WO2001082035A2 - Method and apparatus verifying parts and parts lists in an assembly - Google Patents

Method and apparatus verifying parts and parts lists in an assembly Download PDF

Info

Publication number
WO2001082035A2
WO2001082035A2 PCT/US2001/012942 US0112942W WO0182035A2 WO 2001082035 A2 WO2001082035 A2 WO 2001082035A2 US 0112942 W US0112942 W US 0112942W WO 0182035 A2 WO0182035 A2 WO 0182035A2
Authority
WO
WIPO (PCT)
Prior art keywords
cryptographic
components
keys
cryptographic key
assembly
Prior art date
Application number
PCT/US2001/012942
Other languages
French (fr)
Other versions
WO2001082035A3 (en
Inventor
Stephen R. Hanna
Anne H. Anderson
Yassir K. Elley
Original Assignee
Sun Microsystems, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sun Microsystems, Inc. filed Critical Sun Microsystems, Inc.
Priority to AU2001255553A priority Critical patent/AU2001255553A1/en
Publication of WO2001082035A2 publication Critical patent/WO2001082035A2/en
Publication of WO2001082035A3 publication Critical patent/WO2001082035A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K17/00Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G06K17/0022Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisious for transferring data to distant stations, e.g. from a sensing device
    • G06K17/0029Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisious for transferring data to distant stations, e.g. from a sensing device the arrangement being specially adapted for wireless interrogation of grouped or bundled articles tagged with wireless record carriers
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B62LAND VEHICLES FOR TRAVELLING OTHERWISE THAN ON RAILS
    • B62DMOTOR VEHICLES; TRAILERS
    • B62D65/00Designing, manufacturing, e.g. assembling, facilitating disassembly, or structurally modifying motor vehicles or trailers, not otherwise provided for

