DEVICE WITH A SECURE VIRTUAL MACHINE

US 20100199104A1
Filed: 07/16/2008
Published: 08/05/2010
Est. Priority Date: 07/20/2007
Status: Active Grant

First Claim

Patent Images

1. A secure computing device comprising:

a secure cryptographic module, including an input, a key generation unit for generating a cryptographic key in dependence on received input and an output for producing the cryptographic key;

a processor;

a storage including a virtual machine that is executable on the processor, and at least one program that is executable on the virtual machine; and

a virtual machine manager including;

means for determining an identifier associated with the virtual machine;

means for supplying a representation of the identifier to the secure cryptographic module and retrieving a cryptographic key from the secure cryptographic module; and

means for, under control of the cryptographic key, decrypting at least a part of data input to the processor and encrypting at least part of data output from the processor when the processor executes the virtual machine.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure computing device (100) includes a secure cryptographic module (120) with a key generation unit (124) for generating a cryptographic key in dependence on received input. A storage (140) is used for storing a virtual machine (142) that is executable on a processor (110) and at least one program (144) that is executable on the virtual machine. A virtual machine manager (130) including means 132 for determining an identifier associated 5 with the virtual machine, means 134 for supplying a representation of the identifier to the secure cryptographic module and retrieving a cryptographic key from the secure cryptographic module; and means 136 for, under control of the cryptographic key, decrypting at least a part of data input to the processor and encrypting at least part of data output from the processor when the processor executes the virtual machine.

66 Citations

View as Search Results

15 Claims

1. A secure computing device comprising:
- a secure cryptographic module, including an input, a key generation unit for generating a cryptographic key in dependence on received input and an output for producing the cryptographic key;
  
  a processor;
  
  a storage including a virtual machine that is executable on the processor, and at least one program that is executable on the virtual machine; and
  
  a virtual machine manager including;
  
  means for determining an identifier associated with the virtual machine;
  
  means for supplying a representation of the identifier to the secure cryptographic module and retrieving a cryptographic key from the secure cryptographic module; and
  
  means for, under control of the cryptographic key, decrypting at least a part of data input to the processor and encrypting at least part of data output from the processor when the processor executes the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A device as claimed in claim 1, wherein the key generation unit includes a Physical Uncloneable Function (PUF).
  - 3. A device as claimed in claim 1, wherein the identifier is derived from at least one of the following:
    - the virtual machine itself, andthe program.
  - 4. A device as claimed in claim 3, wherein the device includes a plurality of programs;
    - each program being executable on the virtual machine and operating on an associated digital content item stored in a data storage; and
      
      the virtual machine manager being arranged to derive the representation of the identifier in dependence on the program and/or the digital content item associated with the program such that the representation of the identifier is unique for the program.
  - 5. A device as claimed in claim 1, wherein the secure computing device is operated under control of an operating system arranged to execute multiple processes associated with the virtual machine;
    - the means for determining an identifier being arranged to;
      
      determine a session identifier at a moment a process is activated, where the session identifier is unique for the process or a program associated with the process;
      
      supply the session identifier as the identifier associated with the virtual machine;
      
      securely store in association with the process as a session key an output generated by the secure cryptographic module; and
      
      during a period in which a process is active use the session key stored in association with the process as the cryptographic key for encrypting/decrypting at least part of the data operated upon by the process.
  - 6. A device as claimed in claim 5, wherein the session identifier depends on at least one of the following:
    - a process identifier,a random number, anda timestamp.
  - 7. A device as claimed in claim 1, wherein the device is arranged to cryptographically secure access by the processor to and from at least one of the following units external to the processor:
    - the storage,an electronic main memory,a program cache,a data cache,an I/O bus, anda plurality of registers.
  - 8. A device as claimed in claim 1, wherein the device includes means for calculating a hash of the identifier associated with the virtual machine;
    - the key generation unit generating the cryptographic key in dependence on the hash.
  - 9. A device as claimed in claim 1, wherein the virtual machine manager and processor are implemented in a same tamper resistant unit.
  - 10. A device as claimed in claim 1, wherein the virtual machine manager is implemented in software and arranged to be executed on the processor.
  - 11. A device as claimed in claim 2, wherein the PUF is physically integrated with the virtual machine manager.
  - 12. A device as claimed in claim 11, wherein the virtual machine manager is implemented on a semiconductor device and the PUF is integrated on the semiconductor device.
  - 13. A device as claimed in claim 12, wherein the PUF is of one of an optical type and an electronic type.

14. A method of securing data being exchanged with a processor in a secure computing device;
- the method comprising;
  
  loading a virtual machine in the processor and executing the virtual machine;
  
  loading at least one program into the processor that is executable on the virtual machine;
  
  determining an identifier associated with the virtual machine,in a secure cryptographic module generating a cryptographic key in dependence on a representation of the identifier; and
  
  under control of the cryptographic key, decrypting at least a part of data input to the processor and encrypting at least part of data output from the processor when the processor executes the virtual machine.
- View Dependent Claims (15)
- - 15. A computer program product for causing a processor to perform the method of claim 14.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Future Link Systems, LLC (Vector Capital Corporation)
Original Assignee
NXP B.V. (NXP Semiconductors NV)
Inventors
Van Rijnswou, Sander M.

Granted Patent

US 8,639,949 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/72   in cryptographic circuits

H04L 9/0866   involving user or device id...

DEVICE WITH A SECURE VIRTUAL MACHINE

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

DEVICE WITH A SECURE VIRTUAL MACHINE

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links