Data encryption security module

US 5,999,629 A
Filed: 10/31/1995
Issued: 12/07/1999
Est. Priority Date: 10/31/1995
Status: Expired due to Term

First Claim

Patent Images

1. An information delivery system comprisingan access control system,an information protection system, anda plurality of subscriber terminals, wherein said access control system, said information protection system and said plurality of subscriber terminals each include a security module formed on an integrated circuit chip, said security module comprisinggenerator comprising means, responsive to receipt of particular stimuli via an input terminal, for generating at least a unique serial number (S_id) that is thereafter directly used to uniquely identify the security module and for generating a public key (KP_id) as a function of said unique serial number, said generator further comprising;

means for generating a symmetrical encryption key as a function of said unique serial number and a public key associated with and generated by another security module,means, responsive to receipt of an encrypted program encryption key from said other security module for decrypting said encrypted program encryption key using said symmetrical key,means for generating a device unique key (S_local) and said program encryption key, andmeans for encrypting at least said serial number and said program encryption key using said device unique key and storing the encrypted results in memory internal to the integrated circuit.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

We have recognized that there is a strong need to control and maintain the secrecy of the intelligence that may be used by computers to communicate with another, for example, by encrypting the messages that they exchange with one another. Thus, the encryption keys used to encrypt such messages need to be managed in a highly secure manner. Accordingly, we provide an encryption module, which, in accord with an aspect of the invention, generates a unique device encryption key (S_local), a cryptographic key formed from a unique identification key (S_id) and an associated public key (KP_id), and at least one program encryption key, in which the public key is generated as a function of the unique identification key. The module then encrypts the unique identification key and program encryption key using said device encryption key and stores the encrypted result in memory internal to security module, thereby securing the keys against misappropriation. In addition, the module provides a mechanism for using the program encryption key to encrypt information that it receives from an external source and store the encrypted information in memory external to the security module, and responsive to receiving from a requester a request for the program encryption key, encrypting the program encryption key, in accord with an aspect of the invention, using a symmetrical encryption key generated as a function of a public key generated by a security module associated with the requester. The former security module then supplies the encrypted program encryption key to the requester.

Citations

14 Claims

1. An information delivery system comprisingan access control system,an information protection system, anda plurality of subscriber terminals, wherein said access control system, said information protection system and said plurality of subscriber terminals each include a security module formed on an integrated circuit chip, said security module comprisinggenerator comprising means, responsive to receipt of particular stimuli via an input terminal, for generating at least a unique serial number (S_id) that is thereafter directly used to uniquely identify the security module and for generating a public key (KP_id) as a function of said unique serial number, said generator further comprising;
- means for generating a symmetrical encryption key as a function of said unique serial number and a public key associated with and generated by another security module,means, responsive to receipt of an encrypted program encryption key from said other security module for decrypting said encrypted program encryption key using said symmetrical key,means for generating a device unique key (S_local) and said program encryption key, andmeans for encrypting at least said serial number and said program encryption key using said device unique key and storing the encrypted results in memory internal to the integrated circuit.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1 wherein said memory associated with said security module is external to the integrated circuit and wherein the integrated circuit further comprises means for associating said program encryption key with an identifier and storing the identifier in said external memory in association with the encrypted version of said program encryption key.
  - 3. The system of claim 1 wherein said access control system includes said information protection system.

4. An integrated circuit chip comprisingmeans, responsive to particular stimuli, for generating at least a unique device encryption key (S_local), a unique identification key (S_id) that is thereafter directly used to uniquely identify the integrated circuit chip and an associated public key (KP_id), and at least one program encryption key, said public key being generated as a function of said unique identification key,means for encrypting the unique identification key and said at least one program encryption key using said device encryption key and storing the encrypted results in memory internal to the integrated circuit, andmeans, responsive to receiving from a requester a request for said at least one program encryption key, for encrypting at least one program encryption key using a symmetrical key generated as a function of (a) a public key generated by a security module associated with the requester, and (b) said unique identification key, and supplying the encrypted at least one program encryption key to the requester.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The integrated circuit chip of claim 4 further comprisingmeans, responsive to receipt of an indication to encrypt particular information, for retrieving said encrypted at least one program encryption key from said internal memory and decrypting that key using said device unique key, andmeans for encrypting particular information as it is received using the decrypted program encryption key and stores the encrypted particular information in external memory.
  - 6. The integrated circuit chip of claim 5 wherein said external memory is contained in a data server.
  - 7. The integrated circuit chip of claim 5 wherein said encrypted program encryption key is sent to the requester in a message containing the public key (PK_id) that the sending security module generated.
  - 8. The integrated circuit chip of claim 5 further comprising for causing the integrated circuit to send to the requester (a) the generated public key (KP_id), (b) the encrypted at least one program encryption key and (c) an authentication code derived as a function of the generated public key and an encryption key (S_common) common to each said integrated circuit.
  - 9. The integrated circuit chip of claim 4 wherein said unique device encryption key (S_local) is known only to said integrated circuit chip.
  - 10. The integrated circuit chip of claim 4 wherein said public key (PK_id) is shared with an external device.

11. A method of operating a security module, formed on an integrated circuit chips said security module performing the steps comprising:
- responsive to particular stimuli, generating a unique device encryption key (S_local), a unique identification key (S_id) that is used directly thereafter to uniquely identify the integrated circuit chip and an associated public key (PK_id), and at least one program encryption key, said public key being generated as a function of said unique identification key,encrypting said unique identification key and said at least one program encryption key using said device encryption key and storing the encrypted result in memory internal to said security module,encrypting particular information using said at least one program encryption key and storing the encrypted particular information in memory external to said security module, andresponsive to receiving from a requester a request for said at least one program encryption key, encrypting said at least one program encryption key using a symmetrical key generated as a function of said unique identification key and a public key generated by a security module associated with the requester and supplying the encrypted at least one program encryption key to the requester.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11 further comprising the steps ofresponsive to receipt of an indication to encrypt said particular information, retrieving said encrypted at least one program encryption key from said internal memory and decrypting the encrypted at least one program encryption key using said device unique key, andencrypting said particular information as it is received using the decrypted program encryption key and storing the encrypted particular information in said external memory.
  - 13. The method of claim 12 wherein said external memory is contained in a data server.
  - 14. The method of claim 11 further comprising the step of causing said security module to also send to the requester (a) a segment of said associated public key (PK_id), (b) said encrypted at least one program encryption key and (c) an authentication value derived as a function of said segment of said associated public key (PK_id).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Heer, Daniel Nelson, Maher, David P.
Primary Examiner(s)
Hayes, Gail O.
Assistant Examiner(s)
SAYADIAN, HRAYR

Application Number

US08/550,910
Time in Patent Office

1,498 Days
Field of Search

380/21, 380/23, 380/25, 380/30, 380/49, 380/4
US Class Current

705/51
CPC Class Codes

G06Q 20/3829   involving key management

H04L 2209/60   Digital content management,...

H04L 9/0847   involving identity based en...

Data encryption security module

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Data encryption security module

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links