Methods and apparatus for protecting data

US 20080159541A1
Filed: 12/29/2006
Published: 07/03/2008
Est. Priority Date: 12/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method for protecting data, the method comprising:

retrieving an encrypted version of a cryptographic key from storage of a processing system into a processing unit of the processing system;

using a processing unit key to decrypt the encrypted version of the cryptographic key;

storing the decrypted key in protected storage in the processing unit, wherein the protected storage cannot be accessed by snooping a processing system bus communicatively coupled to the processing unit; and

using the decrypted key to establish a protected communication channel between the processing unit and a trusted platform module (TPM) of the processing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An augmented boot code module includes instructions to be executed by a processing unit during a boot process. The augmented boot code module also includes an encrypted version of a cryptographic key that can be decrypted with a cryptographic key that remains in the processing unit despite a reset of the processing unit. In one embodiment, the processing unit may decrypt the encrypted version of the cryptographic key and then use the decrypted key to establish a protected communication channel with a security processor, such as a trusted platform module (TPM). Other embodiments are described and claimed.

38 Citations

View as Search Results

21 Claims

1. A method for protecting data, the method comprising:
- retrieving an encrypted version of a cryptographic key from storage of a processing system into a processing unit of the processing system;
  
  using a processing unit key to decrypt the encrypted version of the cryptographic key;
  
  storing the decrypted key in protected storage in the processing unit, wherein the protected storage cannot be accessed by snooping a processing system bus communicatively coupled to the processing unit; and
  
  using the decrypted key to establish a protected communication channel between the processing unit and a trusted platform module (TPM) of the processing system.
- View Dependent Claims (2, 3, 4, 7)
- - 2. A method according to claim 1, wherein the operation of retrieving the encrypted version of the cryptographic key from storage comprises:
    - retrieving the encrypted version of the cryptographic key from nonvolatile memory of the processing system during a boot process for the processing system.
  - 3. A method according to claim 1, wherein the operation of retrieving the encrypted version of the cryptographic key from storage comprises:
    - retrieving a code module from boot memory of the processing system during a boot process for the processing system; and
      
      extracting the cryptographic key from the code module.
  - 4. A method according to claim 1, further comprising:
    - also using an instance of the decrypted key stored in the TPM to establish the protected communication channel between the processing unit and the TPM.
  - 7. A method according to claim 1, wherein:
    - the cryptographic key comprises a third party key; and
      
      the processing unit key comprises a key that remains in the processing unit despite a reset of the processing unit.

5-6. -6. (canceled)

8. A method comprising:
- saving a first key to a trusted platform module (TPM) of a processing system;
  
  sending the first key to a remote processing system;
  
  receiving an encrypted version of the first key from the remote processing system; and
  
  saving a code module to boot storage in the processing system, wherein the code module comprises user data, the encrypted version of the first key, and a signature generated with a second key.
- View Dependent Claims (9, 10, 11)
- - 9. A method according to claim 8, further comprising:
    - sending the user data for the code module to the remote processing system in a preliminary code module; and
      
      receiving the encrypted version of the first key from the remote processing system in the code module.
  - 10. A method according to claim 8, wherein:
    - the operation of sending the first key to a remote processing system comprises sending the first key to an augmented authentication code module (AACM) generator; and
      
      the operation of receiving an encrypted version of the first key from the remote processing system comprises receiving an AACM from the AACM generator, wherein the AACM comprises the encrypted version of the first key.
  - 11. A method according to claim 8, wherein:
    - the second key used to generate the signature for the code module comprises a private key; and
      
      method comprises loading a public key that corresponds to the private key into the code module.

12. An apparatus comprising:
- a machine-accessible medium; and
  
  an augmented boot code module in the machine-accessible medium, wherein the augmented boot code module comprises;
  
  instructions to be executed by a processing unit of a processing system during a boot process; and
  
  an encrypted version of a first cryptographic key that can be decrypted with a second cryptographic key stored in storage of the processing unit, wherein the second cryptographic key comprises a processing unit key (PUK).
- View Dependent Claims (13)
- - 13. An apparatus according to claim 12, wherein the encrypted version of the first cryptographic key comprises:
    - an encrypted version of a supplemental key to be used to establish a secure communication channel between the processing unit and a trusted platform module (TPM) in the processing system.

14. (canceled)

15. A processing system comprising:
- a processing unit;
  
  nonvolatile storage in communication with the processing unit;
  
  a trusted platform module (TPM) in communication with the processing unit; and
  
  an augmented code module in the nonvolatile storage, wherein the augmented code module comprises;
  
  instructions to be executed by the processing unit during a boot process; and
  
  an encrypted version of a first cryptographic key that can be decrypted with a second cryptographic key that remains in the processing unit despite a reset of the processing unit.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. A processing system according to claim 15, wherein the encrypted version of the first cryptographic key comprises:
    - an encrypted version of a supplemental key to be used to establish a secure communication channel between the processing unit and the TPM.
  - 17. A processing system according to claim 15, wherein the nonvolatile storage comprises instructions which, when executed by the processing unit, cause the processing system to perform operations comprising:
    - using a decrypted instance of the first cryptographic key from the TPM to establish a protected communication channel between the processing unit and the TPM.
  - 18. A processing system according to claim 15, wherein the nonvolatile storage comprises instructions which, when executed by the processing unit, cause the processing system to perform operations comprising:
    - retrieving the encrypted version of the first cryptographic key from the nonvolatile storage of the processing system into the processing unit;
      
      decrypting the encrypted version of the first cryptographic key;
      
      storing the decrypted key in a protected part of the processing unit; and
      
      using the decrypted key to establish a protected communication channel between the processing unit and the TPM.
  - 19. A processing system according to claim 18, wherein the operation of storing the decrypted key in a protected part of the processing unit comprises:
    - storing the decrypted key in a part of the processing unit that cannot be accessed by snooping a processing system bus communicatively coupled to the processing unit.
  - 20. A processing system according to claim 15, wherein the nonvolatile storage comprises instructions which, when executed by the processing unit, cause the processing system to perform operations comprising:
    - using a processing unit key (PUK) to decrypt the encrypted version of the first cryptographic key.
  - 21. A processing system according to claim 20, wherein:
    - the first cryptographic key comprises a third party key; and
      
      the PUK comprises a key stored in nonvolatile storage of the processing unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Kumar, Mohan J., Gueron, Shay

Granted Patent

US 8,364,975 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/278
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 21/85   interconnection devices, e....

Methods and apparatus for protecting data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for protecting data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links