Definitions

  • the present invention relates to methods and apparatus for verifying parts and parts lists in an assembly and more particularly to the identification of parts in the assembly via the use of cryptographic techniques.
  • Modern day assemblies such as automobiles, airplanes, space vehicles and power plants contain numerous expensive and/or critical components. During the useful lifetime of the assembly it is normal for repairs and replacements of some components to be made. In many assemblies the quality of a replacement component may be essential to the proper operation or fit of the assembly or the resale value of the assembly. For example, reports of the replacement of Original Equipment Manufacturer (OEM) parts in automobiles with cheap and inferior substitute components from stolen or used vehicles have been published. Additionally, car owners who do their own repairs may substitute parts considered by the manufacturer to be unauthorized or unapproved parts for use in a vehicle due to concerns over the quality of the components and related concerns pertaining to operation, safety or vehicle appearance. In some circumstances, such substitutions may affect the warranty obligations of the manufacturer. Similar types of substitutions may be made in numerous types of assemblies including but not limited to computers, home appliances, industrial equipment and electronic equipment.
  • a method and system for verifying that a plurality of component parts of an assembly comprise components approved for use in said assembly.
  • an integrated circuit that is subject to cryptographic verification and herein referred to as a cryptographic authentication module (CAM) is embedded within or securely affixed to at least some of the component parts of the assembly.
  • the CAM is capable of securely holding a private or secret cryptographic key and of proving possession of that key to a cooperative verification controller which may be communicably coupled to the respective CAMs via one or more hard-wired communication links or via wireless communication links.
  • the CAM may be packaged and/or secured to the respective component parts in a tamper resistant manner so that the CAMs are disabled if dislodged from the part to which the respective CAM was affixed.
  • the respective CAM may erase its private or secret key, as applicable, upon the detection that the device is being dislodged from the part to which it was mounted, upon the detection of stress, or in response to other predetermined conditions.
  • each CAM retains a private key of a public/private key pair.
  • the verification controller stores in a memory a manifest that contains the public keys corresponding to the respective private keys held by the approved components of the assembly.
  • the CAMs from time to time transmit a message to the verification controller proving possession of their respective private key by signing a message with their respective key or alternatively, transmit such messages in response to requests issued by the verification controller.
  • the verification controller attempts to verify the identity of the respective CAMs using the public keys maintained in the manifest. If, for each public key stored within the manifest, a message is received which is signed with the corresponding private key, such is indicative of the fact that all components within the assembly comprise approved components and an indication of such event may be provided.
  • the manifest may be stored in the verification controller upon manufacture of the assembly and the controller and updated via the use of a manifest server.
  • the verification controller may comprise a portable device and the manifest may be downloaded from the manifest server to the verification controller to permit a single verification controller to be used to verify components of a number of assemblies.
  • the manifest server may be administered by a trusted party, such as the manufacturer of the assembly.
  • the trusted party may maintain as a manifest, the valid public keys associated with each of the relevant component parts in the assembly and, in response to a request, generate a certificate that includes the public keys associated with the relevant components of the assembly.
  • This certificate may be signed by the trusted party and time-stamped to permit the verification controller to verify that a received manifest is the appropriate manifest to be used.
  • information pertaining to the respective part may be included within the manifest.
  • Fig. 1 is pictorial exploded view of an assembly of automotive components having cryptographic authentication modules affixed to selected components and a verification controller operative in a manner consistent with the present invention
  • Fig. 2 is a block diagram of a cryptographic authentication module (CAM) of the type depicted in Fig. 1
  • Fig. 3 is a block diagram of the verification controller (VC) of Fig. 1;
  • Fig. 4 is a block diagram of the manifest server of Fig. 1;
  • Fig. 5 is a diagram illustrating a manifest data structure for use in the system depicted in Fig. 1;
  • Fig. 6 is a block diagram illustrating a verification controller coupled to a plurality of CAMs and a manifest server via a local area network and a wide area network respectively;
  • Fig. 7 is a flow diagram illustrating a method of operation of a component verification system in a manner consistent with the present invention.
  • Fig. 8 is a flow diagram illustrating a method for updating a manifest in the event a component is replaced with an approved replacement component .
  • a method and system for verifying that a plurality of component parts comprise approved parts for use within an assembly.
  • the component parts of the assembly for which verification is desired each have a cryptographic authentication module (CAM) securely affixed to the respective component.
  • the CAMs transmit signed messages that are received by a verification controller.
  • the verification controller determines whether the identity of the respective components, as indicated by the signed message, corresponds to an expected identity indicated via an entry in a manifest stored within the verification controller.
  • a cryptographic authentication module (CAM) 10 is securely affixed to selected components of the automotive assembly.
  • the components to which the CAMs are affixed will vary in different applications. Typically, however, the CAMs are affixed to components of substantial value or components having functions critical to the operation or safe use of the assembly.
  • the CAMs which are identified in Fig. 1 as CAMs 10a through lOh, and generally referred to herein as CAMs 10, comprise devices which, in one embodiment, are capable of privately and securely holding at least one key of a cryptographic key pair.
  • the system is illustrated as using cryptographic key pairs that comprise public/private key pairs, although it should be appreciated that either asymmetric or symmetric keys may be employed.
  • the illustrated CAMs 10 are capable of storing a private key of a public/private key pair and of transmitting a message signed by the CAM using the respective private key held by the respective CAM.
  • the CAMs may be embodied in different forms and may include the functionality associated with such devices generally known as smart cards which are commercially available from a number of companies and IBUTTONS which are available from Dallas Semiconductor, 4401 South Beltwood Parkway, Dallas, Texas 75244. The CAMs are discussed in greater detail below.
  • the CAMs are securely affixed to the respective components to assure that once a CAM is affixed to the component, it may not be disassociated from that component and attached to another component.
  • the technique employed for mounting a particular CAM to a corapone ⁇ - may vary based upon the nature of the CAM and the component. In typical applications, however, the CAMs may be affixed to the respective components by embedding the CAM within the component, via epoxy or any other suitable glue or adhesive or use of a mechanical fastening technique.
  • CAM 10a is affixed to the rear bumper 11a
  • CAM 10b is affixed to a rear fender lib
  • CAM 10c is affixed to a rear wheel lie
  • CAM lOd is affixed to a rear door lid
  • CAM lOe is affixed to a front door lie
  • CAM lOf is affixed to a front fender llf
  • CAM lOg is affixed to a front wheel llg
  • CAM lOh is affixed to a front bumper llh.
  • the CAMs 10 are capable of communicating with a verification controller 12 over respective communication links.
  • the communication links between the CAMs 10 and the verification controller 12 may comprise hardwired links, a network, such as a local area network, or wireless communication links.
  • the verification controller 12 may be constructed as a part of the assembly or alternatively, may be a mobile unit or separable from the assembly. Different embodiments of the verification controller 12 are discussed subsequently.
  • the verification controller 12 maintains a manifest that, in a preferred embodiment, includes public keys associated with private keys held by CAMs 10 affixed to the respective components of the relevant assembly. In the situation in which the verification controller 12 is constructed as a part of the assembly, the manifest may be stored within the verification controller 12 at the time
  • the manifest may be transmitted or delivered to the verification controller 12 from a manifest server 14 over a network or a suitable communication link at the time of assembly, or thereafter, provided that a manifest server public key is accessible to the verification controller 12 to allow for authentication of the manifest.
  • the manufacturer of the assembly affixes the respective CAMs to the components
  • the manufacturer of the assembly may generate the public/private key pairs and store the public keys in the manifest.
  • such other party or parties may maintain one or more source servers 15, which communicate to the manifest server 14 an identification of a particular component along with the public key associated with the CAM securely affixed to that component.
  • a cryptographic authentication module (CAM) 10 that is securely affixed to a component is depicted in Fig. 2.
  • the CAM 10 includes a processor 16 that is coupled to a memory 20 and an arithmetic accelerator 18. While the processor 16 and arithmetic accelerator 18 are depicted as separate blocks in Fig. 2 it should be appreciated that the processor 16 may include the functions of the arithmetic accelerator 18 as an integral part of the processor 16. At least a portion of the memory 20 is non-volatile and stores the private key of the public/private key pair for the respective CAM 10.
  • the processor 16 is also coupled to a communication interface 22 that is appropriate for the particular type of communication link being employed between the CAM 10 and the verification controller 12.
  • the communication interface 22 includes the data link and MAC interface logic for an Ethernet link.
  • the communication interface 22 in addition to the necessary protocol support, includes an RF receiver and transmitter. It should be noted that any suitable communication link may be employed, including but not limited to a hard-wired link, an RF link or an infrared link.
  • the CAMs 10 may have different levels of security but are typically designed so as to erase the private key held in the memory of the respective CAM in the event that tampering with the CAM is detected. For example, the private key stored within the CAM may be erased from the
  • each CAM 10 securely stores the private key of its respective public/private key pair and the public key is stored in the manifest as is subsequently described in greater detail.
  • the private key may be provided to the CAM
  • the CAMs 10 as input from a secure private key source and the corresponding public key stored within the manifest.
  • the CAMs 10 generates a public/private key pair, securely store the respective private key within the CAM 10 in a manner that precludes access to the private key, and provides access to the respective public key of the public/private key pair.
  • FIG. 3 A block diagram of an illustrative verification controller 12 operative in a manner consistent with the present invention is depicted in Fig. 3.
  • the verification controller 12 may comprise a computer, a personal digital assistant (PDA) , an intelligent network appliance, a controller, or any other device capable of receiving messages from the CAMs 10, and in some embodiment transmitting messages to the CAMs as herein described.
  • the verification controller 12 includes a processor 12a and a communication interface 12d for receiving messages from the CAMs and optionally transmitting messages to the CAMS.
  • the processor 12a is operative to execute a software program out of instruction/data memory 12b and the verification controller, optionally, may include secondary storage 12c.
  • the memory 12b which may comprise RAM, ROM or a combination of both, stores an operating system 12e and application code 12f which is operative to perform the presently described verification functions.
  • the application code 12f includes messaging software for receiving the messages from the CAMs 10 and optionally transmitting requests to the CAMs 10.
  • the manifest server 14 may comprise a computer, a personal digital assistant (PDA) , an intelligent network appliance, a controller, or any other device capable of generating manifests of the type herein described and communicating such manifests to a verification controller 12.
  • the manifest server 14 includes a processor 14a and a communication interface 14d.
  • the communication interface 14d in a preferred embodiment, is coupled to a network to allow the manifest server 14 to forward manifests to verification controllers 12, to receive certificates from source servers 15 (See Fig.
  • the processor 14a is operative to execute a software program out of instruction/data memory 14b.
  • the manifest server 14 may optionally include secondary storage 14c.
  • the memory 14b which may comprise RAM, ROM or a combination of both, stores an operating system 14e and application code 14f that is operative to perform the functions attributed to the manifest server 14.
