System and method for providing key management protocol with client verification of authorization
    91.
    Granted invention patent
    Status: in force

    Publication No.: US07231663B2

    Publication date: 2007-06-12

    Application No.: US10067446

    Filing date: 2002-02-04

    Abstract: A method and system for providing a client (102) with a copy of the authorization data that can be accessed and used by the client. The method is well-suited to key management protocols that utilize the concept of tickets. Two copies of the authorization data, a client copy and a server copy, are included within and forwarded to the client where the client is requesting a ticket for a specific application server (106). The client is capable of accessing the client copy of the authorization data such that the client can verify requests, and determine authorization of use for content and/or services requested.

    End-to end protection of media stream encryption keys for voice-over-IP systems
    92.
    Granted invention patent
    Status: in force

    Publication No.: US06792534B2

    Publication date: 2004-09-14

    Application No.: US10140148

    Filing date: 2002-05-06

    IPC classification: H04L900

    CPC classification: H04L63/061 H04L63/0807

    Abstract: The present invention reduces the exposure of keying material to intermediary devices in a communication channel between first and second servers. In one embodiment, a second server receives a first half of media stream keys from a first server. The second server uses a Kerberos-based Application Request and tickets to communicate the second half of the media stream keys to the first server. Using this approach, the exposure of the media stream keys is reduced to only the servers.

    Intrusion detection for object security
    93.
    Granted invention patent
    Status: in force

    Publication No.: US06754908B1

    Publication date: 2004-06-22

    Application No.: US09505336

    Filing date: 2000-02-16

    IPC classification: H04N7173

    Abstract: According to the invention, an apparatus and methods for detecting modifications to information within a content receiver are described. In one embodiment, a method for detecting modification to a content receiver within a conditional access system is disclosed. In this process, a content provider generates a message. The message is sent to the content receiver by way of a network. The content receiver gets the message from the network. The content provider detects any unauthorized modification to the content receiver.

    Ticket-based implementation of content leasing
    95.
    Granted invention patent
    Status: in force

    Publication No.: US09548859B2

    Publication date: 2017-01-17

    Application No.: US12327326

    Filing date: 2008-12-03

    Abstract: The present invention is a method and system for accessing digital content stored on a computing device. An agreement between a subscriber and a content provider allows the subscriber to lease the digital content from the content provider, and download the digital content from a content server operated by the content provider. The method retrieves a service ticket for the computing device, and retrieves content rights for the digital content. The service ticket includes authorization data, and a session key, where the authorization data include authorized subscription services for the computing device. The content rights include required subscription services for the digital content and are delivered authenticated with the session key. The method allows access to the digital content when the authorized subscription services included with the authorization data match the required subscription services included with the content rights.

    Methods, apparatus and system for authenticating a programmable hardware device and for authenticating commands received in the programmable hardware device from a secure processor
    96.
    Granted invention patent
    Status: in force

    Publication No.: US09003197B2

    Publication date: 2015-04-07

    Application No.: US12056721

    Filing date: 2008-03-27

    Abstract: A method, device and system for authenticating a programmable hardware device, such as a programmable hardware chip, and a command received by the programmable hardware device. A secure processor or other trusted source authenticates the programmable hardware chip by verifying, with the secure processor's own verification key, a random number sent to the programmable hardware chip and encrypted using a verification key embedded within the programmable hardware chip, since the nature of the encryption is such that only the original logic function that includes the verification key can encrypt the data correctly. A command received by the programmable hardware chip is authenticated by verifying that a command authentication token received by the programmable hardware chip is generated using the correct command authentication key and consequently verifying that the command is received from the secure processor, as only the party who has the command authentication key can encrypt the data correctly.

    System and method for secure key distribution to manufactured products
    97.
    Granted invention patent
    Status: in force

    Publication No.: US08761401B2

    Publication date: 2014-06-24

    Application No.: US11846045

    Filing date: 2007-08-28

    IPC classification: H04L9/08 H04L9/00 H04L9/32

    Abstract: A system and method for securely distributing PKI data, such as one or more private keys or other confidential digital information, from a PKI data generation facility to a product in a product personalization facility that is not connected to the PKI data generation facility and is assumed to be a non-secure product personalization facility. The system includes a PKI data loader for securely transmitting the encrypted PKI data transferred from the PKI data generator to a PKI server at the product personalization facility. The PKI server then transfers the PKI data to the product of interest, typically via a PKI station acting as a proxy between the PKI server and the product. In each communication step, PKI data being transferred is encrypted multiple times and the system is designed such that if any intermediate node is compromised with all of its keys, the overall system has not yet been compromised.

    Encrypting a unique cryptographic entity
    98.
    Granted invention patent
    Status: in force

    Publication No.: US08538890B2

    Publication date: 2013-09-17

    Application No.: US12549468

    Filing date: 2009-08-28

    IPC classification: G06Q20/00 H01B3/00

    Abstract: A method of encrypting a unique cryptographic entity (UCE), where a client device receives a global-key (GK-) encrypted UKD comprising a GK-encrypted UCE and a GK-encrypted unit key number (UKN). The client device verifies that the GK-encrypted UKN is the same as a pre-provisioned value and then decrypts the GK-encrypted UKD using a global key (GK). The client device then re-encrypts the decrypted UKD using a device user key (DUK) to determine a DUK-encrypted UCE and a DUK-encrypted UKN. The DUK-encrypted UKN is verified as not equal to the GK-encrypted UKN. The DUK-encrypted UKN is then appended to the DUK-encrypted UCE to form a DUK-encrypted UKD and stored in a memory.

    REVOCATION LIST UPDATE FOR DEVICES
    99.
    Invention patent application
    Status: in force

    Publication No.: US20130185551A1

    Publication date: 2013-07-18

    Application No.: US13350072

    Filing date: 2012-01-13

    IPC classification: H04L29/06

    Abstract: In one embodiment, a method includes receiving a revocation request for revoking a model type of a device. A first computing device determines a list of device unit identifiers (UIDs) that are associated with the model type from a database. The device UIDs are for devices of the model type manufactured by a first entity. The method adds the list of device UIDs to a device revocation list and outputs the device revocation list to revoke a validity of secure information associated with devices associated with the list of device UIDs.

    Tokenized Resource Access
    100.
    Invention patent application
    Status: in force

    Publication No.: US20120304311A1

    Publication date: 2012-11-29

    Application No.: US13571279

    Filing date: 2012-08-09

    IPC classification: G06F21/24

    CPC classification: G06F21/33 G01R31/31705

    Abstract: A method and system for unlocking diagnostic functions in a hardware device for a user. The method obtains a signed permission object for the hardware device, and validates the signed permission object. A memory of the hardware device stores a device identifier and a last recorded sequence number. The signed permission object includes a sequence number and is associated with an expiration counter having an initial value that indicates a lifetime for the signed permission object. When the signed permission object is valid, the method updates the expiration counter to decrease the lifetime of the signed permission object, stores the sequence number associated with the signed permission object as the last recorded sequence number in the hardware device, and unlocks the diagnostic functions for the user based on the signed permission object.
