Method for programming on-chip non-volatile memory in a secure processor, and a device so programmed
First Claim
1. A device comprising:
- on-chip non-volatile (NV) memory including;
a device ID;
a private key;
an issuer ID;
a first signature;
a certificate generating module coupled to the non-volatile memory configured to;
read the device ID, private key, issuer ID, and first signature from the NV memory;
compute a public key as a function of the private key;
construct a device certificate as a function of the device ID, issuer ID, public key, and first signature;
an interface coupled to the certificate generating module, wherein, in operation, a request for the device certificate is received on the interface, the certificate generating module constructs the device certificate, and the device certificate is sent via the interface in response to the request.
4 Assignments
0 Petitions
Accused Products
Abstract
An improved secure programming technique involves reducing the size of bits programmed in on-chip secret non-volatile memory, at the same time enabling the typical secure applications supported by secure devices. A technique for secure programming involves de-coupling chip manufacture from the later process of connecting to ticket servers to obtain tickets. A method according to the technique may involve sending a (manufacturing) server signed certificate from the device prior to any communication to receive tickets. A device according to the technique may include chip-internal non-volatile memory to store the certificate along with the private key, in the manufacturing process.
-
Citations
24 Claims
-
1. A device comprising:
-
on-chip non-volatile (NV) memory including; a device ID; a private key; an issuer ID; a first signature; a certificate generating module coupled to the non-volatile memory configured to; read the device ID, private key, issuer ID, and first signature from the NV memory; compute a public key as a function of the private key; construct a device certificate as a function of the device ID, issuer ID, public key, and first signature; an interface coupled to the certificate generating module, wherein, in operation, a request for the device certificate is received on the interface, the certificate generating module constructs the device certificate, and the device certificate is sent via the interface in response to the request. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A server comprising:
-
a number generator; a certificate request module; a certificate verification module; an interface, coupled to the number generator, the certificate request module, and the certificate verification module, wherein, in operation the number generator generates a first number, the certificate request module generates a request for a device certificate, the first number and the request for a device certificate are sent via the interface, a response that includes a second number, a second signature that is generated using the second number, and a device certificate are received at the interface, and the certificate verification module validates the device certificate and the second signature, and verifies that the first number and the second number match. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. A device comprising:
-
on-chip non-volatile (NV) memory including; a secret seed random number; on-chip writable memory including; a stored sequence number; a means for initializing a state variable to an initial value; a means for computing a key as a function of the secret seed random number and the sequence number; a means for incrementing the sequence number; a means for storing the incremented sequence number; a means for generating a random number as a function of a key and the state variable; a means for incrementing the state variable. - View Dependent Claims (16, 17)
-
-
18. A method comprising:
-
obtaining a device ID of a device; providing a number to use as a small-signature private key; computing a public key from the small-signature private key using common parameters; using a fixed certificate structure to compute a signature with a small-signature algorithm; programming device ID, small-signature private key, issuer ID, and signature into non-volatile (NV) memory of the device. - View Dependent Claims (19, 20, 21)
-
-
22. A device, comprising:
-
on-chip non-volatile (NV) memory for storing a private key; a secure processor; a secure on-chip memory having one or more modules stored thereon, including a security kernel having an authenticated security API; wherein, in operation, the security kernel uses the private key to generate a device certificate using a supplied signature. - View Dependent Claims (23)
-
-
24. A method comprising:
-
initializing a state variable to an initial value; computing a key as a function of a secret seed random number and a sequence number; incrementing the sequence number; generating a random number as a function of a key and the state variable; incrementing the state variable; generating a random number using the key and incremented state variable.
-
Specification