Secure implementation and utilization of device-specific security data

US 20060101288A1
Filed: 10/27/2003
Published: 05/11/2006
Est. Priority Date: 10/31/2002
Status: Active Grant

First Claim

Patent Images

1-46. -46. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention concerns a tamper-resistant electronic circuit configured for implementation in a device. The electronic circuit securely implements and utilizes device-specific security data during operation in the device, and is basically provided with a tamper-resistantly stored secret not accessible over an external circuit interface. The electronic circuit is also provided with functionality for performing cryptographic processing at least partly in response to the stored secret to generate an instance of device-specific security data that is internally confined within said electronic circuit during usage of the device. The electronic circuit is further configured for performing one or more security-related operations or algorithms in response to the internally confined device-specific security data. In this way, secure implementation and utilization device-specific security data for security purposes can be effectively accomplished. The security is uncompromised since the stored secret is never available outside the electronic circuit, and the device-specific security data is internally confined within the circuit during usage or operation of the device.

117 Citations

View as Search Results

75 Claims

1-46. -46. (canceled)

47. A tamper-resistant electronic circuit for implementation in a device, said tamper-resistant electronic circuit comprising:
- means for tamper-resistantly storing a secret not accessible over an external circuit interface;
  
  means for performing cryptographic processing at least partly in response to said stored secret to generate an instance of device-specific security data internally confined within said electronic circuit during usage of said device; and
  
  means for performing a security-related operation in response to said internally confined device-specific security data.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 48. The electronic circuit according to claim 47, wherein said device is a network device and said operation is related to at least one of data confidentiality, data integrity, authentication, authorization and non-repudiation in network communication.
  - 49. The electronic circuit according to claim 47, wherein said device is configured for producing digital content and said security-related operation is configured for marking said digital content based on said device-specific security data.
  - 50. The electronic circuit according to claim 49, wherein said operation is configured for generating a device-specific fingerprint embedded into said digital content.
  - 51. The electronic circuit according to claim 47, wherein said means for performing cryptographic processing is configured for generating said device-specific security data provided that additional input data in the form of predetermined trigger data is applied over an external circuit interface during usage of said device, wherein said trigger data is defined during configuration of said device.
  - 52. The electronic circuit according to claim 51, wherein said trigger data is defined based on configurational device-specific security data provided during configuration of the device, and said electronic circuit further comprises:
    - means for generating, based on said stored secret and said configurational device-specific security data, said trigger data as a cryptographic representation of said configurational device-specific security data during configuration of said device;
      
      means for outputting said cryptographic representation over an external circuit interface during configuration; and
      
      means for internally re-generating said device-specific security data during usage of said device provided that said additional input corresponds to said cryptographic representation.
  - 53. The electronic circuit according to claim 52, further comprising means for internally generating, during configuration of said device, said configurational device-specific security data at least partly based on said stored secret.
  - 54. The electronic circuit according to claim 53, wherein said means for internally generating said configurational device-specific security data comprises means for generating a private key at least partly based on said stored secret, and said trigger data is generated as a cryptographic representation of said private key during configuration of said device.
  - 55. The electronic circuit according to claim 47, further comprising means for making, during configuration of said device, said device-specific security data available over an external circuit interface provided that a predetermined device access code is entered into the electronic circuit.
  - 56. The electronic circuit according to claim 47, further comprising means for disabling internal access to at least one of said stored secret and said device-specific security data unless a predetermined device access code is entered into the electronic circuit.
  - 57. The electronic circuit according to claim 55, further comprising:
    - means for authentication of a manufacturer of said device;
      
      means for providing, during device manufacturing, said device access code to said device manufacturer in response to successful authentication.
  - 58. The electronic circuit according to claim 47, wherein said means for performing a security-related operation based on said confined device-specific security data comprises:
    - means for performing additional cryptographic processing based on said device-specific security data and further external input data to generate further security data; and
      
      means for performing said security-related operation in response to said further security data.
  - 59. The electronic circuit according to claim 58, wherein said device-specific security data represents a private key, and said further external input data represents an encryption of said further device-specific security data by the corresponding public key.
  - 60. The electronic circuit according to claim 59, wherein said further security data represents a symmetric content decryption key issued by a content provider, and said device-specific security data represents a private key of a device manufacturer.
  - 61. The electronic circuit according to claim 47, wherein said means for performing cryptographic processing to generate device-specific security data is configured for generating a symmetric cryptographic key in response to a seed applied over an external circuit interface.
  - 62. The electronic circuit according to claim 47, wherein said means for performing cryptographic processing to generate device-specific security data is configured for generating a private key at least partly based on said stored secret, and said means for performing a security-related operation comprises means for performing asymmetric cryptography operations based on said internally confined private key.
  - 63. The electronic circuit according to claim 62, further comprising means for generating a public key corresponding to said private key during configuration of said device, and means for outputting said public key over an external circuit interface.
  - 64. The electronic circuit according to claim 62, further comprising:
    - means for performing shared key generation to generate a new shared key based on said generated private key and a public key of an intended communication partner; and
      
