Controlled secure code authentication

US 10,474,823 B2
Filed: 02/16/2016
Issued: 11/12/2019
Est. Priority Date: 02/16/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a client device storing an entire image of a code; and

an authentication device physically arranged adjacent to the client device and coupled to the client device through a local connection, the authentication device configured to;

select a plurality of memory address ranges of an authorized code;

determine a respective portion of the authorized code for each of the plurality memory address ranges;

calculate a respective property of each of the respective portions;

send a request to the client device, the request including a challenge for a property of a particular portion from among a plurality of portions of the code stored within the client device, the challenge comprising data indicating a particular memory address range corresponding to the particular portion of the code;

receive a response to the request from the client device, the response including information associated with the property of the code, the information being generated by the client device based on a portion of the code stored within the client device and comprising the property of the portion of the code;

verify correctness of the response based on the received information; and

based on verifying correctness of the response, determine that the entire image of the code stored within the client device is authorized,wherein the verifying correctness of the response comprises determining that the property of the portion of the code in the response matches the property of the particular portion of the authorized code that is obtained based on stored information of the particular portion of the authorized code in a secure storage associated with the authentication device, the stored information of the particular portion of the authorized code comprising the calculated property of the particular portion of the authorized code corresponding to the particular memory address range of the plurality of memory address ranges of the authorized code.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, circuits and computer-readable mediums for controlled secure code authentication are provided. In one aspect, a non-transitory computer-readable storage medium having instructions stored thereon which, when executed by one or more processors, cause the one or more processors to perform a method including: sending a request to a client device, the request including a challenge for a property of a particular portion from among a plurality of portions of code stored within the client device, the challenge including data indicating a particular memory address range corresponding to the particular portion of the code, receiving a response to the request from the client device, the response including information associated with the property of the code, verifying correctness of the response based on the received information, and based on verifying correctness of the response, determining that the code is an authorized code.

Citations

26 Claims

1. A system comprising:
- a client device storing an entire image of a code; and
  
  an authentication device physically arranged adjacent to the client device and coupled to the client device through a local connection, the authentication device configured to;
  
  select a plurality of memory address ranges of an authorized code;
  
  determine a respective portion of the authorized code for each of the plurality memory address ranges;
  
  calculate a respective property of each of the respective portions;
  
  send a request to the client device, the request including a challenge for a property of a particular portion from among a plurality of portions of the code stored within the client device, the challenge comprising data indicating a particular memory address range corresponding to the particular portion of the code;
  
  receive a response to the request from the client device, the response including information associated with the property of the code, the information being generated by the client device based on a portion of the code stored within the client device and comprising the property of the portion of the code;
  
  verify correctness of the response based on the received information; and
  
  based on verifying correctness of the response, determine that the entire image of the code stored within the client device is authorized,wherein the verifying correctness of the response comprises determining that the property of the portion of the code in the response matches the property of the particular portion of the authorized code that is obtained based on stored information of the particular portion of the authorized code in a secure storage associated with the authentication device, the stored information of the particular portion of the authorized code comprising the calculated property of the particular portion of the authorized code corresponding to the particular memory address range of the plurality of memory address ranges of the authorized code.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the authentication device is coupled to a remote host device through a network, andwherein the remote host device is configured to provide an entire image of the authorized code to the authentication device and the client device.
  - 3. The system of claim 1, wherein the local connection comprises a data cable, a wireless connection, a hardware interface, a conductor, or a conductive connection on a circuit board.
  - 4. The system of claim 1, wherein the code comprises at least one of a boot code for the client device to boot and an operation code for the client device to perform a corresponding operation.

