SECURE UPGRADE SUPPLIES AND METHODS
Example secure upgrade supplies and methods are disclosed. A disclosed example secure upgrade method includes receiving a request at an imaging supply (115) for an authentication credential associated with the imaging supply (115), providing the authentication credential to an image forming apparatus (105), the provided authentication credential useable by the image forming apparatus (105) to authenticate an identity of the imaging supply (115), and providing upgrade data (110) to the image forming apparatus, the provided upgrade data (110) authenticatable at the image forming apparatus (105) based on the identity of the imaging supply (115), and useable by the image forming apparatus (105) to enable a capability of the image forming apparatus (105).
Image forming apparatus such as printers are designed and manufactured to support, perform and/or carry out particular functions. Generally, the features, capabilities and functions of a printer are embedded into the printer's firmware during manufacture and remain fixed throughout the printer's functional life.
Traditionally the features, capabilities and functions supported by an image formation apparatus (e.g., a printer, an inkjet printer, a dye sublimation printer, a laser printer, a color laser printer, etc.) have been determined, selected and/or fixed during product design. However, the design, manufacture and sale of fixed-functionality image formation apparatus may have a number of disadvantages. For example, because each model has associated design and carrying costs, it may be difficult or costly to customize models for different geographic regions. Further, it may be difficult to pre-identify the features of most interest to high-volume and/or high-value customers. Therefore, the set of features incorporated during product design may not result in an image forming apparatus of interest to these consumers. For these, and/or other reasons, it is desirable to be able to upgrade image formation apparatus functionality late in the product design cycle, during product testing, after product testing, during product release, during market introduction, while a product is being sold, after a product has been sold, after a product has been installed, and/or after a product has been discontinued.
As used herein, image forming apparatus upgrade refers to the activation and/or enablement of a latent, but inactive or inaccessible, feature, functionality and/or capability of an image forming apparatus. Such latent features, functions and/or capabilities are included and/or implemented in the image forming apparatus but not activated, accessible and/or enabled until one of the example upgrade imaging supplies described herein is used to upgrade the image forming apparatus. As described herein, an image forming apparatus may be upgraded without having to modify, change, update and/or upgrade the firmware of the image forming apparatus. Similarly, image forming apparatus downgrade refers to the deactivation and disablement of a feature, functionality and/or capability of an image forming apparatus.
Example methods, apparatus and articles of manufacture to securely upgrade image forming apparatus such as printers are disclosed. In disclosed examples, the image forming apparatus is upgraded using upgrade data stored on and obtained from an upgrade imaging supply (e.g., an ink supply cartridge) when the upgrade imaging supply is inserted into and/or installed in the image forming apparatus. As used herein, the term “upgrade imaging supply” refers to an imaging supply (e.g., an ink supply cartridge) containing information and/or data that may be accessed by an image forming device and used by the image forming device to upgrade the image forming device (e.g., enable and/or activate one or more latent features, functionalities and/or capabilities).
As disclosed herein, secure upgrades may be implemented using an upgrade imaging supply having an embedded integrated circuit (IC) containing tamperproof data storage storing upgrade data. The IC may be implemented via, for example, a smartcard. A disclosed example image forming apparatus includes a second smartcard IC and an associated tamperproof identifier (ID). In some examples, the ID is unique to the image forming apparatus. The image forming apparatus can authenticate the smartcard IC in the upgrade imaging supply and authenticate the smartcard IC in the image forming apparatus to establish a cryptographically secure communication session, and/or to securely transfer data or information between the image forming apparatus and the imaging supply. The secure communication session may be used to securely obtain and verify the upgrade data before it is stored and/or applied to upgrade the image forming apparatus. In some examples, the upgrade data is securely and/or cryptographically stored (e.g., encrypted) in a non-volatile memory of the image forming apparatus to prevent unauthorized copying or counterfeiting of the upgrade data to another image forming apparatus, and/or to enable verification and/or authentication of the upgrade data to prevent and/or detect tampering and/or corruption. Additionally or alternatively, after an image forming apparatus has been upgraded from an upgrade imaging supply, the tamperproof data storage of the upgrade imaging supply may be securely updated with the ID of the image forming apparatus to signify that the upgrade imaging supply has already been used to upgrade that particular image forming apparatus. Thus, the unauthorized upgrade of multiple image forming apparatus from a single upgrade imaging supply can be substantially detected and prevented.
While example methods, apparatus and articles of manufacture to upgrade image forming apparatus are described herein, the example methods, apparatus and articles of manufacture may additionally or alternatively be used to securely upgrade any number and/or type(s) of other device(s) and/or component(s). Other example devices and components that may be securely upgraded (downgraded) include, but are not limited to, engine control systems, automobiles, home appliances, consumer electronics, heating and cooling systems, and/or any other devices and/or systems including a processor and embedded firmware and/or software.
The example upgrade cartridge 115 of
While a single upgrade cartridge 115 and a single bay 125 are shown in
To control operation of the example printer 105, the example printer 105 of
Example interactions, processes and/or machine-accessible instructions that may be carried out by the example controller 135 and the security device 130 to upgrade the example printer 105 are described below in connection with
To enable secure communication with the example security device 130 and/or to enable authentication of the example upgrade package 140, the example printer 105 of
In some examples, after the upgrade cartridge 115 has been used to upgrade the printer 105, the example identifier 175 is written as an install ID 180 in a secure memory or storage area 185 of the security device 130. In other examples a portion of the identifier 175 or a modified version of the identifier 175 (e.g., a cryptographic hash) may be written as the install ID 180. In some examples, the install ID 180 and the complement of the install ID 180 are stored at two different byte-aligned memory locations within the memory area 185. If the upgrade cartridge 115 is authorized to upgrade more than one printer 105 (e.g., five), the memory area 185 stores the identifier 175 or a portion or derivative thereof of each upgraded printer 105 and a count (not shown) of the number of upgrades that have already been completed. The count may limit the number of times the upgrade cartridge 115 can be used for upgrades. Thus, when the count reaches a limit, the upgrade cartridge 115 may not be used to perform any additional upgrades. Additionally or alternatively, the count may be omitted and when each of a plurality of install IDs 180 have been written to the upgrade cartridge 115, the upgrade cartridge 115 may not be used to perform any additional upgrades. In some examples, the secure storage 185 includes an upgrade flag 190 to designate whether the upgrade cartridge 115 is an upgrade cartridge.
While the example upgrade cartridges 115 described herein include a single upgrade flag 190 and corresponding upgrade data 110, an upgrade cartridge 115 may contain any number of upgrade flags 190 corresponding to any number and/or type(s) of upgrade data 110 available via the upgrade cartridge 115.
While the example upgrade cartridge 115 of
While an example printer 105 and an example upgrade cartridge 115 have been illustrated in
As used herein, the term “tangible computer-readable medium” is expressly defined to include any type of computer-readable medium and to expressly exclude propagating signals. As used herein, the term “non-transitory computer-readable medium” is expressly defined to include any type of computer-readable medium and to exclude propagating signals. Example tangible and/or non-transitory computer-readable media include a volatile and/or non-volatile memory, a volatile and/or non-volatile memory device, a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a read-only memory (ROM), a random-access memory (RAM), a programmable ROM (PROM), an electronically-programmable ROM (EPROM), an electronically-erasable PROM (EEPROM), an optical storage disk, an optical storage device, a magnetic storage disk, a magnetic storage device, a cache, and/or any other storage media in which information is stored for any duration (e.g., for extended time periods, permanently, brief instances, for temporarily buffering, and/or for caching of the information) and which can be accessed by a processor, a computer and/or other machine having a processor, such as the example processor platform P100 discussed below in connection with
The example controller 135 verifies that the installed cartridge 115 is an upgrade cartridge and has an available upgrade by, for example, carrying out the example interactions and processes of
The example controller 135 obtains the example upgrade package 140 from the example upgrade cartridge 115 by, for example, carrying out the example interactions and processes of
Using the provided authentication credentials 315, the example controller 135 authenticates 320 the identity of the security device 130. The security device 170 provides an indication 325 to the controller 135 indicating whether the identity of the security device 130 was successfully authenticated. If the response 325 is TRUE (i.e., the identity of the security device 130 was authenticated) (block 330), the example process of
Based on the response 408 provided by the security device 130, the example controller 135 authenticates 412 the response 408 by, for example, verifying a signature included in the response 408. The security device 170 provides an indication 414 to the controller 135 indicating whether the response 408 was successfully authenticated. If the response 414 is FALSE (the response 408 was not authenticated) (block 420), control exits from the example of
If the response 414 is TRUE (i.e., the response 408 was authenticated) (block 420), the example controller 135 determines whether the upgrade flag is set to TRUE, representing that the upgrade data 110 has not been installed, and the install ID is set to a NULL value (block 424). If the upgrade flag is set to TRUE and the install ID is set to a NULL value (block 424), control returns from the illustrated of
Otherwise, the controller 135 determines whether the upgrade flag is set to TRUE and the install ID indicates the upgrade cartridge 115 was previously used to upgrade the printer 105 (block 428). For example, a first value of the install ID may be compared to the example ID 175 and a second value of the install ID compared to the complement of the ID 175. If both comparisons are TRUE, then the upgrade cartridge 115 may be considered as having been previously used to upgrade the printer 105. If the upgrade flag is set to TRUE and the install ID indicates the upgrade cartridge 115 was previously used to upgrade the printer 105 (block 428), control returns from the illustrated of
If the upgrade is not a re-install (block 504), the controller 135 sends a store or write command 508 to the security device 130, instructing it to set the install ID 180 to, for example, the ID 175. In some examples, a first value of the install ID 180 is set equal to the ID 175, and a second value of the install ID 180 is set equal to the complement of the ID 175. When the write is complete, the security device 130 provides a response 512 acknowledging the write was completed.
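The install ID checks of blocks 424 and 428 and the write command 508 can be modeled as follows. This is an added example, not code from the application; the 8-byte identifier width, the all-zero NULL encoding, the two-slot NULL test and every class and function name are assumptions made for illustration.

```python
from enum import Enum

ID_LEN = 8               # assumed identifier width; the text gives none
NULL_ID = bytes(ID_LEN)  # assumed encoding of a NULL install ID


class Decision(Enum):
    NEW_INSTALL = "new install"
    REINSTALL = "re-install on the same printer"
    REFUSE = "refuse"


def complement(value: bytes) -> bytes:
    """Bitwise complement of every byte of an identifier."""
    return bytes(b ^ 0xFF for b in value)


class CartridgeMemory:
    """Model of storage area 185: upgrade flag 190 and two install ID slots."""

    def __init__(self, upgrade_flag: bool = True):
        self.upgrade_flag = upgrade_flag
        self.install_id = NULL_ID             # first value of install ID 180
        self.install_id_complement = NULL_ID  # second value of install ID 180

    def write_install_id(self, printer_id: bytes) -> None:
        # Write command 508: first value is ID 175, second is its complement.
        self.install_id = printer_id
        self.install_id_complement = complement(printer_id)


def classify(mem: CartridgeMemory, printer_id: bytes) -> Decision:
    """Decide what the controller may do with this cartridge."""
    if len(printer_id) != ID_LEN or printer_id == NULL_ID:
        raise ValueError("printer ID must be non-NULL and ID_LEN bytes long")
    if not mem.upgrade_flag:
        return Decision.REFUSE
    # Block 424: flag set and install ID still NULL means an unused upgrade.
    if mem.install_id == NULL_ID and mem.install_id_complement == NULL_ID:
        return Decision.NEW_INSTALL
    # Block 428: both comparisons must hold to treat this as a re-install.
    if (mem.install_id == printer_id
            and mem.install_id_complement == complement(printer_id)):
        return Decision.REINSTALL
    # Bound to another printer, or the two slots disagree with each other.
    return Decision.REFUSE
```

With this model, a pair in which only the first slot was written is refused, because the second comparison of block 428 fails.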
Based on the response 512 provided by the security device 130, the example controller 135 authenticates 516 the response 512 by, for example, verifying a signature included in the response 512. The security device 170 provides an indication 520 to the controller 135 indicating whether the response 512 was successfully authenticated. If the response 520 is FALSE (the response 512 was not authenticated) (block 524), control exits from the illustrated example of
The example controller 135 authenticates 608 the upgrade package 140 by, for example, verifying a signature or message authentication code included in the package 140. The security device 170 provides an indication 612 to the controller 135 indicating whether the upgrade package 140 was successfully authenticated. If the response 612 is FALSE (the upgrade package 140 was not authenticated) (block 616), control exits from the illustrated example of
If the response 612 is TRUE (block 616), the controller writes or stores 620 the upgrade package 140 together with any number and/or type(s) of other parameter(s) and/or value(s) that may be used to subsequently authenticate the contents of the upgrade package 140 in the non-volatile memory 145 and/or in the memory 150. Control exits from the illustrated example of
The example process of
The controller 135 applies the authenticated upgrade package 140 (block 720) by, for example, updating a table or other data structure that represents the features, functions and/or capabilities that are enabled, active and accessible. For example, the FLASH 160 may contain a default feature table that is loaded by the controller 135 into the RAM 165 during initialization. When the upgrade package 140 is applied, one or more entries of the feature table in the RAM 165 are updated to enable, activate and/or make accessible one or more additional features, functions and/or capabilities represented and/or identified in the upgrade package 140.
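A sketch of the authenticate-then-apply sequence described above: the stored package is checked with a message authentication code, and only then are entries of the RAM copy of the feature table enabled. This is an added example, not code from the application; the package layout (ASCII feature names followed by an HMAC-SHA256 tag), the key handling and the feature names are assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

TAG_LEN = 32  # length of an HMAC-SHA256 tag

# Constructed default feature table, standing in for the one held in FLASH 160.
DEFAULT_FEATURES = {"print": True, "duplex": False, "borderless": False}


def build_package(key: bytes, features: List[str]) -> bytes:
    """Build a constructed upgrade package: payload followed by its tag."""
    payload = ",".join(features).encode("ascii")
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def authenticate_package(key: bytes, package: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies, otherwise None."""
    if len(package) <= TAG_LEN:
        return None
    payload, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return payload if hmac.compare_digest(tag, expected) else None


def load_feature_table(key: bytes, stored: Optional[bytes]) -> Dict[str, bool]:
    """Copy the default table to RAM, then apply an authenticated package."""
    table = dict(DEFAULT_FEATURES)  # RAM copy; the default stays untouched
    if stored is None:
        return table
    payload = authenticate_package(key, stored)
    if payload is None:
        return table  # authentication failed: nothing is enabled
    try:
        names = payload.decode("ascii").split(",")
    except UnicodeDecodeError:
        return table
    # An upgrade may only enable latent features already in the table.
    if any(name not in table for name in names):
        return table
    for name in names:
        table[name] = True
    return table
```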
The processor platform P100 of the example of
The processor P105 is in communication with the main memory (including a ROM P120 and/or the RAM P115) via a bus P125. The RAM P115 may be implemented by dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), and/or any other type of RAM device. The ROM P120 may be implemented by flash memory and/or any other desired type of memory device. Access to the memory P115 and the memory P120 may be controlled by a memory controller. The example memory P115 may be used to, for example, implement the example non-volatile memory 145.
The processor platform P100 also includes an interface circuit P130. Any type of interface standard, such as an external memory interface, serial port, general-purpose input/output, etc., may implement the interface circuit P130. One or more input devices P135 and one or more output devices P140 are connected to the interface circuit P130. The example input and output devices P135 and P140 may be used, for example, to implement an I2C interface.
Although certain example methods, apparatus and articles of manufacture have been described herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus and articles of manufacture fairly falling within the scope of the claims of this patent either literally or under the doctrine of equivalents.
Claims
1. A secure upgrade method comprising:
- receiving a request at an imaging supply (115) for an authentication credential associated with the imaging supply (115);
- providing the authentication credential to an image forming apparatus (105), the provided authentication credential useable by the image forming apparatus (105) to authenticate an identity of the imaging supply (115); and
- providing upgrade data (110) to the image forming apparatus (105), the provided upgrade data (110) authenticatable at the image forming apparatus (105) based on the identity of the imaging supply (115), and useable by the image forming apparatus (105) to enable a capability of the image forming apparatus (105).
2. A method as defined in claim 1, further comprising providing first and second identifiers to the image forming apparatus (105) via the secure communication session, the two identifiers useable to determine whether to upgrade the image forming apparatus (105) from the imaging supply (115).
3. A method as defined in claim 1, further comprising receiving from the image forming apparatus (105) a first value to be written in a first memory location associated with the first identifier and a second value to be written in a second memory location associated with the second identifier, the first and second values identifying that the imaging supply (115) has been used to upgrade the image forming apparatus (105).
4. A method as defined in claim 1, further comprising receiving a request from the image forming apparatus (105) for the upgrade data (110).
5. A method as defined in claim 1, further comprising providing a message authentication code to the image forming apparatus (105), the message authentication code usable to authenticate the upgrade data (110).
6. An upgrade supply (115) comprising:
- a memory (185) to store an upgrade (110); and
- a security module (130) to receive a request for an authentication credential associated with an image forming apparatus (105), provide the authentication credential to the image forming apparatus (105), the provided authentication credential useable by the image forming apparatus (105) to authenticate an identity of the upgrade supply (115), and provide the upgrade (110) to the image forming apparatus (105), the provided upgrade (110) being authenticatable at the image forming apparatus (105) based on the identity of the upgrade supply (115), and useable by the image forming apparatus (105) to activate a capability of the image forming apparatus (105).
7. An upgrade supply (115) as defined in claim 6, wherein the memory (185) is to store first and second identifiers, the first and second identifiers representing whether the upgrade (110) may be used to upgrade the image forming apparatus (105).
8. An upgrade supply (115) as defined in claim 6, wherein the memory (185) is to store a first value indicating whether the upgrade supply (115) contains the upgrade (110).
9. An upgrade supply (115) as defined in claim 6, wherein the memory comprises tamperproof storage.
10. An upgrade supply (115) as defined in claim 6, further comprising a chamber (120) to store at least one of an ink, a dye or a liquid.
11. A tangible article of manufacture storing machine-readable instructions that, when executed, cause an upgrade imaging supply (115) to at least:
- receive a request at the upgrade imaging supply (115) for an authentication credential associated with the upgrade imaging supply (115);
- provide the authentication credential to the image forming apparatus (105), the provided authentication credential useable by the image forming apparatus (105) to authenticate an identity of the upgrade imaging supply (115); and
- provide upgrade data (110) to the image forming apparatus (105), the provided upgrade data authenticatable at the image forming apparatus (105) based on the identity of the upgrade imaging supply (115), and useable by the image forming apparatus (105) to activate a capability of the image forming apparatus (105).
12. A tangible article of manufacture as defined in claim 11, wherein the machine-readable instructions, when executed, cause the upgrade imaging supply (115) to provide first and second identifiers to the image forming apparatus (105) via the secure communication session, the two identifiers useable to determine whether to upgrade the image forming apparatus (105) from the upgrade imaging supply (115).
13. A tangible article of manufacture as defined in claim 12, wherein the machine-readable instructions, when executed, cause the upgrade imaging supply (115) to receive from the image forming apparatus (105) a first value to be written in a first memory location associated with the first identifier and a second value to be written in a second memory location associated with the second identifier, the first and second values identifying that the upgrade imaging supply (115) has been used to upgrade the image forming apparatus (105).
14. A tangible article of manufacture as defined in claim 11, wherein the machine-readable instructions, when executed, cause the upgrade imaging supply (115) to provide a message authentication code to the image forming apparatus (105), the message authentication code usable to authenticate the upgrade data (110).
Type: Application
Filed: Sep 8, 2010
Publication Date: Jul 4, 2013
Inventors: Stephen D. Panshin (Corvallis, OR), Jefferson P. Ward (Brush Prairie, WA), David B. Novak (Pilomath, OR)
Application Number: 13/821,917
International Classification: G06K 15/00 (20060101);