Method and apparatus for secure processing of cryptographic keys

US 20030172265A1
Filed: 02/26/2003
Published: 09/11/2003
Est. Priority Date: 05/04/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for secure processing of cryptographic keys using a main system processor having a secure processor mode, comprising the steps of:

loading a cryptographic key, cryptographic program, and any other required cryptographic data into a secure memory during a secure processor mode or during a power-on initialization sequence; and

executing the cryptographic program in the secure processor mode or during the power-on initialization sequence using the cryptographic key stored in the secure memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for secure processing of cryptographic keys, wherein a cryptographic key stored on a token is processed in a secure processor mode using a secure memory. A main system processor is initialized into a secure processing mode, which cannot be interrupted by other interrupts, during a power-on sequence. A user enters a Personal Identification Number (PIN) to unlock the cryptographic key stored on the token. The cryptographic key and associated cryptographic program are then loaded into the secure memory. The secure memory is locked to prevent access to the stored data from any other processes. The user is then prompted to remove the token and the processor exits the secure mode and the system continues normal boot-up operations. When an application requests security processing, the cryptographic program is executed by the processor in the secure mode such that no other programs or processes can observe the execution of the program. Two-factor authentication is thus obtained without the need for any additional hardware.

Citations

28 Claims

1. A method for secure processing of cryptographic keys using a main system processor having a secure processor mode, comprising the steps of:
- loading a cryptographic key, cryptographic program, and any other required cryptographic data into a secure memory during a secure processor mode or during a power-on initialization sequence; and
  
  executing the cryptographic program in the secure processor mode or during the power-on initialization sequence using the cryptographic key stored in the secure memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the secure memory can only be accessed by the processor while the processor is in the secure processor mode.
  - 3. The method of claim 2, wherein the secure processor mode is a highest interrupt processing mode which cannot be interrupted by other processor interrupts.
  - 4. The method of claim 1, wherein the step of loading is performed during a power-on initialization sequence, and the step of executing is performed after an operating system has loaded.
  - 5. The method of claim 4, wherein the cryptographic program and data are loaded during a power on initialization sequence, and the cryptographic key is loaded during a secure processor mode initialized after an operating system has loaded.
  - 6. The method of claim 3, further comprising the step of:
    - verifying a personal identification number (PIN), before loading the cryptographic key into the secure memory.
  - 7. The method of claim 5, further comprising the step of:
    - locking the secure memory, if required by a system architecture to prevent other processes from accessing the secure memory, after the step of loading the cryptographic program during the power on initialization.
  - 8. The computer password security method of claim 3, wherein the processor is an Intel 386 family compatible processor, or later x86 model processor, and the secure processor mode is a System Management Mode (SMM).
  - 9. The method of claim 8, wherein the secure memory is a System Management Random Access Memory (SMRAM), and the step of initializing the processor comprises the step of invoking a System Management Interrupt (SMI).
  - 10. The method of claim 6, wherein the step of verifying a PIN comprises the step of:
    - reading an encrypted key from the token;
      
      requesting a user to enter a PIN;
      
      decrypting the key using the PIN;
      
      performing a hash function on the decrypted key to generate a digest; and
      
      comparing the generated digest with a digest stored in a system BIOS.

11. A method for secure processing of cryptographic keys using a main system processor, comprising the steps of:
- verifying a user'"'"'s personal identification number (PIN);
  
  loading a cryptographic program, and any other required cryptographic data stored on a token into a secure memory, if the user'"'"'s PIN is verified;
  
  locking the secure memory, if required by a system architecture to prevent other processes from accessing the secure memory, after loading the cryptographic program and any other data; and
  
  exiting the secure processor mode and continuing a normal boot-up procedure.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein a cryptographic key is loaded into the secure memory during a secure processor mode initialized after an operating system has been loaded.
  - 13. The method of claim 11, wherein a cryptographic key is loaded into the secure memory along with the cryptographic program and other data, before an operating system is loaded.
  - 14. The method of claim 11, further comprising the step of:
    - determining if the token is available before verifying the user'"'"'s PIN.
  - 15. The method of claim 14, wherein the step of verifying a PIN comprises the steps of:
    - reading an encrypted key from the token;
      
      requesting a user to enter a PIN;
      
      decrypting the key using the PIN;
      
      performing a has function on the decrypted key to generate a digest; and
      
      comparing the generated digest with a digest stored in a system BIOS.
  - 16. The method of claim 11, wherein the secure memory can only be accessed by the processor while the processor is in the secure processor mode.
  - 17. The method of claim 16, wherein the secure processor mode is a highest interrupt processing mode which cannot be interrupted by other processor interrupts.
  - 18. The method of claim 11, wherein the processor is an Intel 386 family compatible processor, or later x86 processor, and the secure processor mode is a System Management Mode (SMM).
  - 19. The method of claim 18, wherein the secure memory is a System Management Random Access Memory (SMRAM), and the step of initializing the processor comprises the step of invoking a System Management Interrupt (SMI).
  - 20. The method of claim 12, wherein when security services are requested by an application, the processor is initialized into the secure mode, an operating system is placed into a sleep mode, and the cryptographic program is executed.

21. A secure processing apparatus for secure processing of cryptographic keys, the apparatus comprising:
- a main system processor having a secure processor mode;
  
  a secure memory which can only be accessed by the processor while the processor is in the secure mode; and
  
  a cryptographic key, program, and associated data stored on a token, wherein the cryptographic key, program and associated data are stored in the secure memory during a power-on initialization or a secure processor mode, and wherein the cryptographic key, program and associated data are processed by the processor during a power-on initialization or a secure processor mode.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The secure processing apparatus of claim 21, wherein the secure processor mode is a highest interrupt processing mode which cannot be interrupted by other processor interrupts.
  - 23. The secure processing apparatus of claim 22, further comprising:
    - token determination means for determining if the token is available before loading the cryptographic key and program into the secure memory.
  - 24. The computer password processing apparatus of claim 23, further comprising:
    - personal identification number (PIN) verification means for verifying a user'"'"'s PIN after determining that the token is available and before loading the cryptographic key and program.
  - 25. The computer password processing apparatus of claim 24, wherein the processor is an Intel 386 family compatible processor, or later x86 processor, and the secure processor mode is a System Management Mode (SMM).
  - 26. The computer password validation method of claim 25, wherein the secure memory is a System Management Random Access Memory (SMRAM), and the processor is initialized into the System Management Mode (SMM) by invoking a System Management Interrupt (SMI).
  - 27. The secure processing apparatus of claim 24, wherein the PIN verification means comprises:
    - reading means for reading an encrypted key stored on a token;
      
      PIN request means for requesting a user to enter a PIN;
      
      decryption means for decrypting the key using the PIN;
      
      hash function calculation means for calculating a hash function of the decrypted key to generate a digest; and
      
      comparing means for comparing the generated digest with a digest stored in a system BIOS.
  - 28. The secure processing apparatus of claim 23, further comprising locking means for locking the memory if required by a system architecture to prevent other processes from accessing the secure memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kinglite Holdings Inc.
Original Assignee
Kinglite Holdings Inc.
Inventors
Vu, Son Trung, Phan, Quang

Application Number

US10/376,530
Publication Number

US 20030172265A1
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G01S 13/9058   Bistatic or multistatic SAR

G06F 21/602   Providing cryptographic fac...

G06F 21/64   Protecting data integrity, ...

G06F 21/72   in cryptographic circuits

H04L 9/0897   involving additional device...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

Method and apparatus for secure processing of cryptographic keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for secure processing of cryptographic keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links