公开(公告)号：US08761401B2

公开(公告)日：2014-06-24

申请号：US11846045

申请日：2007-08-28

申请人： Eric J. Sprunk ,  Alexander Medvinsky ,  Xin Qiu ,  Stuart Moskovics ,  Liqiang Chen

发明人： Eric J. Sprunk ,  Alexander Medvinsky ,  Xin Qiu ,  Stuart Moskovics ,  Liqiang Chen

IPC分类号： H04L9/08 ,  H04L9/00 ,  H04L9/32

CPC分类号： H04L9/0844 ,  H04L9/006 ,  H04L9/0822 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/166

摘要： A system and method for securely distributing PKI data, such as one or more private keys or other confidential digital information, from a PKI data generation facility to a product in a product personalization facility that is not connected to the PKI data generation facility and is assumed to be a non-secure product personalization facility. The system includes a PKI data loader for securely transmitting the encrypted PKI data transferred from the PKI data generator to a PKI server at the product personalization facility. The PKI server then transfers the PKI data to the product of interest, typically via a PKI station acting as a proxy between the PKI server and the product. In each communication step, PKI data being transferred is encrypted multiple times and the system is designed such that if any intermediate node is compromised with all of its keys, the overall system has not yet been compromised.

摘要翻译： 用于将PKI数据（例如一个或多个私钥或其他机密数字信息）的PKI数据安全地分发到不连接到PKI数据生成设备并被假定的产品个性化设施中的产品的系统和方法 成为不安全的产品个性化设施。 该系统包括PKI数据加载器，用于将从PKI数据发生器传送的加密的PKI数据安全地发送到产品个性化设施的PKI服务器。 PKI服务器然后将PKI数据传送到感兴趣的产品，通常通过充当PKI服务器和产品之间代理的PKI站。 在每个通信步骤中，正在传送的PKI数据被加密多次，并且系统被设计成使得如果任何中间节点与其所有密钥相冲突，则整个系统尚未被破坏。

公开(公告)号：US20080049942A1

公开(公告)日：2008-02-28

申请号：US11846045

申请日：2007-08-28

申请人： Eric Sprunk ,  Alexander Medvinsky ,  Xin Qiu ,  Stuart Moskovics ,  Liqiang Chen

发明人： Eric Sprunk ,  Alexander Medvinsky ,  Xin Qiu ,  Stuart Moskovics ,  Liqiang Chen

IPC分类号： H04L9/08

CPC分类号： H04L9/0844 ,  H04L9/006 ,  H04L9/0822 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/0823 ,  H04L63/166

摘要： A system and method for securely distributing PKI data, such as one or more private keys or other confidential digital information, from a PKI data generation facility to a product in a product personalization facility that is not connected to the PKI data generation facility and is assumed to be a non-secure product personalization facility. The system includes a PKI data loader for securely transmitting the encrypted PKI data transferred from the PKI data generator to a PKI server at the product personalization facility. The PKI server then transfers the PKI data to the product of interest, typically via a PKI station acting as a proxy between the PKI server and the product. In each communication step, PKI data being transferred is encrypted multiple times and the system is designed such that if any intermediate node is compromised with all of its keys, the overall system has not yet been compromised.

摘要翻译： 用于将PKI数据（例如一个或多个私钥或其他机密数字信息）的PKI数据安全地分发到不连接到PKI数据生成设备并被假定的产品个性化设施中的产品的系统和方法 成为不安全的产品个性化设施。 该系统包括PKI数据加载器，用于将从PKI数据发生器传送的加密的PKI数据安全地发送到产品个性化设施的PKI服务器。 PKI服务器然后将PKI数据传送到感兴趣的产品，通常通过充当PKI服务器和产品之间代理的PKI站。 在每个通信步骤中，正在传送的PKI数据被加密多次，并且系统被设计成使得如果任何中间节点与其所有密钥相冲突，则整个系统尚未被破坏。

公开(公告)号：US08387011B2

公开(公告)日：2013-02-26

申请号：US11831347

申请日：2007-07-31

申请人： Xin Qiu ,  Liqiang Chen ,  Fan Wang

发明人： Xin Qiu ,  Liqiang Chen ,  Fan Wang

IPC分类号： G06F9/44 ,  G06F15/173

CPC分类号： H04L67/34 ,  H04L67/36

摘要： A process receives a personalization request to personalize a communication device. Further, the process provides the personalization request to a message controller that composes a message having personalization information with a message composer engine according to a set of rules and configures one or more communication parameters for the message with a message flow control engine according to the set of rules. The set of rules indicates a distributed environment set of files that the message composer engine and the message flow control engine utilize in a distributed environment, and a centralized environment set of files that the message composer engine and the message flow control engine utilize in a centralized environment.