  • the application code 14f includes messaging software for receiving the messages from source servers 15 and authorized repair agents (not shown) and for generating and forwarding manifests as well as updated manifests .
  • a manufacturer is assembling an automobile.
  • Selected components have CAMs 10 securely affixed to the respective components and a public/private key pair is generated either by or for the respective CAMs 10.
  • Each CAM 10 stores a private key that is employed by the respective CAM to sign messages that are forwarded by that CAM.
  • the private key may be generated within the CAM as one key of a public/private key pair generated by the respective CAM or alternatively, the public/private key pair may be generated external to the CAM and the private key may be stored within the CAM.
  • the public keys are collected and stored within a manifest as illustrated in Fig. 5. More particularly, referring to Fig.
  • the manifest includes a public key associated with a private key held in a CAM for each component illustrated in Fig. 1.
  • the manifest is preferably cryptographically authenticated such as via a digital signature.
  • the minimal manifest includes the public keys associated with the respective CAMs.
  • the manifest may contain additional information such as the Vehicle Identification Number (VIN) number of the vehicle, the name of the manufacturer of the component (Issuer) , an identification of the part (Part No.), a serial number for the part, a manufacturing lot number for the part, the manufacturing location, the manufacturing date and any other information relevant to the part that may be useful during the useful life of the component.
  • VIN Vehicle Identification Number
  • Issuer an identification of the part
  • Part No. an identification of the part
  • serial number for the part a manufacturing lot number for the part
  • the manufacturing location the manufacturing date and any other information relevant to the part that may be useful during the useful life of the component.
  • the information may be provided to the manufacturer of the automobile by the subcontractor in the form of a certificate issued by the respective subcontractor.
  • the information provided to the automobile manufacturer from the subcontractor is in the form of a certificate signed by the subcontractor.
  • the certificates from the subcontractors, or possibly from the manufacturers' remote manufacturing sites are communicated from source servers 15a - 15n to the manifest server 14 via a network 22 as depicted in Fig. 6.
  • the network 22 may comprise a local area network, a wide area network, a wireless network, the Internet or any other network for communicably coupling the source servers 15 to the manifest server 14 and for communicably coupling the manifest server 14 to the verification controller (s) 12.
  • the manifest server 14 assembles the manifest and transmits the completed manifest to the verification controller 12.
  • the communication link between the manifest 14 and the verification controller 12 is illustrated as a network 22, however, the communication link between the manifest server 14 and the verification controller may comprise a hard wired link such as a serial or parallel link, an infra red link, or any other communications link suitable for forwarding the manifest to the verification controller 12.
  • the verification controller 12 In order for the verification controller 12 to verify the authenticity of manifests forwarded to it by the manifest server 14, the verification controller 12 is provided with the public key of the manifest server 1 .
  • the public key of the manifest server 14 may be loaded into the verification controller 12 upon manufacture or initialization of the verification controller 12 or otherwise made available to the verification controller 12 via a secure communications link.
  • the verification controller 12 may determine whether all of the components that correspond to components associated with the public keys within the manifest are present within the vehicle. This determination may be made in response to a request initiated by a verification controller 12 user or alternatively, may be performed from time to time or periodically.
  • the verification controller 12 engages in a challenge response dialog with each of the CAMs. More specifically, the verification controller may transmit random information or a time stamped message to each of the CAMs 10. In response to receipt of the message from the verification controller 12, each CAM transmits a response message to the verification controller 12 that is cryptographically authenticated by the respective CAM.
  • the cryptographic authentication may comprise a digital signature that is generated using the private key of the respective CAM. In the example in which the authentication is via a digital signature that is generated using the CAM private key, for each received message, the verification controller 12 attempts to verify that the message received from the respective CAM was signed with a private key having a corresponding public key contained within the manifest.
  • the verification controller 12 attempts verify the signature of the respective CAM using each of the public keys within the manifest until the proper public key is identified, or alternatively, it is determined that the signed message received from a CAM 10 by the verification controller 12 cannot be verified using any of the public keys within the manifest. If the verification controller verifies all of the signed messages, an indication of such event may be provided to a user. In the event one of the received messages includes a digital signature that cannot be verified using the public keys contained within the manifest or, in the event a digital signature is not received that corresponds to one of the public keys within the manifest, an indication of this circumstance may be provided and an identification of the part may be output via a display such as warning indicator 24 (See Fig. 6). Alternatively, such information may be output audibly or via a link to an external readout device that is linked to the verification controller 12.
  • the verification controller 12 may, upon verification of one of the digitally signed messages, check the time stamp to assure that it corresponds to the time stamp within the challenge response dialog that resulted in the forwarding of the respective message and additionally, to assure that the time stamp corresponds to the transmitted time stamp within a specified time interval . Such a check will avoid the possibility that the verification controller would indicate the presence of a component as a result of the malicious replay of a message previously transmitted by a CAM.
  • a pseudo random number or any other secret value may be included within the request issued by the verification controller 12.
  • the processing time associated with the trial and error approach of attempting to verify a received message with each public key in the manifest until the message is successfully verified or the attempt to verify the message with all public keys has proved unsuccessful may be shortened by including a part number both in the manifest and in the return message from the CAM.
  • the verification controller 12 may then attempt to verify each message with only the public key or keys in the manifest associated with the same part number that was conveyed to the verification controller 12 in the signed message from the respective CAM 10. For example, there may be five public keys in the manifest associated with wheels (four wheels mounted on the automobile and one spare) . All of these components may have the same part number but will be associated with different public/private key pairs.
  • the CAMs 10 transmit messages to the verification controller 12 in response to requests received from the verification controller 12.
  • the CAMs 10 can transmit messages to the verification controller 12 periodically or in response to predetermined events.
  • a CAM 10 may periodically transmit the date and time of day digitally signed by the respective CAM. Assuming that the CAMs and the verification controller 12 have relatively closely synchronized clocks, the verification controller 12 will receive the signed message containing the date and time of day close to the time the message was generated. The verification controller 12 can then verify the signature using one of the public keys in the manifest. In this manner, the CAMs need not respond to a request issued by the verification controller 12 to initiate their respective transmissions.
  • a manifest containing a least the public keys associated with a plurality of components within an assembly is stored on the verification controller 12 as illustrated in step 100.
  • the verification controller 12 sends a request to the CAMs to prove their respective identities. Since the CAMs are securely affixed to specific components of the assembly, if one or more of the components either has a non-functioning CAM, no CAM, or a CAM that possesses the wrong private key, the CAM (if any) associated with the respective component will be unable to respond to the request issued by the verification controller in a manner that will verify the component expected to be present in the assembly.
  • the verification controller 12 receives the signed responses from the CAMs 10 as illustrated in step 104.
  • the verification controller 12 attempts to verify the identify of the respective CAMs affixed to the components via use of the public keys within the manifest stored in the verification controller 12.
  • inquiry step 108 inquiry is made whether any messages were received from a CAM 10 that could not be verified using a public key within the manifest.
  • an indication of the same is provided via a readout, warning indication, control signal or other suitable output indicative of the verification failure as shown in step 112.
  • control passes to inquiry step 110.
  • public keys that correspond to a private key that was not used in the signing of one of the received CAM messages such is indicative that the CAM associated with the component is not responding for any one of a number of reasons.
  • the CAM may have been tampered with and ceased to function.
  • the component may have been replaced with another component that includes a CAM, but the component was not registered with the manifest server, as subsequently described, and accordingly, is not reflected in the manifest.
  • the component may have been replaced with an unapproved component that does not possess the CAM functionality.
  • the manifest is initially stored on the verification controller and additionally, at the request of a user.
  • the manifest may be updated from time to time to account for authorized replacements of components of the assembly. More specifically, referring to the flow diagram of Fig. 8, when a component within the assembly needs to be replaced, such replacement is performed by an authorized agent using approved components.
  • the replacement component having a new CAM securely affixed thereto is substituted within the assembly for the old component as depicted in step 200.
  • the repair center that replaced the component transmits a certificate to the manifest server that identifies the component that was replaced, the vehicle VIN Number (or assembly identification, as applicable) along with the public key associated with the CAM affixed to the substituted component. Additionally, other information pertaining to the substituted component may be included within the certificate as outlined above with respect to Fig. 5.
  • the certificate forwarded to the manifest server 14 from the repair center is preferably signed by the repair center.
  • the manifest server 14 verifies the signature of the repair center using the repair center public key.
  • the manifest server 14 updates the manifest to reflect the public key associated with the replacement part.
  • the manifest may maintain information on the old components that were removed from the assembly for historical purposes; however, the public key associated with the substituted component is used for verification purposes in place of the public key associated with the component that was removed from the assembly.
  • the updated manifest is communicated to the verification controller 12 and is signed by a trusted party, such as the vehicle manufacturer.
  • the updated manifest is signed using the private key of a public/private key pair held by the manifest server.
  • the verification controller 12 verifies the authenticity of the updated manifest using the public key of the manifest server 14 public/private key pair.
  • the verification controller 12 then utilizes the updated manifest for verification of the components of the assembly as described in connection with Fig. 7 hereinabove .
  • the verification controller 12 may comprise a unit integral with the assembly, such as the automobile, or may be a mobile unit that may be communicably coupled to the CAMs via a connector or via a RF or other communications link.
  • the use of a portable verification controller 12 allows law enforcement, or other oversight officials to download manifests for specific vehicles or assemblies and request component verification for the particular vehicle or assembly should there be a concern regarding the components employed within any given vehicle or other assembly.
  • cryptographic authentication of the identify of the CAMs and associated components, verification controller 12, manifest server and other components discussed herein is described in the preferred embodiment using signed messages for cryptographic authentication, cryptographic authentication may be performed using any suitable cryptographic authentication technique including but not limited to a keyed hash, a cryptographic hash incorporated in an encrypted message or any other suitable authentication technique.
  • the presently described methods may be implemented in software executing out of a memory on respective CAMs, the verification controller, the manifest server and the source servers.
  • the presently described functions may be embodied in whole or in part using hardware components such as Application Specific Integrated Circuits (ASICs) , state machines, controllers or other hardware components or devices, or a combination of hardware components and software processes without departing from the inventive concepts herein described.
  • ASICs Application Specific Integrated Circuits

