Key derivation for secure communications

US 10,193,873 B2
Filed: 09/30/2010
Issued: 01/29/2019
Est. Priority Date: 09/30/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing, by a computing device, a first encryption using a device security key stored in a first memory storage area of the computing device as cleartext;

deriving, using a first seed value comprising a combination of an address of the computing device and a first random number, a first derived key;

storing the first derived key in a second memory storage area of the computing device;

performing, after a compromise of the first derived key, a second encryption using the device security key as cleartext;

deriving, using a second seed value comprising a combination of the address of the computing device and a second random number, a second derived key; and

storing the second derived key in the second memory storage area of the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system is disclosed in which a device-specific key value is provided to a security processing device, and then used to derive additional derived keys for use in secured communications. In response to identifying a compromise of the derived keys, the system can be instructed to derive new or replacement derived keys for use in the secured communications. In some embodiments, the security system can be used in a video reception device, to decrypt encrypted video content.

Citations

20 Claims

1. A method comprising:
- performing, by a computing device, a first encryption using a device security key stored in a first memory storage area of the computing device as cleartext;
  
  deriving, using a first seed value comprising a combination of an address of the computing device and a first random number, a first derived key;
  
  storing the first derived key in a second memory storage area of the computing device;
  
  performing, after a compromise of the first derived key, a second encryption using the device security key as cleartext;
  
  deriving, using a second seed value comprising a combination of the address of the computing device and a second random number, a second derived key; and
  
  storing the second derived key in the second memory storage area of the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - establishing a secure communication session between the computing device and an external security processor; and
      
      using the secure communication session to transmit the first derived key to the external security processor.
  - 3. The method of claim 1, wherein the computing device comprises a video content reception device.
  - 4. The method of claim 1, wherein the first memory storage area and second memory storage area are physically separate memories.
  - 5. The method of claim 1, further comprising receiving the second seed value from an external source.
  - 6. The method of claim 1, wherein the device security key is unique to the computing device.
  - 7. The method of claim 1, wherein the device security key is common to a plurality of other devices, and the method further comprises deriving the second derived key after a global compromise of the first derived key.
  - 8. The method of claim 2, further comprising decrypting, by the external security processor and using the first derived key, encrypted video.
  - 9. The method of claim 2, further comprising:
    - terminating the secure communication session after the compromise; and
      
      using, by a replacement external security processor, the second derived key.
  - 10. The method of claim 2, wherein the external security processor comprises a smart card.

11. A device comprising:
- a first memory storage area configured to store a device security key as cleartext; and
  
  a first processor configured to;
  
  encrypt the device security key in order to derive a first derived key, wherein the encrypting uses a first seed value comprising a combination of an address of the device and a first random number;
  
  store the first derived key in a second memory storage area of the device;
  
  after a compromise of the first derived key, re-encrypt the device security key in order to derive a second derived key, wherein the re-encrypting uses a second seed value comprising a combination of the address of the device and a second random number; and
  
  store the second derived key in the second memory storage area of the device, wherein the first memory storage area and the second memory storage area are secured by different types of security protection.
- View Dependent Claims (12, 13)
- - 12. The device of claim 11, wherein the first memory storage area and the second memory storage area are encrypted using different encryption keys.
  - 13. The device of claim 11, wherein the first memory storage area and second memory storage area are physically separate memories.

14. A security method comprising:
- encrypting, by a processor, a device key stored in a first memory of a device to derive a first derived key for the device, wherein the encrypting uses;
  
  the device key as cleartext, anda seed value comprising a combination of an address of the device and a random number;
  
  using the first derived key for multiple communication sessions involving the device; and
  
  performing, based on a second seed value compromising a combination of the address of the device and a second random number and after a key comprise, a second encryption of the device key to derive a second derived key for the device, wherein the second derived key is different from the first derived key.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - instructing a plurality of processors on a plurality of different devices to encrypt a common global device key to produce a common global derived key for the plurality of different devices;
      
      determining that a compromise of the common global derived key has occurred;
      
      determining a subset of the plurality of different devices as being affected by the compromise; and
      
      instructing the processors on the subset of the plurality of different devices to encrypt the common global device key a second time, wherein the encrypting the common global device key the second time produces a second global derived key for the subset of the plurality of different devices.
  - 16. The method of claim 14, wherein the processor is part of a portable security device removably attached to a content access device.
  - 17. The method of claim 14, further comprising transmitting a report of a pairing between the device and another device to a service provider, and dissolving the pairing after a compromise of the first derived key.
  - 18. The method of claim 14, further comprising limiting use of the second derived key to the device.
  - 19. The method of claim 14, further comprising limiting use of the second derived key to an authorized pair of devices comprising the device and a second device.
  - 20. The method of claim 15, comprising:
    - splintering the subset of the plurality of different devices into two or more smaller subsets after a second key compromise, and instructing one of the smaller subsets to produce a third derived key for the smaller subset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Comcast Cable Communications LLC (Comcast Corporation)
Original Assignee
Comcast Cable Communications LLC (Comcast Corporation)
Inventors
Fahrny, James W., Kuykendall, Pete, Davoust, Nancy
Primary Examiner(s)
Hong, Michael H

Application Number

US12/895,121
Publication Number

US 20120084806A1
Time in Patent Office

3,043 Days
Field of Search

725 31, 380273, 380277, 380 31
US Class Current
CPC Class Codes

G11B 20/0021   involving encryption or dec...

G11B 20/00478   wherein contents are decryp...

H04L 2463/061   applying further key deriva...

H04L 2463/101   applying security measures ...

H04L 63/06   for supporting key manageme...

H04L 63/068   using time-dependent keys, ...

H04L 9/30   Public key, i.e. encryption...

Key derivation for secure communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Key derivation for secure communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links