Secure device authentication system and method
First Claim
1. A method comprising:
- accessing a header including a data structure and a set of hash values;
- obtaining from the data structure a first root hash of a hierarchical hash tree;
- computing a second root hash from the set of hash values;
- comparing the first root hash to the second root hash;
- if the first root hash and the second root hash match, obtaining an encrypted key from the data structure;
- securely decrypting the encrypted key;
- securely storing the key such that the key is not passed in the clear;
- providing a reference to the key;
- decrypting a data block with the reference to the key;
- loading authentication data from a sub-block associated with the data block;
- identifying, in the authentication data, a first set of hash values associated with a first level of the hierarchical hash tree;
- computing a cryptographic hash of the data block to determine a first hash value;
- comparing the first hash value to a corresponding value in the first set of hash values;
- rejecting a block data request if the first hash value and the corresponding value in the first set of hash values do not match.
Abstract
A technique for security and authentication on block-based media involves the use of protected keys, providing authentication and encryption primitives. A system according to the technique may include a secure device having a security kernel with protected keys. A disk drive security mechanism may support authentication of data, secrecy, and ticket validation using the security kernel and, for example, a ticket services module (e.g., a shared service that may or may not be used by other storage devices like flash).
21 Claims
15. A system comprising:
- a block-based media driver coupled to a security API, wherein, in operation, the block-based media driver accesses a header associated with a block-based media device and extracts authentication data from the header;
- ticket services coupled to the block-based media driver and the security API, wherein, in operation, the ticket services receive the authentication data from the block-based media driver and send a key decryption request to the security API;
- a security kernel including the security API, an encryption/decryption engine, and a key store accessible to the security API, wherein, in operation, the encryption/decryption engine decrypts the key, the key is stored in the key store, and the security API returns a reference to the key to the ticket services;
- wherein, in operation, the ticket services validates the authentication data and returns the reference to the key to the block-based media driver;
- wherein, in operation, the block-based media driver accesses data blocks of the block-based media device, sends a block decryption request to the security API, and the security kernel decrypts the blocks and validates a hierarchical hash tree associated with the data blocks.
18. A system having a means for secure content delivery with block-based media, comprising:
- a secure key store means;
- a means for accessing an encrypted key from a header of a block-based media device;
- a means for securely decrypting the encrypted key;
- a means for securely storing the key in the key store;
- a means for referencing the key to securely decrypt data blocks of the block-based media device;
- a means for providing hash values in association with the block-based media device and each data block of the block-based media device.
21. A method comprising:
- accessing a header including a data structure and a set of hash values;
- obtaining from the data structure a first root hash of a hierarchical hash tree;
- computing a second root hash from the set of hash values;
- comparing the first root hash to the second root hash;
- if the first root hash and the second root hash match, obtaining an encrypted key from the data structure;
- securely decrypting the encrypted key;
- securely storing the key such that the key is not passed in the clear;
- providing a reference to the key;
- loading authentication data from a sub-block associated with an encrypted data block;
- identifying, in the authentication data, a first set of hash values associated with a first level of the hierarchical hash tree;
- computing a cryptographic hash of the encrypted data block to determine a first hash value;
- comparing the first hash value to a corresponding value in the first set of hash values;
- rejecting a block data request if the first hash value and the corresponding value in the first set of hash values do not match;
- decrypting the encrypted data block with the reference to the key.
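A sketch of the flow in claims 1 and 21, added here as an illustration and not taken from the patent: the header's root hash is recomputed before the key is unwrapped, the key stays inside a kernel object that hands out only a handle, and each encrypted block is hashed and checked before it is decrypted. The class and function names, the dict-based header layout, the SHA-256 keystream standing in for the device cipher, and the step binding each sub-block hash set to the header are assumptions; validation of the data structure itself (ticket validation) is not modelled.

```python
import hashlib, hmac

def H(data): return hashlib.sha256(data).digest()

def keystream_xor(key, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode) so the example needs no
    # third-party library; a real device would use its own cipher engine.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = H(key + nonce + i.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class SecurityKernel:
    """Hypothetical kernel: keys stay inside; callers get an integer handle."""
    def __init__(self, device_key):
        self._device_key, self._store = device_key, {}

    def load_key(self, header):
        # Recompute the root from the header's hash set and compare it with
        # the root recorded in the data structure before touching the key.
        if not hmac.compare_digest(H(b"".join(header["hashes"])), header["root"]):
            raise ValueError("header root hash mismatch")
        key = keystream_xor(self._device_key, b"wrap", header["enc_key"])
        self._store[len(self._store) + 1] = key
        return len(self._store)

    def read_block(self, handle, header, group, index, enc_block, sub_hashes):
        # Claim 21 order: hash the encrypted block, check it against the
        # first-level set from the sub-block, and only then decrypt.
        if not hmac.compare_digest(H(enc_block), sub_hashes[index]):
            raise ValueError("block hash mismatch: request rejected")
        # Assumption: the sub-block's set is itself bound to the header set.
        if not hmac.compare_digest(H(b"".join(sub_hashes)), header["hashes"][group]):
            raise ValueError("sub-block hash set not covered by header")
        nonce = group.to_bytes(4, "big") + index.to_bytes(4, "big")
        return keystream_xor(self._store[handle], nonce, enc_block)

def build_image(device_key, content_key, groups):
    # Constructed sample medium: groups of plaintext blocks -> header + media.
    media = [[keystream_xor(content_key, g.to_bytes(4, "big") + i.to_bytes(4, "big"), b)
              for i, b in enumerate(blocks)] for g, blocks in enumerate(groups)]
    subs = [[H(c) for c in grp] for grp in media]
    hashes = [H(b"".join(s)) for s in subs]
    header = {"root": H(b"".join(hashes)), "hashes": hashes,
              "enc_key": keystream_xor(device_key, b"wrap", content_key)}
    return header, media, subs
```

The driver side only ever holds the handle returned by `load_key`; a modified block, a modified sub-block hash set, or a modified header each raise before any plaintext is produced.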
Specification