Abstract

A method and apparatus for verifying the presence of approved components within an assembly. A cryptographic key pair comprising first and second cryptographic keys is generated for each of a selected plurality of components of the assembly and one pair is associated with a cryptographic authentication module (CAM) affixed to each of the selected plurality of components. The CAMs store the respective first cryptographic key. The second cryptographic keys corresponding to each of the first cryptographic keys of the cryptographic key pairs are stored within a manifest within a verification controller. Upon request, or from time to time, each one of the CAMs transmits a message to the verification controller that is cryptographically authenticated with the first cryptographic key of the respective module. The verification controller uses the second cryptographic keys to attempt to verify the identity of the CAMs. If the verification controller is able to verify a message using each of the second cryptographic keys stored within the manifest, such is indicative of the presence of the selected plurality of components of the assembly. If the verification controller is not able to verify a message using one of the second cryptographic keys stored within the manifest, such indicates that one of the approved components has been replaced with a component that either does not possess a CAM or alternatively, has been replaced with a CAM that has a cryptographic key pair, however, the second cryptographic key of such key pair has not been registered within the manifest.

Description

TITLE OF THE INVENTION Method and Apparatus Verifying Parts and Parts Lists in an
Assembly
CROSS REFERENCE TO RELATED APPLICATIONS
N/A
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
N/A
BACKGROUND OF THE INVENTION The present invention relates to methods and apparatus for verifying parts and parts lists in an assembly and more particularly to the identification of parts in the assembly via the use of cryptographic techniques.
Modern day assemblies such as automobiles, airplanes, space vehicles and power plants contain numerous expensive and/or critical components. During the useful lifetime of the assembly it is normal for repairs and replacements of some components to be made. In many assemblies the quality of a replacement component may be essential to the proper operation or fit of the assembly or the resale value of the assembly. For example, reports of the replacement of Original Equipment Manufacturer (OEM) parts in automobiles with cheap and inferior substitute components from stolen or used vehicles have been published. Additionally, car owners who do their own repairs may substitute parts considered by the manufacturer to be unauthorized or unapproved parts for use in a vehicle due to concerns over the quality of the components and related concerns pertaining to operation, safety or vehicle appearance. In some circumstances, such substitutions may affect the warranty obligations of the manufacturer. Similar types of substitutions may be made in numerous types of assemblies including but not limited to computers, home appliances, industrial equipment and electronic equipment.
It is currently very difficult to detect the presence of unauthorized components within an assembly. It would therefore be desirable to be able to identify substituted components within an assembly that are not approved for use in the assembly by the manufacturer or some other organization having oversight responsibility for determining whether components constitute approved replacement components .
BRIEF SUMMARY OF THE INVENTION
A method and system is disclosed for verifying that a plurality of component parts of an assembly comprise components approved for use in said assembly. Consistent with the present invention, an integrated circuit that is subject to cryptographic verification and herein referred to as a cryptographic authentication module (CAM) is embedded within or securely affixed to at least some of the component parts of the assembly. The CAM is capable of securely holding a private or secret cryptographic key and of proving possession of that key to a cooperative verification controller which may be communicably coupled to the respective CAMs via one or more hard-wired communication links or via wireless communication links. The CAM may be packaged and/or secured to the respective component parts in a tamper resistant manner so that the CAMs are disabled if dislodged from the part to which the respective CAM was affixed. Alternatively, the respective CAM may erase its private or secret key, as applicable, upon the detection that the device is being dislodged from the part to which it was mounted, upon the detection of stress, or in response to other predetermined conditions.
In a first embodiment each CAM retains a private key of a public/private key pair. The verification controller stores in a memory a manifest that contains the public keys corresponding to the respective private keys held by the approved components of the assembly. The CAMs from time to time transmit a message to the verification controller proving possession of their respective private key by signing a message with their respective key or alternatively, transmit such messages in response to requests issued by the verification controller. The verification controller attempts to verify the identity of the respective CAMs using the public keys maintained in the manifest. If, for each public key stored within the manifest, a message is received which is signed with the corresponding private key, such is indicative of the fact that all components within the assembly comprise approved components and an indication of such event may be provided.
In the event that no message is received that is signed with a private key that corresponds to one or more of the public keys within the manifest, such is indicative of the presence of unauthorized components within the assembly or the absence of authorized components, and an indication of such occurrence may be provided.
The manifest may be stored in the verification controller upon manufacture of the assembly and the controller and updated via the use of a manifest server.
Moreover, the verification controller may comprise a portable device and the manifest may be downloaded from the manifest server to the verification controller to permit a single verification controller to be used to verify components of a number of assemblies. The manifest server may be administered by a trusted party, such as the manufacturer of the assembly. The trusted party may maintain as a manifest, the valid public keys associated with each of the relevant component parts in the assembly and, in response to a request, generate a certificate that includes the public keys associated with the relevant components of the assembly. This certificate may be signed by the trusted party and time-stamped to permit the verification controller to verify that a received manifest is the appropriate manifest to be used. Along with each public key, information pertaining to the respective part may be included within the manifest.
Other forms, features and aspects of the above- described method and apparatus for verifying components of an assembly are described with particularity below.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING The invention will be more fully understood by reference to the following Detailed Description of the Invention in conjunction with the Drawing of which: Fig. 1 is pictorial exploded view of an assembly of automotive components having cryptographic authentication modules affixed to selected components and a verification controller operative in a manner consistent with the present invention; Fig. 2 is a block diagram of a cryptographic authentication module (CAM) of the type depicted in Fig. 1; Fig. 3 is a block diagram of the verification controller (VC) of Fig. 1;
Fig. 4 is a block diagram of the manifest server of Fig. 1; Fig. 5 is a diagram illustrating a manifest data structure for use in the system depicted in Fig. 1;
Fig. 6 is a block diagram illustrating a verification controller coupled to a plurality of CAMs and a manifest server via a local area network and a wide area network respectively;
Fig. 7 is a flow diagram illustrating a method of operation of a component verification system in a manner consistent with the present invention; and
Fig. 8 is a flow diagram illustrating a method for updating a manifest in the event a component is replaced with an approved replacement component .
DETAILED DESCRIPTION OF THE INVENTION Consistent with the present invention, a method and system is disclosed for verifying that a plurality of component parts comprise approved parts for use within an assembly. The component parts of the assembly for which verification is desired each have a cryptographic authentication module (CAM) securely affixed to the respective component. The CAMs transmit signed messages that are received by a verification controller. The verification controller determines whether the identity of the respective components, as indicated by the signed message, corresponds to an expected identity indicated via an entry in a manifest stored within the verification controller. Referring to Fig 1, an exemplary assembly is illustrated as including a number of components of an automobile. Only a few components are depicted for ease of illustration. A cryptographic authentication module (CAM) 10 is securely affixed to selected components of the automotive assembly. The components to which the CAMs are affixed will vary in different applications. Typically, however, the CAMs are affixed to components of substantial value or components having functions critical to the operation or safe use of the assembly. The CAMs, which are identified in Fig. 1 as CAMs 10a through lOh, and generally referred to herein as CAMs 10, comprise devices which, in one embodiment, are capable of privately and securely holding at least one key of a cryptographic key pair. In the present embodiment, the system is illustrated as using cryptographic key pairs that comprise public/private key pairs, although it should be appreciated that either asymmetric or symmetric keys may be employed. The illustrated CAMs 10 are capable of storing a private key of a public/private key pair and of transmitting a message signed by the CAM using the respective private key held by the respective CAM. The CAMs may be embodied in different forms and may include the functionality associated with such devices generally known as smart cards which are commercially available from a number of companies and IBUTTONS which are available from Dallas Semiconductor, 4401 South Beltwood Parkway, Dallas, Texas 75244. The CAMs are discussed in greater detail below. The CAMs are securely affixed to the respective components to assure that once a CAM is affixed to the component, it may not be disassociated from that component and attached to another component. The technique employed for mounting a particular CAM to a coraponeπ- may vary based upon the nature of the CAM and the component. In typical applications, however, the CAMs may be affixed to the respective components by embedding the CAM within the component, via epoxy or any other suitable glue or adhesive or use of a mechanical fastening technique. In the illustrated example, CAM 10a is affixed to the rear bumper 11a, CAM 10b is affixed to a rear fender lib, CAM 10c is affixed to a rear wheel lie, CAM lOd is affixed to a rear door lid, CAM lOe is affixed to a front door lie, CAM lOf is affixed to a front fender llf, CAM lOg is affixed to a front wheel llg, and CAM lOh is affixed to a front bumper llh. The CAMs 10 are capable of communicating with a verification controller 12 over respective communication links. The communication links between the CAMs 10 and the verification controller 12 may comprise hardwired links, a network, such as a local area network, or wireless communication links.
