Patents by Inventor Tat Keung Chan
Tat Keung Chan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11483297Abstract: A method is provided for securely providing data for use in a consumer electronics device having a processor performing instructions defined in a software image. The method includes receiving the data encrypted according to a global key, further encrypting the data according to a device-unique hardware key, storing the further encrypted data in a secure memory of the consumer electronics device, providing the global key to a whitebox encoder for encoding according to a base key to generate a whitebox encoded global key, and transmitting the software image to the consumer electronics device for storage in an operating memory of the consumer electronics device, the software image having a whitebox decoder utility corresponding to the whitebox encoder and the whitebox encoded global key.Type: GrantFiled: September 1, 2020Date of Patent: October 25, 2022Assignee: ARRIS ENTERPRISES LLCInventors: Brian D. Mullen, Alexander Medvinsky, Tat Keung Chan
-
Patent number: 11456866Abstract: A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.Type: GrantFiled: July 24, 2020Date of Patent: September 27, 2022Assignee: ARRIS Enterprises LLCInventors: Alexander Medvinsky, Tat Keung Chan
-
Patent number: 11444935Abstract: A method and system provide the ability to authenticate client services. A private key and a client certificate are created and delivered to a client. Based on the private key and the certificate, a client account is created for the client on a server. One or more signing or feature licensing configurations are created and authorized on the server for the client account. The client certificate and a request to perform a requested client service are received on the server from a client. The request includes configuration information for the requested client service. The server verifies the client certificate and determines whether the client is authorized to perform the requested client service. The determination is based on the configuration information and the one or more authorized client operations. Upon determining that the client is authorized to perform the requested client service, the request is processed the authorization is sent to the client.Type: GrantFiled: December 11, 2020Date of Patent: September 13, 2022Assignee: ARRIS Enterprises LLCInventors: Tat Keung Chan, Jinsong Zheng, Alexander Medvinsky, Ting Yao, Jason A. Pasion, Eric Brunnett-Lazarte, Cheng Li
-
Patent number: 11329967Abstract: A system and method of provisioning personalization data of a second type to a device having personalization data of a first type, the device having a global root key GK_0, and a secure processing environment having unique information is disclosed. In one embodiment, the method comprises accepting a provisioning request from the device, the provisioning request comprising the unique information and an identifier of a second type of provisioning data requested, converting the personalization data from the first type to the second type, and transmitting the converted personalization data to the device.Type: GrantFiled: May 22, 2020Date of Patent: May 10, 2022Assignee: ARRIS Enterprises LLCInventors: Tat Keung Chan, Alexander Medvinsky
-
Publication number: 20220129557Abstract: A system is provided for configurably signing a secure data image that includes software code that interprets cryptographic atomic code. In the system, a code signing engine includes an interpreter that interprets atomic code signing operations presented in a recipe defined by a system administrator according to configuration parameter values supplied with the input image.Type: ApplicationFiled: January 6, 2022Publication date: April 28, 2022Applicant: ARRIS Enterprises LLCInventors: Tat Keung Chan, Ting Yao, Alexander Medvinsky
-
Patent number: 11250133Abstract: A system is provided for configurably signing a secure data image that includes software code that interprets cryptographic atomic code. In the system, a code signing engine includes an interpreter that interprets atomic code signing operations presented in a recipe defined by a system administrator according to configuration parameter values supplied with the input image.Type: GrantFiled: January 14, 2019Date of Patent: February 15, 2022Assignee: ARRIS Enterprises LLCInventors: Tat Keung Chan, Ting Yao, Alexander Medvinsky
-
Publication number: 20210409229Abstract: A method for signing data such as software images is provided that uses modules executable by a generic client to sign hashes of the software images rather than the images themselves. The method avoids both the requirement for new or updated client software and the uploading of full software images to the signing system. This approach uses a generic client that requests and downloads processing modules from the signing system to perform the pre-processing operations in signing software images, as well as optionally for post-processing operations.Type: ApplicationFiled: September 8, 2021Publication date: December 30, 2021Inventors: Tat Keung Chan, Ting Yao, Jason A. Pasion
-
Publication number: 20210397677Abstract: A system is provided for configurably signing a secure data image that includes software code that interprets cryptographic atomic code. In the system, a code signing engine includes an interpreter that interprets atomic code signing operations presented in a recipe defined by a system administrator according to configuration parameter values supplied with the input image.Type: ApplicationFiled: January 14, 2019Publication date: December 23, 2021Inventors: Tat Keung Chan, Ting Yao, Alexander Medvinsky
-
Publication number: 20210320789Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.Type: ApplicationFiled: June 23, 2021Publication date: October 14, 2021Applicant: ARRIS Enterprises LLCInventors: Alexander Medvinsky, Jinsong Zheng, Jason A. Pasion, Xin Qiu, Tat Keung Chan, Eric Eugene Berry, Michael Ryan Pilquist, Douglas M. Petty
-
