Integrity Security Services LLC

United States of America


1-93 of 93 for Integrity Security Services LLC
IP Type
        Patent 73
        Trademark 20
Jurisdiction
        United States 80
        World 10
        Europe 3
Date
2026 January 2
2025 December 2
2026 (YTD) 2
2025 17
2024 13
IPC Class
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system 35
H04L 29/06 - Communication control; Communication processing characterised by a protocol 24
H04L 9/08 - Key distribution 19
H04W 12/06 - Authentication 18
H04L 9/40 - Network security protocols 14
NICE Class
42 - Scientific, technological and industrial services, research and design 19
09 - Scientific and electric apparatus and instruments 12
Status
Pending 17
Registered / In Force 76

1.

OFFLINE DIGITAL ASSET GENERATION AND PROVISIONING

      
Application Number US2025036439
Publication Number 2026/011123
Status In Force
Filing Date 2025-07-03
Publication Date 2026-01-08
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Romansky, Brian
  • Meyer, Alan, T.

Abstract

A system for offline generation of digital assets includes: a security credential management system (SCMS) that is operable to generate and conditionally transmit digital assets; and a certificate authority communicatively connected to the SCMS by a communication network, the certificate authority being operable to receive the digital assets from the SCMS. The certificate authority is operable to securely provision a plurality of computerized devices based on the received digital assets, the certificate authority intermittently connects to the SCMS to receive the digital assets, the certificate authority is operable to securely provision the plurality of computerized devices while disconnected from the SCMS, and the provisioning by the certificate authority while disconnected from the SCMS is limited by a policy associated with the certificate authority.

IPC Classes

  • G06F 21/44 - Program or device authentication
  • G06F 21/45 - Structures or tools for the administration of authentication
  • H04L 9/40 - Network security protocols

2.

OFFLINE DIGITAL ASSET GENERATION AND PROVISIONING

      
Application Number 19259531
Status Pending
Filing Date 2025-07-03
First Publication Date 2026-01-08
Owner INTEGRITY Security Services LLC (USA)
Inventor
  • Romansky, Brian
  • Meyer, Alan T.

Abstract

A system for offline generation of digital assets includes: a security credential management system (SCMS) that is operable to generate and conditionally transmit digital assets; and a certificate authority communicatively connected to the SCMS by a communication network, the certificate authority being operable to receive the digital assets from the SCMS. The certificate authority is operable to securely provision a plurality of computerized devices based on the received digital assets, the certificate authority intermittently connects to the SCMS to receive the digital assets, the certificate authority is operable to securely provision the plurality of computerized devices while disconnected from the SCMS, and the provisioning by the certificate authority while disconnected from the SCMS is limited by a policy associated with the certificate authority.

IPC Classes

  • H04W 12/069 - Authentication using certificates or pre-shared keys

3.

DLM CUMULUS

      
Serial Number 99560093
Status Pending
Filing Date 2025-12-21
Owner INTEGRITY SECURITY SERVICES LLC ()
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Software as a service (SaaS) featuring software for cybersecurity and device lifecycle management, namely, software for defining, administering, monitoring, testing, and auditing cybersecurity requirements and security controls for devices, products, and systems from development through deployment and decommissioning; SaaS featuring software for supply chain cybersecurity risk management, asset management, vulnerability detection and remediation tracking, compliance monitoring with industry and regulatory standards, generation of compliance evidence and reports, and management of software bills of materials

4.

METHODS AND SYSTEMS FOR CREATING, VERIFYING, AND ENTERING SECURITY INFORMATION

      
Application Number 19210912
Status Pending
Filing Date 2025-05-16
First Publication Date 2025-12-04
Owner INTEGRITY Security Services LLC (USA)
Inventor
  • Meyer, Alan T.
  • Durham, Cameron

Abstract

A system for securely accessing a target computer using high entropy security information stored in a password manager including a user computer configured to execute instructions to perform operations including receiving password manager access information and a retrieval key, accessing the password manager using the password manager access information, receiving the high entropy security information provided by a generator computer, storing the high entropy security information in the password manager, in association with the retrieval key, supplying the retrieval key to retrieve the high entropy security information that was stored in the password manager, and providing the high entropy security information. The target computer receives the high entropy security information provided by the user computer, and provides access to the target computer when the high entropy security information is verified. The generator computer, the user computer, and the target computer are communicatively decoupled from each other.

IPC Classes

5.

OT OMNITRUST

      
Serial Number 99508419
Status Pending
Filing Date 2025-11-20
Owner INTEGRITY SECURITY SERVICES LLC (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection; embedded security products for protection of devices from cyber security attacks; Computing services featuring online non-downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices; developing security solutions for embedded devices; security services for protection of devices from cyber security attacks

6.

SYSTEMS AND METHODS FOR ESTABLISHING A CONFIDENCE LEVEL FOR DEVICE OPERATIONAL DATA

      
Application Number 19230672
Status Pending
Filing Date 2025-06-06
First Publication Date 2025-09-25
Owner INTEGRITY Security Services LLC (USA)
Inventor Lattin, William L.

Abstract

Systems, methods, and devices for establishing a confidence level for local operational data for a computerized device that is a member of a technological ecosystem, such as the V2X ecosystem. The systems, methods, and devices may perform operations that include: storing the local operational data; obtaining, e.g., using the communication interface, messages from external devices that are members of the ecosystem, wherein each of the messages comprises external operational data from each external device; determining deviations between the stored local operational data and the external operational data from each message; storing the deviations determined for each message; calculating, based on the stored deviations, a confidence level for the local operational data (e.g., 85% confidence that the local data is accurate); and executing a remedial action when the confidence level is below a threshold for the confidence level.

IPC Classes

  • G01S 19/40 - Correcting position, velocity or attitude

7.

TLM TRUST LIFECYCLE MANAGEMENT

      
Application Number 019248582
Status Registered
Filing Date 2025-09-18
Registration Date 2026-02-04
Owner INTEGRITY SECURITY SERVICES LLC (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Software as a service (SAAS) services, namely, hosting software for use by others for use in the field of cryptographic security services for communication between electronic devices, namely, retrieving and storing information from various systems to track all company secrets and crypto material and identifying which secrets and certificates need updates.

8.

IntegrityOne

      
Application Number 019248622
Status Registered
Filing Date 2025-09-18
Registration Date 2026-02-06
Owner INTEGRITY SECURITY SERVICES LLC (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection. Computing services featuring online non-downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things device.

9.

Miscellaneous Design

      
Application Number 019248635
Status Registered
Filing Date 2025-09-18
Registration Date 2026-02-06
Owner INTEGRITY SECURITY SERVICES LLC (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection. Computing services featuring online non-downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices.

10.

SYSTEMS, METHODS, AND DEVICES FOR MULTI-STAGE PROVISIONING AND MULTI-TENANT OPERATION FOR A SECURITY CREDENTIAL MANAGEMENT SYSTEM

      
Application Number 19216364
Status Pending
Filing Date 2025-05-22
First Publication Date 2025-09-11
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Powell, Gregory

Abstract

A system for securely provisioning a plurality of computerized devices of a tenant. The system includes a certificate authority operable to generate digital assets for onboard units and roadside units of the tenant in response to provisioning requests from the plurality of computerized devices, where each of the provisioning requests includes a device identifier. The system includes a security credential management system (SCMS) host platform, operably connected to the certificate authority, where the SCMS host platform is configured to perform operations that may include receiving the provisioning requests for the digital assets for the plurality of computerized devices, each of the provisioning requests including the device identifier, and routing at least some of the provisioning requests to the certificate authority based on the device identifier.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • H04L 9/40 - Network security protocols
  • H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
  • H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
  • H04L 67/306 - User profiles
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
  • H04W 12/06 - Authentication
  • H04W 12/30 - Security of mobile devices; Security of mobile applications

11.

Methods and Systems for Securely Accessing Operational Data

      
Application Number 19207783
Status Pending
Filing Date 2025-05-14
First Publication Date 2025-08-28
Owner INTEGRITY Security Services LLC (USA)
Inventor
  • Sequino, David R.
  • Kapoor, Amit

Abstract

Systems, methods, computer-readable media, and devices for accessing onboard operational data in a vehicle. The systems, methods, computer-readable media, and devices may include hardware and/or software for performing operations that include: obtaining user information and vehicle information, obtaining verification information, e.g., from a verification source, verifying that a specific user is associated with the vehicle based on the verification information, communicatively connecting to the vehicle based on the vehicle information; obtaining the onboard data from the vehicle; and providing the onboard data to the user. In embodiments, the user may be the owner of the vehicle, the registrant of the vehicle, or a repair person that is servicing the vehicle and needs access to onboard data besides OBD error codes.

IPC Classes

  • G07C 5/08 - Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle, or waiting time
  • G07C 5/00 - Registering or indicating the working of vehicles

12.

TLM TRUST LIFECYCLE MANAGEMENT

      
Serial Number 99337158
Status Pending
Filing Date 2025-08-14
Owner INTEGRITY SECURITY SERVICES LLC ()
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Software as a service (SAAS) services, namely, hosting software for use by others for use in the field of cryptographic security services for communication between electronic devices, specifically, for retrieving and storing information from various systems to track all company secrets and crypto material in the nature of encrypted data and identifying which encrypted secrets data and digital certificates need updates

13.