The verification controller 12 may be constructed as a part of the assembly or alternatively, may be a mobile unit or separable from the assembly. Different embodiments of the verification controller 12 are discussed subsequently.
The verification controller 12 maintains a manifest that, in a preferred embodiment, includes public keys associated with private keys held by CAMs 10 affixed to the respective components of the relevant assembly. In the situation in which the verification controller 12 is constructed as a part of the assembly, the manifest may be stored within the verification controller 12 at the time
-1- of manufacture. Additionally, the manifest may be transmitted or delivered to the verification controller 12 from a manifest server 14 over a network or a suitable communication link at the time of assembly, or thereafter, provided that a manifest server public key is accessible to the verification controller 12 to allow for authentication of the manifest. In the event the manufacturer of the assembly affixes the respective CAMs to the components, the manufacturer of the assembly may generate the public/private key pairs and store the public keys in the manifest. Alternatively, in the circumstance in which subcontractors or others provide components for inclusion in the assembly, such other party or parties may maintain one or more source servers 15, which communicate to the manifest server 14 an identification of a particular component along with the public key associated with the CAM securely affixed to that component.
As illustrative block diagram of a cryptographic authentication module (CAM) 10 that is securely affixed to a component is depicted in Fig. 2. The CAM 10 includes a processor 16 that is coupled to a memory 20 and an arithmetic accelerator 18. While the processor 16 and arithmetic accelerator 18 are depicted as separate blocks in Fig. 2 it should be appreciated that the processor 16 may include the functions of the arithmetic accelerator 18 as an integral part of the processor 16. At least a portion of the memory 20 is non-volatile and stores the private key of the public/private key pair for the respective CAM 10. The processor 16 is also coupled to a communication interface 22 that is appropriate for the particular type of communication link being employed between the CAM 10 and the verification controller 12. For example, in the event the communication link between the CAMs 10 and the verification controller 12 comprises an Ethernet link, the communication interface 22 includes the data link and MAC interface logic for an Ethernet link. In the event the communication link between the CAMs 10 and the verification controller 12 comprises a wireless RF link, the communication interface 22, in addition to the necessary protocol support, includes an RF receiver and transmitter. It should be noted that any suitable communication link may be employed, including but not limited to a hard-wired link, an RF link or an infrared link.
The CAMs 10 may have different levels of security but are typically designed so as to erase the private key held in the memory of the respective CAM in the event that tampering with the CAM is detected. For example, the private key stored within the CAM may be erased from the
CAM memory 20 in the event of mechanical tampering with the CAM package, upon detection of an ambient temperature above or below predetermined thresholds, upon detection of radiation, upon detection of pressure applied to the CAM housing or attempted removal of a cover, or upon the detection of light in the vicinity of the CAM 10 integrated circuit die. In an embodiment of the system employing a public/private key pair for performing authentication functions, each CAM 10 securely stores the private key of its respective public/private key pair and the public key is stored in the manifest as is subsequently described in greater detail. The private key may be provided to the CAM
10 as input from a secure private key source and the corresponding public key stored within the manifest. In another embodiment, the CAMs 10 generates a public/private key pair, securely store the respective private key within the CAM 10 in a manner that precludes access to the private key, and provides access to the respective public key of the public/private key pair.
A block diagram of an illustrative verification controller 12 operative in a manner consistent with the present invention is depicted in Fig. 3. The verification controller 12 may comprise a computer, a personal digital assistant (PDA) , an intelligent network appliance, a controller, or any other device capable of receiving messages from the CAMs 10, and in some embodiment transmitting messages to the CAMs as herein described. As depicted in Fig. 3, the verification controller 12 includes a processor 12a and a communication interface 12d for receiving messages from the CAMs and optionally transmitting messages to the CAMS. The processor 12a is operative to execute a software program out of instruction/data memory 12b and the verification controller, optionally, may include secondary storage 12c. The memory 12b, which may comprise RAM, ROM or a combination of both, stores an operating system 12e and application code 12f which is operative to perform the presently described verification functions. The application code 12f includes messaging software for receiving the messages from the CAMs 10 and optionally transmitting requests to the CAMs 10.
A block diagram of a manifest server operative in a manner consistent with the present invention is depicted in Fig. 4. The manifest server 14 may comprise a computer, a personal digital assistant (PDA) , an intelligent network appliance, a controller, or any other device capable of generating manifests of the type herein described and communicating such manifests to a verification controller 12. As depicted in Fig. 4, The manifest server 14 includes a processor 14a and a communication interface 14d. The communication interface 14d, in a preferred embodiment, is coupled to a network to allow the manifest server 14 to forward manifests to verification controllers 12, to receive certificates from source servers 15 (See Fig. 1) containing information to be included in the manifest and to receive messages from authorized repair agents so that manifests can be updated in the event components are replaced by an authorized agent. Additionally, the processor 14a is operative to execute a software program out of instruction/data memory 14b. The manifest server 14 may optionally include secondary storage 14c. The memory 14b, which may comprise RAM, ROM or a combination of both, stores an operating system 14e and application code 14f that is operative to perform the functions attributed to the manifest server 14. The application code 14f includes messaging software for receiving the messages from source servers 15 and authorized repair agents (not shown) and for generating and forwarding manifests as well as updated manifests .
The operation of the presently described system will be further understood by reference to Figs. 1 and 5 - 7. Assume that a manufacturer is assembling an automobile. Selected components have CAMs 10 securely affixed to the respective components and a public/private key pair is generated either by or for the respective CAMs 10. Each CAM 10 stores a private key that is employed by the respective CAM to sign messages that are forwarded by that CAM. The private key may be generated within the CAM as one key of a public/private key pair generated by the respective CAM or alternatively, the public/private key pair may be generated external to the CAM and the private key may be stored within the CAM. The public keys are collected and stored within a manifest as illustrated in Fig. 5. More particularly, referring to Fig. 5, the manifest includes a public key associated with a private key held in a CAM for each component illustrated in Fig. 1. The manifest is preferably cryptographically authenticated such as via a digital signature. The minimal manifest includes the public keys associated with the respective CAMs. As illustrated, however, the manifest may contain additional information such as the Vehicle Identification Number (VIN) number of the vehicle, the name of the manufacturer of the component (Issuer) , an identification of the part (Part No.), a serial number for the part, a manufacturing lot number for the part, the manufacturing location, the manufacturing date and any other information relevant to the part that may be useful during the useful life of the component. Since subcontractors may manufacture some components within the automobile, the information may be provided to the manufacturer of the automobile by the subcontractor in the form of a certificate issued by the respective subcontractor. Preferably, the information provided to the automobile manufacturer from the subcontractor is in the form of a certificate signed by the subcontractor. The certificates from the subcontractors, or possibly from the manufacturers' remote manufacturing sites are communicated from source servers 15a - 15n to the manifest server 14 via a network 22 as depicted in Fig. 6. The network 22 may comprise a local area network, a wide area network, a wireless network, the Internet or any other network for communicably coupling the source servers 15 to the manifest server 14 and for communicably coupling the manifest server 14 to the verification controller (s) 12. The manifest server 14 assembles the manifest and transmits the completed manifest to the verification controller 12. The communication link between the manifest 14 and the verification controller 12 is illustrated as a network 22, however, the communication link between the manifest server 14 and the verification controller may comprise a hard wired link such as a serial or parallel link, an infra red link, or any other communications link suitable for forwarding the manifest to the verification controller 12.
In order for the verification controller 12 to verify the authenticity of manifests forwarded to it by the manifest server 14, the verification controller 12 is provided with the public key of the manifest server 1 . The public key of the manifest server 14 may be loaded into the verification controller 12 upon manufacture or initialization of the verification controller 12 or otherwise made available to the verification controller 12 via a secure communications link.
Once the automobile is assembled, the verification controller 12 may determine whether all of the components that correspond to components associated with the public keys within the manifest are present within the vehicle. This determination may be made in response to a request initiated by a verification controller 12 user or alternatively, may be performed from time to time or periodically.
