KEY REFRESH BETWEEN TRUSTED UNITS

US 20140281529A1
Filed: 03/18/2013
Published: 09/18/2014
Est. Priority Date: 03/18/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

encryption logic to;

identify a particular session key, wherein the particular session key is one of a plurality of session keys for use in encrypting content to be sent from a first device; and

encrypt particular content with the particular session key to obtain encrypted particular content; and

I/O logic to;

cause the particular content to be sent with a key refresh structure, wherein the key refresh structure is to identify that the particular session key was used to encrypt the particular content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Encryption logic to identify a particular session key, where the particular session key is one of a plurality of session keys for use in encrypting content to be sent from a first device. The encryption logic is to encrypt particular content with the particular session key to obtain encrypted particular content. I/O logic is provided that can cause the particular content to be sent with a key refresh structure, where the key refresh structure is to identify that the particular session key was used to encrypt the particular content.

Citations

27 Claims

1. An apparatus comprising:
- encryption logic to;
  
  identify a particular session key, wherein the particular session key is one of a plurality of session keys for use in encrypting content to be sent from a first device; and
  
  encrypt particular content with the particular session key to obtain encrypted particular content; and
  
  I/O logic to;
  
  cause the particular content to be sent with a key refresh structure, wherein the key refresh structure is to identify that the particular session key was used to encrypt the particular content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the encryption logic is further to:
    - identify a refresh of the particular session key, wherein the refresh includes identification of a new session key for a session between the first and second devices; and
      
      use the new session key to encrypt subsequent content to be sent to the second device.
  - 3. The apparatus of claim 2, wherein the new session key is associated with a new identifier accessible to both the first and second devices.
  - 4. The apparatus of claim 1, wherein the encryption logic is further to generate the particular session key, wherein the particular session key is to be associated with a particular key identifier identifiable to each of the first and second devices and included in the key refresh structure.
  - 5. The apparatus of claim 4, wherein the encryption logic is further to encrypt the particular session key using an encryption key shared by the first and second devices;
    - and the I/O logic is further to cause the encrypted particular session key to be sent to the second device.
  - 6. The apparatus of claim 5, wherein the encryption key is provisioned on each of the first and second devices at manufacture.
  - 7. The apparatus of claim 5, wherein the encrypted particular session key is to be sent to the second device over a sideband channel.
  - 8. The apparatus of claim 1, wherein the second device comprises a transcoder of a media gateway device.
  - 9. The apparatus of claim 1, wherein the key refresh structure is to be prepended to particular content.

10. An apparatus comprising:
- decryption logic to;
  
  receive a set of encrypted packets and a key refresh structure associated with the set of encrypted packets;
  
  identify from the key refresh structure, a particular one of a plurality of session keys designated for use in encrypting content sent between a first device and a second device; and
  
  decrypt the set of encrypted packets with the particular session key.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, further comprising transcoder logic, wherein the content includes media content, and the transcoder logic is to transcode the decrypted media content.
  - 12. The apparatus of claim 11, further comprising encryption logic to encrypt the transcoded media content using one of the plurality of session keys, wherein the encrypted transcoded media content is to be sent to a first device with a corresponding key refresh structure that is to identify the session key used to encrypt the transcoded media content.
  - 13. The apparatus of claim 12, wherein the session key used to encrypt the transcoded media content is different from the particular session key.
  - 14. The apparatus of claim 13, wherein the different session key and particular session key are included in an associated pair of session keys.
  - 15. The apparatus of claim 13, wherein the different session key is included in a second session key pair and the particular session key is included in a different, first session key pair.
  - 16. The apparatus of claim 15, wherein the decryption logic is further to:
    - identify a refresh of a first session key included in the first session key pair, wherein the refresh includes receipt of the second session key pair.
  - 17. The apparatus of claim 16, wherein both the first and second session key pairs are to be maintained at least until a subsequent refresh of session keys in the second session key pair.
  - 18. The apparatus of claim 17, wherein the second session key pair is to be received from the first device and is to be sent encrypted using an encryption key shared by the first device and the transcoder.

19. An apparatus comprising:
- I/O logic to;
  
  request generation of at least one new session key for use in encrypting content between a first device and a second device in a session;
  
  assign the new session key a key identifier, wherein the new session key is one of a plurality of session keys to be used by the first and second devices in the session and each of the plurality of session keys is to be associated with a respective key identifier;
  
  cause a set of packets to be encrypted using the new session key; and
  
  send the encrypted set of packets from the first device to the second device, wherein sending the set of packets includes generating a key refresh structure to be included with the encrypted set of packets and identify that the new session key was used by the first device to encrypt the set of packets.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19, wherein assigning the key identifier includes identifying a particular key identifier of a preceding session key and determining a next key identifier according to an identification scheme, and the next key identifier is the key identifier of the new session key.
  - 21. The apparatus of claim 20, wherein the next key identifier is to be determined by incrementing the particular key identifier.
  - 22. The apparatus of claim 19, wherein the I/O logic is further to provide data to the second device identifying that the assignment of the key identifier to the new session key.

23. A system comprising:
- a media gateway comprising;
  
  a system-on-chip to serve content packets;
  
  a transcoder to transcode the content packets; and
  
  a security encryption controller to generate a plurality of session keys during a session between the transcoder and system-on-chip, wherein a plurality of sets of content packets are to be sent between the transcoder and system-on-chip, each set of content packets is to be encrypted by a respective one the plurality of session keys, and each encrypted set of content packets is to be sent to include a key refresh structure identifying the respective session key used to encrypt the set of content packets.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The system of claim 23, wherein the security encryption controller is included on the system-on-chip and is further to:
    - encrypt sets of content packets sent from the system-on-chip to the transcoder using the plurality of session keys; and
      
      decrypt encrypted sets of content packets sent from the transcoder to the system-on-chip using the plurality of session keys.
  - 25. The system of claim 23, wherein the media gateway further comprises key management logic to:
    - manage refreshes of session keys used during the session, wherein a refresh is to replace a previous set of session keys used by the transcoder and system-on-chip in the session with a new set of session keys, each key in the previous and new sets of session keys has an associated key identifier, and the transcoder and system-on-chip are to maintain the previous set of session keys and the new set of session keys at least until a refresh of the new set of session keys.
  - 26. The system of claim 25, wherein the key management logic is to identify to the transcoder association between session keys and corresponding key identifiers.
  - 27. The system of claim 25, wherein each set of session keys includes:
    - a respective system-on-chip session key for use by the system-on-chip to encrypt content packets to be sent to the transcoder and for use by the transcoder to decrypt encrypted packets received from the system-on-chip; and
      
      a respective transcoder session key for use by the transcoder to encrypt transcoded content packets to be sent to the system-on-chip and for use by the system-on-chip to decrypt encrypted packets received from the transcoder.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Epp, Edward C., Yan, Zhaohui, Johnson, Daniel P.

Granted Patent

US 9,467,425 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

KEY REFRESH BETWEEN TRUSTED UNITS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

KEY REFRESH BETWEEN TRUSTED UNITS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links