1. Field of the Invention
The present application relates generally to managing software use, and more specifically to systems and methods to enable the monitoring and adjusting software usage under a software license.
2. Description of the Related Art
Public key infrastructure (PKI) encryption is used to secure data exchanges in digital form. It comprises a unique mathematical property that allows part of the PKI encryption subsystem to be public and part of the subsystem to remain secret, but in the process negates the need for a secret to be shared between two parties wishing to share protected data. This has been a major breakthrough in secure data exchange.
However, a major problem or shortcoming with such existing systems is that the secret part of the PKI subsystem, also called the private key, can be copied, stolen or faked. Accordingly, there is a need for an improved technique for securing communication via PKI encryption that prevents the copying or stealing of private keys, the use of fake private keys, etc.
The following presents a simplified summary of one or more embodiments in order to provide a basic understanding of such embodiments. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later.
The present invention addresses the above-described shortcomings of existing encryption systems by using a private key that is bound to the device requesting the secure data, thereby making it harder for someone to copy, steal or fake. The present invention also adds a layer of authentication to the data exchange in that the unique device ID or identifier can also be used for forensic purposes in proving who has received or sent particular protected data.
In accordance with one or more aspects of the present invention, there are provided techniques that involve: (a) generating a requester key pair for a data requesting device, the pair comprising a requester private key and a requester public key; (b) receiving a unique device identifier from the device; (c) calculating a difference between the identifier and the requester private key; and (d) storing the difference as a filler code.
In related aspects, the techniques may also involve: (e) in response to a request for data from the device, identifying the device; (f) encrypting the data using a sender private key and the requester public key; and (g) sending the encrypted data and the filler code to the device. In further related aspects, Step (g) may further involve publishing a sender public key, such that the device is able to (i) compute the requester private key by adding the filler code to the identifier and (ii) use the computed requester private key to decrypt the encrypted data.
In accordance with one or more aspects of the present invention, there are provided techniques that involve: (a) receiving from a data sender a request for a unique device identifier of a requesting device; (b) in response to the request from the sender, compiling unique identifying information from a computing environment of the device; (c) generating the identifier based at least in part on the compiled information; and (d) providing the generated identifier to the sender.
In related aspects, the techniques may also involve: (e) receiving encrypted data and a filler code from the sender; (f) computing a requester private key by adding the filler code to the identifier; and (g) using the computed requester private key to decrypt the encrypted data. In further related aspects, step (b) may further involve compiling at least one user-configurable parameter and at least one non-user-configurable parameter of the device.
To the accomplishment of the foregoing and related ends, the one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative aspects of the one or more embodiments. These aspects are indicative, however, of but a few of the various ways in which the principles of various embodiments may be employed and the described embodiments are intended to include all such aspects and their equivalents.
Various embodiments are now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more embodiments. It may be evident, however, that such embodiment(s) can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing one or more embodiments.
In accordance with one or more aspects of the embodiments described herein, there is provided a system and method for sending data via secured communication in a public key infrastructure.
The requester then generates or computes unique device ID 20 (step 41), and computes its own private key 22 by adding the filler code 21 to the computed ID (step 43). This computed value is then used to decrypt 27 the data for use (step 45).
In another embodiment, the above described techniques for generating the device bound private key, as described with reference to
In yet another embodiment, the technique for generating and using keys may involve the generation and subsequent storage for use later of the unique device ID without the need to generate a unique device ID every time data is exchanged.
In related aspects, the device identity (i.e., the unique device identifier) may comprise and/or be generated from unique device identifying information, wherein the unique device identifying information may comprise at least one user-configurable parameter and/or at least one non-user-configurable parameter of the given device. The device identity may be generated by utilizing at least one irreversible transformation of the at least one user-configurable and the at least one non-user-configurable parameters of the given device. The device identity may be generated by utilizing a cryptographic hash function on the at least one user-configurable and the at least one non-user-configurable parameters of the given device.
It is noted that generating the device identity may also be described as generating a device fingerprint and may entail the sampling of physical, non-user configurable properties as well as a variety of additional parameters such as uniquely generated hashes and time sensitive values. Physical device parameters available for sampling may include, for example, unique manufacturer characteristics, carbon and silicone degradation and small device failures.