In one embodiment, the verification controller 12 engages in a challenge response dialog with each of the CAMs. More specifically, the verification controller may transmit random information or a time stamped message to each of the CAMs 10. In response to receipt of the message from the verification controller 12, each CAM transmits a response message to the verification controller 12 that is cryptographically authenticated by the respective CAM. The cryptographic authentication may comprise a digital signature that is generated using the private key of the respective CAM. In the example in which the authentication is via a digital signature that is generated using the CAM private key, for each received message, the verification controller 12 attempts to verify that the message received from the respective CAM was signed with a private key having a corresponding public key contained within the manifest. More specifically, the verification controller 12 attempts verify the signature of the respective CAM using each of the public keys within the manifest until the proper public key is identified, or alternatively, it is determined that the signed message received from a CAM 10 by the verification controller 12 cannot be verified using any of the public keys within the manifest. If the verification controller verifies all of the signed messages, an indication of such event may be provided to a user. In the event one of the received messages includes a digital signature that cannot be verified using the public keys contained within the manifest or, in the event a digital signature is not received that corresponds to one of the public keys within the manifest, an indication of this circumstance may be provided and an identification of the part may be output via a display such as warning indicator 24 (See Fig. 6). Alternatively, such information may be output audibly or via a link to an external readout device that is linked to the verification controller 12.
The verification controller 12 may, upon verification of one of the digitally signed messages, check the time stamp to assure that it corresponds to the time stamp within the challenge response dialog that resulted in the forwarding of the respective message and additionally, to assure that the time stamp corresponds to the transmitted time stamp within a specified time interval . Such a check will avoid the possibility that the verification controller would indicate the presence of a component as a result of the malicious replay of a message previously transmitted by a CAM.
In the challenge response dialog, it should be noted that in addition to or instead of the use of a time stamp, or time and date stamp, a pseudo random number or any other secret value may be included within the request issued by the verification controller 12.
The processing time associated with the trial and error approach of attempting to verify a received message with each public key in the manifest until the message is successfully verified or the attempt to verify the message with all public keys has proved unsuccessful may be shortened by including a part number both in the manifest and in the return message from the CAM. The verification controller 12 may then attempt to verify each message with only the public key or keys in the manifest associated with the same part number that was conveyed to the verification controller 12 in the signed message from the respective CAM 10. For example, there may be five public keys in the manifest associated with wheels (four wheels mounted on the automobile and one spare) . All of these components may have the same part number but will be associated with different public/private key pairs.
In a preferred embodiment, the CAMs 10 transmit messages to the verification controller 12 in response to requests received from the verification controller 12. Alternatively, the CAMs 10 can transmit messages to the verification controller 12 periodically or in response to predetermined events. For example, a CAM 10 may periodically transmit the date and time of day digitally signed by the respective CAM. Assuming that the CAMs and the verification controller 12 have relatively closely synchronized clocks, the verification controller 12 will receive the signed message containing the date and time of day close to the time the message was generated. The verification controller 12 can then verify the signature using one of the public keys in the manifest. In this manner, the CAMs need not respond to a request issued by the verification controller 12 to initiate their respective transmissions. The method of operation of the presently disclosed system is further depicted in the flow diagram of Fig. 7. Referring to Fig. 7, a manifest containing a least the public keys associated with a plurality of components within an assembly is stored on the verification controller 12 as illustrated in step 100. As depicted in step 102, the verification controller 12 sends a request to the CAMs to prove their respective identities. Since the CAMs are securely affixed to specific components of the assembly, if one or more of the components either has a non-functioning CAM, no CAM, or a CAM that possesses the wrong private key, the CAM (if any) associated with the respective component will be unable to respond to the request issued by the verification controller in a manner that will verify the component expected to be present in the assembly. The verification controller 12 receives the signed responses from the CAMs 10 as illustrated in step 104. The verification controller 12 attempts to verify the identify of the respective CAMs affixed to the components via use of the public keys within the manifest stored in the verification controller 12. As indicated in inquiry step 108, inquiry is made whether any messages were received from a CAM 10 that could not be verified using a public key within the manifest. In the event messages were received from one or more CAMs 10 which could not be verified using the public keys within the manifest, an indication of the same is provided via a readout, warning indication, control signal or other suitable output indicative of the verification failure as shown in step 112. In the event all CAM messages could be verified via use of the manifest public keys, control passes to inquiry step 110. In inquiry step 110, a determination is made whether there are any public keys within the manifest that are associated with a CAM private key that was not employed in the signing of a CAM message in response to the request issued by the verification controller 12. In the event there are public keys that correspond to a private key that was not used in the signing of one of the received CAM messages, such is indicative that the CAM associated with the component is not responding for any one of a number of reasons. The CAM may have been tampered with and ceased to function. Alternatively, the component may have been replaced with another component that includes a CAM, but the component was not registered with the manifest server, as subsequently described, and accordingly, is not reflected in the manifest. Furthermore, the component may have been replaced with an unapproved component that does not possess the CAM functionality. Should one or more CAMs associated with components fail to respond to the request issued by the verification controller, control passes to step 112 and an indication of the failure of a CAM to respond is presented to the user. Control then passes to step 102. The manifest is initially stored on the verification controller and additionally, at the request of a user.
The manifest may be updated from time to time to account for authorized replacements of components of the assembly. More specifically, referring to the flow diagram of Fig. 8, when a component within the assembly needs to be replaced, such replacement is performed by an authorized agent using approved components. The replacement component having a new CAM securely affixed thereto is substituted within the assembly for the old component as depicted in step 200. The repair center that replaced the component transmits a certificate to the manifest server that identifies the component that was replaced, the vehicle VIN Number (or assembly identification, as applicable) along with the public key associated with the CAM affixed to the substituted component. Additionally, other information pertaining to the substituted component may be included within the certificate as outlined above with respect to Fig. 5. The certificate forwarded to the manifest server 14 from the repair center is preferably signed by the repair center. Upon receipt of the certificate from the repair center, the manifest server 14 verifies the signature of the repair center using the repair center public key. After verifying the authenticity of the certificate, the manifest server 14 updates the manifest to reflect the public key associated with the replacement part. The manifest may maintain information on the old components that were removed from the assembly for historical purposes; however, the public key associated with the substituted component is used for verification purposes in place of the public key associated with the component that was removed from the assembly. As indicated in step 206, the updated manifest is communicated to the verification controller 12 and is signed by a trusted party, such as the vehicle manufacturer. The updated manifest is signed using the private key of a public/private key pair held by the manifest server. The verification controller 12 verifies the authenticity of the updated manifest using the public key of the manifest server 14 public/private key pair. The verification controller 12 then utilizes the updated manifest for verification of the components of the assembly as described in connection with Fig. 7 hereinabove .
The verification controller 12 may comprise a unit integral with the assembly, such as the automobile, or may be a mobile unit that may be communicably coupled to the CAMs via a connector or via a RF or other communications link. The use of a portable verification controller 12 allows law enforcement, or other oversight officials to download manifests for specific vehicles or assemblies and request component verification for the particular vehicle or assembly should there be a concern regarding the components employed within any given vehicle or other assembly. Although cryptographic authentication of the identify of the CAMs and associated components, verification controller 12, manifest server and other components discussed herein is described in the preferred embodiment using signed messages for cryptographic authentication, cryptographic authentication may be performed using any suitable cryptographic authentication technique including but not limited to a keyed hash, a cryptographic hash incorporated in an encrypted message or any other suitable authentication technique.
Those skilled in the art should readily appreciate that computer programs operative to perform the functions herein described can be delivered to the CAMs, the verification controller, the manifest server or the source servers in many forms; including, but not limited to: (a) information permanently stored in a non-writable storage media (e.g. read-only memory devices within a computer such as ROM or CD-ROM disks readable by a computer I/O attachment; (b) information alterably stored on writable storage media (e.g. floppy disks, tapes, read/write optical media and hard drives) ; or (c) information conveyed to a computer through a communication media, for example, using baseband or broadband signaling techniques, such as over computer or telephone networks via a modem. In addition, it should be appreciated that the presently described methods may be implemented in software executing out of a memory on respective CAMs, the verification controller, the manifest server and the source servers. Alternatively, the presently described functions may be embodied in whole or in part using hardware components such as Application Specific Integrated Circuits (ASICs) , state machines, controllers or other hardware components or devices, or a combination of hardware components and software processes without departing from the inventive concepts herein described.
Those of ordinary skill in the art should further appreciate that variations to and modifications of the above-described methods and systems for granting access to a computer resource may be made without departing from the inventive concepts disclosed herein. Accordingly, the invention should be viewed as limited solely by the scope and spirit of the appended claims.

