HARDWARE TRUST ANCHORS IN SP-ENABLED PROCESSORS

US 20100042824A1
Filed: 08/14/2009
Published: 02/18/2010
Est. Priority Date: 08/14/2008
Status: Active Grant

First Claim

Patent Images

1. A computing device having a hardware portion and at least one memory external to said hardware portion, said computer comprising:

at least one register for storing therein a moderate amount of data, said data register constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose; and

at least one cryptographic key register physically constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trust system and method is disclosed for use in computing devices, particularly portable devices, in which a central Authority shares secrets and sensitive data with users of the respective devices. The central Authority maintains control over how and when shared secrets and data are used. In one embodiment, the secrets and data are protected by hardware-rooted encryption and cryptographic hashing, and can be stored securely in untrusted storage. The problem of transient trust and revocation of data is reduced to that of secure key management and keeping a runtime check of the integrity of the secure storage areas containing these keys (and other secrets). These hardware-protected keys and other secrets can further protect the confidentiality and/or integrity of any amount of other information of arbitrary size (e.g., files, programs, data) by the use of strong encryption and/or keyed-hashing, respectively. In addition to secrets the Authority owns, the system provides access to third party secrets from the computing devices. In one embodiment, the hardware-rooted encryption and hashing each use a single hardware register fabricated as part of the computing device'"'"'s processor or System-on-Chip (SoC) and protected from external probing. The secret data is protected while in the device even during operating system malfunctions and becomes non-accessible from storage according to various rules, one of the rules being the passage of a certain time period. The use of the keys (or other secrets) can be bound to security policies that cannot be separated from the keys (or other secrets). The Authority is also able to establish remote trust and secure communications to the devices after deployment in the field using a special tamper-resistant hardware register in the device, to enable, disable or update the keys or secrets stored securely by the device.

Citations

71 Claims

1. A computing device having a hardware portion and at least one memory external to said hardware portion, said computer comprising:
- at least one register for storing therein a moderate amount of data, said data register constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose; and
  
