Modules to securely provision an asset to a target device

US 10,581,838 B2
Filed: 06/11/2018
Issued: 03/03/2020
Est. Priority Date: 05/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an Appliance device, a Module over a network from a Service device;

receiving, by the Appliance device, a first deployment authorization message from the Service device, wherein the first deployment authorization message ties the Module to a first Appliance cluster comprising at least the Appliance device and delivers a module key that is used to encrypt a data asset in the Module;

receiving, by the Appliance device, a communication from a cryptographic manager (CM) client library of a tester device, wherein the communication comprises an argument from the CM client library;

in response to the communication, invoking the Module by the Appliance device to generate a Module sequence based on the argument;

verifying that the Appliance device is tied to the Module using the first deployment authorization message; and

sending, by the Appliance device, the Module sequence to the CM client library, wherein a tester script of the tester device delivers the Module sequence to a CM Core of a target device in an operation phase of a manufacturing lifecycle of the target device, wherein the Module sequence comprises a sequence of operations that securely provisions the data asset of the Module to the target device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.

17 Citations

14 Claims

1. A method comprising:
- receiving, by an Appliance device, a Module over a network from a Service device;
  
  receiving, by the Appliance device, a first deployment authorization message from the Service device, wherein the first deployment authorization message ties the Module to a first Appliance cluster comprising at least the Appliance device and delivers a module key that is used to encrypt a data asset in the Module;
  
  receiving, by the Appliance device, a communication from a cryptographic manager (CM) client library of a tester device, wherein the communication comprises an argument from the CM client library;
  
  in response to the communication, invoking the Module by the Appliance device to generate a Module sequence based on the argument;
  
  verifying that the Appliance device is tied to the Module using the first deployment authorization message; and
  
  sending, by the Appliance device, the Module sequence to the CM client library, wherein a tester script of the tester device delivers the Module sequence to a CM Core of a target device in an operation phase of a manufacturing lifecycle of the target device, wherein the Module sequence comprises a sequence of operations that securely provisions the data asset of the Module to the target device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - assembling, by a hardware security module (HSM) on the Appliance device, tester information and a pre-computed data (PCD) asset comprising the data asset;
      
      signing, by the HSM, a delegate signing block (DSB); and
      
      creating, by the HSM, the Module sequence with the tester information, PCD asset and the DSB.
  - 3. The method of claim 1, wherein the tester device is configured to deliver the Module sequence to the CM Core of the target device as part of a test script.
  - 4. The method of claim 1, wherein sending the Module sequence further comprises delivering the data asset to the CM core of the target device via the tester device, wherein the CM core is a hardware core configured to execute a set of commands to provide cryptographic control of the data asset when the target device is deployed in a product.
  - 5. The method of claim 4, wherein the set of commands to provide cryptographic control comprises a command for feature activation of one or more features of the target device.
  - 6. The method of claim 4, wherein the set of commands to provide cryptographic control comprises a command for configuration management of the target device.
  - 7. The method of claim 4, wherein the set of commands to provide cryptographic control comprises a command for secure key management of the target device.

8. An Appliance device comprising:
- a processor;
  
  a network interface coupled to the processor; and
  
  a tester device interface coupled to the processor, wherein the processor is operable to;
  
  receive a Module over a network from a Service device;
  
  receive a first deployment authorization message from the Service device, wherein the first deployment authorization message ties the Module to a first Appliance cluster comprising at least the Appliance device and delivers a module key that is used to encrypt a data asset in the Module;
  
  receive a communication from a cryptographic manager (CM) client library of a tester device, wherein the communication comprises an argument from the CM client library;
  
  in response to the communication, invoke the Module to generate a Module sequence based on the argument;
  
  verify that the Appliance device is tied to the Module using the first deployment authorization message; and
  
  send the Module sequence to the CM client library, wherein a tester script of the tester device delivers the Module sequence to a CM Core of a target device in an operation phase of a manufacturing lifecycle of the target device, wherein the Module sequence comprises a sequence of operations that securely provisions the data asset of the Module to the target device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The Appliance device of claim 8, further comprising a hardware security module (HSM), wherein the HSM is to use the HSM to:
    - assemble tester information and a pre-computed data (PCD) asset;
      
      sign a delegate signing block (DSB); and
      
      create the Module sequence with the tester information, PCD asset, and the DSB.
  - 10. The Appliance device of claim 8, wherein the tester device is configured to deliver the Module sequence to the CM Core of the target device as part of a test script.
  - 11. The Appliance device of claim 8, wherein the CM core is a hardware core configured to execute a set of commands to provide cryptographic control of the data asset when the target device is deployed in a product.
  - 12. The Appliance device of claim 11, wherein the set of commands to provide cryptographic control comprises a command for feature activation of one or more features of the target device.
  - 13. The Appliance device of claim 11, wherein the set of commands to provide cryptographic control comprises a command for configuration management of the target device.
  - 14. The Appliance device of claim 11, wherein the set of commands to provide cryptographic control comprises a command for secure key management of the target device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptography Research, Inc. (Rambus Inc.)
Original Assignee
Cryptography Research, Inc. (Rambus Inc.)
Inventors
Hamburg, Michael, Jun, Benjamin Che-Ming, Kocher, Paul C., O'Loughlin, Daniel, Pochuev, Denis Alexandrovich
Primary Examiner(s)
Potratz, Daniel B
Assistant Examiner(s)
Jones, William B

Application Number

US16/004,715
Publication Number

US 20180295127A1
Time in Patent Office

631 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/72   in cryptographic circuits

G06F 21/73   by creating or determining ...

G06F 2221/2107   File encryption

G06F 2221/2135   Metering

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/123   received data contents, e.g...

H04L 67/60   Scheduling or organising th...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

Modules to securely provision an asset to a target device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Modules to securely provision an asset to a target device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links