Claims

CLAIMS What is claimed is:
1. A method for verifying the presence of a plurality of components within an assembly, said method comprising: storing in a memory within a verification controller a plurality of first cryptographic keys, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; receiving a plurality of signed messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key; and generating a signal indicative of the results of said determining step.
2. The method of claim 1 wherein said generating step includes the step of generating a signal that indicates that all components within said assembly comprise approved components in the event for each one of said stored first cryptographic keys, one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key.
3. The method of claim 1 wherein said cryptographic key pairs comprise public/private key pairs, wherein said first cryptographic keys comprise public keys of said public/private key pairs and said second cryptographic keys comprise private keys of said public/private key pairs.
4. The method of claim 1 further including the step of transmitting to said cryptographic authentication modules from said verification controller a request to transmit one of said plurality of received messages and wherein said receiving step occurs in response to said transmitting step.
5. The method of claim 3 wherein said request to transmit includes a value specified by said verification controller and the message received from the respective cryptographic authentication module includes said value cryptographically authenticated by the respective cryptographic authentication module.
6. The method of claim 5 wherein said value comprises a time stamp.
7. The method of claim 5 wherein said value comprises a time and date stamp.
8. The method of claim 5 wherein said value comprises a pseudo-random number.
9. The method of claim 4 wherein said transmitting step comprises the step of transmitting said requests as a broadcast message to said cryptographic authentication modules .
10. The method of claim 4 wherein said transmitting step comprises the step of transmitting said requests as a plurality of unicast requests to the respective cryptographic authentication modules.
11. The method of claim 1 wherein said storing step includes the step of receiving a manifest server message at said verification controller that includes said first cryptographic keys.
12. The method of claim 11 wherein said manifest server message comprises a certificate cryptographically authenticated by a manifest server using a first cryptographic key of a manifest server cryptographic key pair and said method further includes the step of verifying said manifest message received at said verification controller using a second cryptographic key of said manifest server cryptographic key pair.
13. The method of claim 1 wherein said cryptographic key pairs comprising first and second cryptographic keys comprise symmetric keys.
14. Apparatus for determining whether a plurality of components of an assembly comprise approved components, said apparatus comprising: a verification controller containing a memory, said memory containing a plurality of first cryptographic keys; said verification controller operative to: receive a plurality of messages from a corresponding plurality of cryptographic authentication modules affixed to respective ones of said plurality of components, wherein each one of said messages is cryptographically authenticated using a second cryptographic key associated with one of said first cryptographic keys in the event said component is an approved component, determine for each one of said first cryptographic keys stored in said memory, whether one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key; and generate a signal that indicates that all components within said assembly comprise approved components in the event for each one of said stored first cryptographic keys, one of said plurality of received messages was cryptographically authenticated using the corresponding second cryptographic key.
15. A method for verifying that a plurality of components comprise approved components of an assembly comprising: affixing a plurality of cryptographic authentication modules to a corresponding plurality of components of an assembly, wherein each of said cryptographic authentication modules is associated with a cryptographic key pair including first and second cryptographic keys; storing the first cryptographic keys within the respective cryptographic authentication modules; storing said second cryptographic keys within a verification controller; transmitting from each of said cryptographic authentication modules a message cryptographically authenticated by the respective cryptographic module using the first cryptographic key of the respective cryptographic key pair; receiving said cryptographically authenticated messages at said verification controller; determining for each one of said second cryptographic keys stored in said verification controller whether one of said cryptographically authenticated messages was signed using said first cryptographic key corresponding to the respective second cryptographic key; and generating a signal indicative of the result of said determining step.
16. The method of claim 15 wherein said generating step includes the step of generating a signal that indicates that all components within said assembly comprise approved components in the event for each one of said stored second cryptographic keys, one of said plurality of cryptographically authenticated messages was cryptographically authenticated using the corresponding first cryptographic key.
17. The method of claim 15 wherein said cryptographic key pairs comprise public/private key pairs, wherein said first cryptographic keys comprise private keys of said public/private key pairs and said second cryptographic keys comprise public keys of said public/private key pairs.
18. The method of claim 15 further including the step of transmitting to said cryptographic authentication modules from said verification controller a request to transmit a message cryptographically authenticated by the respective cryptographic authentication modules and wherein said receiving step occurs in response to said transmitting step.
19. The method of claim 18 wherein said request to transmit includes a value specified by said verification controller and the message received from respective cryptographic authentication module includes said value cryptographically authenticated by the respective cryptographic authentication module.
20. The method of claim 19 wherein said value comprises a time stamp.
21. The method of claim 19 wherein said value comprises a time and date stamp.
22. The method of claim 19 wherein said value comprises a pseudo-random number.
23. The method of claim 18 wherein said transmitting step comprises the step of transmitting said requests as a broadcast message to said cryptographic authentication modules.
24. The method of claim 18 wherein said transmitting step comprises the step of transmitting said requests as a plurality of unicast requests to the respective cryptographic authentication modules.
25. The method of claim 15 wherein said storing step includes the step of receiving a manifest server message at said verification controller that includes said second cryptographic keys.
26. The method of claim 25 wherein said manifest server message comprises a certificate cryptographically authenticated by a manifest server using a first cryptographic key of a manifest server cryptographic key pair and said method further includes the step of verifying said manifest server message received at said verification controller using a second cryptographic key of said manifest server cryptographic key pair.
27. The method of claim 15 wherein said cryptographic key pairs comprising first and second cryptographic keys comprise symmetric keys.
28. A system for verifying that a plurality of components within an assembly comprise approved components, said system comprising; a plurality of cryptographic authentication modules, said modules each being affixed to one of said plurality of components of said assembly, wherein each of said cryptographic authentication modules is associated with a cryptographic key pair including first and second cryptographic keys and wherein the respective first cryptographic key is stored within a memory within the associated cryptographic authentication module; a verification controller, said verification controller containing a memory in which said second cryptographic keys are stored; said cryptographic authentication modules being operative to transmit a message for receipt by the verification controller cryptographically authenticated by the respective cryptographic module using the first cryptographic key of the respective cryptographic key pair; and said verification controller being operative to: receive said cryptographally authenticated messages at said verification controller; determine whether a message was received from one of said cryptographic authentication modules that was cryptographically authenticated using a first cryptographic key for each one of said second cryptographic keys stored in said memory; and generating a signal indicative of the result of said determinatio .
29. A computer program product including a computer readable medium, said computer readable medium having a computer program stored thereon for verifying components of an assembly, said computer program for execution in an computer and comprising: program code for storing a plurality of first cryptographic keys in a memory, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; program code for receiving a plurality of cryptographically authenticated messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; program code for determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of cryptographically authenticated messages was received was cryptoraphically authenticated using the corresponding second cryptographic key; and program code generating a signal indicative of the results of said determining step.
30. A computer data signal, said computer data signal including a computer program for use in determining whether a plurality of components comprises approved components of an assembly, said computer program comprising: program code for storing a plurality of first cryptographic keys in a memory, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; program code for receiving a plurality of cryptographically authenticated messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; program code for determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of cryptographically authenticated messages was cryptographically authenticated using the corresponding second cryptographic key; and program code generating a signal indicative of the results of said determining step.
31. Apparatus for determining whether a plurality of components of an assembly comprise approved components, said apparatus comprising: means for storing within a memory in a verification controller a plurality of first cryptographic keys, wherein each of said first cryptographic keys comprises one cryptographic key of a cryptographic key pair comprising said first cryptographic key and a second cryptographic key; means for receiving at said verification controller, a plurality of cryptographically authenticated messages, wherein each one of said messages is associated with a cryptographic authentication module affixed to one of said components of said assembly and wherein each of said messages is cryptographically authenticated with one of said second cryptographic keys in the event the respective component comprises an approved component within said assembly; means for determining for each one of said first cryptographic keys stored in said memory, whether one of said plurality of cryptographically authenticated messages was cryptographically authenticated using the corresponding second cryptographic key; and means for generating a signal indicative of the results of said determining step and whether said components comprise approved components for use in said assembly.
PCT/US2001/012942 2000-04-26 2001-04-20 Method and apparatus verifying parts and parts lists in an assembly WO2001082035A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001255553A AU2001255553A1 (en) 2000-04-26 2001-04-20 Method and apparatus verifying parts and parts lists in an assembly

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US55849100A 2000-04-26 2000-04-26
US09/558,491 2000-04-26

Publications (2)

Publication Number Publication Date
WO2001082035A2 true WO2001082035A2 (en) 2001-11-01
WO2001082035A3 WO2001082035A3 (en) 2003-02-13

Family

ID=24229744

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/012942 WO2001082035A2 (en) 2000-04-26 2001-04-20 Method and apparatus verifying parts and parts lists in an assembly

Country Status (2)