Systems and Methods for Centrally Managing and Routing Multiple Credentials

      
Application Number 19037409
Status Pending
Filing Date 2025-01-27
First Publication Date 2025-05-29
Owner INTEGRITY Security Services LLC (USA)
Inventor
  • Sequino, David R.
  • Kapoor, Amit

Abstract

Systems, methods, and computer-readable media for managing security credentials, such as digital certificates. A routing and management server is communicatively connected to a computerized device and to a plurality of credential generators. The server performs operations that may include: optionally registering the device; receiving a request for one or more security credentials from the device; analyzing the request to determine an appropriate credential generator, from among the plurality of credential generators, for producing the one or more security credentials; optionally translating the request into a format required by the appropriate credential generator; transmitting the request to the appropriate credential generator; receiving the one or more security credentials from the appropriate credential generator; and providing the one or more security credentials to the device, either directly or indirectly.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

14.

Systems and Methods for Validation of a Device

      
Application Number 18603782
Status Pending
Filing Date 2024-03-13
First Publication Date 2025-05-22
Owner INTEGRITY Security Services LLC (USA)
Inventor Kapoor, Amit

Abstract

A first processing device sends a validation request, which includes a random number seed and a nonce, to a second processing device. The first processing device generates a first set of random numbers using the random number seed according to an algorithm for random number generation, and maps the generated first set of random numbers to memory blocks that include a copy of software for the second processing device. A first hash is calculated from contents of the mapped memory blocks concatenated to the nonce. A second hash, calculated using information included in the validation request, the mapping model, the software for the second processing device, and the nonce is received. An action is automatically performed when the hashes do not match.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

15.

Methods and systems for creating, verifying, and entering security information

      
Application Number 18675443
Grant Number 12309143
Status In Force
Filing Date 2024-05-28
First Publication Date 2025-05-20
Grant Date 2025-05-20
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Durham, Cameron

Abstract

A system including a generator computer, a user computer, and a target computer. The generator computer generates high entropy security information. The user computer executes operations including receiving password manager access information and a retrieval key, accessing the password manager using the password manager access information, receiving the high entropy security information, storing the high entropy security information in the password manager, in association with the retrieval key, supplying the retrieval key to retrieve the high entropy security information that was stored in the password manager, and providing the high entropy security information on a user computer interface device. The target computer receives the high entropy security information provided by the user computer interface device, and provides access to the target computer when the high entropy security information is verified. The generator computer, the user computer, and the target computer are communicatively decoupled from each other.

IPC Classes

  • G06F 7/04 - Identity comparison, i.e. for like or unlike values
  • H04L 9/40 - Network security protocols

16.

I O

      
Serial Number 99191910
Status Pending
Filing Date 2025-05-19
Owner INTEGRITY SECURITY SERVICES LLC ()
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, for digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, computers for secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection; Computing services in the nature of providing online non-downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, for digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices

17.

DEVICE UPDATE TRANSMISSION USING A FILTER STRUCTURE

      
Application Number 19010396
Status Pending
Filing Date 2025-01-06
First Publication Date 2025-05-01
Owner INTEGRITY Security Services LLC (USA)
Inventor Locketz, Neil

Abstract

Systems, methods, and computer-readable media that quickly and efficiently identify the computerized devices that are part of an update campaign. The operations of the systems, methods, and computer-readable media may include: obtaining a filter data structure comprising a plurality of hash values, each hash value corresponding to a computerized device of a plurality of computerized devices in an update campaign; determining whether a requesting computerized device is in the update campaign using a hash function of the filter data structure and identifying information that identifies the requesting computerized device; in response to determining that the computerized device is in the update campaign, providing a device update to the computerized device; and in response to determining that the computerized device does not belong to the update campaign, providing, to the computerized device, an indication that there is no device update for the computerized device.

IPC Classes

  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 8/65 - Updates

18.

INTEGRITYONE

      
Serial Number 99142262
Status Pending
Filing Date 2025-04-17
Owner INTEGRITY SECURITY SERVICES LLC (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection; Computing services featuring online non-downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, cyber asset management and authority management of internet-of-things devices

19.

VALIDATION OF SOFTWARE RESIDING ON REMOTE COMPUTING DEVICES

      
Application Number 18915605
Status Pending
Filing Date 2024-10-15
First Publication Date 2025-01-30
Owner INTEGRITY Security Services LLC (USA)
Inventor
  • Lattin, William L.
  • Upton, Jimmy R.

Abstract

A computer implemented method for validating software is provided. The method includes generating a first check value, by a remote computing device, based on a unique value and software of the remote computing device, outputting the first check value and the unique value from the remote computing device to a secure data repository, obtaining, by a secure computing device, an authentic copy of the software of the remote computing device, obtaining, by the secure computing device, the unique value and the first check value from the secure data repository, computing, by the secure computing device, a second check value based on the authentic copy of the software for the remote computing device and the unique value, and determining, by the secure computing device, whether the remote computing device has authentic software based on a comparison of the obtained first check value and the second check value.

IPC Classes

  • G06F 21/44 - Program or device authentication
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

20.

Methods and systems for securely accessing operational data

      
Application Number 18809670
Grant Number 12327444
Status In Force
Filing Date 2024-08-20
First Publication Date 2024-12-12
Grant Date 2025-06-10
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Sequino, David R.
  • Kapoor, Amit

Abstract

Systems, methods, computer-readable media, and devices for accessing onboard operational data in a vehicle. The systems, methods, computer-readable media, and devices may include hardware and/or software for performing operations that include: obtaining user information and vehicle information, obtaining verification information, e.g., from a verification source, verifying that a specific user is associated with the vehicle based on the verification information, communicatively connecting to the vehicle based on the vehicle information; obtaining the onboard data from the vehicle; and providing the onboard data to the user. In embodiments, the user may be the owner of the vehicle, the registrant of the vehicle, or a repair person that is servicing the vehicle and needs access to onboard data besides OBD error codes.

IPC Classes

  • G07C 5/08 - Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle, or waiting time
  • G07C 5/00 - Registering or indicating the working of vehicles

21.

Automatic Tracking of Resource Usage by Vehicles

      
Application Number 18665790
Status Pending
Filing Date 2024-05-16
First Publication Date 2024-11-21
Owner INTEGRITY Security Services LLC (USA)
Inventor Kapoor, Amit

Abstract

Systems and methods for tracking usage of multiple resources by a vehicle that is associated with a contract certificate. The system includes: a first resource management operator (RMO) that tracks usage of a first resource, e.g., electricity, by the vehicle and that generates a first resource usage record that includes information from the certificate; a second RMO that tracks usage of a second resource, e.g., road usage, by the vehicle; and a multi-resource interface provider (MRIP) that provides a communication channel between the first RMO and the second RMO. The MRIP may obtain the first resource usage record; generate a revised first resource usage record from it, including certificate information; and provide the revised usage record to the second RMO. The second RMO may generate a multi-resource usage record using combined data from the revised first resource usage record and the tracked data about the usage of the second resource.

IPC Classes

  • G06Q 10/0631 - Resource planning, allocation, distributing or scheduling for enterprises or organisations

22.

Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system

      
Application Number 18760297
Grant Number 12316785
Status In Force
Filing Date 2024-07-01
First Publication Date 2024-10-24
Grant Date 2025-05-27
Owner INTEGRITY SECURITY SERVICES LLC. (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Powell, Gregory

Abstract

The system for provisioning computerized devices of a tenant includes an enrollment certificate authority generating enrollment certificates in response to first provisioning requests for the enrollment certificates, a second certificate authority generating digital assets for onboard units and roadside units of the tenant in response to second provisioning requests from the computerized devices. A security credential management system platform, connected to the enrollment certificate authority and to the second certificate authority, receiving the first provisioning requests for enrollment certificates for the computerized devices, routing the first provisioning requests to the enrollment certificate authority based on the tenant identification (ID), receiving the second provisioning requests for digital assets for the computerized devices, and routing the second provisioning requests to the second certificate authority based on the device identifier. Each first provisioning request includes the tenant ID, and each second provisioning request includes a device identifier.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • H04L 9/40 - Network security protocols
  • H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
  • H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
  • H04L 67/306 - User profiles
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
  • H04W 12/06 - Authentication
  • H04W 12/30 - Security of mobile devices; Security of mobile applications

23.

SCALABLE CERTIFICATE MANAGEMENT SYSTEM ARCHITECTURES

      
Application Number 18673968
Status Pending
Filing Date 2024-05-24
First Publication Date 2024-09-19
Owner INTEGRITY Security Services LLC (USA)
Inventor
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run a certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the certificate authority. It may also include one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04W 12/0431 - Key distribution or pre-distribution; Key agreement
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04W 12/42 - Security arrangements using identity modules using virtual identity modules
  • H04W 12/75 - Temporary identity

24.

Systems and methods for establishing a confidence level for device operational data

      
Application Number 18493053
Grant Number 12339380
Status In Force
Filing Date 2023-10-24
First Publication Date 2024-08-01
Grant Date 2025-06-24
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Lattin, William L.

Abstract

Systems, methods, and devices for establishing a confidence level for local operational data for a device within a technological ecosystem, such as the V2X ecosystem. The systems, methods, and devices may perform operations that include: obtaining local operational data for the device; obtaining messages from multiple external devices participating in the ecosystem, wherein each of the messages includes external operational data for the transmitting external device; determining, based on the local operational data and the external operational data from the messages, a confidence level for the local operational data; and executing a remedial action when the confidence level falls below a threshold for the confidence level. The systems and devices may include a local data source that stores the local operational data and a communication interface.

IPC Classes

  • G01S 19/40 - Correcting position, velocity or attitude

25.

APPLICATION PROGRAMMING INTERFACE FOR CERTIFICATE MANAGEMENT SYSTEMS

      
Application Number US2023079989
Publication Number 2024/112553
Status In Force
Filing Date 2023-11-16
Publication Date 2024-05-30
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Fynaardt, Daniel, R.

