Methods and systems for authentication of components in a graphics system

US 7,380,130 B2
Filed: 04/18/2002
Issued: 05/27/2008
Est. Priority Date: 12/04/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing authentication in connection with the use of a trusted graphics platform having a graphics card, comprising:

requesting by one of an application and device of a graphics card to verify that the graphics card is a secure graphics card;

in response to said requesting, generating a session key by a cryptographic processor communicatively and securely coupled to the graphics card; and

transmitting said session key to the one of an application and device,wherein the cryptographic processor includes (1) a multi-bit volatile register S for the session key and (2) an array of a plurality of index keys,wherein each of said plurality of index keys (1) is associated with a particular window of a host system that includes said one of an application and device, and (2) is used by the graphics card to decrypt the contents of the window, andwherein each of said plurality of index keys is used only once in accordance with a purpose parameter associated with the index key, wherein when an index key has been filled with a new value, a corresponding former value is irretrievably discarded.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for authenticating component(s) in connection with the use of a trusted graphics system. Techniques are provided for authenticating a graphics card in connection with a system that cryptographically secures content routed through a graphics pipeline, such that an application or device can indicate to the trusted graphics platform that the application or device is a trusted user of the trusted graphics platform, and such that the graphics platform can communicate to the trusted application or device that the graphics platform may be trusted by the application or device.

39 Citations

View as Search Results

54 Claims

1. A method for providing authentication in connection with the use of a trusted graphics platform having a graphics card, comprising:
- requesting by one of an application and device of a graphics card to verify that the graphics card is a secure graphics card;
  
  in response to said requesting, generating a session key by a cryptographic processor communicatively and securely coupled to the graphics card; and
  
  transmitting said session key to the one of an application and device,wherein the cryptographic processor includes (1) a multi-bit volatile register S for the session key and (2) an array of a plurality of index keys,wherein each of said plurality of index keys (1) is associated with a particular window of a host system that includes said one of an application and device, and (2) is used by the graphics card to decrypt the contents of the window, andwherein each of said plurality of index keys is used only once in accordance with a purpose parameter associated with the index key, wherein when an index key has been filled with a new value, a corresponding former value is irretrievably discarded.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A method according to claim 1, further comprising:
    - revealing said session key to the graphics card in connection with a request for resources of the graphics card.
  - 3. A method according to claim 1, wherein each cryptographic processor is individualized and certified during manufacture.
  - 4. A method according to claim 1, wherein each cryptographic processor includes a unique private decryption key.
  - 5. A method according to claim 1, wherein the cryptographic processor is permanently attached to the graphics card, by one of (1) adding the cryptographic processor to an existing chip and (2) adding the cryptographic processor as a separate chip to the graphics card,whereby the physical connection between the cryptographic processor and the rest of the graphics card is not accessible and is not exposed.
  - 6. A method according to claim 1, wherein said requesting includes interfacing with the cryptographic processor via one of (1) an external interface to said one of an application and device and (2) an internal interface to a graphics processing unit (GPU) on the graphics card.
  - 7. A method according to claim 6, wherein said interfacing with an external interface includes using a private key encryption protocol for authentication and key transport, whereby said authentication and key transport includes:
    - encrypting by said one of an application and device the session key with a public key of the cryptographic processor thereby creating a session key cryptoblob;
      
      receiving by the cryptographic processor the session key cryptoblob; and
      
      decrypting by the cryptographic processor the session key cryptoblob with a private key of the cryptographic processor, thus obtaining the session key,whereby said one of an application and device and the cryptographic processor share a secret enabling said one of an application and device to use said session key to send instructions to the cryptographic processor.
  - 8. A method according to claim 7, wherein the external interface is exposed through a set of functions by the cryptographic processor, said set including:
    - a Set Session Key function that invokes said receiving, receiving and decrypting, whereby said session key is used to secure all further communication to and from the cryptographic processor from and to said one of an application and device, respectively;
      