The process of measuring carbon and silicone degradation may be accomplished by measuring a chip's ability to process complex mathematical computations, and its ability to respond to intensive time variable computations. These processes measure how fast electricity travels through the carbon. Using variable offsets to compensate for factors such as heat and additional stresses placed on a chip during the sampling process allows for each and every benchmark to reproduce the expected values. During a standard operating lifetime, the process of passing electricity through the various switches causes a computer chip to degrade. These degradations manifest as gradually slower speeds that extend the processing time required to compute various benchmarking algorithms.
In addition to the chip benchmarking and degradation measurements, the process for generating a device identity may include measuring physical, non-user-configurable characteristics of disk drives and solid state memory devices. Each data storage device has a large variety of damage and unusable data sectors that are nearly unique to each physical unit. The ability to measure and compare values for damaged sectors and data storage failures provides a method for identifying storage devices.
Device parameter sampling, damage measurement and chip benchmarking make up just a part of device fingerprinting technologies described herein. These tools may be further extended by the use of complex encryption algorithms to convolute the device identity values during transmission and comparisons. Such encryption processes may be used in conjunction with random sampling and key generations.
The device identity may be generated by utilizing machine or device parameters associated with one or more of the following: machine model; machine or hard drive serial number; machine copyright; machine ROM version; machine bus speed; machine details; machine manufacturer; machine ROM release date; machine ROM size; machine UUID; and machine service tag.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: CPU ID; CPU model; CPU details; CPU actual speed; CPU family; CPU manufacturer; CPU voltage; and CPU external clock.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: memory model; memory slots; memory total; and memory details.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: video model; video details; display model; display details; audio model; and audio details.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: network model; network address; Bluetooth address; Blackbox model (including IDE and SCSI); Blackbox serial; Blackbox details; Blackbox damage map; Blackbox volume name; NetStore details; and NetStore volume name.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: optical model; optical serial; optical details; keyboard model; keyboard details; mouse model; mouse details; printer details; and scanner details.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: baseboard manufacturer; baseboard product name; baseboard version; baseboard serial number; and baseboard asset tag.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: chassis manufacturer; chassis type; chassis version; and chassis serial number.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: IDE controller; SATA controller; RAID controller; and SCSI controller.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: port connector designator; port connector type; port connector port type; and system slot type.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: cache level; cache size; cache max size; cache SRAM type; and cache error correction type.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: fan; PCMCIA; modem; portable battery; tape drive; USB controller; and USB hub.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: device model; device model IMEI; device model IMSI; and device model LCD.
The device identity may also be generated by utilizing machine parameters associated with one or more of the following: wireless 802.11; webcam; game controller; silicone serial; and PCI controller.
In accordance with one or more aspects of the embodiments described herein, there is provided a device for sending data via secured communication in a public key infrastructure. With reference to the embodiment of
The memory 130 may include executable code for the at least one processor 120 to: (a) generate a requester key pair for the device, the pair comprising a requester private key and a requester public key; and (b) in response to receiving a unique device identifier from the device, calculate a difference between the identifier and the requester private key.
In related aspects, the at least one processor 120 may store the calculated difference as a filler code in the memory. In further related aspects, the at least one processor may be adapted to: (a) in response to a request for the data from the device, identify the device; (b) encrypt the data using a sender private key and the requester public key; and (c) send the encrypted data and the filler code to the device. In yet further related aspects, the at least one processor 120 may publish a sender public key, such that the device is able to (i) compute the requester private key by adding the filler code to the identifier and (ii) use the computed requester private key to decrypt the encrypted data.
It is noted that device 100 may optionally include: a means 150 for generating a requester key pair for a data requesting device, the pair comprising a requester private key and a requester public key; a means 152 for receiving a unique device identifier from the device; a means 154 for calculating a difference between the identifier and the requester private key; and a means 156 for storing the difference as a filler code.
With reference to
In accordance with one or more aspects of the embodiments described herein, there is provided a device for requesting data via secured communication in a public key infrastructure. With reference to the embodiment of
The memory 230 may include executable code for the at least one processor 220 to: (a) receive from a data sender a request for a unique device identifier of a requesting device; (b) in response to the request from the sender, compile unique identifying information from a computing environment of the device 200; (c) generate the identifier based at least in part on the compiled information; and (d) instruct the communication module 210 to transmit the generated identifier to the sender.