Abstract

A system can include a certificate application programming interface (API) device that is operable to receive, via an application programming interface (API), an enrollment request for the at least one computerized device. The certificate API device can also generate, via the API, an enrollment package and an end entity certificate package for the at least one computerized device by obtaining the enrollment package and the end entity certificate package from a certificate management service (CMS). The certificate API device can also transmit, via the API, the enrollment package and the end entity certificate package to the at least one computerized device. The system can also include the CMS that is operable to provide the enrollment package and the end entity certificate package to the certificate API device.

IPC Classes

  • H04L 9/08 - Key distribution
  • G06F 9/54 - Interprogram communication
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04W 4/40 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]

26.

APPLICATION PROGRAMMING INTERFACE FOR CERTIFICATE MANAGEMENT SYSTEMS

      
Application Number 18328054
Status Pending
Filing Date 2023-06-02
First Publication Date 2024-05-23
Owner INTEGRITY Security Services LLC (USA)
Inventor Fynaardt, Daniel R.

Abstract

A system can include a certificate application programming interface (API) device that is operable to receive, via an application programming interface (API), an enrollment request for the at least one computerized device. The certificate API device can also generate, via the API, an enrollment package and an end entity certificate package for the at least one computerized device by obtaining the enrollment package and the end entity certificate package from a certificate management service (CMS). The certificate API device can also transmit, via the API, the enrollment package and the end entity certificate package to the at least one computerized device. The system can also include the CMS that is operable to provide the enrollment package and the end entity certificate package to the certificate API device.

IPC Classes

27.

SYSTEMS AND METHODS FOR ESTABLISHING A CONFIDENCE LEVEL FOR DEVICE OPERATIONAL DATA

      
Application Number US2023035698
Publication Number 2024/091446
Status In Force
Filing Date 2023-10-23
Publication Date 2024-05-02
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Lattin, William, L.

Abstract

Systems, methods, and devices for establishing a confidence level for local operational data for a device within a technological ecosystem, such as the V2X ecosystem. The systems, methods, and devices may perform operations that include: obtaining local operational data for the device; obtaining messages from multiple external devices participating in the ecosystem, wherein each of the messages includes external operational data for the transmitting external device; determining, based on the local operational data and the external operational data from the messages, a confidence level for the local operational data; and executing a remedial action when the confidence level falls below a threshold for the confidence level. The systems and devices may include a local data source that stores the local operational data and a communication interface.

IPC Classes

  • G01S 19/40 - Correcting position, velocity or attitude

28.

Systems and methods for validation of a device

      
Application Number 18517713
Grant Number 11934537
Status In Force
Filing Date 2023-11-22
First Publication Date 2024-03-19
Grant Date 2024-03-19
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Kapoor, Amit

Abstract

A first processing device obtains a first copy of software from a repository, the first copy including first computer instructions and first data for indicating a running state of a device. A validation request is sent, which includes a seed, an algorithm identifier, a number of random numbers to generate, and a nonce. The first processing device generates the number of first random numbers using the seed and an algorithm corresponding to the algorithm identifier, and maps the first random numbers to memory blocks, each of which includes a respective first computer instruction of the first copy or the first data. A first hash is calculated from contents of the mapped memory blocks and the nonce. A second hash, calculated using information included in the validation request and a software copy on a second processing device, is received. An action is automatically performed when the hashes do not match.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

29.

Validation of software residing on remote computing devices

      
Application Number 18495886
Grant Number 12124557
Status In Force
Filing Date 2023-10-27
First Publication Date 2024-02-15
Grant Date 2024-10-22
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Upton, Jimmy R.

Abstract

A computer implemented method for validating software is provided. The method includes generating a first check value, by a remote computing device, based on a unique value and software of the remote computing device, outputting the first check value and the unique value from the remote computing device to a secure data repository, obtaining, by a secure computing device, an authentic copy of the software of the remote computing device, obtaining, by the secure computing device, the unique value and the first check value from the secure data repository, computing, by the secure computing device, a second check value based on the authentic copy of the software for the remote computing device and the unique value, and determining, by the secure computing device, whether the remote computing device has authentic software based on a comparison of the obtained first check value and the second check value.

IPC Classes

  • G06F 21/44 - Program or device authentication
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

30.

Methods and systems for securely accessing operational data

      
Application Number 18230468
Grant Number 12094271
Status In Force
Filing Date 2023-08-04
First Publication Date 2024-02-08
Grant Date 2024-09-17
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Sequino, David R.
  • Kapoor, Amit

Abstract

Systems, methods, computer-readable media, and devices for accessing onboard operational data in a vehicle. The systems, methods, computer-readable media, and devices may include hardware and/or software for performing operations that include: obtaining user information and vehicle information, obtaining verification information, e.g., from a verification source, verifying that a specific user is associated with the vehicle based on the verification information, communicatively connecting to the vehicle based on the vehicle information; obtaining the onboard data from the vehicle; and providing the onboard data to the user. In embodiments, the user may be the owner of the vehicle, the registrant of the vehicle, or a repair person that is servicing the vehicle and needs access to onboard data besides OBD error codes.

IPC Classes

  • G07C 5/08 - Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle, or waiting time
  • G07C 5/00 - Registering or indicating the working of vehicles
  • H04L 9/40 - Network security protocols
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

31.

Systems and methods for centrally managing and routing multiple credentials

      
Application Number 18490997
Grant Number 12212694
Status In Force
Filing Date 2023-10-20
First Publication Date 2024-02-08
Grant Date 2025-01-28
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Sequino, David R.
  • Kapoor, Amit

Abstract

Systems, methods, and computer-readable media for managing digital certificates and other security credentials. A routing and management server is communicatively connected to a certificate user device and to a plurality of certificate generators. The server performs operations that may include: optionally registering the certificate user device; receiving a request for one or more digital certificates from the certificate user device; analyzing the request to determine an appropriate certificate generator, from among the plurality of certificate generators, for producing the one or more digital certificates; optionally translating the request into a format required by the appropriate certificate generator; transmitting the request to the appropriate certificate generator; receiving the one or more digital certificates from the appropriate certificate generator; and providing the one or more digital certificates to the certificate user device.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

32.

METHODS AND SYSTEMS FOR SECURELY ACCESSING OPERATIONAL DATA

      
Application Number US2023029547
Publication Number 2024/030650
Status In Force
Filing Date 2023-08-04
Publication Date 2024-02-08
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Sequino, David, R.
  • Kapoor, Amit

Abstract

Systems, methods, computer-readable media, and devices for accessing onboard operational data in a vehicle. The systems, methods, computer-readable media, and devices may include hardware and/or software for performing operations that include: obtaining user information and vehicle information, obtaining verification information, e.g., from a verification source, verifying that a specific user is associated with the vehicle based on the verification information, communicatively connecting to the vehicle based on the vehicle information; obtaining the onboard data from the vehicle; and providing the onboard data to the user. In embodiments, the user may be the owner of the vehicle, the registrant of the vehicle, or a repair person that is servicing the vehicle and needs access to onboard data besides OBD error codes.

IPC Classes

  • B60R 16/023 - Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric for transmission of signals between vehicle parts or subsystems
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

33.

Systems and methods for establishing a confidence level for device operational data

      
Application Number 18050146
Grant Number 11828861
Status In Force
Filing Date 2022-10-27
First Publication Date 2023-11-28
Grant Date 2023-11-28
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Lattin, William L

Abstract

Systems, methods, and devices for establishing a confidence level for local operational data for a device within a technological ecosystem, such as the V2X ecosystem. The systems, methods, and devices may perform operations that include: obtaining local operational data for the device; obtaining messages from multiple external devices participating in the ecosystem, wherein each of the messages includes external operational data for the transmitting external device; determining, based on the local operational data and the external operational data from the messages, a confidence level for the local operational data; and executing a remedial action when the confidence level falls below a threshold for the confidence level. The systems and devices may include a local data source that stores the local operational data and a communication interface.

IPC Classes

  • G01S 19/40 - Correcting position, velocity or attitude

34.

Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system

      
Application Number 18226351
Grant Number 12041186
Status In Force
Filing Date 2023-07-26
First Publication Date 2023-11-16
Grant Date 2024-07-16
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Powell, Gregory

Abstract

A system for securely provisioning a plurality of computerized devices of a tenant is provided. The system includes a processor, and a computer storage medium including instructions that when executed by the processor cause the processor to perform operations. The operations include receiving provisioning requests from the plurality of computerized devices needing certificates, each provisioning request indicating a tenant identifier identifying the tenant, and transmitting the provisioning requests to a set of security credential management system backend components based on the tenant identifier. The set of SCMS backend components includes enrollment certificate authorities operable to generate enrollment certificates, each provisioning request being transmitted to one of the one or more enrollment certificate authorities based on the tenant identifier of each provisioning request, and a pseudonym certificate authority operable to generate digital assets in response to receiving a provisioning request.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • H04L 9/40 - Network security protocols
  • H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
  • H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
  • H04L 67/306 - User profiles
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
  • H04W 12/06 - Authentication
  • H04W 12/30 - Security of mobile devices; Security of mobile applications

35.

SYSTEMS AND METHODS FOR CENTRALLY MANAGING AND ROUTING MULTIPLE CREDENTIALS

      
Application Number US2023018254
Publication Number 2023/200828
Status In Force
Filing Date 2023-04-12
Publication Date 2023-10-19
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Sequino, David, R.
  • Kapoor, Amit

Abstract

Systems, methods, and computer-readable media for managing digital certificates and other security credentials. A routing and management server is communicatively connected to a certificate user device and to a plurality of certificate generators. The server performs operations that may include: optionally registering the certificate user device; receiving a request for one or more digital certificates from the certificate user device; analyzing the request to determine an appropriate certificate generator, from among the plurality of certificate generators, for producing the one or more digital certificates; optionally translating the request into a format required by the appropriate certificate generator; transmitting the request to the appropriate certificate generator; receiving the one or more digital certificates from the appropriate certificate generator; and providing the one or more digital certificates to the certificate user device.