      a Set function; and
      
      a Get function,wherein said one of an application and device and said cryptographic processor communicate by means of said Set and Get functions, whose parameters are cryptographically protected for confidentiality and integrity.
  - 9. A method according to claim 8, wherein said Get function includes at least one of (1) an Index key property ID method that writes a new key and purpose tag into the key register identified by the index, (2) an Output lock property ID method that sets an output lock flag fixing the screen geometry as well as the graphics card output and (3) an L2KeyMgmt property ID method that sets a key renewal frequency for a layer of video memory encryption protection provided by a trusted graphics platform that includes said secure graphics card and cryptographic processor.
  - 10. A method according to claim 8, wherein said Set function includes at least one of (1) an Output ports method that returns a setting of at least one output of the graphics card, (2) an Authentication code method that returns the hash of the contents of a window as per a first layer of protection of a trusted graphics platform that includes said secure graphics card and cryptographic processor, (3) a Secure surface count method that returns the number of secure surfaces supported by the graphics card, (4) an Overlapping surface count method that returns the number of overlapping secure surfaces supported by the graphics card, (5) a Primary type method that provides flexibility for future methodology of the graphics card (6) a Geometry method that returns the width, height, refresh rate and color depth of a primary surface of video memory of the trusted graphics platform, (7) a method that sets at least one of the location and size of a region of protected overly and (8) a method that sets at least one of the location and size of a fraction of a primary surface to be decrypted.
  - 11. A method according to claim 6, wherein said interfacing with an internal interface includes interfacing between the cryptographic processor and said graphics card, whereby, without destroying the graphics card, (1) the cryptographic processor is permanently secured to the graphics card and (2) the connection between the cryptographic processor and the rest of the graphics card is not exposed.
  - 12. A method according to claim 11, wherein one of (1) the cryptographic processor is soldered onto the graphics card and (2) the cryptographic processor resides on the same chip as the GPU.
  - 13. A method according to claim 1, wherein values of purpose parameters include:
    - an L1STREAM key used with a stream cipher utilized in connection with encryption of overlay surfaces; and
      
      an L2BLOCK key used with a block cipher used to decrypt texture blocks, which were written by said one of an application and device.
  - 14. A method according to claim 1, wherein the lifetime of the session key is the running time of the one of an application and device and the lifetime of each key of the plurality of keys is governed by instructions from the one of an application and device.

15. A computing device, comprising:
- one of an application and device; and
  
  a graphics card having at least one GPU and a cryptographic processor communicatively and securely coupled to said at least one GPU,wherein said one of an application and device requests that the graphics card verify that the graphics card is a secure graphics card and whereby in response to said requesting, the cryptographic processor generates a session key and transmits said session key to the one of an application and device wherein the lifetime of the session key is the running time of the one of an application and device and the lifetime of each key of the plurality of keys is governed by instructions from the one of an application and device,wherein the cryptographic processor includes (1) a multi-bit volatile register S for the session key and (2) an array of a plurality of index keys,wherein each of said plurality of index keys (1) is associated with a particular window of a host system that includes said one of an application and device, and (2) is used by the graphics card to decrypt the contents of the window, andwherein each of said plurality of index keys is used only once in accordance with a purpose parameter associated with the index key, wherein when an index key has been filled with a new value, a corresponding former value is irretrievably discarded.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. A computing device according to claim 15, wherein said session key is revealed to the graphics card in connection with a request for resources of the graphics card.
  - 17. A computing device according to claim 15, wherein each cryptographic processor is individualized and certified during manufacture.
  - 18. A computing device according to claim 15, wherein each cryptographic processor includes a unique private decryption key.
  - 19. A computing device according to claim 15, wherein the cryptographic processor is permanently attached to the graphics card, by one of (1) adding the cryptographic processor to an existing chip and (2) adding the cryptographic processor as a separate chip to the graphics card,whereby the physical connection between the cryptographic processor and the rest of the graphics card is not accessible and is not exposed.
  - 20. A computing device according to claim 15, wherein said one of an application and device interfaces with the cryptographic processor via one of (1) an external interface to said one of an application and device and (2) an internal interface to a graphics processing unit (GPU) on the graphics card.
  - 21. A computing device according to claim 20, wherein said one of an application and device interfaces with an external interface using a private key encryption protocol for authentication and key transport, whereby said authentication and key transport includes:
    - encrypting by said one of an application and device the session key with a public key of the cryptographic processor thereby creating a session key cryptoblob;
      