摘要翻译： 进程接收个性化请求以个性化通信设备。 此外，该过程向消息控制器提供个性化请求，该消息控制器根据一组规则向消息组合器引擎组成具有个性化信息的消息，并且根据该集合向消息流控制引擎配置消息的一个或多个通信参数 的规则。 该组规则表示消息编剧引擎和消息流控制引擎在分布式环境中使用的分布式环境文件集，以及消息编剧引擎和消息流控制引擎在集中式中使用的集中式文件集 环境。

公开(公告)号：US20120143766A1

公开(公告)日：2012-06-07

申请号：US13238850

申请日：2011-09-21

申请人： Jinsong Zheng ,  Tat Keung Chan ,  Liqiang Chen ,  Greg N. Nakanishi ,  Jason A. Pasion ,  Xin Qiu ,  Ting Yao

发明人： Jinsong Zheng ,  Tat Keung Chan ,  Liqiang Chen ,  Greg N. Nakanishi ,  Jason A. Pasion ,  Xin Qiu ,  Ting Yao

IPC分类号： G06F21/22

CPC分类号： G06F21/105 ,  G06Q30/06 ,  G06Q2220/18

摘要： Disclosed is a manufacturing process and feature licensing system for provisioning personalized (device-unique) licenses to devices. The secure system uses a secure key wrapping mechanism to deliver the LSK to LPS. Another feature is that various network communication links are secured using standard security protocol. Application messages, license templates, licenses are digitally signed. The system is flexible, configured to allow multiple manufacturers and to allow various feature configurations via the use of License Template; scalable, as it is possible to use multiple LPS hosts to serve multiple programming stations; and available in that the delegation of license signing capability from CLS to LPS eliminates the dependency on unreliable Internet connections. Redundant LPS hosts provide high level of availability required for high volume license provisioning. The system is traceable: license and device association are replicated back to the CLS to provide full license request and generation traceability.

摘要翻译： 公开了一种用于向设备提供个性化（设备唯一）许可证的制造过程和特征许可系统。 安全系统使用安全的钥匙包装机构将LSK传送到LPS。 另一个特征是使用标准安全协议来保护各种网络通信链路。 应用程序消息，许可证模板，许可证都经过数字签名。 该系统灵活，配置为允许多个制造商通过使用许可证模板来允许各种功能配置; 可扩展的，因为可以使用多个LPS主机来服务多个编程站; 并且可用于从CLS到LPS的许可证签名能力的授权消除了对不可靠的因特网连接的依赖。 冗余LPS主机为高容量许可证配置提供了高水平的可用性。 系统是可追溯的：许可证和设备关联被复制回CLS以提供完整的许可证请求和生成可追溯性。

公开(公告)号：US20090006852A1

公开(公告)日：2009-01-01

申请号：US11768523

申请日：2007-06-26

申请人： Xin Qiu ,  Liqiang Chen ,  Stuart P. Moskovics ,  Kent D. Rager

发明人： Xin Qiu ,  Liqiang Chen ,  Stuart P. Moskovics ,  Kent D. Rager

IPC分类号： H04L9/32

CPC分类号： H04L9/3226 ,  H04L9/3247 ,  H04W12/04 ,  H04W12/08

摘要： A process may be utilized for securing unlock password generation and distribution. A first set of exclusive responsibilities, assigned to a trusted authority, includes random generation and encryption of an unlock password to compose a randomly generated encrypted unlock password. Further, a second set of exclusive responsibilities, assigned to a security agent, includes sending information associated with the unlock password and a digital signature of information associated with the unlock password to a communication device configured for a network in order to mate the unlock password to the communication device, and sending the randomly generated and encrypted unlock password along with mating data to a password processing center. In addition, a third set of exclusive responsibilities, assigned to a password processing center, includes decrypting the randomly generated and encrypted unlock password.

摘要翻译： 可以利用一个过程来确保密码生成和分发。 分配给受信任的机构的第一套独家责任包括随机生成和加密解锁密码，以组成随机生成的加密解密密码。 此外，分配给安全代理的第二组独占责任包括将与解锁密码相关联的信息和与解锁密码相关联的信息的数字签名发送到为网络配置的通信设备，以便将解锁密码与 通信设备，并将随机生成和加密的解密密码以及匹配数据发送到密码处理中心。 另外，分配给密码处理中心的第三组独占责任包括解密随机产生和加密的解锁密码。

公开(公告)号：US20110047374A1

公开(公告)日：2011-02-24

申请号：US12854922

申请日：2010-08-12

申请人： Jiajing Liu ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Wei Lin Chou ,  Christopher P. Gardner ,  Stuart P. Moskovics ,  Xin Qiu ,  Chia Ling Tsai ,  Ting Yao

发明人： Jiajing Liu ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Wei Lin Chou ,  Christopher P. Gardner ,  Stuart P. Moskovics ,  Xin Qiu ,  Chia Ling Tsai ,  Ting Yao

IPC分类号： H04L9/00

CPC分类号： H04L9/3265 ,  H04L9/007

摘要： A method and apparatus are provided for generating identity data to be provisioned in product devices that are a part of a project. The method includes establishing a template associated with each CA in a hierarchical chain of CAs having a root CA at a highest level in the chain and a signing CA at a lowest level in the chain. The template associated with the signing CA inherits mandatory attribute fields specified in the root CA and any intermediate CA in the hierarchical chain. The mandatory attribute fields are user-specifiable fields to be populated with PKI data. A configuration file is generated upon receipt of an order for digital certificates using PKI data provided by a user to populate the mandatory attribute fields of the template associated with the signing CA. The digital certificates requested in the order are generated using the PKI data in the configuration file.

摘要翻译： 提供了一种用于生成作为项目的一部分的产品设备中提供的身份数据的方法和装置。 该方法包括在具有链中最高级别的根CA的CA的分级链中建立与每个CA相关联的模板以及链中最低级的签名CA。 与签名CA相关联的模板继承根CA中指定的强制属性字段和层级链中的任何中间CA。 强制属性字段是要填充PKI数据的用户指定字段。 使用由用户提供的PKI数据接收到数字证书的订单时，生成配置文件来填充与签名CA相关联的模板的强制属性字段。 使用配置文件中的PKI数据生成订单中请求的数字证书。

公开(公告)号：US08392702B2

公开(公告)日：2013-03-05

申请号：US12175444

申请日：2008-07-17

申请人： Xin Qiu ,  Eric Sprunk ,  Liqiang Chen ,  Jason Pasion

发明人： Xin Qiu ,  Eric Sprunk ,  Liqiang Chen ,  Jason Pasion

IPC分类号： H04L29/06

CPC分类号： H04L9/006 ,  H04L9/3234 ,  H04L9/3263 ,  H04L63/0442 ,  H04L63/0823 ,  H04L63/0853 ,  H04L63/101 ,  H04L63/123 ,  H04L63/166 ,  H04L2209/56 ,  H04L2209/60 ,  H04L2209/80

摘要： A system for token-based management of a PKI (public key infrastructure) personalization process includes a token request and management system (TRMS) configured to gather request information from a requestor; and a token personalization system (TPS) configured to personalize a hardware token such that usage of the hardware token is constrained by the request information. A method for token-based management of a PKI personalization process includes: requesting a hardware token; personalizing a hardware token such that the hardware token is confined to operation within limiting parameters; binding the hardware token to a workstation which is configured receive the hardware token and use credentials within the hardware token to request and download PKI data from a PKI server, the workstation being further configured to personalize an end user product by loading the PKI data into internal memory contained within the end user product; and monitoring usage of the hardware token and the PKI data.

摘要翻译： 用于PKI（公共密钥基础设施）个性化过程的基于令牌的管理的系统包括被配置为从请求者收集请求信息的令牌请求和管理系统（TRMS） 以及被配置为个性化硬件令牌的令牌个性化系统（TPS），使得所述硬件令牌的使用被所述请求信息约束。 用于PKI个性化处理的基于令牌的管理的方法包括：请求硬件令牌; 个性化硬件令牌，使得硬件令牌限制在限制参数内的操作; 将硬件令牌绑定到配置的接收硬件令牌并使用硬件令牌内的凭证的工作站，以从PKI服务器请求和下载PKI数据，该工作站进一步配置为通过将PKI数据加载到内部来个性化最终用户产品 包含在最终用户产品中的内存; 并监视硬件令牌和PKI数据的使用情况。

公开(公告)号：US08370626B2

公开(公告)日：2013-02-05

申请号：US12854922

申请日：2010-08-12

申请人： Jiajing Liu ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Wei Lin Chou ,  Christopher P. Gardner ,  Stuart P. Moskovics ,  Xin Qiu ,  Chia Ling Tsai ,  Ting Yao

发明人： Jiajing Liu ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Wei Lin Chou ,  Christopher P. Gardner ,  Stuart P. Moskovics ,  Xin Qiu ,  Chia Ling Tsai ,  Ting Yao

IPC分类号： H04L9/00

CPC分类号： H04L9/3265 ,  H04L9/007

摘要： A method and apparatus are provided for generating identity data to be provisioned in product devices that are a part of a project. The method includes establishing a template associated with each CA in a hierarchical chain of CAs having a root CA at a highest level in the chain and a signing CA at a lowest level in the chain. The template associated with the signing CA inherits mandatory attribute fields specified in the root CA and any intermediate CA in the hierarchical chain. The mandatory attribute fields are user-specifiable fields to be populated with PKI data. A configuration file is generated upon receipt of an order for digital certificates using PKI data provided by a user to populate the mandatory attribute fields of the template associated with the signing CA. The digital certificates requested in the order are generated using the PKI data in the configuration file.