In related aspects, the at least one processor 220 may be adapted to: (a) in response to receiving encrypted data and a filler code from the sender, compute a requester private key by adding the filler code to the identifier; and (b) use the computed requester private key to decrypt the encrypted data.
In further related aspects, the at least one processor 220 may compile the unique identifying information by compiling at least one user-configurable parameter and at least one non-user-configurable parameter of the device 200. The at least one non-user-configurable parameter may include at least one of hard drive serial number, CPU ID, CPU model, CPU manufacturer, and CPU voltage for the device 200. The at least one non-user-configurable parameter may be based on a carbon degradation characteristic of a computer chip of the device 200. The at least one non-user-configurable parameter may be based on a silicone degradation characteristic of a computer chip of the device 200. The at least one user-configurable may include at least one of hard disk volume name, user name, device name, user password, and hard disk initialization date for the device 200.
It is noted that device 200 may optionally include: a means 250 for receiving from a data sender a request for a unique device identifier of a requesting device; a means 252 for in response to the request from the sender, compiling unique identifying information from a computing environment of the device; a means 254 for generating the identifier based at least in part on the compiled information; and a means 256 for providing the generated identifier to the sender.
With reference to
In accordance with one or more aspects of the embodiments described herein, there is provided a method for sending data via secured communication in a public key infrastructure. With reference to the embodiment of
In related aspects, with reference to
In accordance with one or more aspects of the embodiments described herein, there is provided a method for requesting data via secured communication in a public key infrastructure. With reference to the embodiment of
In related aspects, with reference to
While the present invention has been illustrated and described with particularity in terms of preferred embodiments, it should be understood that no limitation of the scope of the invention is intended thereby. Features of any of the foregoing methods and devices may be substituted or added into the others, as will be apparent to those of skill in the art. It should also be understood that variations of the particular embodiments described herein incorporating the principles of the present invention will occur to those of ordinary skill in the art and yet be within the scope of the invention.
As used in this application, the terms “component,” “module,” “system,” and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures stored thereon. The components can communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the Internet with other systems by way of the signal).
It is understood that the specific order or hierarchy of steps in the processes disclosed herein in an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged while remaining within the scope of the present disclosure. The accompanying method claims present elements of the various steps in sample order, and are not meant to be limited to the specific order or hierarchy presented.
Those skilled in the art will further appreciate that the various illustrative logical blocks, modules, circuits, methods and algorithms described in connection with the examples disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, methods and algorithms have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
