E-fuses for storing security version data

US 20060015754A1
Filed: 07/15/2004
Published: 01/19/2006
Est. Priority Date: 07/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method of handling secure data in a secure system, wherein the secure data is passed between a processor and memory external to the processor, comprising:

maintaining a security version parameter in persistent storage on the processor, wherein blocks of secure data are encrypted as a function of the security version parameter; and

dynamically changing the security version parameter by modifying the contents of the persistent storage.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and devices that may be utilized in systems to dynamically update a security version parameter used to encrypt secure data are provided. The version may be maintained in persistent storage located on a device implementing the encryption, such as a system on a chip (SOC). The persistent storage does not require battery backing and, thus, the cost and complexity associated with conventional systems utilizing battery backed storage may be reduced.

Citations

25 Claims

1. A method of handling secure data in a secure system, wherein the secure data is passed between a processor and memory external to the processor, comprising:
- maintaining a security version parameter in persistent storage on the processor, wherein blocks of secure data are encrypted as a function of the security version parameter; and
  
  dynamically changing the security version parameter by modifying the contents of the persistent storage.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the security version parameter is dynamically changed while the secure system is running.
  - 3. The method of claim 1, further comprising:
    - dynamically updating the privileges of a user;
      
      encrypting a data structure containing privilege information indicating the updated privileges; and
      
      generating an integrity check value on the data structure, wherein at least one of the encrypting or the generating is affected by the security version parameter.
  - 4. The method of claim 1, wherein dynamically changing the security version parameter comprises blowing a fuse.
  - 5. The method of claim 1, wherein dynamically changing the security version parameter comprises only one of increasing or decreasing the security version.

6. A method of handling secure data in a secure system, wherein the secure data is passed between a processor and memory external to the processor, comprising:
- maintaining a security version parameter and master key data in persistent storage on the processor;
  
  encrypting a block of secure data;
  
  generating an integrity check value for the block of secure data, wherein at least one of the encrypting and the generating is performed as a function of the security version parameter;
  
  storing the encrypted block of secure data in the external memory; and
  
  dynamically changing the security version parameter by modifying the contents of the persistent storage.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6, wherein the encrypting and generating is performed in software.
  - 8. The method of claim 6, wherein encrypting a block of secure data is affected by at least one of:
    - the master key data, one or more keys derived from the master key data, and one or more keys protected by the master key data.
  - 9. The method of claim 6, further comprising encrypting the security version parameter and storing the security version parameter in external memory with the block of secure data.
  - 10. The method of claim 9, further comprising:
    - retrieving the encrypted block of secure data and security version parameter from external memory;
      
      decrypting the encrypted block of secure data and security version parameter retrieved from external memory; and
      
      comparing the security version parameter retrieved from external memory with the security version parameter stored in persistent storage.
  - 11. The method of claim 10, further comprising:
    - generating a security exception if the retrieved security version parameter and the security version parameter maintained in the persistent storage are not equal.
  - 12. The method of claim 6, wherein the master key information and security version parameter are stored in different types of persistent storage.

13. A device for encrypting blocks of data to be stored in memory external to the device, comprising:
- first persistent storage elements for storing a security version parameter;
  
  second persistent storage elements for storing master key data;
  
  an encryption engine configured to encrypt secure blocks of data to be stored in the external memory, wherein at least one of;
  
  the encrypted secure blocks or an integrity check value generated therefore are affected by the security version parameter; and
  
  a mechanism for modifying the first persistent storage elements to update the security version parameter without modifying previously modified first persistent storage elements.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The device of claim 13, wherein the first persistent storage elements comprise electrically programmable fuses.
  - 15. The device of claim 13, wherein the second persistent storage elements comprise electrically programmable fuses.
  - 16. The device of claim 13, wherein the second persistent storage elements comprise laser fuses.
  - 17. The device of claim 13, further comprising a validation component configured to:
    - validate that a security version parameter used to encrypt a retrieved block of secure data, or generate an integrity check value therefor, is the same as the security version parameter maintained in the first persistent storage elements.
  - 18. The device of claim 13, wherein the device is a central processing unit.
  - 19. The device of claim 18, wherein the device is a central processing unit on a gaming system.
  - 20. The device of claim 19, wherein the secure data contains key information used to decrypt a game program.

21. A method of handling secure data in a secure system, wherein the secure data is passed between a processor and memory external to the processor, comprising:
- maintaining a security version parameter and master key data in persistent storage on the processor;
  
  storing first and second copies of an encrypted data structure in external memory, wherein at least one of;
  
  the encrypted data structure or an integrity check value calculated therefor are affected by the security version parameter;
  
  dynamically updating the security version parameter without modifying the contents of the persistent storage;
  
  overwriting the first copy of the encrypted data structure with a new encrypted data structure, wherein at least one of;
  
  the encrypted data structure or an integrity check value calculated therefor are affected by the updated security version parameter;
  
  reading back the first copy of the new encrypted data structure;
  
  determining if the first copy of the new encrypted data structure read back is valid; and
  
  modifying the persistent storage to reflect the updated security version parameter only if the first copy of the new encrypted data structure is valid.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, further comprising:
    - overwriting the second copy of the data structure with the new encrypted data structure.
  - 23. The method of claim 21, further comprising:
    - determining if the first and second copies of the encrypted data structure are valid prior to overwriting the first copy of the encrypted data structure with the new encrypted data structure.
  - 24. The method of claim 21, wherein modifying the persistent storage to reflect the updated security version parameter comprises burning a fuse.
  - 25. The method of claim 24, wherein the security version parameter is determined by the total number of fuses burnt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hoover, Russell D., Hall, William E., Drehmel, Robert A.

Granted Patent

US 7,461,268 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/72   in cryptographic circuits

G11C 17/16   using electrically-fusible ...

H04L 9/3236   using cryptographic hash fu...

E-fuses for storing security version data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

E-fuses for storing security version data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links