Initializing, maintaining, updating and recovering secure operation within an integrated system employing a data access control function

US 6,957,335 B2
Filed: 10/23/2003
Issued: 10/18/2005
Est. Priority Date: 04/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method of migrating data encrypted using a first key set to data encrypted using a second key set, said method comprising:

performing multiple writes of encrypted data using a first key set;

employing a usage counter to count each use of the first key set to write encrypted data; and

automatically transitioning to a second key set when the count of the usage counter exceeds a defined threshold, the automatically transitioning comprising;

modifying an access table to indicated that encrypted data in a current data location is to be decrypted using the first key set, and is to be re-encrypted using the second key set when undergoing storage to a new data location;

decrypting the encrypted data using the first key set;

re-encrypting, by a data access control function within an integrated system, the data using the second key set, wherein the decrypting and the re-encrypting comprise reading the encrypted data from the current data location, decrypting the encrypted data using the first key set, then writing the data as encrypted data to the new data location employing the second key set; and

modifying the access table further with the new data location being defined for encryption and decryption with the second key set.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for initializing, maintaining, updating and recovering secure operation within an integrated system. The techniques, which employ a data access control function within the integrated system, include authenticating by a current level of software a next level of software within an integrated system. The authenticating occurs before control is passed to the next level of software. Further, an ability of the next level of software to modify an operational characteristic of the integrated system can be selectively limited via the data access control function. Techniques are also provided for initializing secure operation of the integrated system, for migrating data encrypted using a first key set to data encrypted using a second key set, for updating software and keys within the integrated system, and for recovering integrated system functionality following a trigger event.

Citations

15 Claims

1. A method of migrating data encrypted using a first key set to data encrypted using a second key set, said method comprising:
- performing multiple writes of encrypted data using a first key set;
  
  employing a usage counter to count each use of the first key set to write encrypted data; and
  
  automatically transitioning to a second key set when the count of the usage counter exceeds a defined threshold, the automatically transitioning comprising;
  
  modifying an access table to indicated that encrypted data in a current data location is to be decrypted using the first key set, and is to be re-encrypted using the second key set when undergoing storage to a new data location;
  
  decrypting the encrypted data using the first key set;
  
  re-encrypting, by a data access control function within an integrated system, the data using the second key set, wherein the decrypting and the re-encrypting comprise reading the encrypted data from the current data location, decrypting the encrypted data using the first key set, then writing the data as encrypted data to the new data location employing the second key set; and
  
  modifying the access table further with the new data location being defined for encryption and decryption with the second key set.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the data access control function comprises a hardware component of the integrated system.
  - 3. The method of claim 1, wherein the decrypting is also performed by the data access control function of the integrated circuit.
  - 4. The method of claim 1, further comprising retrieving for decryption, from storage associated with the integrated system, the data encrypted using the first key set.
  - 5. The method of claim 1, wherein the data encrypted using the first key set is received from a source external to the integrated system.
  - 6. The method of claim 5, wherein the decrypting is performed in software within the integrated system, and wherein the re-encrypting, by the data access control function, is performed in hardware of the integrated system.
  - 7. The method of claim 6, wherein the second key set is unique to the integrated system.

8. A system of migrating data encrypted using a first key set to data encrypted using a second key set, said system comprising:
- means for performing multiple writes of encrypted data using a first key set;
  
  means for employing a usage counter to count each use of the first key set to write encrypted data; and
  
  means for automatically transitioning to a second key set when the count of the usage counter exceeds a defined threshold, the means for automatically transitioning comprising;
  
  means for modifying an access table to indicate that encrypted data in a current data location is to be decrypted using the first key set, and is to be re-encrypted using the second key set when undergoing storage to a new data location;
  
  means for decrypting the encrypted data using the first key set;
  
  means for re-encrypting, by a data access control function within an integrated system, the data using the second key set, wherein the decrypting and the re-encrypting comprise reading the encrypted data from the current data location, decrypting the encrypted data using the first key set, then writing the data as encrypted data to the new data location employing the second key set; and
  
  means for modifying the access table further with the new data location being defined for encryption and decryption with the second key set.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the data access control function comprises a hardware component of the integrated system.
  - 10. The system of claim 8, wherein the means for decrypting is also performed by the data access control function of the integrated circuit.
  - 11. The system of claim 8, further comprising means for retrieving for decryption, from storage associated with the integrated system, the data encrypted using the first key set.
  - 12. The system of claim 8, wherein the data encrypted using the first key set is received from a source external to the integrated system.
  - 13. The system of claim 12, wherein the means for decrypting is performed in software within the integrated system, and wherein the re-encrypting, by the data access control function, is performed in hardware of the integrated system.
  - 14. The system of claim 13, wherein the second key set is unique to the integrated system.

15. At least one program storage device readable by a machine embodying at least one program of instructions executable by the machine to perform a method of migrating data encrypted using a first key set to data encrypted using a second key set, said method comprising:
- performing multiple writes of encrypted data using a first key set;
  
  employing a usage counter to count each use of the first key set to write encrypted data; and
  
  automatically transitioning to a second key set when the count of the usage counter exceeds a defined threshold, the automatically transitioning comprising;
  
  modifying an access table to indicated that encrypted data in a current data location is to be decrypted using the first key set, and is to be re-encrypted using the second key set when undergoing storage to a new data location;
  
  decrypting the encrypted data using the first key set;
  
  re-encrypting, by a data access control function within an integrated system, the data using the second key set, wherein the decrypting and the re-encrypting comprise reading the encrypted data from the current data location, decrypting the encrypted data using the first key set, then writing the data as encrypted data to the new data location employing the second key set; and
  
  modifying the access table further with the new data location being defined for encryption and decryption with the second key set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daedalus Blue LLC
Original Assignee
International Business Machines Corporation
Inventors
Hall, William E., Rosu, Marcel C., Foster, Eric M.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US10/691,632
Publication Number

US 20040088559A1
Time in Patent Office

726 Days
Field of Search

713/153, 713/168, 713/193, 713/171, 713/161, 713/165, 380/277, 380/201
US Class Current

713/171
CPC Class Codes

G06F 21/575   Secure boot

G06F 21/6218   to a system of files or obj...

G06F 2221/2149   Restricted operating enviro...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

Initializing, maintaining, updating and recovering secure operation within an integrated system employing a data access control function

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Initializing, maintaining, updating and recovering secure operation within an integrated system employing a data access control function

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links