KEYING INFRASTRUCTURE
First Claim
Patent Images
1. A method comprising:
- setting, by a computing device, an initial application key in a sequence of application keys;
determining that a component is loaded or executed, and in response to the determining;
deriving an application key for the sequence of application keys with a key derivation function, the application key being derived based at least in part on a preceding application key that directly precedes the application key in the sequence of application keys and based at least in part on a hash of the component that is loaded or executed; and
deleting the preceding application key upon deriving the application key;
utilizing, by the computing device, an application key that remains in the sequence of application keys after the deletion to derive an image operation key; and
utilizing the image operation key to at least one of verify an application state of the computing device or encrypt data.
3 Assignments
0 Petitions
Accused Products
Abstract
A keying infrastructure may generate and/or manage cryptographic keys. The cryptographic keys may include identity keys, encryption keys, and a variety of other types of keys. The cryptographic keys may be derived or created with a key derivation function (KDF) or other one-way function. The cryptographic keys may include keys that are accessible to a boot loader, keys that are accessible to particular components of a Trusted Execution Environment (TrEE), and so on. In some examples, a key may be derived from a preceding key in a sequence of keys. The preceding key may be deleted when the key is derived.
26 Citations
20 Claims
-
1. A method comprising:
-
setting, by a computing device, an initial application key in a sequence of application keys; determining that a component is loaded or executed, and in response to the determining; deriving an application key for the sequence of application keys with a key derivation function, the application key being derived based at least in part on a preceding application key that directly precedes the application key in the sequence of application keys and based at least in part on a hash of the component that is loaded or executed; and deleting the preceding application key upon deriving the application key; utilizing, by the computing device, an application key that remains in the sequence of application keys after the deletion to derive an image operation key; and utilizing the image operation key to at least one of verify an application state of the computing device or encrypt data. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. One or more computer-readable media storing computer-executable instructions, the computer-executable instructions upon execution, to instruct one or more processors to perform operations comprising:
-
generating an encryption key hierarchy with a key derivation function, the encryption key hierarchy including (i) a Trusted Execution Environment (TrEE) loader encryption key that is associated with a current security configuration of a TrEE loader and (ii) a TrEE encryption key that is associated with a current security configuration of a TrEE core, the TrEE encryption key being generated based at least in part on the TrEE loader encryption key; and utilizing the TrEE encryption key to encrypt data. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. A method comprising:
-
deriving, by a computing device and with a key derivation function, a Trusted Execution Environment (TrEE) loader encryption key that is associated with a security configuration of a TrEE loader, the TrEE loader being configured to load a TrEE core that implements a TrEE; deriving, by the computing device and with the key derivation function, a TrEE encryption key that is associated with a security configuration of the TrEE core, the TrEE encryption key being derived based at least in part on the TrEE loader encryption key; and utilizing the TrEE encryption key to at least one of encrypt data or decrypt data. - View Dependent Claims (17, 18, 19, 20)
-
Specification