SECURITY PROCESSING UNIT WITH CONFIGURABLE ACCESS CONTROL

US 20150078550A1
Filed: 03/31/2014
Published: 03/19/2015
Est. Priority Date: 09/13/2013
Status: Abandoned Application

First Claim

Patent Images

1. A security processing unit comprising:

one or more processors;

memory communicatively coupled to the one or more processors and configured to store one or more cryptographic keys and key data describing access permission to the one or more cryptographic keys, the security processing unit being configured to prevent the one or more cryptographic keys from being read by a central processing unit;

an interface communicatively coupled to the one or more processors and configured to receive a command from the central processing unit regarding generation of a new cryptographic key, the command including a key creation parameter; and

a processing module executable by the one or more processors to;

manage the one or more cryptographic keys based at least in part on the key data of the one or more cryptographic keys;

generate the new cryptographic key based at least in part on the key creation parameter and the one or more cryptographic keys, the new cryptographic key being generated with a key derivation function or other one-way function; and

generate key data for the new cryptographic key based on at least a portion of the key creation parameter.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security processing unit is configured to manage cryptographic keys. In some instances, the security processing unit may comprise a co-processing unit that includes memory, one or more processors, and other components to perform operations in a secure environment. A component that is external to the security processing unit may communicate with the security processing unit to generate a cryptographic key, manage access to a cryptographic key, encrypt/decrypt data with a cryptographic key, or otherwise utilize a cryptographic key. The external component may comprise a central processing unit, an application, and/or any other hardware or software component that is located outside the security processing unit.

29 Citations

View as Search Results

20 Claims

1. A security processing unit comprising:
- one or more processors;
  
  memory communicatively coupled to the one or more processors and configured to store one or more cryptographic keys and key data describing access permission to the one or more cryptographic keys, the security processing unit being configured to prevent the one or more cryptographic keys from being read by a central processing unit;
  
  an interface communicatively coupled to the one or more processors and configured to receive a command from the central processing unit regarding generation of a new cryptographic key, the command including a key creation parameter; and
  
  a processing module executable by the one or more processors to;
  
  manage the one or more cryptographic keys based at least in part on the key data of the one or more cryptographic keys;
  
  generate the new cryptographic key based at least in part on the key creation parameter and the one or more cryptographic keys, the new cryptographic key being generated with a key derivation function or other one-way function; and
  
  generate key data for the new cryptographic key based on at least a portion of the key creation parameter.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The security processing unit of claim 1, wherein the memory includes non-volatile memory that includes at least one of one or more registers or a set of fuses to store the one or more cryptographic keys.
  - 3. The security processing unit of claim 1, wherein the processing module is configured to:
    - manage the one or more cryptographic keys by determining whether or not the central processing unit is authorized to utilize the one or more cryptographic keys based at least in part on the key data of the one or more cryptographic keys; and
      
      generate the new cryptographic key when it is determined that the central processing unit is authorized to utilize the one or more cryptographic keys.
  - 4. The security processing unit of claim 1, wherein:
    - the at least the portion of the key creation parameter that is utilized to generate the key data for the new cryptographic key includes key data; and
      
      the key data for the new cryptographic key includes at least one of the key data of the of the key creation parameter or a value that is derived from the key creation parameter.
  - 5. The security processing unit of claim 1, wherein the key data of the new cryptographic key includes at least one of an owner control parameter identifying an owner of the new cryptographic key, an export control parameter indicating whether or not the new cryptographic key is exportable from the security processing unit, or a key usage control parameter specifying usage of the new cryptographic key.
  - 6. The security processing unit of claim 1, wherein the processing module is configured to manage the one or more cryptographic keys by at least one of deleting a cryptographic key of the one or more cryptographic keys, configuring key data for a cryptographic key of the one or more cryptographic keys, storing a cryptographic key of the one or more cryptographic keys in the memory, providing a cryptographic key of the one or more cryptographic keys to the central processing unit, or encrypting or decrypting data with a cryptographic key of the one or more cryptographic keys.

