WO2001082035A2 - Method and apparatus verifying parts and parts lists in an assembly - Google Patents
- Publication number: WO2001082035A2 (PCT/US2001/012942)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- cryptographic
- components
- keys
- cryptographic key
- assembly
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K17/00—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
- G06K17/0022—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device
- G06K17/0029—Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device the arrangement being specially adapted for wireless interrogation of grouped or bundled articles tagged with wireless record carriers
- B—PERFORMING OPERATIONS; TRANSPORTING
- B62—LAND VEHICLES FOR TRAVELLING OTHERWISE THAN ON RAILS
- B62D—MOTOR VEHICLES; TRAILERS
- B62D65/00—Designing, manufacturing, e.g. assembling, facilitating disassembly, or structurally modifying motor vehicles or trailers, not otherwise provided for
Definitions
- the present invention relates to methods and apparatus for verifying parts and parts lists in an assembly and more particularly to the identification of parts in the assembly via the use of cryptographic techniques.
- Modern day assemblies such as automobiles, airplanes, space vehicles and power plants contain numerous expensive and/or critical components. During the useful lifetime of the assembly it is normal for repairs and replacements of some components to be made. In many assemblies the quality of a replacement component may be essential to the proper operation or fit of the assembly or the resale value of the assembly. For example, reports of the replacement of Original Equipment Manufacturer (OEM) parts in automobiles with cheap and inferior substitute components from stolen or used vehicles have been published. Additionally, car owners who do their own repairs may substitute parts considered by the manufacturer to be unauthorized or unapproved parts for use in a vehicle due to concerns over the quality of the components and related concerns pertaining to operation, safety or vehicle appearance. In some circumstances, such substitutions may affect the warranty obligations of the manufacturer. Similar types of substitutions may be made in numerous types of assemblies including but not limited to computers, home appliances, industrial equipment and electronic equipment.
- a method and system for verifying that a plurality of component parts of an assembly comprise components approved for use in said assembly.
- an integrated circuit that is subject to cryptographic verification and herein referred to as a cryptographic authentication module (CAM) is embedded within or securely affixed to at least some of the component parts of the assembly.
- the CAM is capable of securely holding a private or secret cryptographic key and of proving possession of that key to a cooperative verification controller which may be communicably coupled to the respective CAMs via one or more hard-wired communication links or via wireless communication links.
- the CAM may be packaged and/or secured to the respective component parts in a tamper resistant manner so that the CAMs are disabled if dislodged from the part to which the respective CAM was affixed.
- the respective CAM may erase its private or secret key, as applicable, upon the detection that the device is being dislodged from the part to which it was mounted, upon the detection of stress, or in response to other predetermined conditions.
- each CAM retains a private key of a public/private key pair.
- the verification controller stores in a memory a manifest that contains the public keys corresponding to the respective private keys held by the approved components of the assembly.
- the CAMs from time to time transmit a message to the verification controller proving possession of their respective private key by signing a message with their respective key or alternatively, transmit such messages in response to requests issued by the verification controller.
- the verification controller attempts to verify the identity of the respective CAMs using the public keys maintained in the manifest. If, for each public key stored within the manifest, a message is received which is signed with the corresponding private key, such is indicative of the fact that all components within the assembly comprise approved components and an indication of such event may be provided.
- the manifest may be stored in the verification controller upon manufacture of the assembly and the controller and updated via the use of a manifest server.
- the verification controller may comprise a portable device and the manifest may be downloaded from the manifest server to the verification controller to permit a single verification controller to be used to verify components of a number of assemblies.
- the manifest server may be administered by a trusted party, such as the manufacturer of the assembly.
- the trusted party may maintain, as a manifest, the valid public keys associated with each of the relevant component parts in the assembly and, in response to a request, generate a certificate that includes the public keys associated with the relevant components of the assembly.
- This certificate may be signed by the trusted party and time-stamped to permit the verification controller to verify that a received manifest is the appropriate manifest to be used.
- information pertaining to the respective part may be included within the manifest.
- Fig. 1 is a pictorial exploded view of an assembly of automotive components having cryptographic authentication modules affixed to selected components and a verification controller operative in a manner consistent with the present invention;
- Fig. 2 is a block diagram of a cryptographic authentication module (CAM) of the type depicted in Fig. 1;
- Fig. 3 is a block diagram of the verification controller (VC) of Fig. 1;
- Fig. 4 is a block diagram of the manifest server of Fig. 1;
- Fig. 5 is a diagram illustrating a manifest data structure for use in the system depicted in Fig. 1;
- Fig. 6 is a block diagram illustrating a verification controller coupled to a plurality of CAMs and a manifest server via a local area network and a wide area network respectively;
- Fig. 7 is a flow diagram illustrating a method of operation of a component verification system in a manner consistent with the present invention;
- Fig. 8 is a flow diagram illustrating a method for updating a manifest in the event a component is replaced with an approved replacement component.
- a method and system for verifying that a plurality of component parts comprise approved parts for use within an assembly.
- the component parts of the assembly for which verification is desired each have a cryptographic authentication module (CAM) securely affixed to the respective component.
- the CAMs transmit signed messages that are received by a verification controller.
- the verification controller determines whether the identity of the respective components, as indicated by the signed message, corresponds to an expected identity indicated via an entry in a manifest stored within the verification controller.
- a cryptographic authentication module (CAM) 10 is securely affixed to selected components of the automotive assembly.
- the components to which the CAMs are affixed will vary in different applications. Typically, however, the CAMs are affixed to components of substantial value or components having functions critical to the operation or safe use of the assembly.
- the CAMs which are identified in Fig. 1 as CAMs 10a through 10h, and generally referred to herein as CAMs 10, comprise devices which, in one embodiment, are capable of privately and securely holding at least one key of a cryptographic key pair.
- the system is illustrated as using cryptographic key pairs that comprise public/private key pairs, although it should be appreciated that either asymmetric or symmetric keys may be employed.
- the illustrated CAMs 10 are capable of storing a private key of a public/private key pair and of transmitting a message signed by the CAM using the respective private key held by the respective CAM.
- the CAMs may be embodied in different forms and may include the functionality associated with such devices generally known as smart cards which are commercially available from a number of companies and IBUTTONS which are available from Dallas Semiconductor, 4401 South Beltwood Parkway, Dallas, Texas 75244. The CAMs are discussed in greater detail below.
- the CAMs are securely affixed to the respective components to assure that once a CAM is affixed to the component, it may not be disassociated from that component and attached to another component.
- the technique employed for mounting a particular CAM to a component may vary based upon the nature of the CAM and the component. In typical applications, however, the CAMs may be affixed to the respective components by embedding the CAM within the component, via epoxy or any other suitable glue or adhesive, or by use of a mechanical fastening technique.
- CAM 10a is affixed to the rear bumper 11a
- CAM 10b is affixed to a rear fender 11b
- CAM 10c is affixed to a rear wheel 11c
- CAM 10d is affixed to a rear door 11d
- CAM 10e is affixed to a front door 11e
- CAM 10f is affixed to a front fender 11f
- CAM 10g is affixed to a front wheel 11g
- CAM 10h is affixed to a front bumper 11h.
- the CAMs 10 are capable of communicating with a verification controller 12 over respective communication links.
- the communication links between the CAMs 10 and the verification controller 12 may comprise hardwired links, a network, such as a local area network, or wireless communication links.
- the verification controller 12 may be constructed as a part of the assembly or alternatively, may be a mobile unit or separable from the assembly. Different embodiments of the verification controller 12 are discussed subsequently.
- the verification controller 12 maintains a manifest that, in a preferred embodiment, includes public keys associated with private keys held by CAMs 10 affixed to the respective components of the relevant assembly. In the situation in which the verification controller 12 is constructed as a part of the assembly, the manifest may be stored within the verification controller 12 at the time
- the manifest may be transmitted or delivered to the verification controller 12 from a manifest server 14 over a network or a suitable communication link at the time of assembly, or thereafter, provided that a manifest server public key is accessible to the verification controller 12 to allow for authentication of the manifest.
- the manufacturer of the assembly affixes the respective CAMs to the components
- the manufacturer of the assembly may generate the public/private key pairs and store the public keys in the manifest.
- such other party or parties may maintain one or more source servers 15, which communicate to the manifest server 14 an identification of a particular component along with the public key associated with the CAM securely affixed to that component.
- a cryptographic authentication module (CAM) 10 that is securely affixed to a component is depicted in Fig. 2.
- the CAM 10 includes a processor 16 that is coupled to a memory 20 and an arithmetic accelerator 18. While the processor 16 and arithmetic accelerator 18 are depicted as separate blocks in Fig. 2 it should be appreciated that the processor 16 may include the functions of the arithmetic accelerator 18 as an integral part of the processor 16. At least a portion of the memory 20 is non-volatile and stores the private key of the public/private key pair for the respective CAM 10.
- the processor 16 is also coupled to a communication interface 22 that is appropriate for the particular type of communication link being employed between the CAM 10 and the verification controller 12.
- the communication interface 22 includes the data link and MAC interface logic for an Ethernet link.
- the communication interface 22 in addition to the necessary protocol support, includes an RF receiver and transmitter. It should be noted that any suitable communication link may be employed, including but not limited to a hard-wired link, an RF link or an infrared link.
- the CAMs 10 may have different levels of security but are typically designed so as to erase the private key held in the memory of the respective CAM in the event that tampering with the CAM is detected. For example, the private key stored within the CAM may be erased from the
- each CAM 10 securely stores the private key of its respective public/private key pair and the public key is stored in the manifest as is subsequently described in greater detail.
- the private key may be provided to the CAMs 10 as input from a secure private key source, with the corresponding public key stored within the manifest.
- alternatively, the CAMs 10 generate a public/private key pair, securely store the respective private key within the CAM 10 in a manner that precludes access to the private key, and provide access to the respective public key of the public/private key pair.
- a block diagram of an illustrative verification controller 12 operative in a manner consistent with the present invention is depicted in Fig. 3.
- the verification controller 12 may comprise a computer, a personal digital assistant (PDA), an intelligent network appliance, a controller, or any other device capable of receiving messages from the CAMs 10 and, in some embodiments, transmitting messages to the CAMs as herein described.
- the verification controller 12 includes a processor 12a and a communication interface 12d for receiving messages from the CAMs and optionally transmitting messages to the CAMS.
- the processor 12a is operative to execute a software program out of instruction/data memory 12b and the verification controller, optionally, may include secondary storage 12c.
- the memory 12b which may comprise RAM, ROM or a combination of both, stores an operating system 12e and application code 12f which is operative to perform the presently described verification functions.
- the application code 12f includes messaging software for receiving the messages from the CAMs 10 and optionally transmitting requests to the CAMs 10.
- the manifest server 14 may comprise a computer, a personal digital assistant (PDA), an intelligent network appliance, a controller, or any other device capable of generating manifests of the type herein described and communicating such manifests to a verification controller 12.
- the manifest server 14 includes a processor 14a and a communication interface 14d.
- the communication interface 14d in a preferred embodiment, is coupled to a network to allow the manifest server 14 to forward manifests to verification controllers 12, to receive certificates from source servers 15 (See Fig.
- the processor 14a is operative to execute a software program out of instruction/data memory 14b.
- the manifest server 14 may optionally include secondary storage 14c.
- the memory 14b which may comprise RAM, ROM or a combination of both, stores an operating system 14e and application code 14f that is operative to perform the functions attributed to the manifest server 14.
- the application code 14f includes messaging software for receiving the messages from source servers 15 and authorized repair agents (not shown) and for generating and forwarding manifests as well as updated manifests.
- a manufacturer is assembling an automobile.
- Selected components have CAMs 10 securely affixed to the respective components and a public/private key pair is generated either by or for the respective CAMs 10.
- Each CAM 10 stores a private key that is employed by the respective CAM to sign messages that are forwarded by that CAM.
- the private key may be generated within the CAM as one key of a public/private key pair generated by the respective CAM or alternatively, the public/private key pair may be generated external to the CAM and the private key may be stored within the CAM.
- the public keys are collected and stored within a manifest as illustrated in Fig. 5. More particularly, referring to Fig.
- the manifest includes a public key associated with a private key held in a CAM for each component illustrated in Fig. 1.
- the manifest is preferably cryptographically authenticated such as via a digital signature.
- the minimal manifest includes the public keys associated with the respective CAMs.
- the manifest may contain additional information such as the Vehicle Identification Number (VIN) of the vehicle, the name of the manufacturer of the component (Issuer), an identification of the part (Part No.), a serial number for the part, a manufacturing lot number for the part, the manufacturing location, the manufacturing date and any other information relevant to the part that may be useful during the useful life of the component.
- VIN: Vehicle Identification Number of the vehicle
- Issuer: the name of the manufacturer of the component
- Part No.: an identification of the part
- serial number for the part
- manufacturing lot number for the part
- manufacturing location, manufacturing date and any other information relevant to the part that may be useful during the useful life of the component.
- the information may be provided to the manufacturer of the automobile by the subcontractor in the form of a certificate issued by the respective subcontractor.
- the information provided to the automobile manufacturer from the subcontractor is in the form of a certificate signed by the subcontractor.
- the certificates from the subcontractors, or possibly from the manufacturers' remote manufacturing sites are communicated from source servers 15a - 15n to the manifest server 14 via a network 22 as depicted in Fig. 6.
- the network 22 may comprise a local area network, a wide area network, a wireless network, the Internet or any other network for communicably coupling the source servers 15 to the manifest server 14 and for communicably coupling the manifest server 14 to the verification controller(s) 12.
- the manifest server 14 assembles the manifest and transmits the completed manifest to the verification controller 12.
- the communication link between the manifest server 14 and the verification controller 12 is illustrated as a network 22; however, the communication link between the manifest server 14 and the verification controller may comprise a hard wired link such as a serial or parallel link, an infrared link, or any other communications link suitable for forwarding the manifest to the verification controller 12.
- in order for the verification controller 12 to verify the authenticity of manifests forwarded to it by the manifest server 14, the verification controller 12 is provided with the public key of the manifest server 14.
- the public key of the manifest server 14 may be loaded into the verification controller 12 upon manufacture or initialization of the verification controller 12 or otherwise made available to the verification controller 12 via a secure communications link.
- the verification controller 12 may determine whether all of the components that correspond to components associated with the public keys within the manifest are present within the vehicle. This determination may be made in response to a request initiated by a verification controller 12 user or alternatively, may be performed from time to time or periodically.
- the verification controller 12 engages in a challenge response dialog with each of the CAMs. More specifically, the verification controller may transmit random information or a time stamped message to each of the CAMs 10. In response to receipt of the message from the verification controller 12, each CAM transmits a response message to the verification controller 12 that is cryptographically authenticated by the respective CAM.
- the cryptographic authentication may comprise a digital signature that is generated using the private key of the respective CAM. In the example in which the authentication is via a digital signature that is generated using the CAM private key, for each received message, the verification controller 12 attempts to verify that the message received from the respective CAM was signed with a private key having a corresponding public key contained within the manifest.
- the verification controller 12 attempts to verify the signature of the respective CAM using each of the public keys within the manifest until the proper public key is identified, or alternatively, it is determined that the signed message received from a CAM 10 by the verification controller 12 cannot be verified using any of the public keys within the manifest. If the verification controller verifies all of the signed messages, an indication of such event may be provided to a user. In the event one of the received messages includes a digital signature that cannot be verified using the public keys contained within the manifest or, in the event a digital signature is not received that corresponds to one of the public keys within the manifest, an indication of this circumstance may be provided and an identification of the part may be output via a display such as warning indicator 24 (See Fig. 6). Alternatively, such information may be output audibly or via a link to an external readout device that is linked to the verification controller 12.
- the verification controller 12 may, upon verification of one of the digitally signed messages, check the time stamp to assure that it corresponds to the time stamp within the challenge response dialog that resulted in the forwarding of the respective message and additionally, to assure that the time stamp corresponds to the transmitted time stamp within a specified time interval. Such a check will avoid the possibility that the verification controller would indicate the presence of a component as a result of the malicious replay of a message previously transmitted by a CAM.
- a pseudo random number or any other secret value may be included within the request issued by the verification controller 12.
- the processing time associated with the trial and error approach of attempting to verify a received message with each public key in the manifest until the message is successfully verified or the attempt to verify the message with all public keys has proved unsuccessful may be shortened by including a part number both in the manifest and in the return message from the CAM.
- the verification controller 12 may then attempt to verify each message with only the public key or keys in the manifest associated with the same part number that was conveyed to the verification controller 12 in the signed message from the respective CAM 10. For example, there may be five public keys in the manifest associated with wheels (four wheels mounted on the automobile and one spare). All of these components may have the same part number but will be associated with different public/private key pairs.
- the CAMs 10 transmit messages to the verification controller 12 in response to requests received from the verification controller 12.
- the CAMs 10 can transmit messages to the verification controller 12 periodically or in response to predetermined events.
- a CAM 10 may periodically transmit the date and time of day digitally signed by the respective CAM. Assuming that the CAMs and the verification controller 12 have relatively closely synchronized clocks, the verification controller 12 will receive the signed message containing the date and time of day close to the time the message was generated. The verification controller 12 can then verify the signature using one of the public keys in the manifest. In this manner, the CAMs need not respond to a request issued by the verification controller 12 to initiate their respective transmissions.
- a manifest containing at least the public keys associated with a plurality of components within an assembly is stored on the verification controller 12 as illustrated in step 100.
- the verification controller 12 sends a request to the CAMs to prove their respective identities. Since the CAMs are securely affixed to specific components of the assembly, if one or more of the components either has a non-functioning CAM, no CAM, or a CAM that possesses the wrong private key, the CAM (if any) associated with the respective component will be unable to respond to the request issued by the verification controller in a manner that will verify the component expected to be present in the assembly.
- the verification controller 12 receives the signed responses from the CAMs 10 as illustrated in step 104.
- the verification controller 12 attempts to verify the identity of the respective CAMs affixed to the components via use of the public keys within the manifest stored in the verification controller 12.
- at inquiry step 108, inquiry is made whether any messages were received from a CAM 10 that could not be verified using a public key within the manifest.
- if so, an indication of the same is provided via a readout, warning indication, control signal or other suitable output indicative of the verification failure as shown in step 112.
- otherwise, control passes to inquiry step 110.
- if the manifest contains public keys that correspond to a private key that was not used in the signing of one of the received CAM messages, such is indicative that the CAM associated with the component is not responding for any one of a number of reasons.
- the CAM may have been tampered with and ceased to function.
- the component may have been replaced with another component that includes a CAM, but the component was not registered with the manifest server, as subsequently described, and accordingly, is not reflected in the manifest.
- the component may have been replaced with an unapproved component that does not possess the CAM functionality.
- the manifest is initially stored on the verification controller and, additionally, may be stored at the request of a user.
- the manifest may be updated from time to time to account for authorized replacements of components of the assembly. More specifically, referring to the flow diagram of Fig. 8, when a component within the assembly needs to be replaced, such replacement is performed by an authorized agent using approved components.
- the replacement component having a new CAM securely affixed thereto is substituted within the assembly for the old component as depicted in step 200.
- the repair center that replaced the component transmits a certificate to the manifest server that identifies the component that was replaced, the vehicle VIN Number (or assembly identification, as applicable) along with the public key associated with the CAM affixed to the substituted component. Additionally, other information pertaining to the substituted component may be included within the certificate as outlined above with respect to Fig. 5.
- the certificate forwarded to the manifest server 14 from the repair center is preferably signed by the repair center.
- the manifest server 14 verifies the signature of the repair center using the repair center public key.
- the manifest server 14 updates the manifest to reflect the public key associated with the replacement part.
- the manifest may maintain information on the old components that were removed from the assembly for historical purposes; however, the public key associated with the substituted component is used for verification purposes in place of the public key associated with the component that was removed from the assembly.
- the updated manifest is communicated to the verification controller 12 and is signed by a trusted party, such as the vehicle manufacturer.
- the updated manifest is signed using the private key of a public/private key pair held by the manifest server.
- the verification controller 12 verifies the authenticity of the updated manifest using the public key of the manifest server 14 public/private key pair.
- the verification controller 12 then utilizes the updated manifest for verification of the components of the assembly as described in connection with Fig. 7 hereinabove.
- the verification controller 12 may comprise a unit integral with the assembly, such as the automobile, or may be a mobile unit that may be communicably coupled to the CAMs via a connector or via an RF or other communications link.
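The Fig. 7 dialog and the manifest authentication described with Fig. 8, as an added example that is not part of the patent: a Go simulation in which the controller verifies the manifest with the manifest server's public key, challenges each CAM with a random value plus a time stamp, narrows the key search by the part number the CAM reports, and returns both the responses no manifest key verifies (step 108) and the manifest keys left without a response (step 110). Ed25519 is chosen here because the patent names no algorithm; all type and function names, the field layout and the NUL-separated manifest encoding are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

type (
	ManifestEntry struct { // one Fig. 5 row: part number and the public key of the part's CAM
		PartNo string
		PubKey ed25519.PublicKey
	}
	Manifest struct { // held by the controller; Sig is the manifest server's signature over it
		VIN     string
		Entries []ManifestEntry
		Sig     []byte
	}
	Challenge struct { // controller request: random bytes plus a Unix time stamp
		Nonce [16]byte
		Time  int64
	}
	Response struct { // CAM answer: its part number (narrows the key search) and a signature
		PartNo string
		Sig    []byte
	}
	CAM struct { // stands in for a module keeping its private key in protected memory
		PartNo string
		priv   ed25519.PrivateKey
	}
)

// Manifest server key pair (assumed); the controller is provisioned with ServerPub at manufacture.
var ServerPub, serverPriv, _ = ed25519.GenerateKey(rand.Reader)

// NewCAM generates the pair inside the "module" and hands out only the public key.
func NewCAM(partNo string) (*CAM, ManifestEntry) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return &CAM{PartNo: partNo, priv: priv}, ManifestEntry{PartNo: partNo, PubKey: pub}
}

// encodeManifest is the byte string the manifest server signs (NUL-separated fields, assumed).
func encodeManifest(m Manifest) []byte {
	b := []byte(m.VIN)
	for _, e := range m.Entries {
		b = append(append(b, 0), e.PartNo...)
		b = append(append(b, 0), e.PubKey...)
	}
	return b
}

// SignManifest is the manifest server's step; VerifyManifest is the controller's check.
func SignManifest(m *Manifest) { m.Sig = ed25519.Sign(serverPriv, encodeManifest(*m)) }
func VerifyManifest(m Manifest) bool { return ed25519.Verify(ServerPub, encodeManifest(m), m.Sig) }

func NewChallenge(now time.Time) Challenge { // random value plus time stamp for the request
	c := Challenge{Time: now.Unix()}
	rand.Read(c.Nonce[:])
	return c
}

// signedPayload is what a CAM signs: nonce || time stamp || part number.
func signedPayload(c Challenge, partNo string) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Time))
	return append(append(append([]byte{}, c.Nonce[:]...), ts[:]...), partNo...)
}

func (cam *CAM) Respond(c Challenge) Response {
	return Response{PartNo: cam.PartNo, Sig: ed25519.Sign(cam.priv, signedPayload(c, cam.PartNo))}
}

// VerifyAssembly is the controller side of Fig. 7: the time-stamp window rejects stale dialogs,
// the nonce under the signature defeats replay, and keys are tried only for the reported part number.
func VerifyAssembly(m Manifest, c Challenge, now time.Time, window time.Duration, resps []Response) (unverified []Response, missing []ManifestEntry, err error) {
	if age := now.Sub(time.Unix(c.Time, 0)); age < 0 || age > window {
		return nil, nil, fmt.Errorf("challenge time stamp outside the accepted interval")
	}
	seen := make([]bool, len(m.Entries))
	for _, r := range resps {
		matched := false
		for i, e := range m.Entries {
			if !seen[i] && e.PartNo == r.PartNo && ed25519.Verify(e.PubKey, signedPayload(c, r.PartNo), r.Sig) {
				seen[i], matched = true, true
				break
			}
		}
		if !matched {
			unverified = append(unverified, r) // step 108: no manifest key verifies this message
		}
	}
	for i, e := range m.Entries {
		if !seen[i] {
			missing = append(missing, e) // step 110: approved key with no verified message
		}
	}
	return unverified, missing, nil
}
```

With two wheels sharing a part number, each response is checked only against the wheel keys, and a key already matched is not reused, so a duplicated message from one wheel cannot vouch for the other.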
- the use of a portable verification controller 12 allows law enforcement, or other oversight officials to download manifests for specific vehicles or assemblies and request component verification for the particular vehicle or assembly should there be a concern regarding the components employed within any given vehicle or other assembly.
- while cryptographic authentication of the identity of the CAMs and associated components, verification controller 12, manifest server and other components discussed herein is described in the preferred embodiment using signed messages, cryptographic authentication may be performed using any suitable cryptographic authentication technique including but not limited to a keyed hash, a cryptographic hash incorporated in an encrypted message or any other suitable authentication technique.
- the presently described methods may be implemented in software executing out of a memory on respective CAMs, the verification controller, the manifest server and the source servers.
- the presently described functions may be embodied in whole or in part using hardware components such as Application Specific Integrated Circuits (ASICs), state machines, controllers or other hardware components or devices, or a combination of hardware components and software processes without departing from the inventive concepts herein described.
Abstract
A method and apparatus for verifying the presence of approved components within an assembly. A cryptographic key pair comprising first and second cryptographic keys is generated for each of a selected plurality of components of the assembly and one pair is associated with a cryptographic authentication module (CAM) affixed to each of the selected plurality of components. The CAMs store the respective first cryptographic key. The second cryptographic keys corresponding to each of the first cryptographic keys of the cryptographic key pairs are stored within a manifest within a verification controller. Upon request, or from time to time, each one of the CAMs transmits a message to the verification controller that is cryptographically authenticated with the first cryptographic key of the respective module. The verification controller uses the second cryptographic keys to attempt to verify the identity of the CAMs. If the verification controller is able to verify a message using each of the second cryptographic keys stored within the manifest, such is indicative of the presence of the selected plurality of components of the assembly. If the verification controller is not able to verify a message using one of the second cryptographic keys stored within the manifest, such indicates that one of the approved components has been replaced with a component that either does not possess a CAM or alternatively, has been replaced with a CAM that has a cryptographic key pair, however, the second cryptographic key of such key pair has not been registered within the manifest.
Description
TITLE OF THE INVENTION
Method and Apparatus Verifying Parts and Parts Lists in an Assembly
CROSS REFERENCE TO RELATED APPLICATIONS
N/A
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
N/A
BACKGROUND OF THE INVENTION
The present invention relates to methods and apparatus for verifying parts and parts lists in an assembly and more particularly to the identification of parts in the assembly via the use of cryptographic techniques.
Modern day assemblies such as automobiles, airplanes, space vehicles and power plants contain numerous expensive and/or critical components. During the useful lifetime of the assembly it is normal for repairs and replacements of some components to be made. In many assemblies the quality of a replacement component may be essential to the proper operation or fit of the assembly or the resale value of the assembly. For example, reports of the replacement of Original Equipment Manufacturer (OEM) parts in automobiles with cheap and inferior substitute components from stolen or used vehicles have been published. Additionally, car owners who do their own repairs may substitute parts considered by the manufacturer to be unauthorized or unapproved parts for use in a vehicle due to concerns over the quality of the components and related concerns pertaining to operation, safety or vehicle appearance. In some circumstances, such substitutions may affect the warranty obligations of the manufacturer. Similar types of substitutions may be made in numerous types of assemblies including but not limited to computers, home appliances, industrial equipment and electronic equipment.
It is currently very difficult to detect the presence of unauthorized components within an assembly. It would therefore be desirable to be able to identify substituted components within an assembly that are not approved for use in the assembly by the manufacturer or some other organization having oversight responsibility for determining whether components constitute approved replacement components.
BRIEF SUMMARY OF THE INVENTION
A method and system is disclosed for verifying that a plurality of component parts of an assembly comprise components approved for use in said assembly. Consistent with the present invention, an integrated circuit that is subject to cryptographic verification and herein referred to as a cryptographic authentication module (CAM) is embedded within or securely affixed to at least some of the component parts of the assembly. The CAM is capable of securely holding a private or secret cryptographic key and of proving possession of that key to a cooperative verification controller which may be communicably coupled to the respective CAMs via one or more hard-wired communication links or via wireless communication links. The CAM may be packaged and/or secured to the respective component parts in a tamper resistant manner so that the CAMs are disabled if dislodged from the part to which the respective CAM was affixed. Alternatively, the respective CAM may erase its private or secret key, as applicable, upon the detection that the device is being dislodged from the part to which it was mounted, upon the detection of stress, or in response to other predetermined conditions.
In a first embodiment each CAM retains a private key of a public/private key pair. The verification controller stores in a memory a manifest that contains the public keys corresponding to the respective private keys held by the approved components of the assembly. The CAMs from time to time transmit a message to the verification controller proving possession of their respective private key by signing a message with their respective key or alternatively, transmit such messages in response to requests issued by the verification controller. The verification controller attempts to verify the identity of the respective CAMs using the public keys maintained in the manifest. If, for each public key stored within the manifest, a message is received which is signed with the corresponding private key, such is indicative of the fact that all components within the assembly comprise approved components and an indication of such event may be provided.
In the event that no message is received that is signed with a private key that corresponds to one or more of the public keys within the manifest, such is indicative of the presence of unauthorized components within the assembly or the absence of authorized components, and an indication of such occurrence may be provided.
The manifest may be stored in the verification controller upon manufacture of the assembly and the controller and updated via the use of a manifest server.
Moreover, the verification controller may comprise a portable device and the manifest may be downloaded from the manifest server to the verification controller to permit a single verification controller to be used to verify components of a number of assemblies. The manifest server may be administered by a trusted party, such as the manufacturer of the assembly. The trusted party may maintain as a manifest, the valid public keys associated with each of the relevant component parts in the assembly and, in response to a request, generate a certificate that includes the public keys associated with the relevant components of the assembly. This certificate may be signed by the trusted party and time-stamped to permit the verification controller to verify that a received manifest is the appropriate manifest to be used. Along with each public key, information pertaining to the respective part may be included within the manifest.
Other forms, features and aspects of the above-described method and apparatus for verifying components of an assembly are described with particularity below.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING
The invention will be more fully understood by reference to the following Detailed Description of the Invention in conjunction with the Drawing of which:
Fig. 1 is a pictorial exploded view of an assembly of automotive components having cryptographic authentication modules affixed to selected components and a verification controller operative in a manner consistent with the present invention;
Fig. 2 is a block diagram of a cryptographic authentication module (CAM) of the type depicted in Fig. 1;
Fig. 3 is a block diagram of the verification controller (VC) of Fig. 1;
Fig. 4 is a block diagram of the manifest server of Fig. 1;
Fig. 5 is a diagram illustrating a manifest data structure for use in the system depicted in Fig. 1;
Fig. 6 is a block diagram illustrating a verification controller coupled to a plurality of CAMs and a manifest server via a local area network and a wide area network respectively;
Fig. 7 is a flow diagram illustrating a method of operation of a component verification system in a manner consistent with the present invention; and
Fig. 8 is a flow diagram illustrating a method for updating a manifest in the event a component is replaced with an approved replacement component.
DETAILED DESCRIPTION OF THE INVENTION
Consistent with the present invention, a method and system is disclosed for verifying that a plurality of component parts comprise approved parts for use within an assembly. The component parts of the assembly for which verification is desired each have a cryptographic authentication module (CAM) securely affixed to the respective component. The CAMs transmit signed messages that are received by a verification controller. The verification controller determines whether the identity of the respective components, as indicated by the signed message, corresponds to an expected identity indicated via an entry in a manifest stored within the verification controller.
Referring to Fig. 1, an exemplary assembly is illustrated as including a number of components of an automobile. Only a few components are depicted for ease of illustration. A cryptographic authentication module (CAM) 10 is securely affixed to selected components of the automotive assembly. The components to which the CAMs are affixed will vary in different applications. Typically, however, the CAMs are affixed to components of substantial value or components having functions critical to the operation or safe use of the assembly. The CAMs, which are identified in Fig. 1 as CAMs 10a through 10h, and generally referred to herein as CAMs 10, comprise devices which, in one embodiment, are capable of privately and securely holding at least one key of a cryptographic key pair. In the present embodiment, the system is illustrated as using cryptographic key pairs that comprise public/private key pairs, although it should be appreciated that either asymmetric or symmetric keys may be employed. The illustrated CAMs 10 are capable of storing a private key of a public/private key pair and of transmitting a message signed by the CAM using the respective private key held by the respective CAM. The CAMs may be embodied in different forms and may include the functionality associated with such devices generally known as smart cards which are commercially available from a number of companies and IBUTTONS which are available from Dallas Semiconductor, 4401 South Beltwood Parkway, Dallas, Texas 75244. The CAMs are discussed in greater detail below. The CAMs are securely affixed to the respective components to assure that once a CAM is affixed to the component, it may not be disassociated from that component and attached to another component. The technique employed for mounting a particular CAM to a component may vary based upon the nature of the CAM and the component. In typical applications, however, the CAMs may be affixed to the respective components by embedding the CAM within the component, via epoxy or any other suitable glue or adhesive or use of a mechanical fastening technique. In the illustrated example, CAM 10a is affixed to the rear bumper 11a, CAM 10b is affixed to a rear fender 11b, CAM 10c is affixed to a rear wheel 11c, CAM 10d is affixed to a rear door 11d, CAM 10e is affixed to a front door 11e, CAM 10f is affixed to a front fender 11f, CAM 10g is affixed to a front wheel 11g, and CAM 10h is affixed to a front bumper 11h. The CAMs 10 are capable of communicating with a verification controller 12 over respective communication links. The communication links between the CAMs 10 and the verification controller 12 may comprise hardwired links, a network, such as a local area network, or wireless communication links.
The verification controller 12 may be constructed as a part of the assembly or alternatively, may be a mobile unit or separable from the assembly. Different embodiments of the verification controller 12 are discussed subsequently.
The verification controller 12 maintains a manifest that, in a preferred embodiment, includes public keys associated with private keys held by CAMs 10 affixed to the respective components of the relevant assembly. In the situation in which the verification controller 12 is constructed as a part of the assembly, the manifest may be stored within the verification controller 12 at the time of manufacture. Additionally, the manifest may be transmitted or delivered to the verification controller 12 from a manifest server 14 over a network or a suitable communication link at the time of assembly, or thereafter, provided that a manifest server public key is accessible to the verification controller 12 to allow for authentication of the manifest. In the event the manufacturer of the assembly affixes the respective CAMs to the components, the manufacturer of the assembly may generate the public/private key pairs and store the public keys in the manifest. Alternatively, in the circumstance in which subcontractors or others provide components for inclusion in the assembly, such other party or parties may maintain one or more source servers 15, which communicate to the manifest server 14 an identification of a particular component along with the public key associated with the CAM securely affixed to that component.
An illustrative block diagram of a cryptographic authentication module (CAM) 10 that is securely affixed to a component is depicted in Fig. 2. The CAM 10 includes a processor 16 that is coupled to a memory 20 and an arithmetic accelerator 18. While the processor 16 and arithmetic accelerator 18 are depicted as separate blocks in Fig. 2 it should be appreciated that the processor 16 may include the functions of the arithmetic accelerator 18 as an integral part of the processor 16. At least a portion of the memory 20 is non-volatile and stores the private key of the public/private key pair for the respective CAM 10. The processor 16 is also coupled to a communication interface 22 that is appropriate for the particular type of communication link being employed between the CAM 10 and the verification controller 12. For example, in the event the communication link between the CAMs 10 and the verification controller 12 comprises an Ethernet link, the communication interface 22 includes the data link and MAC interface logic for an Ethernet link. In the event the communication link between the CAMs 10 and the verification controller 12 comprises a wireless RF link, the communication interface 22, in addition to the necessary protocol support, includes an RF receiver and transmitter. It should be noted that any suitable communication link may be employed, including but not limited to a hard-wired link, an RF link or an infrared link.
The CAMs 10 may have different levels of security but are typically designed so as to erase the private key held in the memory of the respective CAM in the event that tampering with the CAM is detected. For example, the private key stored within the CAM may be erased from the CAM memory 20 in the event of mechanical tampering with the CAM package, upon detection of an ambient temperature above or below predetermined thresholds, upon detection of radiation, upon detection of pressure applied to the CAM housing or attempted removal of a cover, or upon the detection of light in the vicinity of the CAM 10 integrated circuit die. In an embodiment of the system employing a public/private key pair for performing authentication functions, each CAM 10 securely stores the private key of its respective public/private key pair and the public key is stored in the manifest as is subsequently described in greater detail. The private key may be provided to the CAM 10 as input from a secure private key source and the corresponding public key stored within the manifest. In another embodiment, the CAMs 10 generate a public/private key pair, securely store the respective private key within the CAM 10 in a manner that precludes access to the private key, and provide access to the respective public key of the public/private key pair.
A block diagram of an illustrative verification controller 12 operative in a manner consistent with the present invention is depicted in Fig. 3. The verification controller 12 may comprise a computer, a personal digital assistant (PDA), an intelligent network appliance, a controller, or any other device capable of receiving messages from the CAMs 10, and in some embodiments transmitting messages to the CAMs as herein described. As depicted in Fig. 3, the verification controller 12 includes a processor 12a and a communication interface 12d for receiving messages from the CAMs and optionally transmitting messages to the CAMs. The processor 12a is operative to execute a software program out of instruction/data memory 12b and the verification controller, optionally, may include secondary storage 12c. The memory 12b, which may comprise RAM, ROM or a combination of both, stores an operating system 12e and application code 12f which is operative to perform the presently described verification functions. The application code 12f includes messaging software for receiving the messages from the CAMs 10 and optionally transmitting requests to the CAMs 10.
A block diagram of a manifest server operative in a manner consistent with the present invention is depicted in Fig. 4. The manifest server 14 may comprise a computer, a personal digital assistant (PDA), an intelligent network appliance, a controller, or any other device capable of generating manifests of the type herein described and communicating such manifests to a verification controller 12. As depicted in Fig. 4, the manifest server 14 includes a processor 14a and a communication interface 14d. The communication interface 14d, in a preferred embodiment, is coupled to a network to allow the manifest server 14 to forward manifests to verification controllers 12, to receive certificates from source servers 15 (see Fig. 1) containing information to be included in the manifest and to receive messages from authorized repair agents so that manifests can be updated in the event components are replaced by an authorized agent. Additionally, the processor 14a is operative to execute a software program out of instruction/data memory 14b. The manifest server 14 may optionally include secondary storage 14c. The memory 14b, which may comprise RAM, ROM or a combination of both, stores an operating system 14e and application code 14f that is operative to perform the functions attributed to the manifest server 14. The application code 14f includes messaging software for receiving the messages from source servers 15 and authorized repair agents (not shown) and for generating and forwarding manifests as well as updated manifests.
The operation of the presently described system will be further understood by reference to Figs. 1 and 5 - 7. Assume that a manufacturer is assembling an automobile. Selected components have CAMs 10 securely affixed to the respective components and a public/private key pair is generated either by or for the respective CAMs 10. Each CAM 10 stores a private key that is employed by the respective CAM to sign messages that are forwarded by that CAM. The private key may be generated within the CAM as one key of a public/private key pair generated by the respective CAM or alternatively, the public/private key pair may be generated external to the CAM and the private key may be stored within the CAM. The public keys are collected and stored within a manifest as illustrated in Fig. 5. More particularly, referring to Fig. 5, the manifest includes a public key associated with a private key held in a CAM for each component illustrated in Fig. 1. The manifest is preferably cryptographically authenticated such as via a digital signature. The minimal manifest includes the public keys associated with the respective CAMs. As illustrated, however, the manifest may contain additional information such as the Vehicle Identification Number (VIN) of the vehicle, the name of the manufacturer of the component (Issuer), an identification of the part (Part No.), a serial number for the part, a manufacturing lot number for the part, the manufacturing location, the manufacturing date and any other information relevant to the part that may be useful during the useful life of the component. Since subcontractors may manufacture some components within the automobile, the information may be provided to the manufacturer of the automobile by the subcontractor in the form of a certificate issued by the respective subcontractor. Preferably, the information provided to the automobile manufacturer from the subcontractor is in the form of a certificate signed by the subcontractor. The certificates from the subcontractors, or possibly from the manufacturers' remote manufacturing sites, are communicated from source servers 15a - 15n to the manifest server 14 via a network 22 as depicted in Fig. 6. The network 22 may comprise a local area network, a wide area network, a wireless network, the Internet or any other network for communicably coupling the source servers 15 to the manifest server 14 and for communicably coupling the manifest server 14 to the verification controller(s) 12. The manifest server 14 assembles the manifest and transmits the completed manifest to the verification controller 12. The communication link between the manifest server 14 and the verification controller 12 is illustrated as a network 22; however, the communication link between the manifest server 14 and the verification controller may comprise a hard-wired link such as a serial or parallel link, an infrared link, or any other communications link suitable for forwarding the manifest to the verification controller 12.
In order for the verification controller 12 to verify the authenticity of manifests forwarded to it by the manifest server 14, the verification controller 12 is provided with the public key of the manifest server 14. The public key of the manifest server 14 may be loaded into the verification controller 12 upon manufacture or initialization of the verification controller 12 or otherwise made available to the verification controller 12 via a secure communications link.
Once the automobile is assembled, the verification controller 12 may determine whether all of the components that correspond to components associated with the public keys within the manifest are present within the vehicle. This determination may be made in response to a request initiated by a verification controller 12 user or alternatively, may be performed from time to time or periodically.
In one embodiment, the verification controller 12 engages in a challenge response dialog with each of the CAMs. More specifically, the verification controller may transmit random information or a time stamped message to each of the CAMs 10. In response to receipt of the message from the verification controller 12, each CAM transmits a response message to the verification controller 12 that is cryptographically authenticated by the respective CAM. The cryptographic authentication may comprise a digital signature that is generated using the private key of the respective CAM. In the example in which the authentication is via a digital signature that is generated using the CAM private key, for each received message, the verification controller 12 attempts to verify that the message received from the respective CAM was signed with a private key having a corresponding public key contained within the manifest. More specifically, the verification controller 12 attempts to verify the signature of the respective CAM using each of the public keys within the manifest until the proper public key is identified, or alternatively, it is determined that the signed message received from a CAM 10 by the verification controller 12 cannot be verified using any of the public keys within the manifest. If the verification controller verifies all of the signed messages, an indication of such event may be provided to a user. In the event one of the received messages includes a digital signature that cannot be verified using the public keys contained within the manifest or, in the event a digital signature is not received that corresponds to one of the public keys within the manifest, an indication of this circumstance may be provided and an identification of the part may be output via a display such as warning indicator 24 (see Fig. 6). Alternatively, such information may be output audibly or via a link to an external readout device that is linked to the verification controller 12.
The verification controller 12 may, upon verification of one of the digitally signed messages, check the time stamp to assure that it corresponds to the time stamp within the challenge response dialog that resulted in the forwarding of the respective message and additionally, to assure that the time stamp corresponds to the transmitted time stamp within a specified time interval. Such a check will avoid the possibility that the verification controller would indicate the presence of a component as a result of the malicious replay of a message previously transmitted by a CAM.
In the challenge response dialog, it should be noted that in addition to or instead of the use of a time stamp, or time and date stamp, a pseudo random number or any other secret value may be included within the request issued by the verification controller 12.
The processing time associated with the trial and error approach of attempting to verify a received message with each public key in the manifest until the message is successfully verified or the attempt to verify the message with all public keys has proved unsuccessful may be shortened by including a part number both in the manifest and in the return message from the CAM. The verification controller 12 may then attempt to verify each message with only the public key or keys in the manifest associated with the same part number that was conveyed to the verification controller 12 in the signed message from the respective CAM 10. For example, there may be five public keys in the manifest associated with wheels (four wheels mounted on the automobile and one spare). All of these components may have the same part number but will be associated with different public/private key pairs.
In a preferred embodiment, the CAMs 10 transmit messages to the verification controller 12 in response to requests received from the verification controller 12. Alternatively, the CAMs 10 can transmit messages to the verification controller 12 periodically or in response to predetermined events. For example, a CAM 10 may periodically transmit the date and time of day digitally signed by the respective CAM. Assuming that the CAMs and the verification controller 12 have relatively closely synchronized clocks, the verification controller 12 will receive the signed message containing the date and time of day close to the time the message was generated. The verification controller 12 can then verify the signature using one of the public keys in the manifest. In this manner, the CAMs need not respond to a request issued by the verification controller 12 to initiate their respective transmissions. The method of operation of the presently disclosed system is further depicted in the flow diagram of Fig. 7. Referring to Fig. 7, a manifest containing at least the public keys associated with a plurality of components within an assembly is stored on the verification controller 12 as illustrated in step 100. As depicted in step 102, the verification controller 12 sends a request to the CAMs to prove their respective identities. Since the CAMs are securely affixed to specific components of the assembly, if one or more of the components either has a non-functioning CAM, no CAM, or a CAM that possesses the wrong private key, the CAM (if any) associated with the respective component will be unable to respond to the request issued by the verification controller in a manner that will verify the component expected to be present in the assembly. The verification controller 12 receives the signed responses from the CAMs 10 as illustrated in step 104. The verification controller 12 attempts to verify the identity of the respective CAMs affixed to the components via use of the public keys within the manifest stored in the verification controller 12. As indicated in inquiry step 108, inquiry is made whether any messages were received from a CAM 10 that could not be verified using a public key within the manifest. In the event messages were received from one or more CAMs 10 which could not be verified using the public keys within the manifest, an indication of the same is provided via a readout, warning indication, control signal or other suitable output indicative of the verification failure as shown in step 112. In the event all CAM messages could be verified via use of the manifest public keys, control passes to inquiry step 110. In inquiry step 110, a determination is made whether there are any public keys within the manifest that are associated with a CAM private key that was not employed in the signing of a CAM message in response to the request issued by the verification controller 12. In the event there are public keys that correspond to a private key that was not used in the signing of one of the received CAM messages, such is indicative that the CAM associated with the component is not responding for any one of a number of reasons. The CAM may have been tampered with and ceased to function. Alternatively, the component may have been replaced with another component that includes a CAM, but the component was not registered with the manifest server, as subsequently described, and accordingly, is not reflected in the manifest. Furthermore, the component may have been replaced with an unapproved component that does not possess the CAM functionality. Should one or more CAMs associated with components fail to respond to the request issued by the verification controller, control passes to step 112 and an indication of the failure of a CAM to respond is presented to the user. Control then passes to step 102. The manifest is initially stored on the verification controller and additionally, at the request of a user.
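The Fig. 7 verification pass written out as an added example, not code from the patent: Ed25519 stands in for the unspecified signature scheme, the challenge is a random nonce plus a timestamp (so a replayed or stale response never verifies), the CAM signs the part number together with the challenge so the controller can narrow the key search as described above, and the two failure classes of steps 108 and 110 are reported separately. The names Entry, Response, Verify, RunScenario and the part numbers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Entry is one Fig. 5 manifest row: part number plus the public key of the CAM on that part.
type Entry struct {
	PartNo string
	Public ed25519.PublicKey
}

// Response is what a CAM returns: its part number and a signature over challenge||partNo.
type Response struct {
	PartNo string
	Sig    []byte
}

// Respond is the CAM side: sign the controller's challenge together with the part number.
func Respond(priv ed25519.PrivateKey, partNo string, challenge []byte) Response {
	return Response{partNo, ed25519.Sign(priv, append(append([]byte{}, challenge...), partNo...))}
}

// NewChallenge is the controller's request: 16 random bytes plus a big-endian Unix timestamp.
func NewChallenge(now time.Time) []byte {
	ch := make([]byte, 24)
	if _, err := rand.Read(ch[:16]); err != nil {
		panic(err)
	}
	binary.BigEndian.PutUint64(ch[16:], uint64(now.Unix()))
	return ch
}

// Result holds the two Fig. 7 failure classes: step 108 (unverifiable responses) and step 110 (unclaimed keys).
type Result struct {
	Unverified []Response
	Missing    []Entry
}

// Verify refuses a malformed or expired challenge, then tries each response only against the
// manifest keys with its part number; a replay signed over an older challenge never verifies.
func Verify(manifest []Entry, ch []byte, now time.Time, maxAge time.Duration, rs []Response) (Result, error) {
	if len(ch) < 24 || now.Sub(time.Unix(int64(binary.BigEndian.Uint64(ch[16:])), 0)) > maxAge {
		return Result{}, errors.New("challenge malformed or expired")
	}
	used := make([]bool, len(manifest)) // each manifest key may be claimed by one response only
	var res Result
	for _, r := range rs {
		msg := append(append([]byte{}, ch...), r.PartNo...)
		matched := false
		for i, e := range manifest {
			if !used[i] && e.PartNo == r.PartNo && ed25519.Verify(e.Public, msg, r.Sig) {
				used[i], matched = true, true
				break
			}
		}
		if !matched {
			res.Unverified = append(res.Unverified, r)
		}
	}
	for i, e := range manifest {
		if !used[i] {
			res.Missing = append(res.Missing, e)
		}
	}
	return res, nil
}

// RunScenario builds a constructed assembly (a bumper and two wheels sharing a part number). With tamper
// set, one wheel carries a CAM whose key was never registered and the other wheel is gone, so one
// response is unverifiable and both wheel keys go unclaimed.
func RunScenario(tamper bool) (Result, error) {
	var manifest []Entry
	var keys []ed25519.PrivateKey // the CAMs' private keys, one per manifest entry
	for _, p := range []string{"BUMPER-R", "WHEEL", "WHEEL"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		manifest = append(manifest, Entry{p, pub})
		keys = append(keys, priv)
	}
	if tamper {
		_, rogue, _ := ed25519.GenerateKey(rand.Reader)
		keys = []ed25519.PrivateKey{keys[0], rogue}
	}
	ch := NewChallenge(time.Now())
	var rs []Response
	for i, k := range keys {
		rs = append(rs, Respond(k, manifest[i].PartNo, ch))
	}
	return Verify(manifest, ch, time.Now(), 30*time.Second, rs)
}

func main() {
	res, err := RunScenario(true)
	fmt.Printf("err=%v unverified=%d missing=%d\n", err, len(res.Unverified), len(res.Missing))
}
```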
The manifest may be updated from time to time to account for authorized replacements of components of the assembly. More specifically, referring to the flow diagram of Fig. 8, when a component within the assembly needs to be replaced, such replacement is performed by an authorized agent using approved components. The replacement component having a new CAM securely affixed thereto is substituted within the assembly for the old component as depicted in step 200. The repair center that replaced the component transmits a certificate to the manifest server that identifies the component that was replaced, the vehicle VIN Number (or assembly identification, as applicable) along with the public key associated with the CAM affixed to the substituted component. Additionally, other information pertaining to the substituted component may be included within the certificate as outlined above with respect to Fig. 5. The certificate forwarded to the manifest server 14 from the repair center is preferably signed by the repair center. Upon receipt of the certificate from the repair center, the manifest server 14 verifies the signature of the repair center using the repair center public key. After verifying the authenticity of the certificate, the manifest server 14 updates the manifest to reflect the public key associated with the replacement part. The manifest may maintain information on the old components that were removed from the assembly for historical purposes; however, the public key associated with the substituted component is used for verification purposes in place of the public key associated with the component that was removed from the assembly. As indicated in step 206, the updated manifest is communicated to the verification controller 12 and is signed by a trusted party, such as the vehicle manufacturer. The updated manifest is signed using the private key of a public/private key pair held by the manifest server. The verification controller 12 verifies the authenticity of the updated manifest using the public key of the manifest server 14 public/private key pair. The verification controller 12 then utilizes the updated manifest for verification of the components of the assembly as described in connection with Fig. 7 hereinabove.
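The Fig. 7 verification loop (challenge, authenticated responses, two failure checks) and the Fig. 8 manifest update (repair-center certificate, manifest server re-signing, controller installation) are shown together below as an added example; it is not code from the patent. To run with only the Python standard library it uses the keyed-hash alternative the description names (HMAC-SHA256 in place of public-key signatures, the symmetric-key variant of claims 13 and 27), so each "second key" is a secret shared by a module and the controller. The `CAM` model, the component identifiers, the VIN string and the domain-separation labels are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()

@dataclass
class CAM:
    """Hypothetical model of a cryptographic authentication module on one component."""
    component_id: bytes
    key: bytes  # secret kept in the module; the controller's manifest holds the same key

    def respond(self, challenge: bytes) -> tuple:
        # The reply binds the controller's fresh value to this component's identity.
        return (self.component_id, challenge,
                mac(self.key, b"cam-response", self.component_id, challenge))

@dataclass
class VerificationResult:
    unverified: list  # responses no manifest key authenticates (step 108 -> 112)
    missing: list     # manifest keys with no authenticated response (step 110 -> 112)

    @property
    def ok(self) -> bool:
        return not self.unverified and not self.missing

def verify_assembly(manifest: dict, responses: list, challenge: bytes) -> VerificationResult:
    """Verification controller: each response must verify under a manifest key and
    each manifest key must be matched by such a response (steps 104 to 112)."""
    answered, unverified = set(), []
    for component_id, echoed, tag in responses:
        key = manifest.get(component_id)
        expected = mac(key, b"cam-response", component_id, challenge) if key else b""
        # Stale replays (wrong challenge), unknown modules and bad tags are all failures.
        if echoed != challenge or not key or not hmac.compare_digest(tag, expected):
            unverified.append(component_id)
            continue
        answered.add(component_id)
    missing = sorted(cid for cid in manifest if cid not in answered)
    return VerificationResult(unverified, missing)

def repair_certificate(repair_key: bytes, vin: bytes, component_id: bytes, new_key: bytes) -> tuple:
    """Repair center: authenticated record of the replacement (Fig. 8, step 200)."""
    body = (vin, component_id, new_key)
    return body, mac(repair_key, b"repair-cert", *body)

def sign_manifest(server_key: bytes, manifest: dict) -> bytes:
    parts = [b for cid in sorted(manifest) for b in (cid, manifest[cid])]
    return mac(server_key, b"manifest", *parts)

def manifest_server_apply(manifest: dict, cert: tuple, repair_key: bytes, server_key: bytes):
    """Manifest server: check the repair center's tag, install the replacement key and
    authenticate the updated manifest. Returns None when the certificate fails."""
    body, tag = cert
    if not hmac.compare_digest(tag, mac(repair_key, b"repair-cert", *body)):
        return None
    _vin, component_id, new_key = body
    updated = dict(manifest)
    updated[component_id] = new_key  # the retired key may be archived for history
    return updated, sign_manifest(server_key, updated)

def controller_install_manifest(server_key: bytes, signed: tuple) -> dict:
    """Verification controller (step 206): accept an update only if the server's tag checks."""
    manifest, tag = signed
    if not hmac.compare_digest(tag, sign_manifest(server_key, manifest)):
        raise ValueError("manifest authentication failed; previous manifest retained")
    return manifest

def demo() -> dict:
    """Constructed scenario: three components; one tampered, one removed, one repaired."""
    vin = b"VIN-EXAMPLE-0001"  # constructed identifier
    cams = {cid: CAM(cid, os.urandom(32)) for cid in (b"airbag", b"ecu", b"engine")}
    manifest = {cid: cam.key for cid, cam in cams.items()}
    repair_key, server_key = os.urandom(32), os.urandom(32)  # shared with the trusted parties
    out, c1 = {}, os.urandom(16)
    out["all_present"] = verify_assembly(manifest, [c.respond(c1) for c in cams.values()], c1)
    # Airbag swapped for a part whose CAM is not in the manifest; ecu removed outright.
    rogue = CAM(b"airbag", os.urandom(32))
    out["tampered"] = verify_assembly(manifest, [cams[b"engine"].respond(c1), rogue.respond(c1)], c1)
    # Authorized repair: the new airbag CAM is registered through the manifest server.
    cams[b"airbag"] = CAM(b"airbag", os.urandom(32))
    cert = repair_certificate(repair_key, vin, b"airbag", cams[b"airbag"].key)
    manifest = controller_install_manifest(server_key, manifest_server_apply(manifest, cert, repair_key, server_key))
    c2 = os.urandom(16)
    out["after_repair"] = verify_assembly(manifest, [c.respond(c2) for c in cams.values()], c2)
    # Responses recorded for c1 and replayed against the fresh challenge c2 are rejected.
    out["replay"] = verify_assembly(manifest, [c.respond(c1) for c in cams.values()], c2)
    # A certificate made without the repair center's key is refused by the manifest server.
    forged = repair_certificate(os.urandom(32), vin, b"ecu", b"\x00" * 32)
    out["forged_cert"] = manifest_server_apply(manifest, forged, repair_key, server_key)
    return out
```

The two failure paths of Fig. 7 are kept separate on purpose: a response that no manifest key authenticates (a swapped-in part with an unregistered module) and a manifest key with no authenticated response (a removed or non-functional module) both lead to step 112 but point at different causes. The fresh per-request challenge is what stops a recorded response from being replayed on a later check. With the keyed-hash variant the controller holds the same secret as each module, so anyone who extracts the controller's manifest could forge module responses; that is the reason the description prefers public/private key pairs, where the manifest holds only public keys.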
The verification controller 12 may comprise a unit integral with the assembly, such as the automobile, or may be a mobile unit that may be communicably coupled to the CAMs via a connector or via an RF or other communications link. The use of a portable verification controller 12 allows law enforcement or other oversight officials to download manifests for specific vehicles or assemblies and request component verification for the particular vehicle or assembly should there be a concern regarding the components employed within any given vehicle or other assembly.
Although cryptographic authentication of the identity of the CAMs and associated components, verification controller 12, manifest server and other components discussed herein is described in the preferred embodiment using signed messages for cryptographic authentication, cryptographic authentication may be performed using any suitable cryptographic authentication technique including but not limited to a keyed hash, a cryptographic hash incorporated in an encrypted message or any other suitable authentication technique.
Those skilled in the art should readily appreciate that computer programs operative to perform the functions herein described can be delivered to the CAMs, the verification controller, the manifest server or the source servers in many forms, including, but not limited to: (a) information permanently stored in a non-writable storage media (e.g. read-only memory devices within a computer such as ROM or CD-ROM disks readable by a computer I/O attachment); (b) information alterably stored on writable storage media (e.g. floppy disks, tapes, read/write optical media and hard drives); or (c) information conveyed to a computer through a communication media, for example, using baseband or broadband signaling techniques, such as over computer or telephone networks via a modem. In addition, it should be appreciated that the presently described methods may be implemented in software executing out of a memory on respective CAMs, the verification controller, the manifest server and the source servers. Alternatively, the presently described functions may be embodied in whole or in part using hardware components such as Application Specific Integrated Circuits (ASICs), state machines, controllers or other hardware components or devices, or a combination of hardware components and software processes without departing from the inventive concepts herein described.
Those of ordinary skill in the art should further appreciate that variations to and modifications of the above-described methods and systems for granting access to a computer resource may be made without departing from the inventive concepts disclosed herein. Accordingly, the invention should be viewed as limited solely by the scope and spirit of the appended claims.
Claims
1. A method for verifying the presence of a plurality of components within an assembly, said method comprising: storing in a memory within a verification controller a plurality of first cryptographic keys, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; receiving a plurality of signed messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key; and generating a signal indicative of the results of said determining step.
2. The method of claim 1 wherein said generating step includes the step of generating a signal that indicates that all components within said assembly comprise approved components in the event for each one of said stored first cryptographic keys, one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key.
3. The method of claim 1 wherein said cryptographic key pairs comprise public/private key pairs, wherein said first cryptographic keys comprise public keys of said public/private key pairs and said second cryptographic keys comprise private keys of said public/private key pairs.
4. The method of claim 1 further including the step of transmitting to said cryptographic authentication modules from said verification controller a request to transmit one of said plurality of received messages and wherein said receiving step occurs in response to said transmitting step.
5. The method of claim 3 wherein said request to transmit includes a value specified by said verification controller and the message received from the respective cryptographic authentication module includes said value cryptographically authenticated by the respective cryptographic authentication module.
6. The method of claim 5 wherein said value comprises a time stamp.
7. The method of claim 5 wherein said value comprises a time and date stamp.
8. The method of claim 5 wherein said value comprises a pseudo-random number.
9. The method of claim 4 wherein said transmitting step comprises the step of transmitting said requests as a broadcast message to said cryptographic authentication modules.
10. The method of claim 4 wherein said transmitting step comprises the step of transmitting said requests as a plurality of unicast requests to the respective cryptographic authentication modules.
11. The method of claim 1 wherein said storing step includes the step of receiving a manifest server message at said verification controller that includes said first cryptographic keys.
12. The method of claim 11 wherein said manifest server message comprises a certificate cryptographically authenticated by a manifest server using a first cryptographic key of a manifest server cryptographic key pair and said method further includes the step of verifying said manifest message received at said verification controller using a second cryptographic key of said manifest server cryptographic key pair.
13. The method of claim 1 wherein said cryptographic key pairs comprising first and second cryptographic keys comprise symmetric keys.
14. Apparatus for determining whether a plurality of components of an assembly comprise approved components, said apparatus comprising: a verification controller containing a memory, said memory containing a plurality of first cryptographic keys; said verification controller operative to: receive a plurality of messages from a corresponding plurality of cryptographic authentication modules affixed to respective ones of said plurality of components, wherein each one of said messages is cryptographically authenticated using a second cryptographic key associated with one of said first cryptographic keys in the event said component is an approved component, determine for each one of said first cryptographic keys stored in said memory, whether one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key; and generate a signal that indicates that all components within said assembly comprise approved components in the event for each one of said stored first cryptographic keys, one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key.
15. A method for verifying that a plurality of components comprise approved components of an assembly comprising: affixing a plurality of cryptographic authentication modules to a corresponding plurality of components of an assembly, wherein each of said cryptographic authentication modules is associated with a cryptographic key pair including first and second cryptographic keys; storing the first cryptographic keys within the respective cryptographic authentication modules; storing said second cryptographic keys within a verification controller; transmitting from each of said cryptographic authentication modules a message cryptographically authenticated by the respective cryptographic module using the first cryptographic key of the respective cryptographic key pair; receiving said cryptographically authenticated messages at said verification controller; determining for each one of said second cryptographic keys stored in said verification controller whether one of said cryptographically authenticated messages was signed using said first cryptographic key corresponding to the respective second cryptographic key; and generating a signal indicative of the result of said determining step.
16. The method of claim 15 wherein said generating step includes the step of generating a signal that indicates that all components within said assembly comprise approved components in the event for each one of said stored second cryptographic keys, one of said plurality of cryptographically authenticated messages was cryptographically authenticated using the corresponding first cryptographic key.
17. The method of claim 15 wherein said cryptographic key pairs comprise public/private key pairs, wherein said first cryptographic keys comprise private keys of said public/private key pairs and said second cryptographic keys comprise public keys of said public/private key pairs.
18. The method of claim 15 further including the step of transmitting to said cryptographic authentication modules from said verification controller a request to transmit a message cryptographically authenticated by the respective cryptographic authentication modules and wherein said receiving step occurs in response to said transmitting step.
19. The method of claim 18 wherein said request to transmit includes a value specified by said verification controller and the message received from respective cryptographic authentication module includes said value cryptographically authenticated by the respective cryptographic authentication module.
20. The method of claim 19 wherein said value comprises a time stamp.
21. The method of claim 19 wherein said value comprises a time and date stamp.
22. The method of claim 19 wherein said value comprises a pseudo-random number.
23. The method of claim 18 wherein said transmitting step comprises the step of transmitting said requests as a broadcast message to said cryptographic authentication modules.
24. The method of claim 18 wherein said transmitting step comprises the step of transmitting said requests as a plurality of unicast requests to the respective cryptographic authentication modules.
25. The method of claim 15 wherein said storing step includes the step of receiving a manifest server message at said verification controller that includes said second cryptographic keys.
26. The method of claim 25 wherein said manifest server message comprises a certificate cryptographically authenticated by a manifest server using a first cryptographic key of a manifest server cryptographic key pair and said method further includes the step of verifying said manifest server message received at said verification controller using a second cryptographic key of said manifest server cryptographic key pair.
27. The method of claim 15 wherein said cryptographic key pairs comprising first and second cryptographic keys comprise symmetric keys.
28. A system for verifying that a plurality of components within an assembly comprise approved components, said system comprising: a plurality of cryptographic authentication modules, said modules each being affixed to one of said plurality of components of said assembly, wherein each of said cryptographic authentication modules is associated with a cryptographic key pair including first and second cryptographic keys and wherein the respective first cryptographic key is stored within a memory within the associated cryptographic authentication module; a verification controller, said verification controller containing a memory in which said second cryptographic keys are stored; said cryptographic authentication modules being operative to transmit a message for receipt by the verification controller cryptographically authenticated by the respective cryptographic module using the first cryptographic key of the respective cryptographic key pair; and said verification controller being operative to: receive said cryptographically authenticated messages at said verification controller; determine whether a message was received from one of said cryptographic authentication modules that was cryptographically authenticated using a first cryptographic key for each one of said second cryptographic keys stored in said memory; and generate a signal indicative of the result of said determination.
29. A computer program product including a computer readable medium, said computer readable medium having a computer program stored thereon for verifying components of an assembly, said computer program for execution in a computer and comprising: program code for storing a plurality of first cryptographic keys in a memory, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; program code for receiving a plurality of cryptographically authenticated messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; program code for determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of cryptographically authenticated messages was cryptographically authenticated using the corresponding second cryptographic key; and program code generating a signal indicative of the results of said determining step.
30. A computer data signal, said computer data signal including a computer program for use in determining whether a plurality of components comprises approved components of an assembly, said computer program comprising: program code for storing a plurality of first cryptographic keys in a memory, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; program code for receiving a plurality of cryptographically authenticated messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; program code for determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of cryptographically authenticated messages was cryptographically authenticated using the corresponding second cryptographic key; and program code generating a signal indicative of the results of said determining step.
31. Apparatus for determining whether a plurality of components of an assembly comprise approved components, said apparatus comprising: means for storing within a memory in a verification controller a plurality of first cryptographic keys, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; means for receiving at said verification controller, a plurality of cryptographically authenticated messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; means for determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of cryptographically authenticated messages was cryptographically authenticated using the corresponding second cryptographic key; and means for generating a signal indicative of the results of said determining step and whether said components comprise approved components for use in said assembly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2001255553A AU2001255553A1 (en) | 2000-04-26 | 2001-04-20 | Method and apparatus verifying parts and parts lists in an assembly |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US55849100A | 2000-04-26 | 2000-04-26 | |
US09/558,491 | 2000-04-26 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2001082035A2 true WO2001082035A2 (en) | 2001-11-01 |
WO2001082035A3 WO2001082035A3 (en) | 2003-02-13 |
Family
ID=24229744
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2001/012942 WO2001082035A2 (en) | 2000-04-26 | 2001-04-20 | Method and apparatus verifying parts and parts lists in an assembly |
Country Status (2)
Country | Link |
---|---|
AU (1) | AU2001255553A1 (en) |
WO (1) | WO2001082035A2 (en) |
2001
- 2001-04-20 WO PCT/US2001/012942 patent/WO2001082035A2/en active Application Filing
- 2001-04-20 AU AU2001255553A patent/AU2001255553A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
AU2001255553A1 (en) | 2001-11-07 |
WO2001082035A3 (en) | 2003-02-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A2; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A2; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
 | 122 | Ep: pct application non-entry in european phase | |
 | NENP | Non-entry into the national phase in: | Ref country code: JP |