Controlling digital certificate use
First Claim
1. A system-on-chip, comprising:
- a processor; and
- a fuse-based memory storing:
  - information for deriving a first public key associated with a first asymmetric key pair; and
  - one or more current certificate version numbers, each associated with a corresponding digital certificate;
- wherein, in a secure boot process, the processor is configured to:
  - load a digital certificate that includes a loaded certificate version number associated with the digital certificate and a secondary public key associated with a second asymmetric key pair;
  - authenticate the loaded digital certificate using the first public key;
  - compare the loaded certificate version number with a corresponding current certificate version number in the fuse-based memory, wherein the loaded certificate version number being equal to or higher than the corresponding current certificate version number indicates that the loaded digital certificate is a trusted certificate; and
  - determine that the loaded digital certificate is a trusted certificate;
- wherein the processor is further configured to replace a current certificate version number stored in the fuse-based memory with the loaded certificate version number associated with a trusted digital certificate, thereby preventing a digital certificate with an older certificate version number from being determined as a trusted certificate.
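An added example, not taken from the patent: a C model of the check order in claim 1 (authenticate, compare against the fuse-stored version, then advance the stored version). The thermometer-coded fuse word, the `toy_tag` stand-in for signature verification with the first public key, and all names and key values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated one-time-programmable fuse word: bits can only go 0 -> 1.
 * Assumption: the version is thermometer-coded (version = blown fuses). */
typedef struct { uint32_t bits; } fuse_bank_t;
typedef struct {
    uint32_t version;          /* loaded certificate version number */
    uint8_t  secondary_key[8]; /* secondary public key (constructed bytes) */
    uint32_t sig;              /* stand-in signature, see toy_tag() */
} cert_t;
typedef enum { CERT_TRUSTED, CERT_BAD_SIG, CERT_ROLLBACK, CERT_RANGE } cert_status_t;
static uint32_t fuse_version(const fuse_bank_t *f) {
    uint32_t n = 0;
    for (uint32_t b = f->bits; b; b &= b - 1) n++;  /* count blown fuses */
    return n;
}

/* Toy keyed FNV-1a tag standing in for signature verification with the
 * first public key. NOT cryptography; it only models "authentic or not". */
static uint32_t toy_tag(uint32_t key, const cert_t *c) {
    uint32_t h = (2166136261u ^ key ^ c->version) * 16777619u;
    for (size_t i = 0; i < sizeof c->secondary_key; i++)
        h = (h ^ c->secondary_key[i]) * 16777619u;
    return h;
}
static cert_t make_cert(uint32_t key, uint32_t version) { /* signer side */
    cert_t c = { version, {1, 2, 3, 4, 5, 6, 7, 8}, 0 };
    c.sig = toy_tag(key, &c);
    return c;
}

cert_status_t secure_boot_check(fuse_bank_t *f, uint32_t key, const cert_t *c) {
    if (toy_tag(key, c) != c->sig) return CERT_BAD_SIG;  /* authenticate first */
    if (c->version > 32) return CERT_RANGE;              /* more than 32 fuses */
    uint32_t cur = fuse_version(f);
    if (c->version < cur) return CERT_ROLLBACK;          /* older than fuses */
    if (c->version > cur)                                /* advance the floor */
        f->bits |= c->version == 32 ? UINT32_MAX : (1u << c->version) - 1u;
    return CERT_TRUSTED;                                 /* equal or higher */
}

int main(void) {
    fuse_bank_t f = { 0 };
    cert_t v1 = make_cert(0xA5A5u, 1), v3 = make_cert(0xA5A5u, 3);
    int a = secure_boot_check(&f, 0xA5A5u, &v1), b = secure_boot_check(&f, 0xA5A5u, &v3);
    printf("%d %d %d\n", a, b, secure_boot_check(&f, 0xA5A5u, &v1));
}
```

Because the fuses are only advanced after authentication succeeds, an unauthenticated certificate carrying a high version number cannot raise the stored floor and lock out valid certificates.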
Abstract
A computing device includes a processor and a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating the source of a digital certificate. The computing device also includes a second memory for storing one or more current certificate version indicators, each associated with a corresponding digital certificate, and the version indicator is used by the processor to determine the trust of the corresponding digital certificate.
20 Claims
6. A computing device, comprising:
- a processor;
- a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating a digital certificate; and
- a second memory for storing one or more current certificate version indicators, each associated with a corresponding digital certificate, wherein the one or more current certificate version indicators are used by the processor to determine the trust of the corresponding digital certificate;
- wherein the processor is further configured to:
  - receive and authenticate a new trusted digital certificate to replace an old digital certificate that has been compromised; and
  - replace a current certificate version indicator stored in the second memory with a certificate version indicator of the new trusted digital certificate, thereby preventing a digital certificate with an older certificate version number from being determined as a trusted certificate.
17. A method for generating a digital certificate for a computing device, the computing device having a first public key associated with a first asymmetric key pair for authenticating a digital certificate, the method comprising:
- generating a second public key associated with a second asymmetric key pair and a corresponding key version number;
- generating a digital certificate including a certificate version number and the first public key, the generated digital certificate further including the second public key and the corresponding key version number associated with the second public key;
- signing the generated digital certificate; and
- sending the generated digital certificate to the computing device, wherein the computing device is configured to:
  - authenticate the generated digital certificate using the first public key and the certificate version number;
  - extract the second public key and the key version number from the generated digital certificate; and
  - authenticate the second public key using the corresponding key version number associated with the second public key.
Specification