  at least one cryptographic key register physically constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The computer of claim 1 wherein at least one of said data registers is used to store a cryptographic hash value, said hash value register constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose.
  - 3. The computer of claim 2 further comprising:
    - means for allowing data to be changed within said registers only at particular times.
  - 4. The computer of claim 2 further comprising:
    - means for allowing data to be changed within said registers only by particular software or only when the computer is put into a particular state or processing mode.
  - 5. The computer of claim 2 further comprising:
    - means for allowing data to be read from said registers only by particular software or only when the computer is put into a particular state or processing mode.
  - 6. The computing device of claim 1 wherein said hardware portion comprises at least one processor and wherein said key register resides either within at least one of said processors or is connected to one of said processors.
  - 7. The computing device of claim 6 wherein said processor is a hardware portion containing at least one processing element with some hardware circuitry capable of executing software code, and wherein said processing element is connected to said cryptographic key register.
  - 8. The computer of claim 6 further comprising:
    - at least one register for storing therein a cryptographic hash value, said hash register also constructed within said processor at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose.
  - 9. The computer of claim 6 further comprising:
    - means for allowing data to be changed within said registers only at particular times.
  - 10. The computer of claim 6 further comprising:
    - means for allowing data to be changed within said registers only by particular software or only when the computer is put into a particular state or processing mode.
  - 11. The computer of claim 6 further comprising:
    - means for allowing data to be read from said registers only by particular software or only when the computer is put into a particular state or processing mode.
  - 12. The computer of claim 1 further comprising:
    - means for allowing contents from said register to be used only by other hardware components, and means for at least one of those hardware components to cryptographically transform said contents before making the result accessible to software.
  - 13. The computer of claim 12 further comprising:
    - means for the cryptographic transformation to include as inputs the contents of a processing element'"'"'s registers or other data provided by software.
  - 14. The computer of claim 12 further comprising:
    - means for allowing the result of said transformation to be used only by particular software or only when the computer is put into a particular state or processing mode.
  - 15. The computer of claim 6 further comprising:
    - means for allowing contents from said register to be used only by other hardware components, and means for at least one of those hardware components to cryptographically transform said contents before making the result accessible to software.
  - 16. The computer of claim 15 further comprising:
    - means for the cryptographic transformation to include as inputs the contents of a processing element'"'"'s registers or other data provided by software.
  - 17. The computer of claim 15 further comprising:
    - means for allowing the result of said transformation to be used only by particular software or only when the computer is put into a particular state or processing mode.
  - 18. The computer of claim 3 further comprising:
    - a secure BIOS in addition to or in place of a standard startup BIOS and wherein one of said particular times is initialization of said computer, said initialization using said secure BIOS.
  - 19. The computer of claim 18 further comprising:
    - means by which physical access to said computer by a user is required to trigger said initialization.
  - 20. The computer of claim 3 further comprising:
    - means by which physical access to said computer by a user is required to indicate said particular times.
  - 21. The computer of claim 3 further comprising:
    - means for bypassing the normal boot process of said computer only when a user is physically present and wherein one of said particular times is through said bypassed boot event.
  - 22. The computer of claim 3 wherein said allowing means comprises a register constructed within said hardware portion at a location such that probing of said register by a user is difficult to achieve without rendering data in said register useless for its intended purpose.
  - 23. The computer of claim 3 wherein said allowing means comprises a register constructed within said hardware portion that can only be changed once during each boot of said computer.
  - 24. The computer of claim 1 further comprising:
    - a trusted software module (TSM) stored in said memory, said TSM operative for controlling data stored on said computer, said stored data being stored under said TSM control being encrypted using encryption key data stored in said cryptographic key register or derived from said cryptographic key register.
  - 25. The computer of claim 24 further comprising:
    - means wherein said TSM does not gain access to the contents stored in said cryptographic key register.
  - 26. The computer of claim 24 further comprising:
    - a dynamic code integrity checking circuit for dynamically checking code of said TSM using said registers.
  - 27. The computer of claim 24 further comprising:
    - means for encrypting and/or hashing secure data in the hardware belonging to said TSM before said data leaves said hardware portion, said encrypting based on information in at least one of said registers.
  - 28. The computer of claim 24 further comprising:
    - means for encrypting of general registers during interrupts, system calls or context switches, said encryption based on information in at least one of said registers; and
      
      means for decrypting said last-mention encrypted registers after returning from said interrupts, system calls or context switches, said decryption based on information in at least one of said registers.
  - 29. The computer of claim 24 wherein secure data can be stored in memory of said computer, said secure data bound to a usage key which usage key is bound to a set of zero or more rules, which rules can be different for each set of secure data, and wherein each usage key is bound to said hardware portion via data stored in said at least one of said cryptographic key registers.
  - 30. The system of claim 29 wherein each said usage key is protected from compromise due to any of the following attacks:
    - eavesdropping probing, modifying, replaying, bus contents replacement, memory replacement, disk replacement, non-volatile on-chip memory replacement.
  - 31. The computer of claim 24 further comprising:
    - at least one region of memory that is only accessible to the TSM.
  - 32. The computer of claim 31 further comprising:
    - means to access said TSM-only memory regions using special instructions that access only said regions of memory.
  - 33. The computer of claim 32 further comprising:
    - means to access said TSM-only memory regions by specifying an address range to the hardware.
  - 34. The computer of claim 2 further comprising:
    - a trusted software application module (TSM) stored in said memory, said TSM operative for controlling data stored on said computer, said stored data being stored under said TSM control being encrypted using encryption key data stored in said cryptographic key register or derived from said cryptographic key register and said stored data is verified by said TSM using the contents of said hash register.
  - 35. The computer of claim 1 wherein said registers are non-volatile.