IPC Classes

  • G06F 21/33 - User authentication using certificates
  • H04L 9/40 - Network security protocols
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

36.

Systems and methods for centrally managing and routing multiple credentials

      
Application Number 18299180
Grant Number 11818280
Status In Force
Filing Date 2023-04-12
First Publication Date 2023-10-12
Grant Date 2023-11-14
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Sequino, David R.
  • Kapoor, Amit

Abstract

Systems, methods, and computer-readable media for managing digital certificates and other security credentials. A routing and management server is communicatively connected to a certificate user device and to a plurality of certificate generators. The server performs operations that may include: optionally registering the certificate user device; receiving a request for one or more digital certificates from the certificate user device; analyzing the request to determine an appropriate certificate generator, from among the plurality of certificate generators, for producing the one or more digital certificates; optionally translating the request into a format required by the appropriate certificate generator; transmitting the request to the appropriate certificate generator; receiving the one or more digital certificates from the appropriate certificate generator; and providing the one or more digital certificates to the certificate user device.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

37.

Systems and methods for virtual multiplexed connections

      
Application Number 18320397
Grant Number 12041136
Status In Force
Filing Date 2023-05-19
First Publication Date 2023-09-14
Grant Date 2024-07-16
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A system for facilitating a plurality of virtual transmission control protocol connections between a target application and a source application is provided. The system includes a server proxy, a client proxy, and a network protection interposed between the server proxy and the client proxy. The server proxy is configured to receive an open request from the client proxy via a stateless protocol, including a target identifier, the open request originating from the source application, open a connection between the server proxy and the target application based on the target identifier, provide a response to the client proxy indicating a status of the open request, the response including at least one of a session identifier or a sequence identifier, receive a data request from the client proxy, including the session identifier and an incremented sequence identifier, and provide the data request to the target application.

IPC Classes

  • H04L 67/142 - Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
  • H04L 9/40 - Network security protocols
  • H04L 67/56 - Provisioning of proxy services

38.

Device update transmission using a filter

      
Application Number 18319243
Grant Number 12095901
Status In Force
Filing Date 2023-05-17
First Publication Date 2023-09-14
Grant Date 2024-09-17
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

Systems, devices, and methods for updating computerized devices. Functions and operations can include: obtaining a filter data structure (e.g., a bloom filter data structure) that may include hash values corresponding to each of the computerized devices to be updated; determining whether a computerized device is to obtain a device update based on a hash value associated with the computerized device matching a hash value of the filter data structure; and providing the device update to the computerized device when there is a match. The provided device update may modify the operation of the computerized device that receives it.

IPC Classes

  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 8/65 - Updates

39.

Application programming interface for certificate management systems

      
Application Number 18057968
Grant Number 11706207
Status In Force
Filing Date 2022-11-22
First Publication Date 2023-07-18
Grant Date 2023-07-18
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Fynaardt, Daniel R.

Abstract

A system can include a certificate application programming interface (API) device that is operable to receive, via an application programming interface (API), an enrollment request for the at least one computerized device. The certificate API device can also generate, via the API, an enrollment package and an end entity certificate package for the at least one computerized device by obtaining the enrollment package and the end entity certificate package from a certificate management service (CMS). The certificate API device can also transmit, via the API, the enrollment package and the end entity certificate package to the at least one computerized device. The system can also include the CMS that is operable to provide the enrollment package and the end entity certificate package to the certificate API device.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 9/40 - Network security protocols
  • G06F 9/54 - Interprogram communication
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/08 - Key distribution

40.

FLEXSETUP

      
Serial Number 97871632
Status Registered
Filing Date 2023-04-04
Registration Date 2025-05-20
Owner Integrity Security Services LLC ()
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for microcontrollers, namely, software that provides cryptographic memory protection, security application program interface libraries, hardware security integration, secure key and certificate storage, root of trust and secure boot processes, and secure execution environments; Software as a service (SAAS) services, namely, hosting software for use by others for use in the field of cryptographic security for microcontrollers, namely, software services that provide cryptographic memory protection, security application program interface libraries, hardware security integration, security key and certificate storage, root of trust and secure boot processes, and secure execution environments

41.

FLEXDAEMON

      
Serial Number 97871635
Status Registered
Filing Date 2023-04-04
Registration Date 2025-05-20
Owner Integrity Security Services LLC ()
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for microcontrollers, namely, software that provides cryptographic memory protection, security application program interface libraries, hardware security integration, secure key and certificate storage, root of trust and secure boot processes, and secure execution environments; Software as a service (SAAS) services, namely, hosting software for use by others for use in the field of cryptographic security for microcontrollers, namely, software services that provide cryptographic memory protection, security application program interface libraries, hardware security integration, security key and certificate storage, root of trust and secure boot processes, and secure execution environments

42.

SCMS SECURITY CREDENTIAL MANAGEMENT SYSTEM

      
Serial Number 97717609
Status Registered
Filing Date 2022-12-14
Registration Date 2024-02-06
Owner Integrity Security Services LLC (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Providing an online website featuring technology to enable authentication, issuance validation, and administering of digital certificate trust authority to provide vehicle-to-everything trust in the generation and delivery of digital certificates of all forms, namely, using digital certificates to authenticate and validate the safety of land vehicles using the services in relation to other land vehicles and infrastructure, namely, traffic control devices to enhance collision avoidance by using system credentials to validate users and user locations

43.

Systems and methods for virtual multiplexed connections

      
Application Number 17580720
Grant Number 11695837
Status In Force
Filing Date 2022-01-21
First Publication Date 2022-11-17
Grant Date 2023-07-04
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A system for facilitating a plurality of virtual transmission control protocol connections between a target application and a source application is provided. The system includes a server proxy, a client proxy, and a network protection interposed between the server proxy and the client proxy. The server proxy is configured to receive an open request from the client proxy via a stateless protocol, including a target identifier, the open request originating from the source application, open a connection between the server proxy and the target application based on the target identifier, provide a response to the client proxy indicating a status of the open request, the response including at least one of a session identifier or a sequence identifier, receive a data request from the client proxy, including the session identifier and an incremented sequence identifier, and provide the data request to the target application.

IPC Classes

  • H04L 67/142 - Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
  • H04L 67/56 - Provisioning of proxy services
  • H04L 9/40 - Network security protocols

44.

CHARGEAUTH

      
Serial Number 97567230
Status Registered
Filing Date 2022-08-26
Registration Date 2025-05-13
Owner INTEGRITY SECURITY SERVICES LLC ()
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Providing online non-downloadable software for identity management covering both users and organizations; Providing online non-downloadable software for collection and distribution of funds for shared services; Providing online non-downloadable software for settlement policies and procedures for shared services that cross boundaries with other organizations

45.

Providing quality of service for certificate management systems

      
Application Number 17526036
Grant Number 11792019
Status In Force
Filing Date 2021-11-15
First Publication Date 2022-03-10
Grant Date 2023-10-17
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Fynaardt, Daniel R.

Abstract

A system for providing quality of service (QoS) levels to clients requesting credentials from a credential management service is provided. The system includes an application programming interface (API) operable to receive credential requests from each of a plurality of clients, each credential request including a client identifier, and a QoS manager operable to: distribute the credential requests to a corresponding client queue of a plurality of client queues based on the client identifier, select a credential request distributed to the plurality of client queues based on a selection scheme, and transmit the selected credential request to a QoS queue of the credential management service for processing.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04L 9/08 - Key distribution
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]

46.

Validation of software residing on remote computing devices

      
Application Number 17503740
Grant Number 11809543
Status In Force
Filing Date 2021-10-18
First Publication Date 2022-02-03
Grant Date 2023-11-07
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Upton, Jimmy R.

Abstract

A computer implemented method for validating software is provided. The method includes generating a first check value, by a remote computing device, based on a unique value and software of the remote computing device, outputting the first check value and the unique value from the remote computing device to a secure data repository, obtaining, by a secure computing device, an authentic copy of the software of the remote computing device, obtaining, by the secure computing device, the unique value and the first check value from the secure data repository, computing, by the secure computing device, a second check value based on the authentic copy of the software for the remote computing device and the unique value, and determining, by the secure computing device, whether the remote computing device has authentic software based on a comparison of the obtained first check value and the second check value.

IPC Classes

  • G06F 21/44 - Program or device authentication
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

47.

Scalable certificate management system architectures

      
Application Number 17503692
Grant Number 11997220
Status In Force
Filing Date 2021-10-18
First Publication Date 2022-02-03
Grant Date 2024-05-28
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04W 12/0431 - Key distribution or pre-distribution; Key agreement
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04W 12/42 - Security arrangements using identity modules using virtual identity modules
  • H04W 12/75 - Temporary identity

48.

Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system

      
Application Number 17503784
Grant Number 11757661
Status In Force
Filing Date 2021-10-18
First Publication Date 2022-02-03
Grant Date 2023-09-12
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Powell, Gregory

Abstract

A system for securely provisioning a plurality of computerized devices of a tenant is provided. The system includes a processor, and a computer storage medium including instructions that when executed by the processor cause the processor to perform operations. The operations include receiving provisioning requests from the plurality of computerized devices needing certificates, each provisioning request indicating a tenant identifier identifying the tenant, and transmitting the provisioning requests to a set of security credential management system backend components based on the tenant identifier. The set of SCMS backend components includes enrollment certificate authorities operable to generate enrollment certificates, each provisioning request being transmitted to one of the one or more enrollment certificate authorities based on the tenant identifier of each provisioning request, and a pseudonym certificate authority operable to generate digital assets in response to receiving a provisioning request.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/40 - Network security protocols
  • H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
  • H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
  • H04W 12/06 - Authentication
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • H04L 67/306 - User profiles
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

49.

