METHOD AND SYSTEM FOR GENERATING A SECURE KEY

US 20090202069A1
Filed: 02/11/2008
Published: 08/13/2009
Est. Priority Date: 02/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method of generating a secure key for use on a device, said method comprising:

accessing secure device data and a secret key from said device, said secret key for authenticating boot code for execution by said device;

performing a first encryption of said secure device data to generate an encrypted result, wherein said first encryption comprises encrypting said secure device data using said secret key as an encryption key;

accessing a unique identifier of said device;

performing a logical operation on said encrypted result and said unique identifier to generate a logical result; and

performing a second encryption of said logical result to generate said secure key, wherein said second encryption comprises encrypting said logical result using said secret key as an encryption key, wherein said secure key is unique to said device, and wherein said secure key is larger than said secure device data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system on a chip, and computer system for generating more robust keys which utilize data occupying relatively small die areas is disclosed. Embodiments provide a convenient and effective mechanism for generating a key for use in securing data on a portable electronic device, where the key is generated from repurposed data and a relatively small amount. A multi-stage encryption algorithm may be performed to generate the key, where the first stage may include encrypting the secure data, and the second stage may include encrypting the result of a logical operation on the encrypted secure data with a unique identifier of the portable electronic device. A secret key may be used as the encryption key for each stage. The result of the second encryption stage may include the generated key which may be used to perform subsequent operations on the portable electronic device.

Citations

21 Claims

1. A method of generating a secure key for use on a device, said method comprising:
- accessing secure device data and a secret key from said device, said secret key for authenticating boot code for execution by said device;
  
  performing a first encryption of said secure device data to generate an encrypted result, wherein said first encryption comprises encrypting said secure device data using said secret key as an encryption key;
  
  accessing a unique identifier of said device;
  
  performing a logical operation on said encrypted result and said unique identifier to generate a logical result; and
  
  performing a second encryption of said logical result to generate said secure key, wherein said second encryption comprises encrypting said logical result using said secret key as an encryption key, wherein said secure key is unique to said device, and wherein said secure key is larger than said secure device data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - providing access to said secure key while restricting access to said secret key; and
      
      using said secure key to encrypt data on said device.
  - 3. The method of claim 1, wherein said unique identifier is provided by a first party, and wherein said secure device data and said secret key are provided by a second party.
  - 4. The method of claim 1, wherein said secret key and said secure device data are stored in fuses accessible to said device.
  - 5. The method of claim 1, wherein said secure device data is selected from a group consisting of data unique to said device and data unique to a class of devices, wherein said class of devices comprises said device.
  - 6. The method of claim 1, wherein said secret key is selected from a group consisting of data unique to said device and data unique to a class of devices, wherein said class of devices comprises said device.
  - 7. The method of claim 1, wherein said secure device data is smaller than said secret key, and wherein said method further comprises:
    - padding said secure device data to increase the size of said secure device data prior to said first encryption, wherein said padding is selected from a group consisting of padding said secure device data with a plurality of zeros and padding said secure device data with at least one copy of said secure device data.
  - 8. The method of claim 1, wherein said first and second encryptions comprise symmetric key cryptography in accordance with the advanced encryption standard (AES), and wherein said logical operation comprises an XOR operation.

9. An integrated circuit for use in a portable electronic device, said integrated circuit comprising:
- a plurality of fuses for storing a secret key, secure device data, and a unique identifier of said portable electronic device, wherein said secret key is for authenticating boot code for execution by said integrated circuit; and
  
  a secure encryption engine coupled to said plurality of fuses and for performing a first encryption of said secure device data to generate an encrypted result, wherein said first encryption uses said secret key as an encryption key, wherein said secure encryption engine is further operable to perform a logical operation on said encrypted result and said unique identifier to generate a logical result, wherein said secure encryption engine is further operable to perform a second encryption of said logical result to generate a secure key, wherein said second encryption uses said secret key as an encryption key, wherein said secure key is unique to said portable electronic device, wherein said first and second encryption enable access to said secure key without revealing said secret key, and wherein said secure key is larger than said secure device data.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The integrated circuit of claim 9 further comprising:
    - a memory for storing secure boot code; and
      