      means for performing cryptographic processing based on said new shared key.
  - 65. The electronic circuit according to claim 47, wherein said means for cryptographic processing is operable for generating said device-specific security data 20 as a chain of k bind keys B₁, . . . , B_kin response to corresponding bind identities R₁, . . . R_kaccording to the following formula:
    - B_i=f(B_i-1, R_i) for i=1, . . . , k, where B₀represents the stored secret, and f is a cryptographic one-way function.

66. A device implemented with a tamper-resistant electronic circuit, said electronic circuit comprising:
- means for tamper-resistantly storing a secret not accessible over an external circuit interface;
  
  means for performing cryptographic processing at least partly in response to said stored secret to generate an instance of device-specific security data internally confined within said electronic circuit during usage of said device; and
  
  means for performing a security-related operation in response to said internally confined device-specific security data.
- View Dependent Claims (67, 68, 69)
- - 67. The device according to claim 66, wherein said device is a network device and said operation is related to at least one of data confidentiality, data integrity, authentication, authorization and non-repudiation in network communication.
  - 68. The device according to claim 66, wherein said device is configured for producing digital content and said security-related operation is configured for marking said digital content based on said device-specific security data.
  - 69. The device according to claim 66, wherein said means for performing cryptographic processing is configured for generating said device-specific security data provided that additional input data in the form of predetermined trigger data is applied over an external circuit interface of the electronic circuit during usage of said device, wherein said trigger data is defined during configuration of said device.

70. A method for management of security data for a device, said method comprising the steps of:
- storing, in a controlled environment during manufacturing of a tamperresistant electronic circuit, a secret randomized number in said electronic circuit such that the secret number is not available outside of said electronic circuit;
  
  implementing, during circuit manufacturing, functionality into said electronic circuit for performing cryptographic processing at least partly based on said stored secret number to generate device-specific security data internally confined within said electronic circuit during usage of the device;
  
  implementing, during circuit manufacturing, a security-related operation into said electronic circuit, said security-related operation being configured for receiving at least said internally confined device-specific security data as input during usage of the device; and
  
  installing, during device manufacturing, said electronic circuit into said device.
- View Dependent Claims (71, 72, 73, 74, 75)
- - 71. The method according to claim 70, wherein said device is a network device and said operation is related to at least one of data confidentiality, data integrity, authentication, authorization and non-repudiation in network communication.
  - 72. The method according to claim 70, wherein said device is configured for producing digital content and said security-related operation is configured for marking said digital content based on said device-specific security data.
  - 73. The method according to claim 70, further comprising the step of providing, during configuration of the device, trigger data to be applied later during usage of the device in order to be able to generate said device-specific security data within said electronic circuit.
  - 74. The method according to claim 73, further comprising the steps of:
    - entering, in a controlled environment during device configuration, said trigger data as input data into said electronic circuit in order to obtain device-specific security data from the cryptographic functionality of the electronic circuit;
      
      recording, in a controlled environment during device configuration, said device-specific security data and said input data; and
      
      entering, in a controlled environment during device configuration, a predetermined device access code into the electronic circuit for accessing the device-specific security data over an external circuit interface.
  - 75. The method according to claim 73, further comprising the steps of:
    - generating, in a controlled environment during device configuration, device-specific security data;
      
      entering, in a controlled environment during device configuration, said generated device-specific security data into said electronic circuit in order to obtain said trigger data as a result representation from the cryptographic functionality of the electronic circuit; and
      
      recording, in a controlled environment during device configuration, said result representation and the previously generated device-specific security data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Smeets, Bernard, Selander, Goran, Nerbrant, Per-Olof

Granted Patent

US 7,861,097 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/194
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

G06F 21/72   in cryptographic circuits

H04L 2209/603   Digital right managament [DRM]

H04L 9/0844   with user authentication or...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

Secure implementation and utilization of device-specific security data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

117 Citations

75 Claims

Specification

Solutions

Use Cases

Quick Links

Secure implementation and utilization of device-specific security data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

75 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links