36. A system of computers each having at least one hardware processor and at least one memory external to said processors each said computer comprising:
- at least one cryptographic key register and at least one cryptographic hash value register each register physically constructed within said hardware processor at a location such that probing of said registers by a user is difficult to achieve without rendering data in said register useless for its intended purpose;
  
  each said computer having loaded thereon at least one trusted software module (TSM); and
  
  a unique device root encryption key loaded in said cryptographic key register and a hash loaded in said hash register, each set of said registers operatively responding only to a TSM loaded on the same computer.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 37. The system of claim 36 further comprising an authority common to said computers, said authority comprising storage, said storage containing an association of each said computer along with said encryption key unique to said computer.
  - 38. The system of claim 37 further comprising:
    - means by which said TSM can be changed by said authority after initialization.
  - 39. The system of claim 36 further comprising:
    - loading secure data into at least some of said computers, said secure data being controlled by access rules and said secure data encrypted and hashed under control of said TSM operating with at least indirect or limited access to data in said registers.
  - 40. The system of claim 39 wherein said secure data is loaded to a system computer from said authority.
  - 41. The system of claim 39 wherein said rules provide for revocation of access rights for secure data stored on one or more of said computers.
  - 42. The system of claim 41 wherein said revocation is enforced by said TSM on said specific computer.
  - 43. The system of claim 41 wherein said revocation comprises at least one of the following:
    - elapsed time, command or instruction from said authority to said computer, command or instruction from said authority to said third party.
  - 44. The system of claim 39 wherein said secure data can be loaded to or added to a specific system computer from a third party other than said authority upon passage of a certification of authenticity from said specific system computer to said third party, said certificate of authenticity only being allowed under control of said TSM on said specific computer and only in accordance with rules placed on said specific computer by said authority, said riles being part of said secure data loaded from said authority.
  - 45. The system of claim 37 further comprising:
    - means for testing a transmission between said authority and any said system computer to ensure that said cryptographic key has not been compromised.
  - 46. The system of claim 45 further comprising:
    - means for ensuring that if said cryptographic key has not been compromised, then all data encrypted by said cryptographic key has not been compromised, and that said hash register can only be changed by said TSM.
  - 47. The system of claim 40 wherein said secure data is bound to a usage key which usage key is also bound to a set of zero or more rules, which rules can be different for each set of secure data, and wherein each usage key is bound to a particular system computer.
  - 48. The system of claim 47 wherein each said usage key is protected from compromise due to any of the following attacks:
    - eavesdropping, probing, modifying, replay, bus contents replacement, memory replacement, disk replacement, non-volatile on-chip memory replacement.
  - 49. The system of claim 36 further comprising:
    - means for dynamic code integrity checking of said TSM using said registers.
  - 50. The system of claim 36 wherein said registers are non-volatile.

51. A method for storing data on a general purpose computer or, on a special-purpose computing nodes in a secure manner, said method comprising:
- storing a device root key (DRK) by a trusted authority for storage in a register contained within a processor of said computer;
  
  storing a trusted software module (TSM) by said authority on said computer, said TSM being the only software on said computer that can interact with said DRK; and
  
  encoding any secure data to be stored on said computer under control of said TSM working in conjunction with said DRK.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 52. The method of claim 51 wherein said storing further comprises:
    - associating rules for usage of stored secure data, said rules bound to a derivative key using same said DRK to generate such derivative key.
  - 53. The method of claim 51 wherein said encryption comprises:
    - hashing said secure data and said rules and either;
      
      storing the hash result in a cryptographic hash register contained within said processor;
      
      orperforming one or more further cryptographic transformations on the hash result and other data and storing the result of that transformation in said cryptographic hash register contained within said processor.
  - 54. The method of claim 53 further comprising:
    - allowing DRK and said cryptographic hash register to be changed only at initialization of said computer.
  - 55. The method of claim 53 wherein said DRK and said hash registers are non-volatile.
  - 56. The method of claim 51 further comprising:
    - allowing DRK to be changed only at initialization of said computer.
  - 57. The method of claim 56 wherein said initialization comprises:
    - bypassing the normal boot process to allow for the setting of said DRK.
  - 58. The method of claim 57 further comprising:
    - setting a flag within said processor prior to running the normal boot process, said flag preventing further modifications to said DRK.
  - 59. The method of claim 57 further comprising:
    - controlling data stored on said computer by said TSM, said stored data being stored under said TSM control being encrypted using said DRK or a derivative thereof in conjunction with said DRK such that said TSM does not gain access to said DRK.
  - 60. The method of claim 51 further comprising:
    - dynamically checking code of said TSM to ensure said code has not been compromised while said TSM is performing its operation on data.
  - 61. The method of claim 51 further comprising:
    - encrypting and/or hashing secure data in the hardware belonging to said TSM before said data leaves said processor, said encrypting based on information in at least one of said registers.
  - 62. The method claim 51 further comprising:
    - encrypting of general registers during interrupts;
      
      system calls or context switches, said encryption based on information in at least one of said registers; and
      
      decrypting said last-mention encrypted registers after returning from said interrupts, system calls or context switches, said decryption based on information in at least one of said registers.
  - 63. The method of claim 51 wherein secure data is bound to a usage key which usage key is bound to a set of zero or more rules, which rules can be different for each set of secure data, and wherein each usage key is bound to said processor via said DRK.
  - 64. The method of claim 63 wherein each said usage key is protected from compromise due to any of the following attacks:
    - eavesdropping, probing, modifying, replay, bus contents replacement, memory replacement, disk replacement, non-volatile on-chip memory replacement.
  - 65. The method of claim 57 wherein secure data is bound to a usage key which usage key is bound to at least one or a set of rules, which rules can be different for each set of secure data, and wherein each usage key is bound to said processor via said DRK and is protected from modification by said cryptographic hash register.
  - 66. The method of claim 51 further comprising:
    - at least one region of memory that is only accessible to the TSM.
  - 67. The method of claim 66 further comprising:
    - accessing said TSM-only memory regions using special instructions that access only said regions of memory.
  - 68. The method of claim 67 further comprising:
    - accessing said TSM-only memory regions by specifying an address range to the hardware.

69. A method for secure communication between an authority and one of a plurality of devices pre-associated with said authority, said method comprising:
- establishing a communication connection between said authority and one of said devices;
  
  identifying said one device at said authority;
  
  said authority and said device each generating a message and sending it to the other party, such generation involving a common cryptographic key stored at both said device and said authority and such generation involving data values such that the same message will not be generated more than once; and
  
  said messages being verified by the receiving party involving a computation that involves said cryptographic key and such that the same message will not be accepted more than once;
  
  said stored cryptographic key on the device either stored in a processor of said device or derived from said key stored in said processor of said device;
  
  said cryptographic key on the device also being used to protect a TSM also contained on said device.
- View Dependent Claims (70, 71)
- - 70. The method of claim 69 further comprising:
    - said authority and said device each using said one or more session keys established at least in part by said TSM to provide security for further communications.
  - 71. The method of claim 70 wherein said cryptographic key is different for each device and wherein said authority maintains a secure list of each said associated devices and its cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Coresecure Technologies, LLC
Original Assignee
The Trustees of Princeton University (Princeton University)
Inventors
Dwoskin, Jeffrey S., Lee, Ruby B.

Granted Patent

US 9,317,708 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/2
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04L 2209/12   Details relating to cryptog...

H04L 2209/60   Digital content management,...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/083   involving central third par...

H04L 9/0844   with user authentication or...

H04L 9/0894   Escrow, recovery or storing...

HARDWARE TRUST ANCHORS IN SP-ENABLED PROCESSORS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

HARDWARE TRUST ANCHORS IN SP-ENABLED PROCESSORS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links