摘要翻译： 提供了一种用于生成作为项目的一部分的产品设备中提供的身份数据的方法和装置。 该方法包括在具有链中最高级别的根CA的CA的分级链中建立与每个CA相关联的模板以及链中最低级的签名CA。 与签名CA相关联的模板继承根CA中指定的强制属性字段和层级链中的任何中间CA。 强制属性字段是要填充PKI数据的用户指定字段。 使用由用户提供的PKI数据接收到数字证书的订单时，生成配置文件来填充与签名CA相关联的模板的强制属性字段。 使用配置文件中的PKI数据生成订单中请求的数字证书。

公开(公告)号：US08171527B2

公开(公告)日：2012-05-01

申请号：US11768523

申请日：2007-06-26

申请人： Xin Qiu ,  Liqiang Chen ,  Stuart P. Moskovics ,  Kent D. Rager

发明人： Xin Qiu ,  Liqiang Chen ,  Stuart P. Moskovics ,  Kent D. Rager

IPC分类号： H04L29/06

CPC分类号： H04L9/3226 ,  H04L9/3247 ,  H04W12/04 ,  H04W12/08

摘要： A process may be utilized for securing unlock password generation and distribution. A first set of exclusive responsibilities, assigned to a trusted authority, includes random generation and encryption of an unlock password to compose a randomly generated encrypted unlock password. Further, a second set of exclusive responsibilities, assigned to a security agent, includes sending information associated with the unlock password and a digital signature of information associated with the unlock password to a communication device configured for a network in order to mate the unlock password to the communication device, and sending the randomly generated and encrypted unlock password along with mating data to a password processing center. In addition, a third set of exclusive responsibilities, assigned to a password processing center, includes decrypting the randomly generated and encrypted unlock password.

摘要翻译： 可以利用一个过程来确保密码生成和分发。 分配给受信任的机构的第一套独家责任包括随机生成和加密解锁密码，以组成随机生成的加密解密密码。 此外，分配给安全代理的第二组独占责任包括将与解锁密码相关联的信息和与解锁密码相关联的信息的数字签名发送到为网络配置的通信设备，以便将解锁密码与 通信设备，并将随机生成和加密的解密密码以及匹配数据发送到密码处理中心。 另外，分配给密码处理中心的第三组独占责任包括解密随机产生和加密的解锁密码。

公开(公告)号：US20110197061A1

公开(公告)日：2011-08-11

申请号：US12854920

申请日：2010-08-12

申请人： Wei Lin Chou ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Christopher P. Gardner ,  Jiajing Liu ,  Oscar Jiang ,  Xin Qiu ,  Kyle W. Stewart ,  Chia Ling Tsai ,  Fan Wang ,  Ting Yao

发明人： Wei Lin Chou ,  Thomas J. Barbour ,  Liqiang Chen ,  Ying Chen ,  Christopher P. Gardner ,  Jiajing Liu ,  Oscar Jiang ,  Xin Qiu ,  Kyle W. Stewart ,  Chia Ling Tsai ,  Fan Wang ,  Ting Yao

IPC分类号： H04L29/06

CPC分类号： H04L9/006 ,  H04L9/3265

摘要： A method and apparatus is provided for establishing a process for provisioning a digital certificate service delivered by a PKI system. The method includes receiving a request for a digital certificate service and receiving data specifying a project that includes at least one product to be provisioned with a digital certificate. Data specifying an identification of an owner organization of the project and at least one participant organization participating in the project is also received. Attributes with which PKI data to be included in the digital certificates is to comply is received from the owner organization. Based on the received data and attributes, an account is established for each of the organizations associated with the project through which users associated with each of the organizations can respectively request digital certificates for the at least one product in accordance with the attributes received from the owner organization.

摘要翻译： 提供了一种用于建立用于提供由PKI系统提供的数字证书服务的过程的方法和装置。 该方法包括接收对数字证书服务的请求，并且接收指定项目的数据，所述项目包括至少一个要被提供数字证书的产品。 还收到了指定项目所有者组织的标识和参与该项目的至少一个参与组织的数据。 从所有者组织收到要包含在数字证书中的PKI数据符合的属性。 根据接收到的数据和属性，为与项目相关联的每个组织建立一个帐户，通过该帐户，与每个组织相关联的用户可以根据从所有者接收的属性分别为至少一个产品请求数字证书 组织。