Secure data re-encryption
First Claim
1. A method comprising:
decrypting, using a hardware decryption engine of a cryptographic processor in a device, a first subset of encrypted data using a cryptographic device key associated with the device to produce first plain text, wherein a set of encrypted data comprises the first subset of encrypted data and a second subset of encrypted data, and wherein the first subset of encrypted data and the second subset of encrypted data each contain less encrypted data than the set of encrypted data and are different from each other, the cryptographic device key and the first plain text being stored, without requiring user input, in memory of the cryptographic processor inaccessible from outside of the cryptographic processor;
decrypting, using the decryption engine, the second subset of encrypted data using the cryptographic device key associated with the device to produce second plain text, the second plain text being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside of the cryptographic processor, wherein decrypting the first and second subsets of the encrypted data is responsive to receiving the encrypted data from a data source;
encrypting, using a hardware encryption engine of a cryptographic processor in the device, the first plain text using a first ephemeral key to produce first re-encrypted data, the first ephemeral key being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside of the cryptographic processor;
encrypting, using the encryption engine, the second plain text using a second ephemeral key to produce second re-encrypted data, the second ephemeral key being different from the first ephemeral key, the second ephemeral key being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside of the cryptographic processor;
randomizing, using the encryption engine, the first re-encrypted data by applying a first nonce to the first re-encrypted data to produce first randomized data;
storing, without requiring user input, the first randomized data in a memory of the device outside of the cryptographic processor;
reversing, using the decryption engine, the randomization of and decrypting the first randomized data to produce third plaintext data responsive to a request to access the first randomized data, the third plain text being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside the cryptographic processor;
generating second randomized data by re-encrypting the third plaintext data by encrypting the third plaintext content using a different cryptographic key than was used for the first randomized data and randomizing the encrypted third plaintext content using a second nonce different than the first nonce, the key used to encrypt the third plaintext being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside the cryptographic processor; and
storing, without requiring user input, the second randomized data in the memory of the device outside of the cryptographic processor after processing the request to access the first randomized data.
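A minimal software model of the flow in claim 1, added here as an illustration and not taken from the patent or any implementation of it. `CryptoProcessor`, `stream_xor`, the slot ids and the sample data are hypothetical; the HMAC-SHA256 keystream stands in for the hardware engines, and folding the nonce into the keystream is one reading of "randomizing".

```python
import hashlib
import hmac
import secrets

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 counter keystream); no integrity tag."""
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class CryptoProcessor:
    """Models the processor boundary: keys and plaintext stay in this object."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self._slots = {}  # slot id -> (ephemeral key, nonce), internal memory only

    def _seal(self, slot: str, plaintext: bytes) -> bytes:
        # Fresh key and nonce on every seal, so no (key, nonce) pair is reused.
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._slots[slot] = (key, nonce)
        return stream_xor(key, nonce, plaintext)

    def ingest(self, slot: str, src_nonce: bytes, ciphertext: bytes) -> bytes:
        """Decrypt one subset under the device key, re-encrypt under its own key."""
        return self._seal(slot, stream_xor(self._device_key, src_nonce, ciphertext))

    def access(self, slot: str, stored: bytes, use) -> bytes:
        """Decrypt for internal use, then return a re-keyed replacement blob."""
        key, nonce = self._slots[slot]
        plaintext = stream_xor(key, nonce, stored)
        use(plaintext)  # stands for processing that happens inside the boundary
        return self._seal(slot, plaintext)

def demo():
    device_key = secrets.token_bytes(32)  # constructed sample key
    subsets = {"a": b"first subset", "b": b"second subset"}  # constructed data
    cp = CryptoProcessor(device_key)
    stored = {}  # models device memory outside the cryptographic processor
    for slot, pt in subsets.items():
        n = secrets.token_bytes(16)  # nonce used by the (assumed) data source
        stored[slot] = cp.ingest(slot, n, stream_xor(device_key, n, pt))
    seen = []
    before = stored["a"]
    stored["a"] = cp.access("a", before, seen.append)
    return subsets, seen, before, stored["a"], cp
```

After `access`, the blob previously held in outside memory no longer decrypts under the slot's current key and nonce, so a copy captured before the access is useless against the processor's current state.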
Abstract
A method includes: decrypting, in a device, a first subset of encrypted data using a cryptographic device key associated with the device to produce first plain text, where a set of encrypted data comprises the first subset of encrypted data and a second subset of encrypted data, and where the first subset of encrypted data and the second subset of encrypted data each contain less encrypted data than the set of encrypted data and are different from each other; decrypting, in the device, the second subset of encrypted data using the cryptographic device key to produce second plain text; encrypting, in the device, the first plain text using a first ephemeral key to produce first re-encrypted data; and encrypting, in the device, the second plain text using a second ephemeral key to produce second re-encrypted data, the second ephemeral key being different from the first ephemeral key.
30 Claims
11. A device comprising:
a memory; and
a hardware cryptographic processor communicatively coupled to the memory and comprising:
a decryption engine configured to:
decrypt a first subset of encrypted data using a cryptographic device key associated with the device to produce first plain text, the cryptographic device key and the first plain text being stored, without requiring user input, in memory of the cryptographic processor inaccessible from outside of the hardware cryptographic processor; and
decrypt a second subset of encrypted data using the cryptographic device key associated with the device to produce second plain text, the second plain text being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside of the cryptographic processor, wherein decrypting the first and second subsets of the encrypted data is responsive to receiving the encrypted data from a data source;
wherein a set of encrypted data comprises the first subset of encrypted data and the second subset of encrypted data, and wherein the first subset of encrypted data and the second subset of encrypted data each contain less encrypted data than the set of encrypted data and are different from each other; and
an encryption engine communicatively coupled to the decryption engine and configured to:
encrypt the first plain text using a first ephemeral key to produce first re-encrypted data, the first ephemeral key being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside of the hardware cryptographic processor;
encrypt the second plain text using a second ephemeral key to produce second re-encrypted data, the second ephemeral key being different from the first ephemeral key, the second ephemeral key being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside of the hardware cryptographic processor;
randomize the first re-encrypted data by applying a first nonce to the first re-encrypted data to produce first randomized data; and
store, without requiring user input, the first randomized data in a memory of the device outside of the cryptographic processor,
wherein the decryption engine is further configured to reverse the randomization on the first randomized data and to decrypt the first randomized data to produce third plaintext content responsive to a request to access the first randomized data, the third plain text being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside the cryptographic processor, and
wherein the encryption engine is configured to generate second randomized data by encrypting the third plaintext content using a different cryptographic key than was used for the first randomized data and randomizing the encrypted third plaintext content using a second nonce different than the first nonce, the key used to encrypt the third plaintext being stored, without requiring user input, in the memory of the cryptographic processor inaccessible from outside the cryptographic processor; and
wherein the encryption engine is configured to store, without requiring user input, the second randomized data in the memory of the device outside of the cryptographic processor after processing the request to access the first randomized data.
22. A device comprising:
hardware encryption means; and
hardware decryption means for:
decrypting a first subset of encrypted data using a cryptographic device key associated with the device to produce first plain text, the cryptographic device key and the first plain text being stored, without requiring user input, in memory inaccessible from outside of the hardware decryption means and a hardware encryption means; and
decrypting a second subset of encrypted data using the cryptographic device key associated with the device to produce second plain text, the second plain text being stored, without requiring user input, in the memory inaccessible from outside of the hardware decryption means and the hardware encryption means, wherein decrypting the first and second subsets of the encrypted data is responsive to receiving the encrypted data from a data source;
wherein a set of encrypted data comprises the first subset of encrypted data and the second subset of encrypted data, and wherein the first subset of encrypted data and the second subset of encrypted data each contain less encrypted data than the set of encrypted data and are different from each other; and
the hardware encryption means is communicatively coupled to the hardware decryption means, and the hardware encryption means comprises means for:
encrypting the first plain text using a first ephemeral key to produce first re-encrypted data, the first ephemeral key being stored, without requiring user input, in the memory inaccessible from outside of the hardware decryption means and the hardware encryption means;
encrypting the second plain text using a second ephemeral key to produce second re-encrypted data, the second ephemeral key being different from the first ephemeral key, the second ephemeral key being stored, without requiring user input, in the memory inaccessible from outside of the hardware decryption means and the hardware encryption means;
randomizing the first re-encrypted data by applying a first nonce to the first re-encrypted data to produce first randomized data; and
storing, without requiring user input, the first randomized data in a memory outside of the hardware decryption means and the hardware encryption means,
wherein the hardware decryption means is further for reversing the randomization on the first randomized data and for decrypting the first randomized data to produce third plaintext content responsive to a request to access the first randomized data, the third plain text being stored, without requiring user input, in the memory inaccessible from outside of the hardware decryption means and the hardware encryption means, and
wherein the hardware encryption means is further for generating second randomized data by encrypting the third plaintext content using a different ephemeral key than was used for the first randomized data and for randomizing the encrypted third plaintext content using a second nonce different than the first nonce, the key used to encrypt the third plaintext being stored, without requiring user input, in the memory inaccessible from outside of the hardware decryption means and the hardware encryption means; and
wherein the hardware encryption means is configured to store, without requiring user input, the second randomized data in the memory outside of the hardware decryption means and the hardware encryption means.
Specification