      receiving by the cryptographic processor the session key cryptoblob; and
      
      decrypting by the cryptographic processor the session key cryptoblob with a private key of the cryptographic processor, thus obtaining the session key,whereby said one of an application and device and the cryptographic processor share a secret enabling said one of an application and device to use said session key to send instructions to the cryptographic processor.
  - 22. A computing device according to claim 21, wherein the external interface is exposed through a set of functions by the cryptographic processor, said set including:
    - a Set Session Key function that invokes said receiving, receiving and decrypting, whereby said session key is used to secure all further communication to and from the cryptographic processor from and to said one of an application and device, respectively;
      
      a Set function; and
      
      a Get function,wherein said one of an application and device and said cryptographic processor communicate by means of said Set and Get functions, whose parameters are cryptographically protected for confidentiality and integrity.
  - 23. A computing device according to claim 22, wherein said Get function includes at least one of (1) an Index key property ID method that writes a new key and purpose tag into the key register identified by the index, (2) an Output lock property ID method that sets an output lock flag fixing the screen geometry as well as the graphics card output and (3) an L2KeyMgmt property ID method that sets a key renewal frequency for a layer of video memory encryption protection provided by a trusted graphics platform that includes said secure graphics card and cryptographic processor.
  - 24. A computing device according to claim 22, wherein said Set function includes at least one of (1) an Output ports method that returns a setting of at least one output of the graphics card, (2) an Authentication code method that returns the hash of the contents of a window as per a first layer of protection of a trusted graphics platform that includes said secure graphics card and cryptographic processor, (3) a Secure surface count method that returns the number of secure surfaces supported by the graphics card, (4) an Overlapping surface count method that returns the number of overlapping secure surfaces supported by the graphics card, (5) a Primary type method that provides flexibility for future methodology of the graphics card (6) a Geometry method that returns the width, height, refresh rate and color depth of a primary surface of video memory of the trusted graphics platform, (7) a method that sets at least one of the location and size of a region of protected overlay and (8) a method that sets at least one of the location and size of a fraction of a primary surface to be decrypted.
  - 25. A computing device according to claim 20, wherein said internal interface interfaces between the cryptographic processor and said graphics card, whereby, without destroying the graphics card, (1) the cryptographic processor is permanently secured to the graphics card and (2) the connection between the cryptographic processor and the rest of the graphics card is not exposed.
  - 26. A computing device according to claim 25, wherein one of (1) the cryptographic processor is soldered onto the graphics card and (2) the cryptographic processor resides on the same chip as the GPU.
  - 27. A computing device according to claim 15, wherein values of purpose parameters include:
    - an L1STREAM key used with a stream cipher utilized in connection with encryption of overlay surfaces; and
      
      an L2BLOCK key used with a block cipher used to decrypt texture blocks, which were written by said one of an application and device.
  - 28. A computing device according to claim 15, wherein the lifetime of the session key is the running time of the one of an application and device and the lifetime of each key of the plurality of keys is governed by instructions from the one of an application and device.

29. At least one computer readable medium that is tangible storage medium having stored thereon a plurality of computer-executable instructions, said plurality of computer-executable instructions including:
- means for requesting by one of an application and device of a graphics card to verify that the graphics card is a secure graphics card;
  
  means for generating a session key by a cryptographic processor communicatively and securely coupled to the graphics card in response to requesting by said means for requesting; and
  
