Cryptographic chip and related methods

US 10,237,065 B2
Filed: 03/31/2014
Issued: 03/19/2019
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A chip for performing cryptographic operations, the chip comprising:

a key storage module configured to store one or more cryptographic keys;

a rule storage module configured to store one or more rules, each rule comprising respective rule data, the rule data identifying a respective predetermined cryptographic operation associated with the rule and further identifying at least one of the one or more cryptographic keys to be used in the respective predetermined cryptographic operation;

an interface module configured to receive a rule execution request, wherein the rule execution request comprises a rule identifier to identify a specific rule of the one or more rules to be executed; and

a cryptographic module configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request;

wherein the chip is configured such that the cryptographic keys and the cryptographic module may only be used by executing rules from the one or more rules in response to associated rule execution requests received by the interface module;

wherein the interface module is configured to receive the rule execution request from other circuitry included on the chip or from externally of the chip and wherein the interface module is further configured to assess whether the rule execution request is allowable;

wherein the cryptographic module is configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request having been assessed as allowable by the interface module and not execute the specific rule in response to the rule execution request having been assessed as not allowable by the interface module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is described a chip for performing cryptographic operations. The chip comprises a key storage module, a rule storage module, an interface module and a cryptographic module. The key storage module is configured to store one or more cryptographic keys. The rule storage module is configured to store one or more rules, each rule comprising respective rule data, the rule data identifying a respective predetermined cryptographic operation associated with the rule and further identifying at least one of the one or more cryptographic keys to be used in the respective predetermined cryptographic operation. The interface module is configured to receive a rule execution request, wherein the rule execution request comprises a rule identifier to identify a specific rule of the one or more rules to be executed. The cryptographic module is configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request. The chip is configured such that the cryptographic keys and the cryptographic module may only be used by executing rules from the one or more rules in response to associated rule execution requests received by the interface module. There is also described a set top box comprising the chip, a chip-implemented method of performing a cryptographic operation, and a method of loading a new rule into a rule storage module of a chip.

Citations

17 Claims

1. A chip for performing cryptographic operations, the chip comprising:
- a key storage module configured to store one or more cryptographic keys;
  
  a rule storage module configured to store one or more rules, each rule comprising respective rule data, the rule data identifying a respective predetermined cryptographic operation associated with the rule and further identifying at least one of the one or more cryptographic keys to be used in the respective predetermined cryptographic operation;
  
  an interface module configured to receive a rule execution request, wherein the rule execution request comprises a rule identifier to identify a specific rule of the one or more rules to be executed; and
  
  a cryptographic module configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request;
  
  wherein the chip is configured such that the cryptographic keys and the cryptographic module may only be used by executing rules from the one or more rules in response to associated rule execution requests received by the interface module;
  
  wherein the interface module is configured to receive the rule execution request from other circuitry included on the chip or from externally of the chip and wherein the interface module is further configured to assess whether the rule execution request is allowable;
  
  wherein the cryptographic module is configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request having been assessed as allowable by the interface module and not execute the specific rule in response to the rule execution request having been assessed as not allowable by the interface module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The chip of claim 1 wherein the chip is configured to execute a security incident procedure in response to the rule execution request having been assessed as not allowable by the interface module.
  - 3. The chip of claim 1 wherein the key storage module comprises a first key storage submodule, the first key storage submodule being programmable to store at least one further key of the one or more cryptographic keys.
  - 4. The chip of claim 1 wherein the key storage module comprises a second key storage submodule including one or more pre-programmed keys of the one or more cryptographic keys.
  - 5. The chip of claim 1 wherein the rule storage module comprises a first rule storage submodule, the first rule storage submodule being programmable to store at least one further rule of the one or more rules.
  - 6. The chip of claim 5 wherein the chip is configured to load a new key into the first key storage submodule by executing a key-derivation rule of the one or more rules, wherein the key-derivation rule is arranged to provide said new key as output data from the respective predetermined cryptographic operation, and wherein the key-derivation rule is arranged to store said output data in the first key storage module.
  - 7. The chip of claim 5:
    - wherein the interface module is further configured to receive a rule loading request, the rule loading request comprising a new rule identifier to identify a new rule to be loaded and further comprising new rule data defining the new rule, the new rule data identifying a specific cryptographic operation associated with the new rule and further identifying at least one of the one or more cryptographic keys to be used in the specific cryptographic operation; and
      
      wherein, in response to the rule loading request, the chip is configured to load the new rule into the first rule storage submodule such that the new rule becomes one of the one or more rules.
  - 8. The chip of claim 7 wherein the interface module is further configured to assess whether the rule loading request is allowable, and wherein the chip is configured to load the new rule into the first rule storage submodule in response to the rule loading request having been assessed as allowable by the interface module.
  - 9. The chip of claim 8 wherein the chip is configured to execute a security incident procedure in response to the rule loading request having been assessed as not allowable by the interface module.
  - 10. The chip of claim 1 wherein the rule storage module comprises a second rule storage submodule including one or more pre-programmed rules of the one or more rules.
  - 11. The chip of claim 1 wherein one or both of the key storage module and the rule storage module are implemented by means of one or more registers.
  - 12. The chip of claim 1 wherein the rule data for each rule comprises at least one of the following:
    - a) data identifying a location of input data on which the respective predetermined cryptographic operation is to be performed;
      
      b) data identifying a location for storing output data from the respective predetermined cryptographic operation;
      
      c) data identifying a particular cryptographic algorithm to be used in the respective predetermined cryptographic operation;
      
      d) data identifying a mode of operation of the particular cryptographic algorithm to be used in the respective predetermined cryptographic operation; and
      
      e) data indicating whether the respective predetermined cryptographic operation is to be used for encryption or decryption of the input data.