Systems and methods for virtual multiplexed connections

      
Application Number 17316975
Grant Number 11240318
Status In Force
Filing Date 2021-05-11
First Publication Date 2022-02-01
Grant Date 2022-02-01
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A system for facilitating a plurality of virtual transmission control protocol connections between a target application and a source application is provided. The system includes a server proxy, a client proxy, and a network protection interposed between the server proxy and the client proxy. The server proxy is configured to receive an open request from the client proxy via a stateless protocol, including a target identifier, the open request originating from the source application, open a connection between the server proxy and the target application based on the target identifier, provide a response to the client proxy indicating a status of the open request, the response including at least one of a session identifier and a sequence identifier, receive a data request from the client proxy, including the session identifier and an incremented sequence identifier, and provide the data request to the target application.

IPC Classes

  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

50.

Device update transmission using a filter structure

      
Application Number 17488741
Grant Number 12192324
Status In Force
Filing Date 2021-09-29
First Publication Date 2022-01-20
Grant Date 2025-01-07
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A server including a processor and a non-transitory computer readable medium is provided. The medium includes computer-executable instructions that cause the processor to perform operations including obtaining a filter data structure comprising a plurality of hash values, each hash value corresponding to a computer device of a plurality of computer devices in an update campaign, determining that a requesting computerized device is in the update campaign, in response to determining, sending a request to confirm that the computerized device is a member of the campaign, in response to confirming that the computerized device is a member of the campaign, providing the device update to the computerized device, and in response to determining that the computerized device does not belong to the campaign, providing an indication that there is no device update for the computerized device.

IPC Classes

  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 8/65 - Updates

51.

Secure provisioning and management of devices

      
Application Number 17400814
Grant Number 11586709
Status In Force
Filing Date 2021-08-12
First Publication Date 2021-12-02
Grant Date 2023-02-21
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Sequino, David R.
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Systems, methods and devices are provided for provisioning a computerized device. The system may include a distributor computer that is connected to the computerized device and is operable to receive a first digital asset and transmit it to the computerized device, and a server that is connected to the distributor computer, and that transmits the first digital asset to the distributor computer when a first authorizing condition is met, the first digital asset being configured to cause the computerized device to become partially provisioned, wherein the server transmits a second digital asset to the computerized device, and the computerized device is functional after the second digital asset is transmitted to the computerized device.

IPC Classes

  • G06F 21/12 - Protecting executable software
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/08 - Key distribution
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04W 4/70 - Services for machine-to-machine communication [M2M] or machine type communication [MTC]
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04W 4/50 - Service provisioning or reconfiguring
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04L 9/40 - Network security protocols
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]
  • H04W 12/06 - Authentication
  • H04W 12/75 - Temporary identity
  • H04M 15/00 - Arrangements for metering, time-control or time-indication

52.

Methods and systems for creating, verifying, and entering security information

      
Application Number 17444251
Grant Number 11580237
Status In Force
Filing Date 2021-08-02
First Publication Date 2021-11-25
Grant Date 2023-02-14
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Durham, Cameron

Abstract

A system for securely producing and using high-entropy security information, such as a password. The system includes a printer, a display device, and a generator computer that is connected to the printer and the display device. The generator computer generates the high-entropy set of characters, (e.g., password), and also generates a machine-readable representation of the high-entropy set of characters, (e.g., a barcode). The generator computer causes the printer to print the high-entropy set of characters and the machine-readable representation on paper, and then deletes the high-entropy set of characters and the machine-readable representation from the system. The high-entropy set of characters, (e.g., password), may be entered into a target computer by scanning the barcode on the paper using a barcode scanner connected to the target computer, which is significantly faster than, and eliminates the human error associated with, typing in a high-entropy set of characters.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 21/60 - Protecting data
  • G06F 3/12 - Digital output to print unit

53.

Device update transmission using a bloom filter

      
Application Number 17361714
Grant Number 11664975
Status In Force
Filing Date 2021-06-29
First Publication Date 2021-10-21
Grant Date 2023-05-30
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A system includes a campaign management service to detect a campaign initiation request indicating a number of computerized devices to be updated for a campaign and store data corresponding to the computerized devices to be updated. The campaign management service can generate a bloom filter data structure comprising hash values based on the data for each of the computerized devices to be updated and transmit the bloom filter data structure to a network edge. The system can include the network edge that can use the bloom filter data structure from the campaign management service to determine whether a computerized device is to obtain a device update from the campaign management service. The network edge can retrieve the device update and modify the computerized device by transmitting the device update to the computerized device, which then installs it.

IPC Classes

  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 8/65 - Updates

54.

Validation of software residing on remote computing devices

      
Application Number 17099025
Grant Number 11151241
Status In Force
Filing Date 2020-11-16
First Publication Date 2021-09-16
Grant Date 2021-10-19
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Upton, Jimmy R.

Abstract

A remote computing device is provided including one or more processors, and a memory device including one or more computer-readable instructions. When executed by the one or more processors, the instructions cause the system to perform operations including receiving a validation request comprising a random data string from a secure computing device, in response to the validation request, generating a first check value based on the random data string and software installed on the remote computing device, and transmitting the first check value to the secure computing device. The secure computing device is configured to compare the first check value to a second check value that is generated using the random data string and an authentic copy of the software.

IPC Classes

  • G06F 21/44 - Program or device authentication
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

55.

Validation of software residing on remote computing devices

      
Application Number 16820163
Grant Number 11080387
Status In Force
Filing Date 2020-03-16
First Publication Date 2021-08-03
Grant Date 2021-08-03
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Upton, Jimmy R.

Abstract

A system can include a processor that can execute computer-readable instructions that include operations that include obtaining an authentic copy of the software of the remote computing device and sending a validation request comprising a random data string to the remote computing device. The operations can also include receiving a remote check value from the remote computing device, wherein the remote check value is generated by the remote computing device based on the random data string and the software on the remote computing device. Furthermore, the operations include computing a local check value based on the authentic copy of the software for the remote computing device and the random data string and determining whether the remote computing device has authentic software based on a comparison of the received remote check value and the local check value.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/44 - Program or device authentication
  • H04L 9/08 - Key distribution
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

56.

Secure provisioning and management of devices

      
Application Number 17208302
Grant Number 11138294
Status In Force
Filing Date 2021-03-22
First Publication Date 2021-07-22
Grant Date 2021-10-05
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Sequino, David R.
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Systems, methods and devices are provided for provisioning a computerized device. The system may include a distributor computer that is connected to the computerized device and is operable to receive a first digital asset and transmit it to the computerized device, a server that is connected to the distributor computer, and that transmits the first digital asset to the distributor computer when a first authorizing condition is met, the first digital asset being configured to cause the computerized device to become partially provisioned, and a provisioning controller that is connected to the distributor computer and that determines whether the first authorizing condition is met, the server transmits a second digital asset to the computerized device, and the computerized device is functional after the second digital asset is transmitted to the computerized device.

IPC Classes

  • G06F 21/12 - Protecting executable software
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04L 9/08 - Key distribution
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04W 4/70 - Services for machine-to-machine communication [M2M] or machine type communication [MTC]
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04W 4/50 - Service provisioning or reconfiguring
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]
  • H04W 12/06 - Authentication
  • H04W 12/75 - Temporary identity
  • H04M 15/00 - Arrangements for metering, time-control or time-indication

57.

Device update transmission using a filter structure

      
Application Number 17156859
Grant Number 11082209
Status In Force
Filing Date 2021-01-25
First Publication Date 2021-06-10
Grant Date 2021-08-03
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A system includes a campaign management service to detect a campaign initiation request indicating a number of computerized devices to be updated for a campaign and store data corresponding to the computerized devices to be updated. The campaign management service can generate a filter data structure comprising hash values based on the data for each of the computerized devices to be updated and transmit the filter data structure to a network edge. The system can include the network edge that can use the filter data structure from the campaign management service to determine whether a computerized device is to obtain a device update from the campaign management service. The network edge can retrieve the device update and modify the computerized device by transmitting the device update to the computerized device, which then installs it.

IPC Classes

  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 8/65 - Updates

58.

Providing quality of service for certificate management systems

      
Application Number 17170557
Grant Number 11177965
Status In Force
Filing Date 2021-02-08
First Publication Date 2021-05-27
Grant Date 2021-11-16
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Fynaardt, Daniel R.

Abstract

A system for providing quality of service (QoS) levels to clients requesting certificates from a certificate management service is provided. The system includes an application programming interface (API) operable to receive certificate requests from each of a plurality of clients, each certificate request including a client identifier, a QoS manager operable to distribute the certificate requests to a corresponding client queue of a plurality of client queues based on the client identifier, select, based on at least one of a workflow and a client priority level, one or more of the certificate requests distributed to the plurality of client queues, and transmit the selected one or more certificate requests to a QoS queue of the certificate management service for processing.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04L 9/08 - Key distribution
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]

59.

Methods and systems for creating, verifying, and entering security information

      
Application Number 17077308
Grant Number 11080413
Status In Force
Filing Date 2020-10-22
First Publication Date 2021-04-29
Grant Date 2021-08-03
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Durham, Cameron

Abstract

A system for securely producing and using high-entropy security information, such as a password. The system includes a printer, a display device, and a generator computer that is connected to the printer and the display device. The generator computer generates the high-entropy set of characters, (e.g., password), and also generates a machine-readable representation of the high-entropy set of characters, (e.g., a barcode). The generator computer causes the printer to print the high-entropy set of characters and the machine-readable representation on paper, and then deletes the high-entropy set of characters and the machine-readable representation from the system. The high-entropy set of characters, (e.g., password), may be entered into a target computer by scanning the barcode on the paper using a barcode scanner connected to the target computer, which is significantly faster than, and eliminates the human error associated with, typing in a high-entropy set of characters.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 21/60 - Protecting data
  • G06F 3/12 - Digital output to print unit

60.