Country Link
AU (1) AU2001255553A1 (en)
WO (1) WO2001082035A2 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004003812A2 (en) * 2002-06-28 2004-01-08 Motorola, Inc., A Corporation Of The State Of Delaware Method and system for authorizing reconfiguration of a vehicle
US7127611B2 (en) 2002-06-28 2006-10-24 Motorola, Inc. Method and system for vehicle authentication of a component class
US7137001B2 (en) 2002-06-28 2006-11-14 Motorola, Inc. Authentication of vehicle components
US7181615B2 (en) 2002-06-28 2007-02-20 Motorola, Inc. Method and system for vehicle authentication of a remote access device
DE10232454B4 (en) * 2002-01-31 2007-08-02 Fujitsu Ltd., Kawasaki Access control method, storage device and information processing device
EP1903518A1 (en) 2006-09-15 2008-03-26 NCR Corporation Security validation of machine components
US7549046B2 (en) * 2002-06-28 2009-06-16 Temic Automotive Of North America, Inc. Method and system for vehicle authorization of a service technician
DE102007044586B3 (en) * 2007-09-19 2009-07-09 Knorr-Bremse Systeme für Nutzfahrzeuge GmbH Control unit and method for identifying spare parts of a vehicle
DE102008032094A1 (en) * 2008-07-08 2010-01-14 Continental Automotive Gmbh Vehicle having a device for detecting vehicle components and method for detecting components by a vehicle
CN103268676A (en) * 2013-04-02 2013-08-28 广州御银科技股份有限公司 System and method for verifying authenticity of financial self-service terminal
DE102009037193B4 (en) * 2008-08-15 2016-10-13 GM Global Technology Operations LLC (n. d. Ges. d. Staates Delaware) A system and method for performing an asymmetric key exchange between a vehicle and a remote device
DE102015218800A1 (en) 2015-09-29 2017-03-30 Continental Automotive Gmbh Communication system for V2X communication
CN112311718A (en) * 2019-07-24 2021-02-02 华为技术有限公司 Method, device and equipment for detecting hardware and storage medium
CN113477679A (en) * 2021-07-19 2021-10-08 青岛科技大学 Interactive generation method for large-batch waste mobile phone disassembling process

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5224163A (en) * 1990-09-28 1993-06-29 Digital Equipment Corporation Method for delegating authorization from one entity to another through the use of session encryption keys
US5757916A (en) * 1995-10-06 1998-05-26 International Series Research, Inc. Method and apparatus for authenticating the location of remote users of networked computing systems
WO1999043113A1 (en) * 1998-02-23 1999-08-26 New Id, Inc. Identification system using predetermined interval strobed signals
US5974150A (en) * 1997-09-30 1999-10-26 Tracer Detection Technology Corp. System and method for authentication of goods

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5224163A (en) * 1990-09-28 1993-06-29 Digital Equipment Corporation Method for delegating authorization from one entity to another through the use of session encryption keys
US5757916A (en) * 1995-10-06 1998-05-26 International Series Research, Inc. Method and apparatus for authenticating the location of remote users of networked computing systems
US5974150A (en) * 1997-09-30 1999-10-26 Tracer Detection Technology Corp. System and method for authentication of goods
WO1999043113A1 (en) * 1998-02-23 1999-08-26 New Id, Inc. Identification system using predetermined interval strobed signals

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TEXAS INSTRUMENTS: "Digital Signature 23mm Glass Transponder" INTERNET ARTICLE, [Online] - 14 May 1997 (1997-05-14) page 1-34 XP002212652 Retrieved from the Internet: <URL:http://www.ti.com/tiris/docs/manuals/ refManuals/RI-TRP-BRHPrefGuide.pdf> [retrieved on 2002-09-02] *

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10232454B4 (en) * 2002-01-31 2007-08-02 Fujitsu Ltd., Kawasaki Access control method, storage device and information processing device
US7549046B2 (en) * 2002-06-28 2009-06-16 Temic Automotive Of North America, Inc. Method and system for vehicle authorization of a service technician
WO2004003812A3 (en) * 2002-06-28 2004-04-08 Motorola Inc Method and system for authorizing reconfiguration of a vehicle
US7127611B2 (en) 2002-06-28 2006-10-24 Motorola, Inc. Method and system for vehicle authentication of a component class
US7137001B2 (en) 2002-06-28 2006-11-14 Motorola, Inc. Authentication of vehicle components
US7181615B2 (en) 2002-06-28 2007-02-20 Motorola, Inc. Method and system for vehicle authentication of a remote access device
US7325135B2 (en) 2002-06-28 2008-01-29 Temic Automotive Of North America, Inc. Method and system for authorizing reconfiguration of a vehicle
WO2004003812A2 (en) * 2002-06-28 2004-01-08 Motorola, Inc., A Corporation Of The State Of Delaware Method and system for authorizing reconfiguration of a vehicle
US7575160B2 (en) 2006-09-15 2009-08-18 Ncr Corporation Security validation of machine components
EP1903518A1 (en) 2006-09-15 2008-03-26 NCR Corporation Security validation of machine components
DE102007044586B3 (en) * 2007-09-19 2009-07-09 Knorr-Bremse Systeme für Nutzfahrzeuge GmbH Control unit and method for identifying spare parts of a vehicle
DE102008032094A1 (en) * 2008-07-08 2010-01-14 Continental Automotive Gmbh Vehicle having a device for detecting vehicle components and method for detecting components by a vehicle
DE102009037193B4 (en) * 2008-08-15 2016-10-13 GM Global Technology Operations LLC (n. d. Ges. d. Staates Delaware) A system and method for performing an asymmetric key exchange between a vehicle and a remote device
US9800413B2 (en) 2008-08-15 2017-10-24 Gm Global Technology Operations, Inc. System and method for performing an asymmetric key exchange between a vehicle and a remote device
CN103268676A (en) * 2013-04-02 2013-08-28 广州御银科技股份有限公司 System and method for verifying authenticity of financial self-service terminal
DE102015218800A1 (en) 2015-09-29 2017-03-30 Continental Automotive Gmbh Communication system for V2X communication
US10623921B2 (en) 2015-09-29 2020-04-14 Continental Teves Ag & Co. Ohg Communications system for V2X communication
CN112311718A (en) * 2019-07-24 2021-02-02 华为技术有限公司 Method, device and equipment for detecting hardware and storage medium
CN112311718B (en) * 2019-07-24 2023-08-22 华为技术有限公司 Method, device, equipment and storage medium for detecting hardware
CN113477679A (en) * 2021-07-19 2021-10-08 青岛科技大学 Interactive generation method for large-batch waste mobile phone disassembling process
CN113477679B (en) * 2021-07-19 2022-10-14 青岛科技大学 Method for disassembling mass waste mobile phones

Also Published As

Publication number Publication date
WO2001082035A3 (en) 2003-02-13
AU2001255553A1 (en) 2001-11-07

Similar Documents

Publication Publication Date Title
US8222989B2 (en) Method for the protection of a movable object, especially a vehicle, against unauthorized use
JP6078686B2 (en) Authentication system, in-vehicle control device
US7551986B2 (en) Program distribution system, program distribution device, and in-vehicle gateway device
EP0912919B1 (en) Immobilisation protection system for electronic components and method therefor
US7716486B2 (en) Controlling group access to doors
US7600129B2 (en) Controlling access using additional data
US9571284B2 (en) Controlling access to personal information stored in a vehicle using a cryptographic key
US8261319B2 (en) Logging access attempts to an area
US8015597B2 (en) Disseminating additional data used for controlling access
EP1646937B1 (en) Controlling access to an area
US20050055567A1 (en) Controlling access to an area
WO2001082035A2 (en) Method and apparatus verifying parts and parts lists in an assembly
US9449443B2 (en) Logging access attempts to an area
US9893886B2 (en) Communication device
WO2004004207A1 (en) Method and system for vehicle component authentication of another vehicle component
Kent et al. Assuring vehicle update integrity using asymmetric public key infrastructure (PKI) and public key cryptography (PKC)
US20030074557A1 (en) Method and system for management of properties
Lemke et al. An open approach for designing secure electronic immobilizers
Bar-El Intra-vehicle information security framework
Weimerskirch et al. Cryptographic component identification: Enabler for secure vehicles
US20230237507A1 (en) System and method for generating a digital vehicle identification number
JP2004276828A (en) Vehicle specifying system and vehicle specifying method
Kim et al. Analysis of OBE-related SCMS security requirements and evaluation procedures in V2X environment
Höper Cryptographic protocols for component identification and applications
Weimerskirch et al. Component identification: Enabler for secure networks of complex systems

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP