ENCRYPTION APPARATUS AND METHOD THEREFOR

US 20100296651A1
Filed: 05/21/2009
Published: 11/25/2010
Est. Priority Date: 05/21/2009
Status: Active Grant

First Claim

Patent Images

1. :

An encryption apparatus having a reset port at which a reset signal is applied, said apparatus comprising;

a memory for storing a ciphertext key;

a first key register for storing a first plaintext key;

a second key register for storing a second plaintext key;

an encryption processor coupled to said first and second key registers;

a random number generator coupled to said first key register; and

a controller coupled to said random number generator, said memory, and said encryption processor, said controller being configured to cause said first plaintext key to be formed using said random number generator and stored in said first key register in response to activation of said reset signal and configured to cause a second plaintext key to be generated by said encryption processor from said ciphertext key using said first plaintext key and to be stored in said second key register.

View all claims

27 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption apparatus (14) includes an integrated circuit (34) having a secure processing section (30). A plaintext reset epoch key (154) is stored in the secure processing section (30) and configured to have a short life. A plaintext master key (160) is stored in the secure processing section (30) and configured to have a long life. A multiplicity of active keys (172) are generated, encrypted using a weaker but faster cryptographic algorithm (68) and the reset epoch key (154), then stored in a high-capacity key magazine (86) portion of unsecured memory (16, 18, 28). Some keys and data are also encrypted using a stronger but slower cryptographic algorithm (70) and the master key (160), then stored in unsecured memory (16, 18, 28). Keys (272, 372) may be converted between weaker, faster encryption and stronger, slower encryption.

Citations

20 Claims

1. :
- An encryption apparatus having a reset port at which a reset signal is applied, said apparatus comprising;
  
  a memory for storing a ciphertext key;
  
  a first key register for storing a first plaintext key;
  
  a second key register for storing a second plaintext key;
  
  an encryption processor coupled to said first and second key registers;
  
  a random number generator coupled to said first key register; and
  
  a controller coupled to said random number generator, said memory, and said encryption processor, said controller being configured to cause said first plaintext key to be formed using said random number generator and stored in said first key register in response to activation of said reset signal and configured to cause a second plaintext key to be generated by said encryption processor from said ciphertext key using said first plaintext key and to be stored in said second key register.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. :
    - An encryption apparatus as claimed in claim 1 wherein;
      
      said first key register is configured as a volatile register; and
      
      said apparatus additionally comprises a third key register, configured as a non-volatile register, for storing a third plaintext key.
  - 3. :
    - An encryption apparatus as claimed in claim 2 wherein said encryption processor and said controller are configured to apply first and second cryptographic algorithms, wherein said first cryptographic algorithm is stronger than said second cryptographic algorithm, said first cryptographic algorithm is applied using said third plaintext key, and said second cryptographic algorithm is applied using said first plaintext key.
  - 4. :
    - An encryption apparatus as claimed in claim 3 wherein said second cryptographic algorithm and said first plaintext key are applied to said ciphertext key to generate said second plaintext key.
  - 5. :
    - An encryption apparatus as claimed in claim 3 wherein said second cryptographic algorithm includes an encryption process and a decryption process which is complimentary to said encryption process, said decryption process being performed at least as fast as said encryption process.
  - 6. :
    - An encryption apparatus as claimed in claim 3 wherein;
      
      said ciphertext key is a first ciphertext key;
      
      said controller and said encryption processor are configured to form a second ciphertext key using said first cryptographic algorithm;
      
      said controller and said encryption processor are configured to convert said second ciphertext key into said first ciphertext key using said first then said second cryptographic algorithms; and
      
      said controller and said encryption processor are configured to convert said first ciphertext key into said second plaintext key using said second cryptographic algorithm.
  - 7. :
    - An encryption apparatus as claimed in claim 3 wherein;
      
      said ciphertext key is a first ciphertext key;
      
      said controller and said encryption processor are configured to convert said first ciphertext key into a second ciphertext key using said second then said first cryptographic algorithms to allow said second plaintext key to be recoverable after said activation of said reset signal.
  - 8. :
    - An encryption apparatus as claimed in claim 1 additionally comprising a tamper detection circuit coupled to said first key register and configured to destroy said first plaintext key upon the detection of a tamper event.
  - 9. :
    - An encryption apparatus as claimed in claim 1 wherein;
      
      said first key register, said second key register, said random number generator, and said controller reside within an integrated circuit; and
      
      said memory resides outside said integrated circuit.