      a central processing unit coupled to said memory and for executing said boot code and authenticating additional boot code using said secret key, said additional boot code for execution after said secure boot code, and wherein said central processing unit is further operable to initiate said first and second encryption by said secure encryption engine during execution of said secure boot code.
  - 11. The integrated circuit of claim 9, wherein said secure encryption engine is further operable to provide access to said secure key while restricting access to said secret key, wherein said secure key is for encrypting data on said portable electronic device, and wherein said secure encryption engine further comprises:
    - a keyslot for storing said secure key.
  - 12. The integrated circuit of claim 9, wherein said unique identifier is provided by a first party, and wherein said secure device data and said secret key are provided by a second party.
  - 13. The integrated circuit of claim 9, wherein said secure device data is selected from a group consisting of data unique to said portable electronic device and data unique to a class of portable electronic devices, wherein said class of portable electronic devices comprises said portable electronic device.
  - 14. The integrated circuit of claim 9, wherein said secure encryption engine is further operable to pad said secure device data to increase the size of said secure device data prior to said first encryption, wherein said padding performed by said secure encryption engine is selected from a group consisting of padding said secure device data with a plurality of zeros and padding said secure device data with at least one copy of said secure device data.
  - 15. The integrated circuit of claim 9, wherein said secure encryption engine is operable to perform symmetric key cryptography in accordance with the advanced encryption standard (AES), and wherein said logical operation comprises an XOR operation.

16. A computer system comprising:
- a processor;
  
  a memory coupled to said processor; and
  
  an integrated circuit coupled to said processor, said integrated circuit comprising;
  
  a plurality of fuses for storing a secret key, secure device data, and a unique identifier of said computer system, wherein said secret key is for authenticating boot code for execution by said integrated circuit; and
  
  a secure encryption engine coupled to said plurality of fuses and for performing a first encryption of said secure device data to generate an encrypted result, wherein said first encryption uses said secret key as an encryption key, wherein said secure encryption engine is further operable to perform a logical operation on said encrypted result and said unique identifier to generate a logical result, wherein said secure encryption engine is further operable to perform a second encryption of said logical result to generate a secure key, wherein said second encryption uses said secret key as an encryption key, wherein said secure key is unique to said portable electronic device, and wherein said first and second encryption enable access to said secure key without revealing said secret key, and wherein said secure key is larger than said secure device data.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computer system of claim 16, wherein said integrated circuit further comprises:
    - a second memory for storing secure boot code; and
      
      a central processing unit coupled to said second memory and for executing said boot code and authenticating additional boot code using said secret key, said additional boot code for execution after said secure boot code, and wherein said central processing unit is further operable to initiate said first and second encryption by said secure encryption engine during execution of said secure boot code.
  - 18. The computer system of claim 16, wherein said secure encryption engine is further operable to provide access to said secure key while restricting access to said secret key, wherein said secure key is for encrypting data on said computer system, and wherein said secure encryption engine further comprises:
    - a keyslot for storing said secure key.
  - 19. The computer system of claim 16, wherein said unique identifier is provided by a first party, and wherein said secure device data and said secret key are provided by a second party.
  - 20. The computer system of claim 16, wherein said secret key is selected from a group consisting of data unique to said computer system and data unique to a class of computer systems, wherein said class of computer systems comprises said computer system.
  - 21. The computer system of claim 16, wherein said secure encryption engine is operable to perform symmetric key cryptography in accordance with the advanced encryption standard (AES), and wherein said logical operation comprises an XOR operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Lew, Stephen Donald, Smith, Phillip Norman, Cox, Michael Brian

Granted Patent

US 9,158,896 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

G06F 21/107   License processing; Key pro...

G06F 21/575   Secure boot

G06F 21/72   in cryptographic circuits

H04L 2209/20   Manipulating the length of ...

H04L 2209/603   Digital right managament [DRM]

H04L 9/0822   using key encryption key

H04L 9/0866   involving user or device id...

METHOD AND SYSTEM FOR GENERATING A SECURE KEY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR GENERATING A SECURE KEY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links