System and Method for Providing Hardware-Based Security

US 20130086385A1
Filed: 09/30/2011
Published: 04/04/2013
Est. Priority Date: 09/30/2011
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing resources of a device, comprising:

receiving, by a system-on-chip (SoC) in the device, from a customer, a request to access one or more resources of the SoC, the SoC includes a non-volatile memory (NVM), a feature register, programming history, and a plurality of resources including the one or more resources;

identifying a customer identifier (CID) based on the received request;

authenticating the customer using a certificate including the CID; and

determining, using the feature register and the CID, whether the SoC grants, to the customer, access to the one or more resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some implementations, a method for managing resources of a device includes receiving, by a system-on-chip (SoC) in the device, from a customer, a request to access one or more resources of the SoC. The SoC includes a non-volatile memory (NVM), a feature register, programming history, and a plurality of resources including the one or more resources. A customer identifier (CID) is identified based on the received request. The customer is authenticated using a certificate including the CID. Whether the SoC grants, to the customer, access to the one or more resources is determine using the feature register and the CID.

Citations

36 Claims

1. A method for managing resources of a device, comprising:
- receiving, by a system-on-chip (SoC) in the device, from a customer, a request to access one or more resources of the SoC, the SoC includes a non-volatile memory (NVM), a feature register, programming history, and a plurality of resources including the one or more resources;
  
  identifying a customer identifier (CID) based on the received request;
  
  authenticating the customer using a certificate including the CID; and
  
  determining, using the feature register and the CID, whether the SoC grants, to the customer, access to the one or more resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the one or more resources includes at least one of a feature, a parameter, a key, data, or a hardware-module configuration data.
  - 3. The method of claim 1, wherein determining whether the SoC grants access to configure the one or more features comprises:
    - comparing the CID to a plurality of segments in the feature register, wherein each of the plurality of segments are assigned to an associated customer;
      
      determining the CID is absent from the plurality of segments; and
      
      prohibiting access to the one or more resources in response to at least the absence of the CID in the feature register.
  - 4. The method of claim 1, wherein the customer comprises a secondary customer, further comprising:
    - receiving, from a primary customer, a request to grant access to the one or more resources of the SoC;
      
      identifying a primary CID based on the primary-customer request, wherein a certificate for the primary customer includes the primary CID;
      
      authenticating the primary customer by comparing the primary CID to a CID hard-coded in the SoC; and
      
      updating the NVM with the CID for the secondary customer CID to identify the one or more resources as accessible by the secondary customer.
  - 5. The method of claim 1, further comprising prohibiting access to one or more resources by the primary customer in response to at least granting access to the secondary customer.
  - 6. The method of claim 1, further comprising:
    - identifying initialization of the device; and
      
      uploading, from the NVM, to the feature register, a plurality of CIDs and information identifying accessible resources for each of the CIDs, wherein each of the plurality of CIDs and associated information identifying accessible resources are stored in different segments in the feature register.
  - 7. The method of claim 1, wherein the customer comprises a secondary customer, and determining whether the SoC grants access to the one or more resources comprises:
    - granting, to the secondary customer, temporary access to the one or more resources in response to at least a match between the second-customer CID and the feature register, wherein the temporary access is granted by updating the feature register with the second-customer CID independent of updating the NVM; and
      
      in response to initialization of the device, overwriting the second-customer CID in the feature register and associated grants using information stored in the NVM, wherein the overwriting prevents the second customer from accessing the one or more resources.
  - 8. The method of claim 7, wherein the secondary customer comprises the primary customer, the method further comprising executing one or more processes to test the one or more resources assigned to the secondary customer during the temporary access, wherein the test processes are initiated by the primary customer.
  - 9. The method of claim 1, wherein the customer comprises a secondary customer, and the feature register is configured to grant the secondary customer access to a first subset of resources and grant a third customer access to a third subset of resources different from the first subset of resources.
  - 10. The method of claim 1, wherein the customer comprises a secondary customer, the one or more resources includes a protected area in the NVM, and the feature register is configured to grant both the secondary customer and a third customer access to the protected area in the NVM.
  - 11. The method of claim 1, wherein the authentication is based on the certificate including the CID, a static public key of the customer, and a signature of a Certificate Authority (CA) applied to the certificate.
  - 12. The method of claim 1, further comprising establishing secure communication between Asset Control Core (ACC) including the NVM and the feature register, programming history and the customer, wherein access to the NVM and the feature register is secured with encryption and authentication using certificates.