METHODS AND SYSTEMS FOR CREATING, VERIFYING, AND ENTERING SECURITY INFORMATION

      
Application Number US2020056793
Publication Number 2021/081165
Status In Force
Filing Date 2020-10-22
Publication Date 2021-04-29
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan, T.
  • Durham, Cameron

Abstract

A system for securely producing and using high-entropy security information, such as a password. The system includes a printer, a display device, and a generator computer that is connected to the printer and the display device. The generator computer generates the high-entropy set of characters, (e.g., password), and also generates a machine-readable representation of the high-entropy set of characters, (e.g., a barcode). The generator computer causes the printer to print the high-entropy set of characters and the machine-readable representation on paper, and then deletes the high-entropy set of characters and the machine-readable representation from the system. The high-entropy set of characters, (e.g., password), may be entered into a target computer by scanning the barcode on the paper using a barcode scanner connected to the target computer, which is significantly faster than, and eliminates the human error associated with, typing in a high-entropy set of characters.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

61.

ISS INTEGRITY SECURITY SERVICES

      
Serial Number 90576255
Status Registered
Filing Date 2021-03-12
Registration Date 2022-03-01
Owner Integrity Security Services LLC (USA)
NICE Classes 09 - Scientific and electric apparatus and instruments

Goods & Services

Downloadable computer software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection

62.

Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system

      
Application Number 17097148
Grant Number 11153103
Status In Force
Filing Date 2020-11-13
First Publication Date 2021-03-04
Grant Date 2021-10-19
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Powell, Gregory

Abstract

A system for provisioning computerized devices of a plurality of tenants is provided. The system includes a security credential management system (SCMS) host connected to the devices and that is operable to receive provisioning requests from respective ones of the devices needing certificates, each provisioning request indicating a tenant identifier uniquely identifying a tenant, at least one registration authority that is communicatively connected to the SCMS host and transmits the provisioning requests to SCMS backend components based on the tenant identifier of each provisioning request. The SCMS backend components include a plurality of enrollment certificate authorities operable to generate the enrollment certificates in response to the provisioning requests, each provisioning request being transmitted to one of the plurality of enrollment certificate authorities based on the tenant identifier of each provisioning request, and a pseudonym certificate authority operable to generate pseudonym certificates in response to provisioning requests for pseudonym certificates.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/06 - Authentication
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]

63.

Systems, methods, and devices for provisioning and processing geolocation information for computerized devices

      
Application Number 17064088
Grant Number 11070565
Status In Force
Filing Date 2020-10-06
First Publication Date 2021-01-21
Grant Date 2021-07-20
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Meyer, Alan T.

Abstract

Systems, methods, and devices for securely provisioning a roadside unit (RSU) that includes an application certificate, wherein the RSU is geographically restricted according to the application certificate. An enhanced SCMS system may receive a request for an application certificate for the RSU; determine, in response to the request, an operating geolocation for the RSU; verify that the operating geolocation is within the allowed geo-region for the RSU; generate an application certificate that includes the operating geolocation; and provide the application certificate to the RSU device. Also provided is an application certificate that includes precise operating geolocation information, an improved application certificate provisioning request that allows the requestor to specify a precise operating geolocation, new processes for generating and providing improved application certificates having geographic-restriction information, an enhanced SCMS that performs the processes, and improved computerized devices, such as RSUs, that employ the precise, operating geolocation information from the application certificates.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
  • H04W 4/029 - Location-based management or tracking services
  • H04W 12/06 - Authentication
  • H04W 12/08 - Access security
  • H04W 12/30 - Security of mobile devices; Security of mobile applications

64.

Secure provisioning and management of devices

      
Application Number 17000943
Grant Number 10956542
Status In Force
Filing Date 2020-08-24
First Publication Date 2020-12-17
Grant Date 2021-03-23
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Sequino, David R.
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Systems, methods and devices for provisioning a computerized device(s). The system may include a distributor computer that is connected to the computerized device, and is operable to receive a digital asset and transmit it to the device. The system may include a digital asset management server that is connected to the distributor computer, and is operable to transmit the digital asset to the distributor computer, and a provisioning controller that is connected to the distributor computer and the digital asset management server, and is operable to cause transmission of the digital asset to the distributor computer. The system can include a second distributor computer that is connected to the digital asset management server and the device (e.g., at a later time), and that receives a second digital asset and transmits it to the device, wherein the second digital asset causes the device to become partially or fully functional.

IPC Classes

  • G06F 21/12 - Protecting executable software
  • H04L 9/08 - Key distribution
  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04W 4/70 - Services for machine-to-machine communication [M2M] or machine type communication [MTC]
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04W 4/50 - Service provisioning or reconfiguring
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]
  • H04W 12/06 - Authentication
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

65.

Device update transmission using a bloom filter

      
Application Number 16868583
Grant Number 11050553
Status In Force
Filing Date 2020-05-07
First Publication Date 2020-12-17
Grant Date 2021-06-29
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A system includes a campaign management service to detect a campaign initiation request indicating a number of computerized devices to be updated for a campaign and store data corresponding to the computerized devices to be updated. The campaign management service can generate a bloom filter data structure comprising hash values based on the data for each of the computerized devices to be updated and transmit the bloom filter data structure to a network edge. The system can include the network edge that can use the bloom filter data structure from the campaign management service to determine whether a computerized device is to obtain a device update from the campaign management service. The network edge can retrieve the device update and modify the computerized device by transmitting the device update to the computerized device, which then installs it.

IPC Classes

  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 8/65 - Updates

66.

Providing quality of service for certificate management systems

      
Application Number 16899974
Grant Number 10917248
Status In Force
Filing Date 2020-06-12
First Publication Date 2020-10-01
Grant Date 2021-02-09
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Fynaardt, Daniel R.

Abstract

An example system receives certificate requests from clients. Each request can indicate a number of computerized devices needing certificates; a timestamp indicating when the request was transmitted; and a client identifier. The system includes a Quality of Service (QoS) manager that: distributes the requests from the clients across client queues, each of the client queues corresponding to a particular client; and divides requests into smaller subgroups of entries corresponding to a subset of the computerized devices needing certificates. The system can also transmit retrieved entries from the client queues to a certificate management service.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04L 9/08 - Key distribution
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]

67.

Systems, methods, and devices for provisioning and processing geolocation information for V2X devices

      
Application Number 16854410
Grant Number 10805313
Status In Force
Filing Date 2020-04-21
First Publication Date 2020-08-06
Grant Date 2020-10-13
Owner INTEGRITY SECURITY SERVICES LLP (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Meyer, Alan T.

Abstract

Systems, methods, and devices for securely provisioning a roadside unit (RSU) that includes an application certificate, wherein the RSU is geographically restricted according to the application certificate. An enhanced SCMS system may receive a request for an application certificate for the RSU; determine, in response to the request, an operating geolocation for the RSU; verify that the operating geolocation is within the allowed geo-region for the RSU; generate an application certificate that includes the operating geolocation; and provide the application certificate to the RSU device. Also provided is an application certificate that includes precise operating geolocation information, an improved application certificate provisioning request that allows the requestor to specify a precise operating geolocation, new processes for generating and providing improved application certificates having geographic-restriction information, an enhanced SCMS that performs the processes, and improved computerized devices, such as RSUs, that employ the precise, operating geolocation information from the application certificates.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/08 - Access security
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
  • H04W 12/06 - Authentication
  • H04W 4/029 - Location-based management or tracking services
  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity

68.

Secure provisioning and management of devices

      
Application Number 16826848
Grant Number 10762178
Status In Force
Filing Date 2020-03-23
First Publication Date 2020-07-09
Grant Date 2020-09-01
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Sequino, David R.
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Systems, methods and devices for provisioning a computerized device(s). The system may include a distributor computer that is connected to the computerized device, and is operable to receive a digital asset and transmit it to the device. The system may include a digital asset management server that is connected to the distributor computer, and is operable to transmit the digital asset to the distributor computer, and a provisioning controller that is connected to the distributor computer and the digital asset management server, and is operable to cause transmission of the digital asset to the distributor computer. The system can include a second distributor computer that is connected to the digital asset management server and the device (e.g., at a later time), and that receives a second digital asset and transmits it to the device, wherein the second digital asset causes the device to become partially or fully functional.

IPC Classes

  • G06F 21/12 - Protecting executable software
  • H04L 9/08 - Key distribution
  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04W 4/70 - Services for machine-to-machine communication [M2M] or machine type communication [MTC]
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04W 4/50 - Service provisioning or reconfiguring
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]
  • H04W 12/06 - Authentication
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

69.

Scalable certificate management system architectures

      
Application Number 16806204
Grant Number 11153101
Status In Force
Filing Date 2020-03-02
First Publication Date 2020-06-25
Grant Date 2021-10-19
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04W 12/30 - Security of mobile devices; Security of mobile applications
  • H04W 12/42 - Security arrangements using identity modules using virtual identity modules
  • H04W 12/75 - Temporary identity
  • H04W 12/0431 - Key distribution or pre-distribution; Key agreement

70.

Cloaking authority system

      
Application Number 16788529
Grant Number 11005885
Status In Force
Filing Date 2020-02-12
First Publication Date 2020-06-04
Grant Date 2021-05-11
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Schetina, Erik S.

Abstract

Disclosed herein are systems, methods and devices system for identifying a misbehaving computerized device. In some implementations, the system includes a processor to perform operations including receiving, by the system, a report about a computerized device, wherein the report comprises a pseudonym certificate from the computerized device, and wherein the pseudonym certificate comprises a linkage value. The operations also include transmitting, by the system and to a cloaking authority device, a request for a cloak index, wherein the request for the cloak index comprises the linkage value from the pseudonym certificate from the computerized device. The operations also include receiving, by the system, the cloak index from the cloaking authority device, and determining, by the system and using the cloak index, that the computerized device is the misbehaving computerized device.

IPC Classes

  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/08 - Access security
  • H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  • H04W 12/06 - Authentication
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]

71.

Device update transmission using a bloom filter

      
Application Number 16437344
Grant Number 10666427
Status In Force
Filing Date 2019-06-11
First Publication Date 2020-05-26
Grant Date 2020-05-26
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Locketz, Neil

Abstract

A system includes a campaign management service to detect a campaign initiation request indicating a number of computerized devices to be updated for a campaign and store data corresponding to the computerized devices to be updated. The campaign management service can generate a bloom filter data structure comprising hash values based on the data for each of the computerized devices to be updated and transmit the bloom filter data structure to a network edge. The system can include the network edge that can use the bloom filter data structure from the campaign management service to determine whether a computerized device is to obtain a device update from the campaign management service. The network edge can retrieve the device update and modify the computerized device by transmitting the device update to the computerized device, which then installs it.

IPC Classes

  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 8/65 - Updates

72.

Providing quality of service for certificate management systems

      
Application Number 16511483
Grant Number 10749691
Status In Force
Filing Date 2019-07-15
First Publication Date 2020-05-14
Grant Date 2020-08-18
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Fynaardt, Daniel R.

Abstract

An example system receives certificate requests from clients. Each request can indicate a number of computerized devices needing certificates; a timestamp indicating when the request was transmitted; and a client identifier. The system includes a Quality of Service (QoS) manager that: distributes the requests from the clients across client queues, each of the client queues corresponding to a particular client; and divides requests into smaller subgroups of entries corresponding to a subset of the computerized devices needing certificates. The system can also transmit retrieved entries from the client queues to a certificate management service.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/08 - Key distribution
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]

73.

SCMS MANAGER SECURITY CREDENTIAL MANAGEMENT SYSTEM

      
Serial Number 88780733
Status Registered
Filing Date 2020-01-31
Registration Date 2020-09-01
Owner Integrity Security Services LLC (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Evaluating organizations to determine whether the organizations conform to an established accreditation standard; Technological planning and consulting services in the field of developing of interoperability profiles, policies, procedures, and guidelines for vehicle-to-everything (V2X) environment, namely, vehicle to vehicle, vehicle to infrastructure, vehicle to device, and vehicle to cloud; Perform product research and development to support V2X environment; Technological planning and consulting services in relation to managing activities with external standard bodies and test bodies; Technical verification and management of compliance with policies, procedures, and guidelines for V2X environment

74.

Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system

      
Application Number 16591093
Grant Number 10873470
Status In Force
Filing Date 2019-10-02
First Publication Date 2020-01-30
Grant Date 2020-12-22
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Powell, Gregory

Abstract

An example system for securely provisioning computerized devices of a plurality of tenants includes a Security Credential Management System (SCMS) host that is communicatively connected to the devices and is operable to receive provisioning requests from computerized devices needing certificates. Each provisioning request indicates a tenant identifier (ID) uniquely identifying a tenant of the plurality of tenants. The system also includes a registration authority communicatively connected to the SCMS host and operable to transmit requests to SCMS backend components. The backend components include a set of independent enrollment certificate authorities operable to generate enrollment certificates in response to receiving requests for enrollment certificates from the devices, each provisioning request being transmitted to one of the enrollment certificate authorities based on the tenant identifier of each provisioning request; and a pseudonym certificate authority operable to generate pseudonym certificates responsive to receiving requests for pseudonym certificates from the virtual registration authority.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04W 12/06 - Authentication
  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]

75.

SCALABLE CERTIFICATE MANAGEMENT SYSTEM ARCHITECTURES

      
Application Number US2019040064
Publication Number 2020/014024
Status In Force
Filing Date 2019-07-01
Publication Date 2020-01-16
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan, T.
  • Powell, Gregory, A.

Abstract

Scalable certificate management system architectures. An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more application platforms that run first and second linkage authorities and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the linkage authorities.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

76.

Secure provisioning and management of devices

      
Application Number 16561509
Grant Number 10599819
Status In Force
Filing Date 2019-09-05
First Publication Date 2019-12-26
Grant Date 2020-03-24
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Sequino, David R.
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Systems and methods for secure provisioning and management of computerized devices. The system may include a distributor appliance that is communicatively connected to the computerized device, and that is operable to receive a digital asset and to load the digital asset into the computerized device. It may include an optional digital asset management system that is connected via a secure communication channel to the distributor appliance, and that is operable to transmit the digital asset to the distributor appliance; and a provisioning controller that is connected via a secure communication channel to the distributor appliance and is connected via another secure communication channel to the optional digital asset management system, and that is operable to directly or indirectly transmit the digital asset to the distributor appliance. The computerized device is not fully functional before the digital asset is loaded into it.

IPC Classes

  • G06F 21/12 - Protecting executable software
  • H04W 12/06 - Authentication
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]

77.

CLOAKING AUTHORITY SYSTEM

      
Application Number US2019030154
Publication Number 2019/213225
Status In Force
Filing Date 2019-05-01
Publication Date 2019-11-07
Owner INTEGRITY SECURITY SERVICES, LLC (USA)
Inventor Schetina, Erik, S.

Abstract

A cloaking authority system that securely and anonymously identifies a misbehaving device based on its digital certificate. The system may include a cloaking authority server that is communicatively connected to a misbehavior authority server, a pseudonym certificate authority device, and a registration authority device. In response to a request from the misbehavior authority server to identify a misbehaving device using the device's pseudonym certificate, the cloaking authority server interacts with the pseudonym certificate authority device and the registration authority device to securely obtain a representation of the linkage chain identifier that is associated with the misbehaving device, while maintaining the anonymity of the real-world identifying information for the misbehaving device. The cloaking authority server creates a cloak index that corresponds to the linkage chain identifier and that identifies the misbehaving device, and provides the cloak index to the misbehavior authority server.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

78.

Cloaking authority system

      
Application Number 16392894
Grant Number 10574694
Status In Force
Filing Date 2019-04-24
First Publication Date 2019-11-07
Grant Date 2020-02-25
Owner INTEGRITY SECURITY SERVICES, LLC (USA)
Inventor Schetina, Erik S.

Abstract

Disclosed herein are systems, methods and devices system for identifying a misbehaving computerized device. In some implementations, the system includes a cloaking authority device for identifying a misbehaving computerized device, wherein the cloaking authority device includes a processor that can receive a request for a cloak index, wherein the request for the cloak index comprises a linkage value retrieved from a pseudonym certificate. In some examples, the processor can also request, from a pseudonym certificate authority device, first information that is used to produce the cloak index, wherein the first information is associated with the linkage value. Additionally, the processor can process, by the cloaking authority device, the linkage value to produce the cloak index based in part on the first information, wherein the cloak index identifies a misbehaving computerized device. Furthermore, the processor can transmit, by the cloaking authority device, the cloak index to a misbehavior authority device.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/08 - Access security
  • H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  • H04W 12/06 - Authentication
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]

79.

Providing quality of service for certificate management systems

      
Application Number 16189895
Grant Number 10439825
Status In Force
Filing Date 2018-11-13
First Publication Date 2019-10-08
Grant Date 2019-10-08
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Fynaardt, Daniel R.

Abstract

An example system receives certificate requests from clients. Each request indicates: a number of computerized devices needing certificates; a timestamp indicating when the request was transmitted; and a client. The system includes a Quality of Service (QoS) manager that: distributes the requests from the clients across client queues, each of the client queues corresponding to a particular client; and divides requests into smaller subgroups of entries corresponding to a subset of the computerized devices needing certificates. It also includes a QoS arbiter that selects a sequence of entries from the client queues to be placed onto a QoS queue based on a number of entries in the QoS queue, a latency level of a certificate management service, and timestamps indicating when requests were transmitted, where the QoS manager retrieves entries from the QoS queue in the sequence selected by the QoS arbiter and transmits them to the certificate management service.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
  • H04L 9/08 - Key distribution
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]

80.

SYSTEMS, METHODS, AND DEVICES FOR PROVISIONING AND PROCESSING GEOLOCATION INFORMATION FOR V2X DEVICES

      
Application Number US2019018355
Publication Number 2019/161306
Status In Force
Filing Date 2019-02-15
Publication Date 2019-08-22
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Meyer, Alan T.

Abstract

Systems, methods, and devices for securely provisioning a roadside unit (RSU) that includes an application certificate, wherein the RSU is geographically restricted according to the application certificate. An enhanced SCMS system may receive a request for an application certificate for the RSU; determine, in response to the request, an operating geolocation for the RSU; verify that the operating geolocation is within the allowed geo-region for the RSU; generate an application certificate that includes the operating geolocation; and provide the application certificate to the RSU device. Also provided is an application certificate that includes precise operating geolocation information, an improved application certificate provisioning request that allows the requestor to specify a precise operating geolocation, new processes for generating and providing improved application certificates having geographic-restriction information, an enhanced SCMS that performs the processes, and improved computerized devices, such as RSUs, that employ the precise, operating geolocation information from the application certificates.

IPC Classes

  • H04L 9/08 - Key distribution
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/08 - Access security
  • H04W 48/04 - Access restriction performed under specific conditions based on user or terminal location or mobility data, e.g. moving direction or speed
  • H04W 48/18 - Selecting a network or a communication service
  • H04W 88/04 - Terminal devices adapted for relaying to or from another terminal or user
  • H04W 88/16 - Gateway arrangements

81.

Systems, methods, and devices for provisioning and processing geolocation information for computerized devices

      
Application Number 16277982
Grant Number 10645094
Status In Force
Filing Date 2019-02-15
First Publication Date 2019-08-22
Grant Date 2020-05-05
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Meyer, Alan T.

Abstract

Systems, methods, and devices for securely provisioning a roadside unit (RSU) that includes an application certificate, wherein the RSU is geographically restricted according to the application certificate. An enhanced SCMS system may receive a request for an application certificate for the RSU; determine, in response to the request, an operating geolocation for the RSU; verify that the operating geolocation is within the allowed geo-region for the RSU; generate an application certificate that includes the operating geolocation; and provide the application certificate to the RSU device. Also provided is an application certificate that includes precise operating geolocation information, an improved application certificate provisioning request that allows the requestor to specify a precise operating geolocation, new processes for generating and providing improved application certificates having geographic-restriction information, an enhanced SCMS that performs the processes, and improved computerized devices, such as RSUs, that employ the precise, operating geolocation information from the application certificates.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 4/44 - Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
  • H04W 4/029 - Location-based management or tracking services
  • H04W 12/06 - Authentication
  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W 12/08 - Access security

82.

Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system

      
Application Number 16191030
Grant Number 10476679
Status In Force
Filing Date 2018-11-14
First Publication Date 2019-05-16
Grant Date 2019-11-12
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Fynaardt, Daniel R.
  • Lattin, William L.
  • Powell, Gregory

Abstract

An example system for securely provisioning computerized devices of a plurality of tenants includes a Security Credential Management System (SCMS) host that is communicatively connected to the devices and is operable to receive provisioning requests from computerized devices needing certificates. Each provisioning request indicates a tenant identifier (ID) uniquely identifying a tenant of the plurality of tenants. The system also includes a virtual registration authority communicatively connected to the SCMS host and operable to transmit requests to SCMS backend components. The backend components include an enrollment certificate authority operable to generate enrollment certificates in response to receiving requests for enrollment certificates from the virtual registration authority; first and second linkage authorities operable to generate linkage values responsive to receiving requests for linkage values from the virtual registration authority; and a pseudonym certificate authority operable to generate pseudonym certificates responsive to receiving requests for pseudonym certificates from the virtual registration authority.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures

83.

Cloaking authority system

      
Application Number 16177148
Grant Number 10284596
Status In Force
Filing Date 2018-10-31
First Publication Date 2019-05-07
Grant Date 2019-05-07
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Schetina, Erik S.

Abstract

A cloaking authority system that securely and anonymously identifies a misbehaving device based on its digital certificate. The system may include a cloaking authority server or device that is communicatively connected to a misbehavior authority server, and may also include a pseudonym certificate authority device, and a registration authority device. The cloaking authority device receives, from the misbehavior authority server, a request for a cloak index, wherein the request for the cloak index includes the linkage value from a PC of a misbehaving computerized device. The cloaking authority device processes the linkage value to produce a cloak index, which identifies the misbehaving computerized device and which is unique and anonymous, and transmits it to the requesting misbehavior authority server. The misbehavior authority server uses the cloak index to identify the specific computerized device that has misbehaved, usually repeatedly.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/04 - Communication control; Communication processing for plural communication lines
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

84.

Cloaking authority system

      
Application Number 15971045
Grant Number 10154061
Status In Force
Filing Date 2018-05-04
First Publication Date 2018-12-11
Grant Date 2018-12-11
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor Schetina, Erik S.

Abstract

A cloaking authority system that securely and anonymously identifies a misbehaving device based on its digital certificate. The system may include a cloaking authority server that is communicatively connected to a misbehavior authority server, a pseudonym certificate authority device, and a registration authority device. In response to a request from the misbehavior authority server to identify a misbehaving device using the device's pseudonym certificate, the cloaking authority server interacts with the pseudonym certificate authority device and the registration authority device to securely obtain a representation of the linkage chain identifier that is associated with the misbehaving device, while maintaining the anonymity of the real-world identifying information for the misbehaving device. The cloaking authority server creates a cloak index that corresponds to the linkage chain identifier and that identifies the misbehaving device, and provides the cloak index to the misbehavior authority server.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

85.

Scalable certificate management system architectures

      
Application Number 16029559
Grant Number 10581620
Status In Force
Filing Date 2018-07-07
First Publication Date 2018-11-01
Grant Date 2020-03-03
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Scalable certificate management system architectures. An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more application platforms that run first and second linkage authorities and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the linkage authorities.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

86.

DLM DEVICE LIFECYCLE MANAGEMENT

      
Serial Number 88042382
Status Registered
Filing Date 2018-07-18
Registration Date 2019-07-02
Owner INTEGRITY SECURITY SERVICES LLC
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection; Software as a service (SAAS) services, namely, hosting software for use by others for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices

87.

AUTOAUTH AUTO AUTHENTICATION AUTHORITY

      
Serial Number 88039624
Status Registered
Filing Date 2018-07-16
Registration Date 2020-05-26
Owner INTEGRITY SECURITY SERVICES LLC
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computing services featuring online non-downloadable software for use in the field of cryptographic security services, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, authority management of internet-of-things devices, design and implementation of software and technology for the purpose of product authentication, and brand monitoring and protection, to protect against counterfeiting, tampering, and diversion, and to ensure the integrity of genuine products and documents

88.

AUTOAUTH

      
Serial Number 88039615
Status Registered
Filing Date 2018-07-16
Registration Date 2020-05-26
Owner INTEGRITY SECURITY SERVICES LLC
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computing services featuring online non-downloadable software for use in the field of cryptographic security services, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, authority management of internet-of-things devices, design and implementation of software and technology for the purpose of product authentication, and brand monitoring and protection, to protect against counterfeiting, tampering, and diversion, and to ensure the integrity of genuine products and documents

89.

INTEGRITY SECURITY SERVICES

      
Serial Number 88037480
Status Registered
Filing Date 2018-07-13
Registration Date 2019-09-10
Owner INTEGRITY SECURITY SERVICES LLC
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection [ Computing services featuring online non-downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices ]

90.

FLEXHSM

      
Serial Number 88037582
Status Registered
Filing Date 2018-07-13
Registration Date 2019-09-10
Owner INTEGRITY SECURITY SERVICES LLC
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

[ Downloadable software for use in the field of cryptographic security services for microcontrollers, namely, software that provides security application program interface libraries, hardware security integration, secure key and certificate storage, root of trust and secure boot processes, and secure execution environments ] Computing services featuring online non-downloadable software for use in the field of cryptographic security services for microcontrollers, namely, software services that provide security application program interface libraries, hardware security integration, secure key and certificate storage, root of trust and secure boot processes, and secure execution environments

91.

INTEGRITY SECURITY SERVICES

      
Serial Number 88037039
Status Registered
Filing Date 2018-07-13
Registration Date 2019-09-10
Owner INTEGRITY SECURITY SERVICES LLC
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices; Computer devices for controlling access to other computing devices, namely, secure boot code signing, device identity certificate authentication, feature control and trusted commands, key generation and injection; Computing services featuring online non-downloadable software for use in the field of cryptographic security services for communication between electronic devices, namely, digital signing, supply chain asset management, certificate authority management, over-the-air updates, and authority management of internet-of-things devices

92.

Secure provisioning and management of devices

      
Application Number 15812510
Grant Number 10503881
Status In Force
Filing Date 2017-11-14
First Publication Date 2018-05-17
Grant Date 2019-12-10
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Sequino, David R.
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Systems for secure provisioning and management of computerized devices. The system may include a distributor appliance that is communicatively connected to the computerized device, and that is operable to receive a digital asset and to load the digital asset into the computerized device. It may also include a digital asset management system that is connected via a first secure communication channel to the distributor appliance, and that is operable to generate and conditionally transmit the digital asset to the distributor appliance; and a provisioning controller that is connected via a second secure communication channel to the distributor appliance and is connected via a third secure communication channel to the digital asset management system, and that is operable to direct the digital asset management system to transmit the digital asset to the distributor appliance. The computerized device is not fully functional before the digital asset is loaded into it.

IPC Classes

  • G06F 21/12 - Protecting executable software
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]
  • H04W 12/06 - Authentication
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • H04W 4/50 - Service provisioning or reconfiguring
  • H04W 4/70 - Services for machine-to-machine communication [M2M] or machine type communication [MTC]
  • H04L 9/08 - Key distribution
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity

93.

SECURE PROVISIONING AND MANAGEMENT OF DEVICES

      
Application Number US2017061511
Publication Number 2018/089990
Status In Force
Filing Date 2017-11-14
Publication Date 2018-05-17
Owner INTEGRITY SECURITY SERVICES LLC (USA)
Inventor
  • Lattin, William L.
  • Sequino, David R.
  • Meyer, Alan T.
  • Powell, Gregory A.

Abstract

Systems for secure provisioning and management of computerized devices. The system may include a distributor appliance that is communicatively connected to the computerized device, and that is operable to receive a digital asset and to load the digital asset into the computerized device. It may also include a digital asset management system that is connected via a first secure communication channel to the distributor appliance, and that is operable to generate and conditionally transmit the digital asset to the distributor appliance; and a provisioning controller that is connected via a second secure communication channel to the distributor appliance and is connected via a third secure communication channel to the digital asset management system, and that is operable to direct the digital asset management system to transmit the digital asset to the distributor appliance. The computerized device is not fully functional before the digital asset is loaded into it.

IPC Classes

  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/04 - Key management, e.g. using generic bootstrapping architecture [GBA]
  • H04W 12/06 - Authentication