  means for transmitting said session key to the one of an application and device,wherein the cryptographic processor includes (1) a multi-bit volatile register S for the session key and (2) an array of a plurality of index keys,wherein each of said plurality of index keys (1) is associated with a particular window of a host system that includes said one of an application and device, and (2) is used by the graphics card to decrypt the contents of the window, andwherein each of said plurality of index keys is used only once in accordance with a purpose parameter associated with the index key, wherein when an index key has been filled with a new value, a corresponding former value is irretrievably discarded.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 30. At least one computer readable medium according to claim 29, further comprising:
    - means for revealing said session key to the graphics card in connection with a request for resources of the graphics card.
  - 31. At least one computer readable medium according to claim 29, wherein each cryptographic processor includes a unique private decryption key and is individualized and certified during manufacture.
  - 32. At least one computer readable medium according to claim 29, wherein the cryptographic processor is permanently attached to the graphics card, by one of (1) adding the cryptographic processor to an existing chip and (2) adding the cryptographic processor as a separate chip to the graphics card,whereby the physical connection between the cryptographic processor and the rest of the graphics card is not accessible and is not exposed.
  - 33. At least one computer readable medium according to claim 29, wherein said means for requesting includes means for interfacing with the cryptographic processor via one of (1) an external interface to said one of an application and device and (2) an internal interface to a graphics processing unit (GPU) on the graphics card.
  - 34. At least one computer readable medium according to claim 33, wherein said means for interfacing with an external interface includes using a private key encryption protocol for authentication and key transport, whereby said authentication and key transport includes:
    - means for encrypting by said one of an application and device the session key with a public key of the cryptographic processor thereby creating a session key cryptoblob;
      
      means for receiving by the cryptographic processor the session key cryptoblob; and
      
      means for decrypting by the cryptographic processor the session key cryptoblob with a private key of the cryptographic processor, thus obtaining the session key,whereby said one of an application and device and the cryptographic processor share a secret enabling said one of an application and device to use said session key to send instructions to the cryptographic processor.
  - 35. At least one computer readable medium according to claim 34, wherein the external interface is exposed through a set of functions by the cryptographic processor, said set including:
    - a Set Session Key function that invokes said means for receiving, means for receiving and means for decrypting, whereby said session key is used to secure all further communication to and from the cryptographic processor from and to said one of an application and device, respectively;
      
      a Set function; and
      
      a Get function,wherein said one of an application and device and said cryptographic processor communicate by means of said Set and Get functions, whose parameters are cryptographically protected for confidentiality and integrity.
  - 36. At least one computer readable medium according to claim 35, wherein said Get function includes at least one of (1) an Index key property ID method that writes a new key and purpose tag into the key register identified by the index, (2) an Output lock property ID method that sets an output lock flag fixing the screen geometry as well as the graphics card output and (3) an L2KeyMgmt property ID method that sets a key renewal frequency for a layer of video memory encryption protection provided by a trusted graphics platform that includes said secure graphics card and cryptographic processor.
  - 37. At least one computer readable medium according to claim 35, wherein said Set function includes at least one of (1) an Output ports method that returns a setting of at least one output of the graphics card, (2) an Authentication code method that returns the hash of the contents of a window as per a first layer of protection of a trusted graphics platform that includes said secure graphics card and cryptographic processor, (3) a Secure surface count method that returns the number of secure surfaces supported by the graphics card, (4) an Overlapping surface count method that returns the number of overlapping secure surfaces supported by the graphics card, (5) a Primary type method that provides flexibility for future methodology of the graphics card (6) a Geometry method that returns the width, height, refresh rate and color depth of a primary surface of video memory of the trusted graphics platform, (7) a method that sets at least one of the location and size of a region of protected overly and (8) a method that sets at least one of the location and size of a fraction of a primary surface to be decrypted.
  - 38. At least one computer readable medium according to claim 33, wherein said interfacing with an internal interface includes interfacing between the cryptographic processor and said graphics card, whereby, without destroying the graphics card, (1) the cryptographic processor is permanently secured to the graphics card and (2) the connection between the cryptographic processor and the rest of the graphics card is not exposed.
  - 39. At least one computer readable medium according to claim 38, wherein one of (1) the cryptographic processor is soldered onto the graphics card and (2) the cryptographic processor resides on the same chip as the GPU.
  - 40. At least one computer readable medium according to claim 29, wherein values of purpose parameters include:
    - an L1STREAM key used with a stream cipher utilized in connection with encryption of overlay surfaces; and
      
      an L2BLOCK key used with a block cipher used to decrypt texture blocks, which were written by said one of an application and device.
  - 41. At least one computer readable medium according to claim 29, wherein the lifetime of the session key is the running time of the one of an application and device and the lifetime of each key of the plurality of keys is governed by instructions from the one of an application and device.

