Stateless hardware security module

US 20060072762A1
Filed: 06/21/2005
Published: 04/06/2006
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A secure data processing method comprising:

storing at least one cipher key in at least one data memory in an integrated circuit;

maintaining the at least one cipher key within a security boundary associated with the integrated circuit;

using the at least one cipher key within the security boundary; and

enforcing policy associated with the at least one cipher key.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Stateless hardware security modules facilitate securing data transfers between devices in a data communication system. The stateless hardware security module may communicate with other devices via a secure communication channel to securely transfer information between the client device and another device. As a result, sensitive information such as cryptographic keys and data may be securely routed between the client device and another device. The stateless hardware security module may support a limited set of key management operations to facilitate routing of information between the client device and another device. However, the stateless hardware security module does not need to maintain state information for the keys it maintains and/or uses. As a result, the stateless hardware security module may be advantageously integrated into a variety of client devices. A stateless hardware security module may support receiving keys in a secure manner from another device and storing and using these keys within a secure boundary. A stateless hardware security module may support generating a private/public key pair within a secure boundary, maintaining the private key within the secure boundary, and exporting the public key to an authenticating entity.

135 Citations

36 Claims

1. A secure data processing method comprising:
- storing at least one cipher key in at least one data memory in an integrated circuit;
  
  maintaining the at least one cipher key within a security boundary associated with the integrated circuit;
  
  using the at least one cipher key within the security boundary; and
  
  enforcing policy associated with the at least one cipher key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the at least one cipher key comprises a private key.
  - 3. The method of claim 1 comprising generating an asymmetric key within the security boundary.
  - 4. The method of claim 3 wherein the at least one cipher key comprises a private key of the asymmetric key.
  - 5. The method of claim 1 comprising using the at least one cipher key to establish a secure communication channel between the integrated circuit and a device.
  - 6. The method of claim 1 comprising:
    - receiving at least one encrypted cipher key in the integrated circuit; and
      
      decrypting the at least one encrypted cipher key within the security boundary.
  - 7. The method of claim 6 comprising providing the decrypted cipher key to at least one cryptographic accelerator within the security boundary.
  - 8. The method of claim 6 comprising using the decrypted cipher key within the security boundary.
  - 9. The method of claim 8 wherein using the decrypted cipher key is performed without maintaining state information associated with the decrypted cipher key.
  - 10. The method of claim 1 comprising:
    - receiving data in the integrated circuit;
      
      encrypting the data within the security boundary; and
      
      transmitting the encrypted data to a device.

11. A security processing system comprising:
- at least one key generator for generating an identity cipher key within an integrated circuit;
  
  at least one data memory within the integrated circuit for storing the identity cipher key; and
  
  at least one processor for processing data using the identity cipher key within the integrated circuit and for enforcing policy associated with key usage.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11 wherein the at least one key generator comprises an asymmetric key generator.
  - 13. The system of claim 11 wherein the identity cipher key comprises a private key.
  - 14. The system of claim 11 comprising at least one data interface for publishing a public key outside the integrated circuit.
  - 15. The system of claim 11 comprising at least one data interface for receiving encrypted keys from a device.
  - 16. The system of claim 15 wherein the at least one processor decrypts encrypted keys received from a device.
  - 17. The system of claim 16 comprising at least one encryption accelerator configured to receive the decrypted cipher key.

18. A security processing system comprising:
- at least one data interface for receiving an identity cipher key within an integrated circuit;
  
  at least one data memory within the integrated circuit for storing the identity cipher key; and
  
  at least one processor for processing data using the identity cipher key within the integrated circuit and for enforcing policy associated with key usage.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18 comprising at least one data interface for receiving data to be encrypted.
  - 20. The system of claim 19 wherein the at least one processor encrypts the data.
  - 21. The system of claim 20 wherein the at least one data interface transmits the encrypted data to a device.

22. A secured data transmission system, comprising:
- at least one data channel;
  
  at least one main security module for distributing encrypted cipher keys over at the least one data channel; and
  
  at least one stateless security module for receiving encrypted cipher keys over the at least one data channel and for encrypting or decrypting data using the cipher keys.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The secured data transmission system of claim 22 comprising at least one data memory for storing encrypted cipher keys.
  - 24. The secured data transmission system of claim 22 wherein the at least one stateless security module comprises at least one cipher for encrypting or decrypting cipher keys.
  - 25. The secured data transmission system of claim 24 comprising at least one data memory for storing encrypted cipher keys.
  - 26. The secured data transmission system of claim 24 wherein at least one of the cipher keys comprises a key for encrypting or decrypting keys.
  - 27. The secured data transmission system of claim 24 wherein the at least one stateless security module encrypts or decrypts data using at least one decrypted cipher key.
  - 28. The secured data transmission system of claim 22 wherein at least one of the cipher keys comprises a private key.

29. A method for providing secured data transmission comprising the steps of:
- establishing communication over a data channel between a main security module and a stateless security module;
  
  establishing a secure channel over the data channel;
  
  generating at least one cipher key in a main security module;
  
  transmitting the at least one cipher key to the stateless security module over the secure channel; and
  
  using the at least one cipher key within a security boundary associated with the stateless security module.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36)
- - 30. The method of claim 29 comprising maintaining a private key within the security boundary associated with the stateless security module.
  - 31. The method of claim 29 wherein establishing a secure channel comprises using the private key within the security boundary associated with the stateless security module.
  - 32. The method of claim 29 comprising:
    - transmitting at least one encrypted cipher key to the stateless security module; and
      
      decrypting the at least one encrypted cipher key within the security boundary associated with the stateless security module.
  - 33. The method of claim 32 comprising providing the decrypted cipher key to at least one cryptographic accelerator within the security boundary associated with the stateless security module.
  - 34. The method of claim 32 comprising using the decrypted cipher key within the security boundary associated with the stateless security module.
  - 35. The method of claim 34 wherein using the decrypted cipher key is performed without maintaining state information associated with the decrypted cipher key.
  - 36. The method of claim 29 comprising:
    - receiving data in the stateless security module;
      
      encrypting the data within the security boundary associated with the stateless security module; and
      
      transmitting the encrypted data to a device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Buer, Mark

Granted Patent

US 8,160,244 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

G06F 21/72   in cryptographic circuits

G06F 21/85   interconnection devices, e....

G06Q 20/3829   involving key management

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/0853   using an additional device,...

H04L 9/0897   involving additional device...

Stateless hardware security module

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Stateless hardware security module

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links