This application claims priority pursuant to 35 U.S.C. §119(e) to U.S. Provisional Application No. 60/992,704, entitled “SYSTEM FOR DEVICE BOUND PUBLIC KEY INFRASTRUCTURE,” filed Dec. 5, 2007, and to U.S. Provisional Application No. 61/055,129, entitled “DEVICE AND METHOD FOR SECURED COMMUNICATION,” filed May 21, 2008, both of which are specifically incorporated herein, in their entirety, by reference.
Number | Name | Date | Kind |
---|---|---|---|
4351982 | Miller et al. | Sep 1982 | A |
4658093 | Hellman | Apr 1987 | A |
4704610 | Smith et al. | Nov 1987 | A |
4796220 | Wolfe | Jan 1989 | A |
5210795 | Lipner et al. | May 1993 | A |
5291598 | Grundy | Mar 1994 | A |
5414269 | Takahashi | May 1995 | A |
5418854 | Kaufman et al. | May 1995 | A |
5440635 | Bellovin et al. | Aug 1995 | A |
5490216 | Richardson, III | Feb 1996 | A |
5666415 | Kaufman | Sep 1997 | A |
5745879 | Wyman | Apr 1998 | A |
5754763 | Bereiter | May 1998 | A |
5790664 | Coley et al. | Aug 1998 | A |
5925127 | Ahmad | Jul 1999 | A |
5974150 | Kaish et al. | Oct 1999 | A |
5991402 | Jia et al. | Nov 1999 | A |
6009401 | Horstmann | Dec 1999 | A |
6044471 | Colvin | Mar 2000 | A |
6158005 | Bharathan et al. | Dec 2000 | A |
6230199 | Revashetti et al. | May 2001 | B1 |
6233567 | Cohen | May 2001 | B1 |
6243468 | Pearce et al. | Jun 2001 | B1 |
6243469 | Kataoka et al. | Jun 2001 | B1 |
6243811 | Patel | Jun 2001 | B1 |
6294793 | Brunfeld et al. | Sep 2001 | B1 |
6330670 | England et al. | Dec 2001 | B1 |
6343361 | Nendell et al. | Jan 2002 | B1 |
6449645 | Nash | Sep 2002 | B1 |
6536005 | Augarten | Mar 2003 | B1 |
6785825 | Colvin | Aug 2004 | B2 |
6804257 | Benayoun et al. | Oct 2004 | B1 |
6859793 | Lambiase | Feb 2005 | B1 |
6920567 | Doherty et al. | Jul 2005 | B1 |
6940422 | Bachelder et al. | Sep 2005 | B1 |
6976009 | Tadayon et al. | Dec 2005 | B2 |
7032110 | Su et al. | Apr 2006 | B1 |
7069440 | Aull | Jun 2006 | B2 |
7069595 | Cognigni et al. | Jun 2006 | B2 |
7085741 | Lao et al. | Aug 2006 | B2 |
7107462 | Fransdonk | Sep 2006 | B2 |
7117526 | Short | Oct 2006 | B1 |
7188241 | Cronce et al. | Mar 2007 | B2 |
7203966 | Abburi et al. | Apr 2007 | B2 |
7206765 | Gilliam et al. | Apr 2007 | B2 |
7213149 | Mache | May 2007 | B2 |
7272728 | Pierson et al. | Sep 2007 | B2 |
7310813 | Lin et al. | Dec 2007 | B2 |
7319987 | Hoffman et al. | Jan 2008 | B1 |
7327280 | Bachelder et al. | Feb 2008 | B2 |
7337147 | Chen et al. | Feb 2008 | B2 |
7343297 | Bergler et al. | Mar 2008 | B2 |
7463945 | Kiesel et al. | Dec 2008 | B2 |
7653899 | Lindahl et al. | Jan 2010 | B1 |
7698416 | Potti et al. | Apr 2010 | B2 |
7716482 | Jung et al. | May 2010 | B2 |
7739401 | Goyal | Jun 2010 | B2 |
7908662 | Richardson | Mar 2011 | B2 |
20010034712 | Colvin | Oct 2001 | A1 |
20010044782 | Hughes et al. | Nov 2001 | A1 |
20020019814 | Ganesan | Feb 2002 | A1 |
20020082997 | Kobata et al. | Jun 2002 | A1 |
20020161718 | Coley et al. | Oct 2002 | A1 |
20030033541 | Edmark et al. | Feb 2003 | A1 |
20030065918 | Willey | Apr 2003 | A1 |
20030172035 | Cronce et al. | Sep 2003 | A1 |
20030204726 | Kefford et al. | Oct 2003 | A1 |
20030217263 | Sakai | Nov 2003 | A1 |
20040024860 | Sato et al. | Feb 2004 | A1 |
20040030912 | Merkle et al. | Feb 2004 | A1 |
20040059929 | Rodgers et al. | Mar 2004 | A1 |
20040143746 | Ligeti et al. | Jul 2004 | A1 |
20040172558 | Callahan et al. | Sep 2004 | A1 |
20040187018 | Owen et al. | Sep 2004 | A1 |
20040196162 | Brooke | Oct 2004 | A1 |
20040215661 | Zhang et al. | Oct 2004 | A1 |
20050010786 | Michener et al. | Jan 2005 | A1 |
20050050531 | Lee | Mar 2005 | A1 |
20050097204 | Horowitz et al. | May 2005 | A1 |
20050108173 | Stefik et al. | May 2005 | A1 |
20050138155 | Lewis | Jun 2005 | A1 |
20050172280 | Ziegler et al. | Aug 2005 | A1 |
20050264431 | Bachelder | Dec 2005 | A1 |
20060026442 | Ittogi | Feb 2006 | A1 |
20060072444 | Engel et al. | Apr 2006 | A1 |
20060095454 | Shankar et al. | May 2006 | A1 |
20060130135 | Krstulich et al. | Jun 2006 | A1 |
20060161914 | Morrison et al. | Jul 2006 | A1 |
20060230317 | Anderson | Oct 2006 | A1 |
20060233361 | Hasegawa et al. | Oct 2006 | A1 |
20060265337 | Wesinger, Jr. | Nov 2006 | A1 |
20060265758 | Khandelwai et al. | Nov 2006 | A1 |
20060282511 | Takano et al. | Dec 2006 | A1 |
20070136726 | Freeland et al. | Jun 2007 | A1 |
20070168288 | Bozeman | Jul 2007 | A1 |
20070198422 | Prahlad et al. | Aug 2007 | A1 |
20070203846 | Kavuri et al. | Aug 2007 | A1 |
20070219917 | Liu et al. | Sep 2007 | A1 |
20070253549 | Celikkan et al. | Nov 2007 | A1 |
20070255947 | Choudhury et al. | Nov 2007 | A1 |
20070282615 | Hamilton et al. | Dec 2007 | A1 |
20080065552 | Elazar et al. | Mar 2008 | A1 |
20080074289 | Sauder et al. | Mar 2008 | A1 |
20080082813 | Chow et al. | Apr 2008 | A1 |
20080086423 | Waites | Apr 2008 | A1 |
20080147556 | Smith et al. | Jun 2008 | A1 |
20080183622 | Dixon et al. | Jul 2008 | A1 |
20080228578 | Mashinsky | Sep 2008 | A1 |
20080320607 | Richardson | Dec 2008 | A1 |
20090051568 | Corry et al. | Feb 2009 | A1 |
20090083730 | Richardson | Mar 2009 | A1 |
20090138975 | Richardson | May 2009 | A1 |
Number | Date | Country |
---|---|---|
678985 | Jun 1997 | AU |
1 637 958 | Mar 2006 | EP |
1 637 961 | Mar 2006 | EP |
1 670 188 | Jun 2006 | EP |
1 912 413 | Apr 2008 | EP |
9220022 | Nov 1992 | WO |
9301550 | Jan 1993 | WO |
9535533 | Dec 1995 | WO |
9535533 | Dec 1995 | WO |
WO 9535533 | Dec 1995 | WO |
0067095 | Nov 2000 | WO |
WO 2004086672 | Oct 2004 | WO |
WO 2005094544 | Oct 2005 | WO |
2005104686 | Nov 2005 | WO |
WO 2006138393 | Dec 2006 | WO |
2007060516 | May 2007 | WO |
WO 2007022134 | Jul 2007 | WO |
WO 2008013504 | Jan 2008 | WO |
WO 2008118074 | Oct 2008 | WO |
2008157639 | Dec 2008 | WO |
2009039504 | Mar 2009 | WO |
2009065135 | May 2009 | WO |
Entry |
---|
“Canon User Manual—Nikon Coolpix S52/S52c,” Apr. 21, 2008, entire manual. |
Jensen et al., “Assigning and Enforcing Security Policies on Handheld Devices,” 2002, 8 pages. |
International Search Report and Written Opinion for corresponding International Application No. PCT/US2008/085730 dated May 18, 2009, total 15 pages. |
Wikipedia: “Software Extension,” May 28, 2009, Internet Article retrieved on Oct. 11, 2010. XP002604710. |
Williams, R., “A Painless Guide to CRC Error Detection Algorithms,” Aug. 13, 1993, 33 pages, www.ross.net/crc/download/crc—v3.txt. |
Williams et al., “Web Database Applications with PHP & MySQL,” O'Reilly Media Chapter 1. Database Applications and the Web Mar. 2002, Internet Article retrieved on Sep. 21, 2010. XP002603488. |
Angha et al.; Securing Transportation Network Infrastructure with Patented Technology of Device Locking—Developed by Uniloc USA; http://www.dksassociates.com/admin/paperfile/ITS%20World%20Paper%20Submission—Uniloc%20—2—.pdf; Oct. 24, 2006. |
Econolite; Econolite and Uniloc Partner to Bring Unmatched Infrastructure Security to Advanced Traffic Control Networks with Launch of StrongPoint; http://www.econolite.com/docs/press/20080304—Econolite—StrongPoint.pdf; Mar. 4, 2008. |
Number | Date | Country | |
---|---|---|---|
20090150674 A1 | Jun 2009 | US |
Number | Date | Country | |
---|---|---|---|
60992704 | Dec 2007 | US | |
61055129 | May 2008 | US |