13. An SoC, comprising:
- a non-volatile memory (NVM) configured to store CIDs and information identifying accessible resources associated with a CID;
  
  a feature register for storing the CIDs and the resource information when the device is activated;
  
  programming history;
  
  a plurality of resources configured to provide services; and
  
  one or more processors configured to;
  
  receive, from a customer, a request to access one or more resources of the plurality of resources;
  
  identifying a CID based on the received request;
  
  authenticating the customer using a certificate including the CID; and
  
  determining, using the feature register and the CID, whether the SoC grants, to the customer, access to the one or more resources.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The SoC of claim 13, wherein the one or more resources includes at least one of a feature, a parameter, a key, data, or a hardware-module configuration data.
  - 15. The SoC of claim 13, wherein the processors configure to determine whether the SoC grants access to configure the one or more features comprises the processor configured to:
    - compare the CID to a plurality of segments in the feature register, wherein each of the plurality of segments are assigned to an associated customer;
      
      determine the CID is absent from the plurality of segments; and
      
      prohibit access to the one or more resources in response to at least the absence of the CID in the feature register.
  - 16. The SoC of claim 13, wherein the customer comprises a secondary customer, the processors further configured to:
    - receive, from a primary customer, a request to grant access to the one or more resources of the SoC;
      
      identify a primary CID based on the primary-customer request, wherein a certificate for the primary customer includes the primary CID;
      
      authenticate the primary customer by comparing the primary CID to a CID hard-coded in the SoC; and
      
      update the NVM with the CID for the secondary customer CID to identify the one or more resources as accessible by the secondary customer.
  - 17. The SoC of claim 13, the processors further configured to prohibit access to one or more resources by the primary customer in response to at least granting access to the secondary customer.
  - 18. The SoC of claim 13, the processors further configured to:
    - identify initialization of the device; and
      
      upload, from the NVM, to the feature register, a plurality of CIDs and information identifying accessible resources for each of the CIDs, wherein each of the plurality of CIDs and associated information identifying accessible resources are stored in different segments in the feature register.
  - 19. The SoC of claim 13, wherein the customer comprises a secondary customer, and the processors configured to determine whether the SoC grants access to the one or more resources comprises the processors configured to:
    - grant, to the secondary customer, temporary access to the one or more resources in response to at least a match between the second-customer CID and the feature register, wherein the temporary access is granted by updating the feature register with the second-customer CID independent of updating the NVM; and
      
      in response to initialization of the device, overwrite the second-customer CID in the feature register and associated grants using information stored in the NVM, wherein the overwriting prevents the second customer from accessing the one or more resources.
  - 20. The SoC of claim 19, wherein the secondary customer comprises the primary customer, the processors further configured to execute one or more processes to test the one or more resources assigned to the secondary customer during the temporary access, wherein the test processes are initiated by the primary customer.
  - 21. The SoC of claim 13, wherein the customer comprises a secondary customer, and the feature register is configured to grant the secondary customer access to a first subset of resources and grant a third customer access to a third subset of resources different from the first subset of resources.
  - 22. The SoC of claim 13, wherein the customer comprises a secondary customer, the one or more resources includes a protected area in the NVM, and the feature register is configured to grant both the secondary customer and a third customer access to the protected area in the NVM.
  - 23. The SoC of claim 13, wherein the authentication is based on the certificate including the CID, a static public key of the customer, and a signature of a Certificate Authority (CA) applied to the certificate.
  - 24. The SoC of claim 13, the processors further configured to establish a secure communication between Asset Control Core (ACC) including the NVM and the feature register, programming history and the customer, wherein access to the NVM and the feature register is secured with encryption and authentication using certificates.

25. A computer program product for managing resources of a device, the computer program product comprising computer readable instructions embodied on tangible, non-transitory media, the instructions operable when executed to:
- receive, by a SoC in the device, from a customer, a request to access one or more resources of the SoC, the SoC includes a NVM, a feature register, programming history, and a plurality of resources including the one or more resources;
  
  identify a CID based on the received request;
  
  authenticate the customer using a certificate including the CID; and
  
  determine, using the feature register and the CID, whether the SoC grants, to the customer, access to the one or more resources.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The computer program product of claim 25, wherein the one or more resources includes at least one of a feature, a parameter, a key, data, or a hardware-module configuration data.
  - 27. The computer program product of claim 25, wherein the instructions operable to determine whether the SoC grants access to configure the one or more features comprises the instructions operable to:
    - compare the CID to a plurality of segments in the feature register, wherein each of the plurality of segments are assigned to an associated customer;
      
      determine the CID is absent from the plurality of segments; and
      
      prohibit access to the one or more resources in response to at least the absence of the CID in the feature register.
  - 28. The computer program product of claim 25, wherein the customer comprises a secondary customer, the instructions operable to:
    - receive, from a primary customer, a request to grant access to the one or more resources of the SoC;
      
      identify a primary CID based on the primary-customer request, wherein a certificate for the primary customer includes the primary CID;
      
      authenticate the primary customer by comparing the primary CID to a CID hard-coded in the SoC; and
      
      update the NVM with the CID for the secondary customer CID to identify the one or more resources as accessible by the secondary customer.
  - 29. The computer program product of claim 25, the instructions further operable to prohibit access to one or more resources by the primary customer in response to at least granting access to the secondary customer.
  - 30. The computer program product of claim 25, the instructions further operable to:
    - identify initialization of the device; and
      
      upload, from the NVM, to the feature register, a plurality of CIDs and information identifying accessible resources for each of the CIDs, wherein each of the plurality of CIDs and associated information identifying accessible resources are stored in different segments in the feature register.
  - 31. The computer program product of claim 25, wherein the customer comprises a secondary customer, and the instructions operable to determine whether the SoC grants access to the one or more resources comprises the instructions operable to:
    - grant, to the secondary customer, temporary access to the one or more resources in response to at least a match between the second-customer CID and the feature register, wherein the temporary access is granted by updating the feature register with the second-customer CID independent of updating the NVM; and
      
      in response to initialization of the device, overwrite the second-customer CID in the feature register and associated grants using information stored in the NVM, wherein the overwriting prevents the second customer from accessing the one or more resources.
  - 32. The computer program product of claim 31, wherein the secondary customer comprises the primary customer, the instructions operable to execute one or more processes to test the one or more resources assigned to the secondary customer during the temporary access, wherein the test processes are initiated by the primary customer.
  - 33. The computer program product of claim 25, wherein the customer comprises a secondary customer, and the feature register is configured to grant the secondary customer access to a first subset of resources and grant a third customer access to a third subset of resources different from the first subset of resources.
  - 34. The computer program product of claim 25, wherein the customer comprises a secondary customer, the one or more resources includes a protected area in the NVM, and the feature register is configured to grant both the secondary customer and a third customer access to the protected area in the NVM.
  - 35. The method of claim 25, wherein the authentication is based on the certificate including the CID, a static public key of the customer, and a signature of a Certificate Authority (CA) applied to the certificate.
  - 36. The method of claim 25, further comprising establishing secure communication between ACC including the NVM and the feature register, programming history and the customer, wherein access to the NVM and the feature register is secured with encryption and authentication using certificates.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certicom Corporation (Blackberry Limited)
Original Assignee
Certicom Corporation (Blackberry Limited)
Inventors
Poeluev, Yuri

Application Number

US13/250,616
Publication Number

US 20130086385A1
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 12/1416   by checking the object acce...

H04L 2209/26   Testing cryptographic entit...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3252   using DSA or related signat...

System and Method for Providing Hardware-Based Security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Providing Hardware-Based Security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links