Integrated Cryptographic Security Module for a Network Node

US 20100037069A1
Filed: 06/29/2009
Published: 02/11/2010
Est. Priority Date: 08/06/2008
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a controller including a processor and a memory device having program instructions stored therein that, when executed by the processor, cause the controller to generate a request for a cryptographic operation, said request including one or more descriptors of the cryptographic operation;

a cryptographic unit communicatively linked to the controller, the cryptographic unit including;

a random number generator configured to generate random values;

a non-volatile memory device having values generated by the random number generator stored therein;

a restrictor device comprised of hardware logic, said restrictor logic causing the restrictor device to prevent access to the values stored in the non-volatile memory device based on the one or more descriptors of the requested cryptographic operation;

a cryptographic accelerator comprised of hardware logic, the accelerator logic causing the cryptographic accelerator to perform the requested cryptographic operation using one or more of the values stored in the non-volatile memory device that correspond to the requested cryptographic operation;

a finite state device comprised of hardware logic, said finite state logic causing the finite state device to enter one of a plurality of states based on a command received from the controller, wherein the states include a first state that allows the cryptographic accelerator to retrieve values stored in the non-volatile recording device and prevents changes to said values.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that provides a cryptographic unit that generates secret keys that are not directly accessible to software executed by a controller. The cryptographic unit can include a restrictor device, a finite state machine, a random number generator communicatively and a memory. The memory stores values generated by the random number generator. The restrictor device and the finite state machine include hardware logic that restricts access or changes to the contents of the memory.

77 Citations

View as Search Results

24 Claims

1. A system comprising:
- a controller including a processor and a memory device having program instructions stored therein that, when executed by the processor, cause the controller to generate a request for a cryptographic operation, said request including one or more descriptors of the cryptographic operation;
  
  a cryptographic unit communicatively linked to the controller, the cryptographic unit including;
  
  a random number generator configured to generate random values;
  
  a non-volatile memory device having values generated by the random number generator stored therein;
  
  a restrictor device comprised of hardware logic, said restrictor logic causing the restrictor device to prevent access to the values stored in the non-volatile memory device based on the one or more descriptors of the requested cryptographic operation;
  
  a cryptographic accelerator comprised of hardware logic, the accelerator logic causing the cryptographic accelerator to perform the requested cryptographic operation using one or more of the values stored in the non-volatile memory device that correspond to the requested cryptographic operation;
  
  a finite state device comprised of hardware logic, said finite state logic causing the finite state device to enter one of a plurality of states based on a command received from the controller, wherein the states include a first state that allows the cryptographic accelerator to retrieve values stored in the non-volatile recording device and prevents changes to said values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein said restrictor logic causes the restrictor device to, based on the one or more descriptors of the requested cryptographic operation, enable the cryptographic accelerator to access values stored in the non-volatile memory device that correspond to the requested cryptographic operation.
  - 3. The system of claim 1, wherein said restrictor logic causes the restrictor device to, based on the one or more descriptors of the requested cryptographic operation, enable the processor to only access a value stored in the non-volatile memory device that corresponds to the requested cryptographic operation.
  - 4. The system of claim 1, wherein the descriptors of the requested cryptographic operation include one or more of a type and a key size.
  - 5. The system of claim 1, wherein said finite state logic causes the finite state machine to perform the following operations:
    - retrieve, in response to the command received from the controller, a value from a predefined location of the non-volatile memory device;
      
      determine whether the retrieved value is equal to a predefined value; and
      
      when the retrieved value is determined to be equal the predefined value, enter a first state that prevents the processor device from causing the values stored in the non-volatile memory device to be changed.
  - 6. The system of claim 5, wherein the finite state logic causes the finite state machine to, when the retrieved value is determined to be not equal to the predefined value, enter a second state that responds to a second command from the controller by changing the values stored in the non-volatile memory device.
  - 7. The system of claim 6, wherein the finite state logic causes the finite state machine to, when the retrieved value is determined to be equal to the predefined value, enter a second state that is unresponsive to the second command from the controller.
  - 8. The system of claim 6, wherein the hardware logic causes the finite state machine to, when the retrieved value is determined to be not equal to the predefined value, enter a state that responds to a third command from the controller to perform the following operations:
    - store a random value received from the random number generator in the non-volatile memory device; and
      
      store the predefined value in the predetermined location of the non-volatile memory device.
  - 9. The system of claim 5, wherein the hardware logic causes the finite state machine to, when the retrieved value is determined to be equal to the predefined value, enter a second state that responds to a fourth command from the controller to perform an operation of clearing the value stored in the predetermined location of the non-volatile memory device.
  - 10. The system of claim 1, wherein the controller and cryptographic unit are included in a node.
  - 11. The system of claim 10, wherein the node is an element of a utility network.