Publication number: 20210306161Abstract: In a system comprising an customer providing a service to a plurality of client devices, a method and system for providing an customer-specific digital certificate to a client device of the plurality of client devices is disclosed. The method comprises receiving, in an intermediate certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK, receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate, and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device.Type: ApplicationFiled: January 15, 2021Publication date: September 30, 2021Applicant: ARRIS Enterprises LLCInventors: Alexander Medvinsky, Tat Keung Chan, Xin Qiu, Jason A. Pasion, Ting Yao, Shanthakumar Ramakrishnan
-
Publication number: 20210248259Abstract: A method is provided that permits user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.Type: ApplicationFiled: April 27, 2021Publication date: August 12, 2021Inventors: Jinsong Zheng, Alexander Medvinsky, Tat Keung Chan, Ting Yao, Jason A. Pasion
-
Patent number: 11063753Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.Type: GrantFiled: March 20, 2019Date of Patent: July 13, 2021Assignee: ARRIS Enterprises LLCInventors: Alexander Medvinsky, Jinsong Zheng, Jason A. Pasion, Xin Qiu, Tat Keung Chan, Eric Eugene Berry, Michael Ryan Pilquist, Douglas M. Petty
-
Publication number: 20210194704Abstract: A method and system provide the ability to authenticate client services. A private key and a client certificate are created and delivered to a client. Based on the private key and the certificate, a client account is created for the client on a server. One or more signing or feature licensing configurations are created and authorized on the server for the client account. The client certificate and a request to perform a requested client service are received on the server from a client. The request includes configuration information for the requested client service. The server verifies the client certificate and determines whether the client is authorized to perform the requested client service. The determination is based on the configuration information and the one or more authorized client operations. Upon determining that the client is authorized to perform the requested client service, the request is processed the authorization is sent to the client.Type: ApplicationFiled: December 11, 2020Publication date: June 24, 2021Applicant: ARRIS Enterprises LLCInventors: Tat Keung Chan, Jinsong Zheng, Alexander Medvinsky, Ting Yao, Jason A. Pasion, Eric Brunnett-Lazarte, Cheng Li
-
Patent number: 11032084Abstract: A method for signing data such as software images is provided that uses modules executable by a generic client to sign hashes of the software images rather than the images themselves. The method avoids both the requirement for new or updated client software and the uploading of full software images to the signing system. This approach uses a generic client that requests and downloads processing modules from the signing system to perform the pre-processing operations in signing software images, as well as optionally for post-processing operations.Type: GrantFiled: December 7, 2018Date of Patent: June 8, 2021Assignee: ARRIS Enterprises LLCInventors: Tat Keung Chan, Ting Yao, Jason A. Pasion
-
Patent number: 11005656Abstract: A method and system are provided for updating an elliptic curve (EC) base point G, with the EC basepoint used in encryption and coding of video data. A candidate base point G is generated that includes additional data used for validation purposes and checked as a valid base point before transmission and use.Type: GrantFiled: December 7, 2018Date of Patent: May 11, 2021Assignee: ARRIS Enterprises LLCInventors: Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
-
Patent number: 10990691Abstract: A method is provided that permits user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.Type: GrantFiled: May 10, 2019Date of Patent: April 27, 2021Assignee: ARRIS Enterprises LLCInventors: Jinsong Zheng, Alexander Medvinsky, Tat Keung Chan, Ting Yao, Jason A. Pasion
-
Publication number: 20210028933Abstract: A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.Type: ApplicationFiled: July 24, 2020Publication date: January 28, 2021Applicant: ARRIS Enterprises LLCInventors: Alexander Medvinsky, Tat Keung Chan
-
Publication number: 20200403980Abstract: A method is provided for securely providing data for use in a consumer electronics device having a processor performing instructions defined in a software image. The method includes receiving the data encrypted according to a global key, further encrypting the data according to a device-unique hardware key, storing the further encrypted data in a secure memory of the consumer electronics device, providing the global key to a whitebox encoder for encoding according to a base key to generate a whitebox encoded global key, and transmitting the software image to the consumer electronics device for storage in an operating memory of the consumer electronics device, the software image having a whitebox decoder utility corresponding to the whitebox encoder and the whitebox encoded global key.Type: ApplicationFiled: September 1, 2020Publication date: December 24, 2020Applicant: ARRIS Enterprises LLCInventors: Brian D. Mullen, Alexander Medvinsky, Tat Keung Chan
-
Publication number: 20200374275Abstract: A system and method of provisioning personalization data of a second type to a device having personalization data of a first type, the device having a global root key GK_0, and a secure processing environment having unique information is disclosed. In one embodiment, the method comprises accepting a provisioning request from the device, the provisioning request comprising the unique information and an identifier of a second type of provisioning data requested, converting the personalization data from the first type to the second type, and transmitting the converted personalization data to the device.Type: ApplicationFiled: May 22, 2020Publication date: November 26, 2020Applicant: ARRIS Enterprises LLCInventors: Tat Keung Chan, Alexander Medvinsky
-
Patent number: 10839048Abstract: A method and system is provided that simplifies the key management by allowing personalization data protected for one chip model to be used to provision device with another chip model with different global hardware root keys. The solution minimizes the changes needed to be performed on the device during provisioning and remains secure.Type: GrantFiled: May 21, 2018Date of Patent: November 17, 2020Assignee: ARRIS Enterprises LLCInventors: Tat Keung Chan, Alexander Medvinsky