13. A set top box comprising a chip for performing cryptographic operations, the chip comprising:
- a key storage module configured to store one or more cryptographic keys;
  
  a rule storage module configured to store one or more rules, each rule comprising respective rule data, the rule data identifying a respective predetermined cryptographic operation associated with the rule and further identifying at least one of the one or more cryptographic keys to be used in the respective predetermined cryptographic operation;
  
  an interface module configured to receive a rule execution request, wherein the rule execution request comprises a rule identifier to identify a specific rule of the one or more rules to be executed; and
  
  a cryptographic module configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request;
  
  wherein the chip is configured such that the cryptographic keys and the cryptographic module may only be used by executing rules from the one or more rules in response to associated rule execution requests received by the interface module;
  
  wherein the interface module is configured to receive a rule execution request from other circuitry included on the chip or from externally of the chip and wherein the interface module is further configured to assess whether the rule execution request is allowable;
  
  wherein the cryptographic module is configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request having been assessed as allowable by the interface module and not execute the specific rule in response to the rule execution request having been assessed as not allowable by the interface module.

14. A chip-implemented method of performing a cryptographic operation, the chip comprising a key storage module configured to store one or more cryptographic keys, the chip further comprising a rule storage module configured to store one or more rules, each rule comprising respective rule data, the rule data identifying a respective predetermined cryptographic operation associated with the rule and further identifying at least one of the one or more cryptographic keys to be used in the respective predetermined cryptographic operation, the method comprising:
- (i) receiving a rule execution request, wherein the rule execution request comprises a rule identifier to identify a specific rule of the one or more rules to be executed; and
  
  (ii) using a cryptographic module to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request;
  
  wherein the chip is configured such that the cryptographic keys and the cryptographic module may only be used by executing rules from the one or more rules in response to associated rule execution requests; and
  
  wherein the rule execution request is received from other circuitry included on the chip or from externally of the chip; and
  
  wherein step (ii) comprises assessing whether the rule execution request is allowable and, in response to the rule execution request having been assessed as allowable, using the cryptographic module to execute the specific rule so as to perform the respective predetermined cryptographic operation and in response to the rule execution request having been assessed as not allowable, not executing the specific rule.
- View Dependent Claims (15)
- - 15. The chip-implemented method of claim 14 further comprising:
    - (iii) in response to the rule execution request having been assessed as not allowable, executing a security incident procedure.

16. A method, implemented by one or more processors, of loading a new rule into a rule storage module of a chip, the chip further comprising a key storage module storing one or more cryptographic keys, the rule storage module storing one or more rules, each rule comprising respective rule data, the rule data identifying a respective predetermined cryptographic operation associated with the rule and further identifying at least one of the one or more cryptographic keys to be used in the respective predetermined cryptographic operation, the method comprising:
- (a) receiving a rule loading request, wherein the rule loading request comprises a new rule identifier to identify the new rule to be loaded and further comprises new rule data defining the new rule, the new rule data identifying a specific cryptographic operation associated with the new rule and further identifying at least one of the one or more cryptographic keys to be used in the specific cryptographic operation;
  
  (b) assessing whether the rule loading request is allowable; and
  
  (c) in response to the rule loading request having been assessed as allowable, loading the new rule into a programmable portion of the rule storage module such that the new rule becomes one of the one or more rules and in response to the rule loading request having been assessed as not allowable, not loading the new rule into the programmable portion.
- View Dependent Claims (17)
- - 17. The method of claim 16 further comprising:
    - (d) in response to the rule loading request having been assessed as not allowable, executing a security incident procedure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Irdeto B.V. (MultiChoice Group Ltd.)
Original Assignee
Irdeto B.V. (MultiChoice Group Ltd.)
Inventors
Dekker, Hans, Zivkovic, Vladimir
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Ahmed, Mahabub S

Application Number

US15/300,508
Publication Number

US 20170118018A1
Time in Patent Office

1,814 Days
Field of Search

380277
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2209/12   Details relating to cryptog...

H04L 9/088   Usage controlling of secret...

H04L 9/0897   involving additional device...

H04L 9/14   using a plurality of keys o...

H04L 9/302   involving the integer facto...

H04L 9/3066   involving algebraic varieti...

H04L 9/3249   using RSA or related signat...

Cryptographic chip and related methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic chip and related methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links