Control function implementing selective transparent data authentication within an integrated system
Abstract
A data authentication technique is provided for a data access control function of an integrated system. The technique includes passing a data request from a functional master of the integrated system through the data access control function, and responsive to the data request, selectively authenticating requested data. The selective authentication, which can occur transparent to the functional master initiating the data request, includes employing integrity value generation on the requested data when originally stored and when retrieved, in combination with encryption and decryption thereof to ensure the authenticity of the requested data. As an enhancement, cascading integrity values may be employed to facilitate data authentication.
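The flow the abstract describes, as a small software model added here for illustration (it is not code from the patent): an access table keyed by master ID and address decides whether data is encrypted and whether an encrypted digest is checked on read. The table entries, the key, the 8-byte digest length and the XOR-keystream `engine` are assumptions; the keystream is a toy stand-in for the shared encryption/decryption engine and is not a secure cipher.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key

def engine(data: bytes, addr: int, tweak: bytes) -> bytes:
    """Toy stand-in for the shared encrypt/decrypt engine (XOR keystream, not secure)."""
    stream = b""
    while len(stream) < len(data):
        block = len(stream).to_bytes(4, "big")
        stream += hashlib.sha256(KEY + tweak + addr.to_bytes(8, "big") + block).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:8]  # reduced version of the data

# Assumed access table: (master_id, start, end, encrypt, authenticate)
ACCESS_TABLE = [
    (1, 0x1000, 0x2000, True, True),    # master 1: encrypted and authenticated region
    (2, 0x8000, 0x9000, False, False),  # master 2: clear pass-through buffer
]

class AccessControl:
    def __init__(self):
        self.memory = {}  # addr -> bytes as stored behind the slave device
        self.icvs = {}    # addr -> encrypted integrity check value

    def _rule(self, master_id, addr):
        for mid, start, end, enc, auth in ACCESS_TABLE:
            if mid == master_id and start <= addr < end:
                return enc, auth
        raise PermissionError(f"master {master_id} has no access to {addr:#x}")

    def write(self, master_id, addr, data):
        enc, auth = self._rule(master_id, addr)
        if auth:  # ICV = digest of the data, encrypted by the same engine
            self.icvs[addr] = engine(digest(data), addr, b"icv")
        self.memory[addr] = engine(data, addr, b"data") if enc else data

    def read(self, master_id, addr):
        enc, auth = self._rule(master_id, addr)
        stored = self.memory[addr]
        data = engine(stored, addr, b"data") if enc else stored
        if auth:  # decrypt the stored ICV and compare with a fresh digest
            expected = engine(self.icvs[addr], addr, b"icv")
            if not hmac.compare_digest(expected, digest(data)):
                raise ValueError(f"integrity check failed at {addr:#x}")
        return data
```

The requesting master only calls `read` and `write`; encryption and the integrity check happen inside the control function, which is what makes the authentication transparent to the master.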
23 Claims
1. A data authentication method for an integrated device having multiple functional masters, the multiple functional masters having multiple master ids, said method comprising:
- defining different levels of data access security to the multiple functional masters, where the different levels of data access security are predefined in an access table, the access table enforcing the defined access rights for the multiple functional masters to ensure security within the integrated device;
- passing a data request, comprising an address associated with requested data, from a functional master through a data access control function disposed within a data path between a bus controller and a slave device coupled to memory, the data access control function residing within a secure memory subsystem of the integrated device;
- responsive to the data request, selectively authenticating the requested data by the data access control function transparent to the functional master of the integrated device initiating the data request, the selectively authenticating comprising selectively verifying integrity of the requested data by the data access control function within the secure memory subsystem based on a master ID of the requesting master, the data access level for the requesting master defined in the access table and the address of the requested data, the verifying integrity employing an encrypted integrity check value comprising an encrypted digest of the requested data, the encrypted digest being an encrypted reduced version of the requested data;
- when authenticating the requested data, deciding by the data access control function, with reference to the data access level of the requesting master, whether to decrypt the data when the request is a read request, and whether to encrypt the data when the request is a write request; and
- wherein the verifying integrity employs a common encryption/decryption engine of the data access control function when encrypting/decrypting integrity check values as used for encrypting/decrypting the requested data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A data authentication system for an integrated device having multiple functional masters, the multiple functional master having multiple master ids, said system comprising:
- means for defining different levels of data access security to the multiple functional masters, where the different levels of data access security are predefined in an access table, the access table enforcing the defined access rights for the multiple functional masters to ensure security within the integrated device;
- a data access controller for receiving a data request from a functional master, the data request comprising an address associated with requested data, and the data access controller being disposed in a data path between a bus controller and a slave device coupled to memory, the data access control function residing within a secure memory subsystem of the integrated device;
- means for selectively authenticating the requested data at the data access controller responsive to the data request, wherein the means for selectively authenticating is transparent to the functional master of the integrated device initiating the data request, the selectively authenticating comprising means for selectively verifying integrity of the requested data by the data access control function within the secure memory subsystem based on a master ID of the requesting master, the data access level for the requesting master defined in the access table and the address of the requested data, the means for selectively verifying integrity employing an encrypted integrity check value comprising an encrypted digest of the requested data, the encrypted digest being an encrypted reduced version of the requested data;
- wherein the means for selectively authenticating comprises means for deciding by the data access controller, with reference to the data access level of the requesting master, whether to decrypt the data when the request is a read request, and whether to encrypt the data when the request is a write request; and
- wherein the means for selectively verifying integrity further employs a common encryption/decryption engine of the data access control function when encrypting/decrypting integrity check values as used for encrypting/decrypting the requested data.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. At least one program storage device readable by a machine, tangibly embodying at least one program of instructions executable by the machine to perform a data authentication method for an integrated device having multiple functional masters, the multiple functional masters having multiple master ids, the method comprising:
- defining different levels of data access security to the multiple functional masters, where the different levels of data access security are predefined in an access table, the access table enforcing the defined access rights for the multiple functional masters to ensure security within the integrated device;
- passing a data request, comprising an address associated with requested data, from a functional master through a data access control function disposed within a data path between a bus controller and a slave device coupled to memory, the data access control function residing within a secure memory subsystem of the integrated device;
- responsive to the data request, selectively authenticating the requested data by the data access control function transparent to the functional master of the integrated device initiating the data request, the selectively authenticating comprising selectively verifying integrity of the requested data by the data access control function within the secure memory subsystem based on a master ID of the requesting master, the data access level for the requesting master defined in the access table and the address of the requested data, the verifying integrity employing an encrypted integrity check value comprising an encrypted digest of the requested data, the encrypted digest being an encrypted reduced version of the requested data;
- when authenticating the requested data, deciding by the data access control function, with reference to the data access level of the requesting master, whether to decrypt the data when the request is a read request, and whether to encrypt the data when the request is a write request; and
- wherein the verifying integrity employs a common encryption/decryption engine of the data access control function when encrypting/decrypting integrity check values as used for encrypting/decrypting the requested data.
Specification