7. One or more computer-readable media storing computer-executable instructions, the computer-executable instructions upon execution, to instruct a security processing unit to perform operations comprising:
- receiving, from a component of a computing device that incorporates the security processing unit, a command to create a cryptographic key, the command including a key creation parameter;
  
  creating the cryptographic key based at least in part on the key creation parameter;
  
  creating key data for the cryptographic key based on at least a portion of the key creation parameter, the key data describing access permission to the cryptographic key;
  
  storing the cryptographic key within the security processing unit; and
  
  based at least in part on the key data of the cryptographic key, enabling access to the cryptographic key by a particular component of the computing device and restricting access to the cryptographic key by another component of the computing device.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The one or more computer-readable media of claim 7, wherein the component from which the command is received comprises at least one of a central processing unit of the computing device or an application that is executing on the computing device.
  - 9. The one or more computer-readable media of claim 7, wherein the particular component to which access is enabled comprises at least one of the component from which the command is received, the security processing unit, or a further component of the computing device.
  - 10. The one or more computer-readable media of claim 7, wherein:
    - the command specifies a destination location to store the cryptographic key within the security processing unit; and
      
      the cryptographic key is stored at the destination location that is specified in the command.
  - 11. The one or more computer-readable media of claim 7, wherein:
    - the command identifies another cryptographic key; and
      
      the cryptographic key is created with a key derivation function or other one-way function based at least in part on the other cryptographic key.
  - 12. The one or more computer-readable media of claim 11, wherein the operations further comprise:
    - determining that the component from which the command is received is authorized to access the other cryptographic key; and
      
      wherein the cryptographic key is created upon determining that the component from which the command is received is authorized to access the other cryptographic key.
  - 13. The one or more computer-readable media of claim 7, wherein the operations further comprise:
    - after enabling or restricting access to the cryptographic key, receiving a request for the cryptographic key from the particular component of the computing device;
      
      determining that the particular component is authorized to access the cryptographic key based at least in part on the key data of the cryptographic key; and
      
      sending the cryptographic key to the particular component in response to the determining.

14. A security processing unit comprising:
- one or more processors;
  
  an interface communicatively coupled to the one or more processors and configured to receive a command from a component that is external to the security processing unit, the command requesting that the security processing unit derive a new cryptographic key with a key creation parameter;
  
  a processing module executable by the one or more processors to;
  
  read a cryptographic key from non-volatile memory;
  
  derive the new cryptographic key with a key derivation function or other one-way function based at least in part on the key creation parameter and the cryptographic key that is read from the non-volatile memory; and
  
  cause the new cryptographic key to be stored in memory of the security processing unit or to be sent to at least one of the component that is external to the security processing unit or another component that is external to the security processing unit.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The security processing unit of claim 14, wherein:
    - the processing module is further configured to determine that the component that is external to the security processing unit is authorized to utilize the cryptographic key to derive the new cryptographic key; and
      
      the processing module is configured to derive the new cryptographic key in response to determining that the component is authorized to utilize the cryptographic key.
  - 16. The security processing unit of claim 14, wherein:
    - the memory of the security processing unit includes the non-volatile memory, the non-volatile memory comprising at least one of a set of fuses or a set of registers;
      
      the command identifies at least one of the set of fuses or a register of the set of registers in which to store the new cryptographic key; and
      
      the processing module is configured to store the new cryptographic key in at least one of the set of fuses or the register that is identified in the command.
  - 17. The security processing unit of claim 14, wherein the processing module is configured to send the new cryptographic key to at least one of the component that is external to the security processing unit or the other component that is external to the security processing unit.
  - 18. The security processing unit of claim 14, wherein:
    - the interface is further configured to receive a command requesting that key data of at least one of the new cryptographic key or the cryptographic key be configured; and
      
      the processing module is further configured to configure the key data of at least one of the new cryptographic key or the cryptographic key by restricting or enabling access to the new cryptographic key or the cryptographic key.
  - 19. The security processing unit of claim 14, wherein:
    - the interface is further configured to receive a command requesting that data be encrypted or decrypted with at least one of the new cryptographic key or the cryptographic key; and
      
      the processing module is further configured to encrypt or decrypt the data with at least one of the new cryptographic key or the cryptographic key and to provide the encrypted or decrypted data.
  - 20. The security processing unit of claim 14, wherein:
    - the interface is further configured to receive a command requesting that the cryptographic key be deleted; and
      
      the processing module is further configured to delete the cryptographic key from the non-volatile memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ferguson, Niels T., McPherson, Dave M., Novak, Mark Fishel, England, Paul

Application Number

US14/230,918
Publication Number

US 20150078550A1
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

H04L 9/0861   Generation of secret inform...

H04L 9/0877   using additional device, e....

H04L 9/088   Usage controlling of secret...

SECURITY PROCESSING UNIT WITH CONFIGURABLE ACCESS CONTROL

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY PROCESSING UNIT WITH CONFIGURABLE ACCESS CONTROL

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links