10. :
- A method of operating an encryption apparatus which receives resets and which performs cryptographic operations using keys stored in unsecured memory, said method comprising;
  
  generating a first plaintext key in a secure processing section of said encryption apparatus in response to a reset;
  
  saving said first plaintext key in a first key register located within said secure processing section;
  
  retrieving a second ciphertext key from said unsecured memory to an encryption engine located within said secure processing section;
  
  decrypting said second ciphertext key using said first plaintext key to form a recovered second plaintext key;
  
  storing said recovered second plaintext key in a second key register located within said secure processing section; and
  
  performing one of said cryptographic operations in said secure processing section using said recovered second plaintext key.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. :
    - A method as claimed in claim 10 additionally comprising;
      
      generating, after said first plaintext key is saved in said first key register, an original second plaintext key;
      
      encrypting said original second plaintext key using said first plaintext key to form said second ciphertext key; and
      
      storing said second ciphertext key in said unsecured memory.
  - 12. :
    - A method as claimed in claim 10 additionally comprising destroying said first plaintext key in response to one of a tamper event and a power-off event.
  - 13. :
    - A method as claimed in claim 10 additionally comprising;
      
      storing a third plaintext key in a non-volatile key register located within said secure processing section;
      
      applying a first cryptographic algorithm using said third plaintext key;
      
      applying a second cryptographic algorithm using said first plaintext key, said second cryptographic algorithm being faster than said first cryptographic algorithm, and said decrypting step being configured to apply said second cryptographic algorithm.
  - 14. :
    - A method as claimed in claim 13 additionally comprising;
      
      generating, before said first plaintext key is stored in said first key register, an original second plaintext key;
      
      encrypting said original second plaintext key using said first cryptographic algorithm and said third plaintext key to form an alternate ciphertext key;
      
      storing said alternate ciphertext key in said unsecured memory;
      
      converting, after said first plaintext key is stored in said first key register, said alternate ciphertext key into said second ciphertext key using said first cryptographic algorithm and said third plaintext key then said second cryptographic algorithm and first plaintext key.
  - 15. :
    - A method as claimed in claim 13 additionally comprising;
      
      encrypting said recovered second plaintext key using said first cryptographic algorithm and said third plaintext key to form an alternate ciphertext key; and
      
      storing said alternate ciphertext key in said unsecured memory to allow said second plaintext key to be recoverable after one of said resets.

16. :
- A method of operating an encryption apparatus having a secure processing section and having a high-capacity key magazine stored in unsecured memory, said method comprising;
  
  generating, in said secure processing section, a first plaintext key;
  
  storing said first plaintext key in a first key register within said secure processing section, said first key register being configured as a volatile register;
  
  generating, in said secure processing section, a multiplicity of independent second plaintext keys;
  
  encrypting, using said first plaintext key, each of said multiplicity of second plaintext keys to form a corresponding multiplicity of second ciphertext keys;
  
  storing said multiplicity of second ciphertext keys in said unsecured memory to form said high-capacity key magazine;
  
  identifying one of said multiplicity of second ciphertext keys to use in performing a cryptographic operation;
  
  retrieving said one of said multiplicity of second ciphertext keys to said secure processing section;
  
  decrypting said one of said multiplicity of second ciphertext keys to form a recovered second plaintext key;
  
  retaining said recovered second plaintext key in a second key register within said secure processing section; and
  
  performing said cryptographic operation in said secure processing section using said recovered second plaintext key.
- View Dependent Claims (17, 18, 19, 20)
- - 17. :
    - A method as claimed in claim 16 wherein said cryptographic operation is a first cryptographic operation and said method additionally comprises;
      
      requesting a succession of cryptographic operations;
      
      repeating said identifying, retrieving, decrypting, retaining, and performing steps for each of said succession of cryptographic operations.
  - 18. :
    - A method as claimed in claim 16 additionally comprising;
      
      storing a third plaintext key in a third key register within said secure processing section, said third key register being configured as a non-volatile register;
      
      applying a first cryptographic algorithm using said third plaintext key; and
      
      applying a second cryptographic algorithm using said first plaintext key, said second cryptographic algorithm being weaker and faster than said first cryptographic algorithm, and said encrypting and decrypting steps being configured to apply said second cryptographic algorithm.
  - 19. :
    - A method as claimed in claim 18 wherein at least a portion of said multiplicity of plaintext keys are encrypted using said first cryptographic algorithm and said third plaintext key, stored in said unsecured memory, retrieved from said unsecured memory, decrypted using said first cryptographic algorithm and said third plaintext key prior to performing said encrypting step using said second cryptographic algorithm.
  - 20. :
    - A method as claimed in claim 18 additionally comprising;
      
      encrypting said recovered second plaintext key using said first cryptographic algorithm and said third plaintext key to form a third ciphertext key; and
      
      storing said third ciphertext key in said unsecured memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NXP USA, Inc. (NXP Semiconductors NV)
Original Assignee
Freescale Semiconductor, Inc. (NXP Semiconductors NV)
Inventors
Tkacik, Thomas E.

Granted Patent

US 8,379,846 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

G09C 1/00   Apparatus or methods whereb...

H04L 2209/12   Details relating to cryptog...

H04L 9/088   Usage controlling of secret...

H04L 9/0894   Escrow, recovery or storing...

ENCRYPTION APPARATUS AND METHOD THEREFOR

First Claim

27 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTION APPARATUS AND METHOD THEREFOR

First Claim

27 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links