12. A memory device comprising a read/write memory and a finite state machine that links the read/write memory to a processor, wherein said finite state machine includes hardware logic that causes the finite state machine to perform the following operations:
- retrieve, in response to a command issued by the processor, a value from a predefined location of the read/write memory;
  
  determine whether the retrieved value is equal to a predefined value; and
  
  when the retrieved value is determined to be equal the predefined value, enter a first state that allows retrieval of other values stored in the read/write memory and prevents changes to said values.
- View Dependent Claims (13, 14, 15)
- - 13. The memory device of claim 12, wherein the hardware logic causes the finite state machine to, when the retrieved value is determined to be not equal to the predefined value, enter a second state that allows the processor to cause the values stored in the read/write memory to be changed.
  - 14. The memory device of claim 13, wherein the finite state machine includes a random number generator, and wherein the hardware logic causes the finite state machine to, when the hardware state machine is in the second state, perform the following operations:
    - store, in response to a command received from the processor, a random value received from the random number generator in the read/write memory; and
      
      store the predefined value in the predetermined location of the read/write memory.
  - 15. The memory device of claim 14, wherein the hardware logic causes the finite state machine to, when the hardware state machine is in the first state, clear the value stored in the predetermined location of the read/write memory device in response to a command received from the processor.

16. A memory device comprising:
- a read/write memory;
  
  a random number generator device; and
  
  a finite state machine that links the read/write memory to a processor, wherein the finite state machine includes hardware logic that causes the finite state machine to enter one of a plurality of states based on a value recorded in a predetermined location of the read/write memory, said states including;
  
  when the finite state machine determines that the value is equal to a first predefined value, the finite state machine enters a first state in which the finite state machine enables access to information in the read/write memory and prevents changes to said information; and
  
  when the finite state machine determines that the value is not equal to a predefined second value, the finite state machine enters a second state in which the finite state machine enables the information in the read/write memory to be overwritten with values generated by the random number generator device.
- View Dependent Claims (17)
- - 17. The memory device of claim 16, wherein the hardware logic causes the finite state machine to, based on the value in the predetermined location, enter a state in which the finite state machine enables said value in the predetermined location of the read/write memory device to be overwritten with a different value.

18. A cryptographic device comprising:
- a finite state machine having a plurality of states;
  
  a random number generator device communicatively linked to the finite state machine; and
  
  a read/write memory communicatively linked to the finite state machine, said memory device storing a key value generated by the random number generator and storing a value in a predetermined location of the read/write memory.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The cryptographic device of claim 18, wherein the finite state machine enters a first state when the finite state machine determines that a predefined value is stored in a predetermined location of the read/write memory, said first state preventing changes to the information stored in the read/write memory.
  - 20. The cryptographic device of claim 18, wherein the finite state machine enters a second state when the finite state machine determines that the predefined value is not stored in the predetermined location of the read/write memory, said second state enabling changes to the information stored in the read/write memory.
  - 21. The cryptographic device of claim 18, wherein, based on received information describing a cryptographic algorithm being performed, the finite state machine enables the cryptographic device to access information stored in the read/write memory.
  - 22. The cryptographic device of claim 18, wherein, based on received information indicating a cryptographic operation being performed, the finite state machine enables the cryptographic device to only access a value stored in the read/write memory that corresponds to the indicated cryptographic operation.
  - 23. The cryptographic device of claim 18, wherein, when the cryptographic device is performing a cryptographic operation, the finite state machine prevents an external processor from accessing the cryptographic device.

24. A system comprising:
- a controller including means for requesting for a cryptographic operation, said request including one or more descriptors of the cryptographic operation; and
  
  a cryptographic unit communicatively linked to the controller, wherein the cryptographic unit includes;
  
  random number generator means for generating random values;
  
  read/write memory means for storing values generated by the random number generator means;
  
  restrictor means for preventing access to the values stored in the read/write memory means based on the one or more descriptors of the requested cryptographic operation;
  
  cryptographic accelerator means for performing the requested cryptographic operation using one or more of the values stored in the read/write memory means that correspond to the requested cryptographic operation; and
  
  access control means for entering one of a plurality of states based on a command received from the controller, wherein the states include a first state that allows the cryptographic accelerator to retrieve values stored in the read/write memory means and prevents changes to said values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Itron Networked Solutions, Inc. (Itron, Inc.)
Original Assignee
Silver Spring Networks, Inc. (Itron, Inc.)
Inventors
Gostrer, Alexander, Dubey, Aditi, Vaswani, Raj, Deierling, Kevin

Granted Patent

US 8,484,486 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/1433   for a module or a part of a...

G06F 21/602   Providing cryptographic fac...

G06F 21/72   in cryptographic circuits

G06F 21/79   in semiconductor storage me...

H04L 2209/122   Hardware reduction or effic...

H04L 2209/80   Wireless network architectu...

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/0662   with particular pseudorando...

Integrated Cryptographic Security Module for a Network Node

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Integrated Cryptographic Security Module for a Network Node

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others