5. A non-transitory computer-readable storage medium having instructions stored thereon which, when executed by one or more processors, cause the one or more processors to perform a method comprising:
- selecting, by an authentication device, a plurality of memory address ranges of an authorized code;
  
  determining, by the authentication device, a respective portion of the authorized code for each of the plurality memory address ranges;
  
  calculating, by the authentication device, a respective property of each of the respective portions;
  
  sending, from the authentication device, a request to a client device coupled to the authentication device, the request including a challenge for a property of a particular portion from among a plurality of portions of an entire image of a code stored within the client device, the challenge comprising data indicating a particular memory address range corresponding to the particular portion of the code, the authentication device being physically arranged adjacent to the client device and coupled to the client device through a local connection;
  
  receiving, at the authentication device, a response to the request from the client device, the response including information associated with the property of a portion of the code stored within the client device;
  
  verifying correctness of the response based on the received information; and
  
  based on verifying correctness of the response, determining that the entire image of the code stored within the client device is authorized,wherein the verifying correctness of the response comprises determining that the property of the portion of the code in the response matches the property of the particular portion of the authorized code that is obtained based on stored information of the particular portion of the authorized code in a secure storage associated with the authentication device, the stored information of the particular portion of the authorized code comprising the calculated property of the particular portion of the authorized code corresponding to the particular memory address range of the plurality of memory address ranges of the authorized code.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 6. The computer-readable storage medium of claim 5, wherein the method further includes:
    - storing first information indicative of the respective properties of the portions of the authorized code and second information indicative of the respective memory address ranges in the secure storage; and
      
      respectively associating memory address ranges from among the plurality of memory address ranges with properties from among the properties of the portions in the secure storage.
  - 7. The computer-readable storage medium of claim 6, wherein the selecting the plurality of memory address ranges of the authorized code comprises:
    - randomly selecting the plurality of memory address ranges from a range defined by a starting address of the authorized code and an ending address of the authorized code.
  - 8. The computer-readable storage medium of claim 6, wherein the method further comprises:
    - randomly selecting the particular memory address range from among the plurality of memory address ranges, the particular memory address range being associated with a particular property of the particular portion of the authorized code in the secure storage.
  - 9. The computer-readable storage medium of claim 5, wherein the method further includes:
    - receiving an entire image of the authorized code;
      
      receiving a signature associated with the authorized code;
      
      calculating a digest of the received entire image of the authorized code; and
      
      verifying authenticity of the received entire image based on the received signature and the calculated digest of the received entire image.
  - 10. The computer-readable storage medium of claim 5, wherein the method further includes:
    - receiving a second entire image of the authorized code;
      
      selecting randomly a plurality of second address ranges of the second entire image of the authorized code;
      
      determining a respective second portion of the authorized code for each second address range;
      
      calculating a respective second property of each determined second portion of the authorized code; and
      
      replacing the respective properties of the portions of the authorized code with the respective second properties of the second portions of the authorized code in the secure storage.
  - 11. The computer-readable storage medium of claim 5, wherein the method further includes:
    - in response to determining that the code is the authorized code, enabling the client device to use secret data or cryptographic keys stored in the secure storage.
  - 12. The computer-readable storage medium of claim 5, wherein the method further comprises:
    - in response to determining that the code is the authorized code, enabling the client device through a pin coupled to the client device to power on or enable one or more hardware blocks in the client device.
  - 13. The computer-readable storage medium of claim 5, wherein the request includes a second challenge for a property of an entire image of the code stored within the client device.
  - 14. The computer-readable storage medium of claim 5, wherein the request includes a nonce, andwherein the verifying correctness of the response comprises determining that the response includes information associated with the nonce.
  - 15. The computer-readable storage medium of claim 5, wherein the method further comprises:
    - sending a second request to the client device, the second request following the request and including a second challenge for a property of a second, different portion of the code of the client device, the second challenge comprising data indicating a second memory address range corresponding to the second portion of the code.
  - 16. The computer-readable storage medium of claim 15, wherein the sending the second request is in response to determining that a predetermined period of time lapses after determining that the code is the authorized code.
  - 17. The computer-readable storage medium of claim 5, wherein the method further comprises:
    - sending a second request to the client device, the second request following the request and comprising a second challenge for a property of a merged portion of the authorized code that includes at least two different portions of the code, the second challenge comprising data indicating at least two memory address ranges corresponding to the at least two different portions of the code, respectively.
  - 18. The computer-readable storage medium of claim 5, wherein the method further comprises:
    - sending an individual challenge of a plurality of challenges to the client device for an individual authentication, wherein the plurality of challenges includes a first number of first challenges associated with a first portion of the code and a second number of second challenges associated with a second portion of the code; and
      
