SECURITY PROCESSING UNIT WITH CONFIGURABLE ACCESS CONTROL
First Claim
1. A security processing unit comprising:
- one or more processors;
memory communicatively coupled to the one or more processors and configured to store one or more cryptographic keys and key data describing access permission to the one or more cryptographic keys, the security processing unit being configured to prevent the one or more cryptographic keys from being read by a central processing unit;
an interface communicatively coupled to the one or more processors and configured to receive a command from the central processing unit regarding generation of a new cryptographic key, the command including a key creation parameter; and
a processing module executable by the one or more processors to;
manage the one or more cryptographic keys based at least in part on the key data of the one or more cryptographic keys;
generate the new cryptographic key based at least in part on the key creation parameter and the one or more cryptographic keys, the new cryptographic key being generated with a key derivation function or other one-way function; and
generate key data for the new cryptographic key based on at least a portion of the key creation parameter.
3 Assignments
0 Petitions
Accused Products
Abstract
A security processing unit is configured to manage cryptographic keys. In some instances, the security processing unit may comprise a co-processing unit that includes memory, one or more processors, and other components to perform operations in a secure environment. A component that is external to the security processing unit may communicate with the security processing unit to generate a cryptographic key, manage access to a cryptographic key, encrypt/decrypt data with a cryptographic key, or otherwise utilize a cryptographic key. The external component may comprise a central processing unit, an application, and/or any other hardware or software component that is located outside the security processing unit.
29 Citations
20 Claims
-
1. A security processing unit comprising:
-
one or more processors; memory communicatively coupled to the one or more processors and configured to store one or more cryptographic keys and key data describing access permission to the one or more cryptographic keys, the security processing unit being configured to prevent the one or more cryptographic keys from being read by a central processing unit; an interface communicatively coupled to the one or more processors and configured to receive a command from the central processing unit regarding generation of a new cryptographic key, the command including a key creation parameter; and a processing module executable by the one or more processors to; manage the one or more cryptographic keys based at least in part on the key data of the one or more cryptographic keys; generate the new cryptographic key based at least in part on the key creation parameter and the one or more cryptographic keys, the new cryptographic key being generated with a key derivation function or other one-way function; and generate key data for the new cryptographic key based on at least a portion of the key creation parameter. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. One or more computer-readable media storing computer-executable instructions, the computer-executable instructions upon execution, to instruct a security processing unit to perform operations comprising:
-
receiving, from a component of a computing device that incorporates the security processing unit, a command to create a cryptographic key, the command including a key creation parameter; creating the cryptographic key based at least in part on the key creation parameter; creating key data for the cryptographic key based on at least a portion of the key creation parameter, the key data describing access permission to the cryptographic key; storing the cryptographic key within the security processing unit; and based at least in part on the key data of the cryptographic key, enabling access to the cryptographic key by a particular component of the computing device and restricting access to the cryptographic key by another component of the computing device. - View Dependent Claims (8, 9, 10, 11, 12, 13)
-
-
14. A security processing unit comprising:
-
one or more processors; an interface communicatively coupled to the one or more processors and configured to receive a command from a component that is external to the security processing unit, the command requesting that the security processing unit derive a new cryptographic key with a key creation parameter; a processing module executable by the one or more processors to; read a cryptographic key from non-volatile memory; derive the new cryptographic key with a key derivation function or other one-way function based at least in part on the key creation parameter and the cryptographic key that is read from the non-volatile memory; and cause the new cryptographic key to be stored in memory of the security processing unit or to be sent to at least one of the component that is external to the security processing unit or another component that is external to the security processing unit. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification