardware device manufacturer to store the hardware certificates, created by the trusted certificate authority, within their own storage devices. This may be done, for example, by the trusted certificate authority placing a device or computing system on the premises of the hardware device manufacturer for the purpose of securing transmitting, receiving and accounting of
  • the hardware device 130 can be authenticated by another device or system, such as hardware authenticating device 110. Authentication of the hardware device 130 may occur when the hardware device 130 communicably engages, or is otherwise placed in communication with, the hardware authenticating device 110, act 252, such as through a direct communication link 150 or a network connection 160, as shown and described above in reference to Figure 1.
  • the hardware device 130 may initiate a request of the hardware authenticating device 110, act 254.
  • the request may include a request to perform a desired operation or a request to enable the functionality of any one of the hardware devices 130, the hardware authenticating device 110, and any third party device or system. It will be appreciated, however, that initiating a request is not a necessary act to be performed by the hardware device 130 according to the invention.
  • the hardware authenticating device 110 can be configured to execute or initiate a desired operation or enable another device to perform a desired operation sua sponte, solely upon authenticating the hardware device 130 and without ever receiving a request from the hardware device 130.
  • the hardware device 130 provides access to the hardware data and encrypted digest that are stored by the hardware device 130, act 256.
  • the hardware authenticating device 110 accesses the hardware data and encrypted digest, act 258, via a direct communication link or network connection, as described above.
  • the hardware authenticating device 110 may also utilize a direct communication link or network connection to receive or access the public certification key of the trusted certificate authority 130, act 260. It will be appreciated, however, that the hardware authenticating device 110 can also receive or access the public certification key through other means, such as during manufacture of the hardware authenticating device 110 or through uploading data from a computer-readable medium at any time.
  • the hardware authenticating device 110 has access to the public certification key because that public certification key is used to decipher the encrypted digest.
  • a decrypted digest is generated, act 262.
  • a comparison digest, which is generated by applying a hash algorithm to the hardware data, act 264, is then compared to the decrypted digest, act 266. If the decrypted digest and the comparison digest are the same, then the hardware device 130 is finally authenticated, act 268.
  • the hardware authenticating device 110 can perform an operation or enable an operation to be performed, either sua sponte, or alternatively, by honoring a request initiated by the hardware device 130, act 270.
  • If the hardware device is not authenticated, any request initiated by the hardware device is denied, act 272.
  • act 264 involving the generation of a comparison digest may be performed prior to the hardware authenticating device 110 receiving the public certification key and generating the decrypted digest, as specified according to acts 260 and 262.
  • the acts of authenticating the hardware device 130 can generally be construed as acts for determining whether the hardware device 130 comprises a valid digital certificate.
  • the hardware authenticating device 110 authorizes the hardware device 130 to operate, but when the hardware device 130 does not comprise a valid digital certificate, the hardware authenticating device 110 does not authorize the hardware device 130 to operate.
  • the term "operate" is broadly defined herein to include the enabling of the hardware device to perform any desired function, and which may include enabling another device, even the authenticating device 110, to perform a desired function in response to communications or operations performed by the hardware device 130, as described below.
  • authorizing the hardware device 130 to operate can include transmitting and receiving data from the hardware device, whereas not authorizing the hardware device 130 to operate can involve the termination of any communication between the hardware authenticating device 110 and the hardware device 130, when that communication is necessary for the hardware device 130 to perform a desired function.
  • Figure 4 illustrates one embodiment that includes a biometric device 420 that is generally used to verify the identity of an authorized user seeking to use computer 410 to access a remote third party system or server, such as remote server 430.
  • the biometric device 420 and computer 410 may be collectively considered a hardware device used to initiate requests and verify the identity of a user.
  • the biometric device 420 may also individually be considered a hardware device to be authenticated according to the invention.
  • Figure 4 also illustrates a remote server 430 that may include any type of server or system that is capable of communicating with computer 420.
  • Remote server 430 may be, for example, a banking network server in direct communication with computer 410 through an Internet connection and in indirect communication with biometric device 420 through computer 410.
  • remote server 430 is capable of performing a desired operation, such as executing a financial transaction, only upon verifying the identity of the user requesting the operation be performed.
  • the remote server may require that the identity of an authorized user be verified by biometric device 420 before access to the remote server is granted to the user.
  • Some identification devices, such as biometric device 420, generate "match" / "no match" signals that can be intercepted and spoofed by a hacker. Accordingly, although the remote server may receive a signal that supposedly verifies the identity of an authorized user, it is possible that the signal is not an authentic signal submitted by biometric device 420, but is rather a spoofed "match" signal that is submitted fraudulently by a hacker or unauthorized user using computer 410 or another device.
  • the biometric device 420 includes a storage medium 440 that is used to store hardware data and an encrypted digest of the hardware data that are associated with the biometric device 420, and which are generally described above.
  • the hardware data generally includes identification information associated with the biometric device 440 that can be used to authenticate the biometric device 420.
  • the remote server accesses the hardware data and the encrypted digest, which are stored in the storage medium of the biometric device 420 and generates a decrypted digest and comparison digest, as generally described above with reference to acts 258-264 of Figure 2.
  • the remote server compares the decrypted digest and comparison digest to determine whether the biometric device is authentic, acts 264-266. If the decrypted digest and the comparison digest are the same, the biometric device is authentic and the verification signal generated by the biometric device can be trusted to be an authentic signal, rather than a spoofed signal.
  • the remote server 430 can then proceed to honor any request generated by the computer 410, act 270.
  • a hardware authenticating device can generally condition the performance of an operation on the authentication of a hardware device.
  • a remote server 510 operates as a third party system that is capable of performing a transaction upon receiving a digitally signed document from computer 520.
  • a smart card 530, operating as a hardware authenticating device, includes a personal private key that is capable of digitally signing the document stored on the computer 520.
  • the personal private key stored on the smart card 530 can only be accessed and used upon verifying, with an authentic biometric device 540, that the user of the smart card 530 is an authorized user.
  • Because the signal generated by biometric device 540 may be spoofed and misused, it is necessary to authenticate the biometric device 540; otherwise, an unauthorized person with access to the smart card 530 could use a spoofed biometric device 540 signal to access the personal private key on the smart card, such as, for example, to execute an unauthorized digital signature.
  • the smart card 530 engages the biometric device 540 through computer 520 and accesses the hardware data and encrypted digest stored in the storage component 550 of the biometric device 540.
  • the biometric device 540 is authenticated upon creating a decrypted digest and a comparison digest and determining that they are the same.
  • the smart card 530 enables the personal private key stored on the smart card 530 to be accessed and to be used to digitally sign the document on the computer 520, thereby enabling the third party system comprising remote server 510 to perform the desired transaction that was at least partially conditioned on authentication of the biometric device 540, as described.
  • a biometric device is first authenticated according to the methods of the invention, as described above, then the authenticating device, which has obtained the public key of the biometric device during the authentication procedure, uses the public key of the biometric device to encrypt a symmetric block cipher key, such as a random number.
  • This encrypted block cipher key is then sent to the biometric device, whereupon the biometric device decrypts the block cipher key with its own private key.
  • the block cipher key is then used by the biometric device to encrypt all subsequent communication with the authentication device, such as, for example, when transmitting a scanned biometric image to the authentication device.
  • a hacker listening in is thereby thwarted since he cannot ascertain the block cipher key and cannot determine the original data. More particularly, the hacker cannot simply capture the data transmission and replay it later since it is 'married' to the block cipher key, which is a random number that will never be used again.
  • this method is both an efficient and a secure method for communicating between devices.
  • the use of block cipher keys to encrypt large amounts of data is much more efficient than encrypting large amounts of data with asymmetric key algorithms.
  • security is not compromised inasmuch as the block cipher is initially transmitted between the devices with asymmetric encryption according to the methods of the invention.
  • asymmetric encryption is used to protect and safely share the symmetric block cipher key between the devices and thereafter block cipher encryption is used to enable efficient communication between the devices.
  • Figure 5B illustrates one useful embodiment for implementing secure communication between devices, as described above.
  • a biometric security system 560 is configured with a security door 570 that limits access to a physical location to only authorized personnel.
  • the security system 560 includes a smart card reader 575, and a biometric device comprising an iris scanner 580.
  • the security system 560 energizes a solenoid 590 within the door 590 which unlocks the door and permits access.
  • the present invention overcomes the limitations of the prior art security systems by providing a means for preventing the solenoid 590 from being activated without first receiving an authentication signal from the iris scanner 580.
  • the solenoid 590 can be configured to be activated only upon receiving a digital certificate (e.g. hardware data and an encrypted digest) from the iris scanner 580. Accordingly, the solenoid 590 can then authenticate the iris scanner 580, upon receiving the digital certificate, by creating a decrypted digest and a comparison digest and by determining that they are the same, as generally described above. Once the solenoid 590 authenticates the iris scanner 580 then the solenoid 590 awaits a 'match' signal from the iris scanner 580.
  • the 'match' signal and any other communication can be communicated both efficiently and securely with the use of random block cipher keys.
  • the solenoid 590 activates and allows the door 570 to be opened.
  • the security system 560 may also be configured to generate a 'match' signal only when the smart card reader 575 has also generated an appropriate authorization signal.
  • the use of steel conduit and other barriers, as used in the prior art, is not necessary to prevent an intruder from bypassing the security system 560 inasmuch as the solenoid 590 will not activate until it first authenticates the source of the activation signal, namely, the iris scanner 580.
  • the iris scanner 580 comprises a digital certificate that includes encrypted hardware data that identifies the biometric device as an authentic biometric device of the security system 560.
  • a key 610 may include a hardware device of the invention.
  • the key 610 may, for example, include a storage component 620 and a communication module 630 that are embedded within the key 610.
  • the key 610 may also be configured with well-known electronic or magnetic means for communication (not shown) to communicate with a corresponding security system, such as lock 640.
  • the lock 640, ignition, or any such other type of security system accesses the hardware data and encrypted digest that are stored within the storage component 620 of the key 610 and, as generally described above, generates a decrypted digest and comparison digest to determine whether the key 610 is authentic.
  • only an authentic key 610 can be used to successfully operate the security system 640.
  • the manufacturer of the key 610 can maintain a database of the hardware data so that a replacement key can be made that contains the same hardware data so that it can be authenticated.
  • the security system can be reprogrammed to authenticate a new key with a new digital certificate and to not authenticate the lost/stolen key, thereby effectively revoking the digital certificate of the lost/stolen key.
  • the present invention can be used to prevent the unauthorized use of wireless telephone source signals, in which, for example, a wireless telephone source signal is spoofed and used to make unauthorized telephone calls from an unauthentic or unauthorized device.
  • a wireless telephone 710 may include a hardware device that communicates with other communications devices through a communications tower 720.
  • the communications tower 720 is configured as a hardware authenticating device, according to the invention, so that prior to enabling communications with another communications device, the telephone 710 must be authenticated as an authorized device.
  • telephone 710 is equipped with hardware data and an encrypted digest that, according to the invention, as generally described above, may be used to authenticate the telephone 710 as an authentic device.
  • the tower 720, prior to enabling a desired communication with telephone 710, accesses the hardware data and encrypted digest that are stored in a storage component 730 of the telephone 710 and generates a comparison digest and decrypted digest to determine whether the telephone 710 is an authentic and authorized telephone device.
  • the methods of the invention can generally be used to effectively prevent the use of an unauthorized telephone device or telephone source signal. Furthermore, if an authorized telephone device or telephone source signal is stolen, the digital certificate of the telephone device can be revoked and data can be supplied to the tower 720 that prevents the tower 720 from enabling communication from any telephone signal source incorporating the revoked certificate.
  • a computer circuit board 810 includes a base product that is capable of interoperating with various circuit board accessory components that may be replaced when damaged or whenever it is desired to upgrade or otherwise modify the circuit board 810.
  • One such accessory component may include, for example, a memory chip 820.
  • chip 820 is configured with a storage component 830 that stores hardware data that identifies the chip 820 and an encrypted digest certifying the authenticity of the hardware data and corresponding chip 820.
  • the circuit board 810 operates as a hardware authenticating device and the chip operates as the hardware device to be authenticated.
  • the circuit board 810 accesses the encrypted digest and hardware data from the storage component 830 of the chip 820. Then, before chip 820 can interoperate with the circuit board 810, the circuit board generates a decrypted digest and a comparison digest of the hardware data, as generally described above with reference to acts 260-266 of Figure 2. Finally, and only upon determining that the decrypted digest and the comparison digest are the same, the circuit board 810 enables the chip 820 to be utilized with the circuit board 810. If the decrypted digest and the comparison digest are not the same then the chip 820 includes an unauthorized knockoff and cannot be used with the circuit board 810.
  • the hardware device may still be rejected according to the invention.
  • the digital certificate can be stored in a storage device encapsulated within a tamperproof material that is damaged whenever the hardware device is remanufactured or otherwise tampered with, thereby rendering the storage device and the digital certificate inaccessible and unusable for authenticating the hardware device.
  • the present invention generally enables a hardware device incorporating a digital certificate, which generally includes a digest of hardware data that is encrypted with the private certification key of a trusted certificate authority, to be authenticated by another device with access to the corresponding public certification key.
  • operation of the hardware device, the authenticating device, or any third party device or system can be made conditional on the authentication of the hardware device.
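
The issuance and verification flow of acts 240-272, together with the revocation described for lost keys and stolen telephones, written out as an added example; it is not code from the patent or from its assignee. SHA-256, the JSON encoding of the hardware data, the `serial` field, the function names and the constructed certification key pair are all assumptions made for the illustration.

```python
import hashlib
import json

# Constructed certification key pair for the trusted certificate authority.
# The primes are the Mersenne primes 2**521-1 and 2**607-1, used only so the
# example is reproducible offline; a modulus built this way is not secure.
_P = 2**521 - 1
_Q = 2**607 - 1
CA_N = _P * _Q                                   # public certification key (modulus)
CA_E = 65537                                     # public certification key (exponent)
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))       # private certification key


def digest(hardware_data: bytes) -> int:
    """Acts 242 and 264: hash the hardware data (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(hardware_data).digest(), "big")


def issue_certificate(identification: dict) -> dict:
    """Acts 240-248, performed by the certificate authority.

    Returns what would be written to the device's storage component:
    the hardware data and the digest encrypted with the private key.
    """
    hardware_data = json.dumps(identification, sort_keys=True).encode()
    encrypted_digest = pow(digest(hardware_data), _CA_D, CA_N)   # act 244
    return {"hardware_data": hardware_data, "encrypted_digest": encrypted_digest}


def authenticate(storage: dict, revoked: frozenset = frozenset()) -> bool:
    """Acts 258-272, performed by the hardware authenticating device."""
    hardware_data = storage.get("hardware_data")
    encrypted = storage.get("encrypted_digest")
    # Reject malformed input before doing any arithmetic on it.
    if not isinstance(hardware_data, bytes) or not isinstance(encrypted, int):
        return False
    if not 0 < encrypted < CA_N:
        return False

    decrypted = pow(encrypted, CA_E, CA_N)       # act 262: decrypted digest
    comparison = digest(hardware_data)           # act 264: comparison digest
    if decrypted != comparison:                  # act 266
        return False                             # act 272: deny

    # Parse the hardware data only after it has been shown to be certified,
    # then apply the revocation list supplied to the authenticating device.
    serial = json.loads(hardware_data).get("serial")
    return serial not in revoked                 # act 268 when not revoked


if __name__ == "__main__":
    # Constructed sample device record.
    cert = issue_certificate({"serial": "CONSTRUCTED-0001", "model": "iris-scanner"})
    print("genuine :", authenticate(cert))

    altered = dict(cert, hardware_data=cert["hardware_data"].replace(b"0001", b"0002"))
    print("altered :", authenticate(altered))

    print("revoked :", authenticate(cert, revoked=frozenset({"CONSTRUCTED-0001"})))
```

The comparison shows only that the stored hardware data was certified by the authority; it does not by itself tie that data to one physical device, which is the role the description gives to the tamperproof storage component, the private hardware key and revocation. A deployed verifier would also use a padded signature scheme such as RSASSA-PSS or ECDSA rather than raw modular exponentiation.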

Abstract

Methods for authenticating hardware devices (130) incorporating user certificates involve a trusted certificate authority (230) that assigns hardware data (240) to a hardware device (130). A hash algorithm applied to the hardware data, which generally contains information that identifies or is associated with the hardware device (130), produces a digest (242) that is encrypted (244) with the private key of the trusted certificate authority. The encrypted digest and the hardware data are stored (248) in a hardware component of the hardware device (130); an authenticating device (110) accesses (258) them and, using the public key of the trusted certificate authority (230), decrypts the encrypted digest to create a decrypted digest (262). The decrypted digest is then compared (266) with a comparison digest created (264) by applying the hash algorithm to the stored hardware data. Finally, the hardware device (130) is authenticated when the decrypted digest and the comparison digest are identical (268).
PCT/US2003/004411 2002-02-22 2003-02-14 Authentication of hardware devices incorporating user certificates WO2003073688A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003213056A AU2003213056A1 (en) 2002-02-22 2003-02-14 Authenticating hardware devices incorporating digital certificates

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US35922102P 2002-02-22 2002-02-22
US60/359,221 2002-02-22
US22209002A 2002-08-15 2002-08-15
US10/222,090 2002-08-15

Publications (1)

Publication Number Publication Date
WO2003073688A1 true WO2003073688A1 (fr) 2003-09-04

Family

ID=27767482

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/004411 WO2003073688A1 (fr) 2002-02-22 2003-02-14 Authentication of hardware devices incorporating user certificates

Country Status (2)

Country Link
AU (1) AU2003213056A1 (fr)
WO (1) WO2003073688A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5568552A (en) * 1994-09-07 1996-10-22 Intel Corporation Method for providing a roving software license from one node to another node
US6233685B1 (en) * 1997-08-29 2001-05-15 Sean William Smith Establishing and employing the provable untampered state of a device

Cited By (118)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8232672B2 (en) 2001-10-22 2012-07-31 Apple Inc. Power adapters for powering and/or charging peripheral devices
US7573159B1 (en) 2001-10-22 2009-08-11 Apple Inc. Power adapters for powering and/or charging peripheral devices
US7766698B1 (en) 2001-10-22 2010-08-03 Apple Inc. Power adapters for powering and/or charging peripheral devices
US8222773B2 (en) 2001-10-22 2012-07-17 Apple Inc. Power adapters for powering and/or charging peripheral devices
US10312704B2 (en) 2001-10-22 2019-06-04 Apple Inc. Power adapters for powering and/or charging peripheral devices
WO2005069101A3 (fr) * 2004-01-08 2005-11-24 Ibm Procede et systeme d'etablissement d'une structure de confiance sur la base d'appareils a cles intelligentes
WO2005069101A2 (fr) * 2004-01-08 2005-07-28 International Business Machines Corporation Procede et systeme d'etablissement d'une structure de confiance sur la base d'appareils a cles intelligentes
US8386680B2 (en) 2004-04-27 2013-02-26 Apple Inc. Communication between an accessory and a media player with multiple protocol versions and extended interface lingo
US8402187B2 (en) 2004-04-27 2013-03-19 Apple Inc. Method and system for transferring button status information between a media player and an accessory
US8074287B2 (en) 2004-04-30 2011-12-06 Microsoft Corporation Renewable and individualizable elements of a protected environment
US10291417B2 (en) 2004-05-21 2019-05-14 Wayport, Inc. System, method and program product for delivery of digital content offerings at a retail establishment
US7363366B2 (en) 2004-07-13 2008-04-22 Teneros Inc. Network traffic routing
US7363365B2 (en) 2004-07-13 2008-04-22 Teneros Inc. Autonomous service backup and migration
US8332668B2 (en) 2004-07-18 2012-12-11 Apple Inc. Method and system for discovering a power source on a peripheral bus
US7890783B2 (en) 2004-07-18 2011-02-15 Apple Inc. Method and system for discovering a power source on a peripheral bus
US7581119B2 (en) 2004-07-18 2009-08-25 Apple Inc. Method and system for discovering a power source on a peripheral bus
US9336359B2 (en) 2004-10-18 2016-05-10 Microsoft Technology Licensing, Llc Device certificate individualization
US9224168B2 (en) 2004-11-15 2015-12-29 Microsoft Technology Licensing, Llc Tuning product policy using observed evidence of customer behavior
US7541776B2 (en) 2004-12-10 2009-06-02 Apple Inc. Method and system for operating a portable electronic device in a power-limited manner
US8633679B2 (en) 2004-12-10 2014-01-21 Apple Inc. Method and system for operating a portable electronic device in a power-limited manner
US7746032B2 (en) 2004-12-10 2010-06-29 Apple Inc. Method and system for operating a portable electronic device in a power-limited manner
US8106630B2 (en) 2004-12-10 2012-01-31 Apple Inc. Method and system for operating a portable electronic device in a power-limited manner
US7908492B2 (en) 2004-12-16 2011-03-15 International Business Machines Corporation Method for using a compact disk as a smart key device
WO2006063935A1 (en) * 2004-12-16 2006-06-22 International Business Machines Corporation Method and system for using a compact disk as a smart key system
JP4841563B2 (en) * 2004-12-16 2011-12-21 インターナショナル・ビジネス・マシーンズ・コーポレーション Data processing system, method, and computer program for performing cryptographic functions
US8161567B2 (en) 2005-01-07 2012-04-17 Apple Inc. Accessory authentication for electronic devices
AU2009100547A6 (en) * 2005-01-07 2009-09-24 Apple Inc. Accessory authentication for electronic devices
AU2005323229B2 (en) * 2005-01-07 2011-06-23 Apple Inc. Accessory authentication for electronic devices
AU2009100547B4 (en) * 2005-01-07 2010-03-18 Apple Inc. Accessory authentication for electronic devices
US10049206B2 (en) 2005-01-07 2018-08-14 Apple Inc. Accessory authentication for electronic devices
AU2008101150B4 (en) * 2005-01-07 2009-07-23 Apple Inc. Accessory authentication for electronic devices
AU2009100750B4 (en) * 2005-01-07 2010-04-01 Apple Inc. Accessory authentication for electronic devices
US9223958B2 (en) 2005-01-07 2015-12-29 Apple Inc. Accessory authentication for electronic devices
US9754099B2 (en) 2005-01-07 2017-09-05 Apple Inc. Accessory authentication for electronic devices
AU2008101148B4 (en) * 2005-01-07 2009-08-20 Apple Inc. Accessory authentication for electronic devices
AU2009100547A8 (en) * 2005-01-07 2009-10-01 Apple Inc. Accessory authentication for electronic devices
WO2006073702A1 (en) 2005-01-07 2006-07-13 Apple Inc. Accessory authentication for electronic devices
US9436804B2 (en) 2005-04-22 2016-09-06 Microsoft Technology Licensing, Llc Establishing a unique session key using a hardware functionality scan
US9189605B2 (en) 2005-04-22 2015-11-17 Microsoft Technology Licensing, Llc Protected computing environment
US9363481B2 (en) 2005-04-22 2016-06-07 Microsoft Technology Licensing, Llc Protected media pipeline
EP1762956A2 (en) * 2005-09-09 2007-03-14 Fujitsu Siemens Computers GmbH Computer with at least one connector for a removable storage medium and method for starting and operating a computer with a removable storage medium
WO2007060016A2 (en) * 2005-11-28 2007-05-31 Koninklijke Kpn N.V. Self-provisioning token
WO2007060016A3 (en) * 2005-11-28 2007-09-27 Koninkl Kpn Nv Self-provisioning token
WO2007067638A1 (en) * 2005-12-08 2007-06-14 Kyocera Wireless Corp. Method and apparatus for authenticating a mobile phone accessory
KR101109935B1 (en) 2005-12-08 2012-02-24 키오세라 와이어리스 코포레이션 Method and apparatus for authenticating a mobile phone accessory
US7770036B2 (en) 2006-02-27 2010-08-03 Apple Inc. Power management in a portable media delivery system
FR2898424A1 (en) * 2006-03-10 2007-09-14 Gisele Ep Pardo Simonpietri System for securing Internet transactions.
US8370555B2 (en) 2006-06-27 2013-02-05 Apple Inc. Method and system for allowing a media player to determine if it supports the capabilities of an accessory
US8590036B2 (en) 2006-06-27 2013-11-19 Apple Inc. Method and system for authenticating an accessory
CN101479737B (en) * 2006-06-27 2012-06-13 苹果公司 Method and system for authenticating an accessory
US9160541B2 (en) 2006-06-27 2015-10-13 Apple Inc. Method and system for authenticating an accessory
US8001400B2 (en) 2006-12-01 2011-08-16 Apple Inc. Power consumption management for functional preservation in a battery-powered electronic device
US8925047B2 (en) 2007-07-12 2014-12-30 Wayport, Inc. Device-specific authorization at distributed locations
US8261327B2 (en) 2007-07-12 2012-09-04 Wayport, Inc. Device-specific authorization at distributed locations
EP2026529A1 (en) * 2007-07-12 2009-02-18 Wayport, Inc. Device-specific authorization at distributed locations
EP2026530A1 (en) * 2007-07-12 2009-02-18 Wayport, Inc. Device-specific authorization at distributed locations
US10320806B2 (en) 2007-07-12 2019-06-11 Wayport, Inc. Device-specific authorization at distributed locations
US8627416B2 (en) 2007-07-12 2014-01-07 Wayport, Inc. Device-specific authorization at distributed locations
US20120028761A1 (en) * 2008-02-29 2012-02-02 Apple Inc. Interfacing portable media devices and sports equipment
US8317658B2 (en) * 2008-02-29 2012-11-27 Apple Inc. Interfacing portable media devices and sports equipment
US8047966B2 (en) 2008-02-29 2011-11-01 Apple Inc. Interfacing portable media devices and sports equipment
US8208853B2 (en) 2008-09-08 2012-06-26 Apple Inc. Accessory device authentication
US8509691B2 (en) 2008-09-08 2013-08-13 Apple Inc. Accessory device authentication
US8238811B2 (en) 2008-09-08 2012-08-07 Apple Inc. Cross-transport authentication
US8634761B2 (en) 2008-09-08 2014-01-21 Apple Inc. Cross-transport authentication
US8443096B2 (en) 2009-03-16 2013-05-14 Apple Inc. Accessory identification for mobile computing devices
US8909803B2 (en) 2009-03-16 2014-12-09 Apple Inc. Accessory identification for mobile computing devices
US8452903B2 (en) 2009-03-16 2013-05-28 Apple Inc. Mobile computing device capabilities for accessories
US9654293B2 (en) 2009-03-16 2017-05-16 Apple Inc. Accessory identification for mobile computing devices
US8700893B2 (en) 2009-10-28 2014-04-15 Microsoft Corporation Key certification in one round trip
US9298949B2 (en) 2011-02-08 2016-03-29 Giesecke & Devrient Gmbh Method for programming a mobile end device chip
WO2012107200A1 (en) * 2011-02-08 2012-08-16 Giesecke & Devrient Gmbh Method for programming a mobile terminal chip
CN103370713A (en) * 2011-02-08 2013-10-23 德国捷德有限公司 Method for programming a mobile terminal device chip
US9306879B2 (en) 2012-06-08 2016-04-05 Apple Inc. Message-based identification of an electronic device
US9558220B2 (en) 2013-03-04 2017-01-31 Fisher-Rosemount Systems, Inc. Big data in process control systems
US10649424B2 (en) 2013-03-04 2020-05-12 Fisher-Rosemount Systems, Inc. Distributed industrial performance monitoring and analytics
US10386827B2 (en) 2013-03-04 2019-08-20 Fisher-Rosemount Systems, Inc. Distributed industrial performance monitoring and analytics platform
US10649449B2 (en) 2013-03-04 2020-05-12 Fisher-Rosemount Systems, Inc. Distributed industrial performance monitoring and analytics
US10678225B2 (en) 2013-03-04 2020-06-09 Fisher-Rosemount Systems, Inc. Data analytic services for distributed industrial performance monitoring
US10866952B2 (en) 2013-03-04 2020-12-15 Fisher-Rosemount Systems, Inc. Source-independent queries in distributed industrial system
US11385608B2 (en) 2013-03-04 2022-07-12 Fisher-Rosemount Systems, Inc. Big data in process control systems
US9697170B2 (en) 2013-03-14 2017-07-04 Fisher-Rosemount Systems, Inc. Collecting and delivering data to a big data machine in a process control system
US10037303B2 (en) 2013-03-14 2018-07-31 Fisher-Rosemount Systems, Inc. Collecting and delivering data to a big data machine in a process control system
US10311015B2 (en) 2013-03-14 2019-06-04 Fisher-Rosemount Systems, Inc. Distributed big data in a process control system
US10223327B2 (en) 2013-03-14 2019-03-05 Fisher-Rosemount Systems, Inc. Collecting and delivering data to a big data machine in a process control system
US9541905B2 (en) 2013-03-15 2017-01-10 Fisher-Rosemount Systems, Inc. Context sensitive mobile control in a process plant
US10649413B2 (en) 2013-03-15 2020-05-12 Fisher-Rosemount Systems, Inc. Method for initiating or resuming a mobile control session in a process plant
US10133243B2 (en) 2013-03-15 2018-11-20 Fisher-Rosemount Systems, Inc. Method and apparatus for seamless state transfer between user interface devices in a mobile control room
US10152031B2 (en) 2013-03-15 2018-12-11 Fisher-Rosemount Systems, Inc. Generating checklists in a process control environment
US11573672B2 (en) 2013-03-15 2023-02-07 Fisher-Rosemount Systems, Inc. Method for initiating or resuming a mobile control session in a process plant
US10031489B2 (en) 2013-03-15 2018-07-24 Fisher-Rosemount Systems, Inc. Method and apparatus for seamless state transfer between user interface devices in a mobile control room
US10671028B2 (en) 2013-03-15 2020-06-02 Fisher-Rosemount Systems, Inc. Method and apparatus for managing a work flow in a process plant
US11169651B2 (en) 2013-03-15 2021-11-09 Fisher-Rosemount Systems, Inc. Method and apparatus for controlling a process plant with location aware mobile devices
US10296668B2 (en) 2013-03-15 2019-05-21 Fisher-Rosemount Systems, Inc. Data modeling studio
US11112925B2 (en) 2013-03-15 2021-09-07 Fisher-Rosemount Systems, Inc. Supervisor engine for process control
US9678484B2 (en) 2013-03-15 2017-06-13 Fisher-Rosemount Systems, Inc. Method and apparatus for seamless state transfer between user interface devices in a mobile control room
US9778626B2 (en) 2013-03-15 2017-10-03 Fisher-Rosemount Systems, Inc. Mobile control room with real-time environment awareness
US10324423B2 (en) 2013-03-15 2019-06-18 Fisher-Rosemount Systems, Inc. Method and apparatus for controlling a process plant with location aware mobile control devices
US10649412B2 (en) 2013-03-15 2020-05-12 Fisher-Rosemount Systems, Inc. Method and apparatus for seamless state transfer between user interface devices in a mobile control room
US10031490B2 (en) 2013-03-15 2018-07-24 Fisher-Rosemount Systems, Inc. Mobile analysis of physical phenomena in a process plant
US10551799B2 (en) 2013-03-15 2020-02-04 Fisher-Rosemount Systems, Inc. Method and apparatus for determining the position of a mobile control device in a process plant
US10691281B2 (en) 2013-03-15 2020-06-23 Fisher-Rosemount Systems, Inc. Method and apparatus for controlling a process plant with location aware mobile control devices
US9740802B2 (en) 2013-03-15 2017-08-22 Fisher-Rosemount Systems, Inc. Data modeling studio
US10656627B2 (en) 2014-01-31 2020-05-19 Fisher-Rosemount Systems, Inc. Managing big data in process control systems
US9665088B2 (en) 2014-01-31 2017-05-30 Fisher-Rosemount Systems, Inc. Managing big data in process control systems
US9804588B2 (en) 2014-03-14 2017-10-31 Fisher-Rosemount Systems, Inc. Determining associations and alignments of process elements and measurements in a process
US9772623B2 (en) 2014-08-11 2017-09-26 Fisher-Rosemount Systems, Inc. Securing devices to process control systems
US9397836B2 (en) 2014-08-11 2016-07-19 Fisher-Rosemount Systems, Inc. Securing devices to process control systems
US10909137B2 (en) 2014-10-06 2021-02-02 Fisher-Rosemount Systems, Inc. Streaming data for analytics in process control systems
US9823626B2 (en) 2014-10-06 2017-11-21 Fisher-Rosemount Systems, Inc. Regional big data in process control systems
US10282676B2 (en) 2014-10-06 2019-05-07 Fisher-Rosemount Systems, Inc. Automatic signal processing-based learning in a process plant
US10168691B2 (en) 2014-10-06 2019-01-01 Fisher-Rosemount Systems, Inc. Data pipeline for process control system analytics
WO2016144455A1 (en) * 2015-03-06 2016-09-15 Qualcomm Incorporated Apparatus and method for providing a public key for authenticating an integrated circuit
US9813392B2 (en) 2015-03-06 2017-11-07 Qualcomm Incorporated Apparatus and method for providing a public key for authenticating an integrated circuit
US11886155B2 (en) 2015-10-09 2024-01-30 Fisher-Rosemount Systems, Inc. Distributed industrial performance monitoring and analytics
US10503483B2 (en) 2016-02-12 2019-12-10 Fisher-Rosemount Systems, Inc. Rule builder in a process control network
US11785005B2 (en) 2020-09-23 2023-10-10 Apple Inc. Secure tunneling with implicit device identification
CN116418541A (en) * 2021-12-31 2023-07-11 龙芯中科(金华)技术有限公司 Communication method, apparatus and device

Also Published As

Publication number Publication date
AU2003213056A1 (en) 2003-09-09

Similar Documents

Publication Publication Date Title
WO2003073688A1 (en) Authentication of hardware devices incorporating user certificates
JP4680505B2 (en) Simple voice authentication method and apparatus
US6073237A (en) Tamper resistant method and apparatus
US6976162B1 (en) Platform and method for establishing provable identities while maintaining privacy
US6148404A (en) Authentication system using authentication information valid one-time
US5539828A (en) Apparatus and method for providing secured communications
US6230272B1 (en) System and method for protecting a multipurpose data string used for both decrypting data and for authenticating a user
US6189096B1 (en) User authentification using a virtual private key
US6185546B1 (en) Apparatus and method for providing secured communications
US20020176583A1 (en) Method and token for registering users of a public-key infrastructure and registration system
US20020056043A1 (en) Method and apparatus for securely transmitting and authenticating biometric data over a network
CN1309210C (en) Method and apparatus for multiple authentication sessions for content protection
US20070074027A1 (en) Methods of verifying, signing, encrypting, and decrypting data and file
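CN101246607A (en) Digital authentication control method for an access control system and access control system using the method
CN107733636B (en) Authentication method and authentication system
CN112396735B (en) Security authentication method and apparatus for a connected-vehicle digital key
CN111540093A (en) Access control system and control method thereof
CN111539496A (en) Vehicle information two-dimensional code generation method, two-dimensional code license plate, authentication method and system
JP2002519782A (en) Apparatus and method for end-to-end authentication using biometric data
JP2008234143A (en) Biometrics-based system for opening e-mail restricted to the intended person, method therefor, and program therefor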
US20020184501A1 (en) Method and system for establishing secure data transmission in a data communications network notably using an optical media key encrypted environment (omkee)
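CN112671782B (en) File encryption method and terminal
CN112712623A (en) Access control system, processing method thereof, and terminal subsystem
JP2021111925A (en) Electronic signature system
JP2006293473A (en) Authentication system and authentication method, terminal device and authentication device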

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP

WWW WIPO information: withdrawn in national office

Country of ref document: JP