      varying at least one of a ratio of the first number and the second number and a sequence of the first challenges and the second challenges.
  - 19. The computer-readable storage medium of claim 5, wherein the method further comprises:
    - before sending the request, generating a message authentication code (MAC) of the request with a symmetric cryptographic key stored in the secure storage; and
      
      transmitting the MAC of the request to the client device.
  - 20. The computer-readable storage medium of claim 5, wherein the verifying correctness of the response is in response todetermining that a period of time between sending the challenge and receiving the response to the request is smaller than a predetermined threshold.
  - 21. The computer-readable storage medium of claim 5, wherein the method further comprises:
    - determining that a plurality of requests sent to the client device includes challenges for each of the plurality of portions of the code stored in the secure storage, and in response,sending a request for updating the code stored within the client device.
  - 22. The computer-readable storage medium of claim 5, wherein the code of the client device includes a boot code for the client device to start up, andthe method further comprises resetting the authentication device in synchronization with resetting the client device.
  - 23. The computer-readable storage medium of claim 5, wherein the property includes at least one of a digest, a signature, or a message authentication code (MAC).
  - 24. The computer-readable storage medium of claim 5, wherein the authentication device comprises the secure storage configured to store information associated with the authorized code, andwherein the information associated with the authorized code stored in the secure storage comprises at least one of a copy of the authorized code, a digest of the authorized code, a signature of the authorized code, or a message authentication code (MAC) of the authorized code.
  - 25. The computer-readable storage medium of claim 5, wherein the response includes a MAC of a digest of the code generated by the client device based on the digest of the code and a symmetric cryptographic key, andwherein the method further comprises authenticating the response with the symmetric cryptographic key stored in the secure storage.

26. A method comprising:
- selecting, by an authentication device, a plurality of memory address ranges of an authorized code;
  
  determining, by the authentication device, a respective portion of the authorized code for each of the plurality memory address ranges;
  
  calculating, by the authentication device, a respective property of each of the respective portions;
  
  sending, by the authentication device, a request to a client device coupled to the authentication device, the request including a challenge for a property of a particular portion from among a plurality of portions of an entire image of a code stored within the client device, the challenge comprising data indicating a particular memory address range corresponding to the particular portion of the code, the authentication device being physically arranged adjacent to the client device and coupled to the client device through a local connection;
  
  receiving, by the authentication device, a response to the request from the client device, the response including information associated with the property of a portion of the code stored within the client device;
  
  verifying, by the authentication device, correctness of the response based on the received information; and
  
  based on verifying correctness of the response, determining, by the authentication device, that the entire image of the code stored within the client device is authorized,wherein the verifying correctness of the response comprises determining that the property of the portion of the code in the response matches the property of the particular portion of the authorized code that is obtained based on stored information of the particular portion of the authorized code in a secure storage associated with the authentication device, the stored information of the particular portion of the authorized code comprising the calculated property of the particular portion of the authorized code corresponding to the particular memory address range of the plurality of memory address ranges of the authorized code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Atmel Corporation (Microchip Technology Incorporated)
Original Assignee
Atmel Corporation (Microchip Technology Incorporated)
Inventors
Maletsky, Kerry David
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Sarker, Sanchit K

Application Number

US15/044,770
Publication Number

US 20170235957A1
Time in Patent Office

1,365 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 21/602   Providing cryptographic fac...

G06F 21/64   Protecting data integrity, ...

G06F 2221/033   Test or assess software

G06F 2221/2129   Authenticate client device ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 9/3066   involving algebraic varieti...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

Controlled secure code authentication

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Controlled secure code authentication

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links