42. An operating system of a computing device, comprising:
- means for requesting by one of an application and device of a graphics card to verify that the graphics card is a secure graphics card;
  
  means for generating a session key by a cryptographic processor communicatively and securely coupled to the graphics card in response to requesting by said means for requesting; and
  
  means for transmitting said session key to the one of an application and device,wherein the cryptographic processor includes (1) a multi-bit volatile register S for the session key and (2) an array of a plurality of index keys,wherein each of said plurality of index keys (1) is associated with a particular window of a host system that includes said one of an application and device, and (2) is used by the graphics card to decrypt the contents of the window, andwherein each of said plurality of index keys is used only once in accordance with a purpose parameter associated with the index key, wherein when an index key has been filled with a new value, a corresponding former value is irretrievably discarded.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 43. An operating system according to claim 42, further comprising:
    - means for revealing said session key to the graphics card in connection with a request for resources of the graphics card.
  - 44. An operating system according to claim 42, wherein each cryptographic processor includes a unique private decryption key and is individualized and certified during manufacture.
  - 45. An operating system according to claim 42, wherein the cryptographic processor is permanently attached to the graphics card, by one of (1) adding the cryptographic processor to an existing chip and (2) adding the cryptographic processor as a separate chip to the graphics card,whereby the physical connection between the cryptographic processor and the rest of the graphics card is not accessible and is not exposed.
  - 46. An operating system according to claim 42, wherein said means for requesting includes means for interfacing with the cryptographic processor via one of (1) an external interface to said one of an application and device and (2) an internal interface to a graphics processing unit (GPU) on the graphics card.
  - 47. An operating system according to claim 46, wherein said means for interfacing with an external interface includes using a private key encryption protocol for authentication and key transport, whereby said authentication and key transport includes:
    - means for encrypting by said one of an application and device the session key with a public key of the cryptographic processor thereby creating a session key cryptoblob;
      
      means for receiving by the cryptographic processor the session key cryptoblob; and
      
      means for decrypting by the cryptographic processor the session key cryptoblob with a private key of the cryptographic processor, thus obtaining the session key,whereby said one of an application and device and the cryptographic processor share a secret enabling said one of an application and device to use said session key to send instructions to the cryptographic processor.
  - 48. An operating system according to claim 47, wherein the external interface is exposed through a set of functions by the cryptographic processor, said set including:
    - a Set Session Key function that invokes said means for receiving, means for receiving and means for decrypting, whereby said session key is used to secure all further communication to and from the cryptographic processor from and to said one of an application and device, respectively;
      
      a Set function; and
      
      a Get function,wherein said one of an application and device and said cryptographic processor communicate by means of said Set and Get functions, whose parameters are cryptographically protected for confidentiality and integrity.
  - 49. An operating system according to claim 48, wherein said Get function includes at least one of (1) an Index key property ID method that writes a new key and purpose tag into the key register identified by the index, (2) an Output lock property ID method that sets an output lock flag fixing the screen geometry as well as the graphics card output and (3) an L2KeyMgmt property ID method that sets a key renewal frequency for a layer of video memory encryption protection provided by a trusted graphics platform that includes said secure graphics card and cryptographic processor.
  - 50. An operating system according to claim 48, wherein said Set function includes at least one of (1) an Output ports method that returns a setting of at least one output of the graphics card, (2) an Authentication code method that returns the hash of the contents of a window as per a first layer of protection of a trusted graphics platform that includes said secure graphics card and cryptographic processor, (3) a Secure surface count method that returns the number of secure surfaces supported by the graphics card, (4) an Overlapping surface count method that returns the number of overlapping secure surfaces supported by the graphics card, (5) a Primary type method that provides flexibility for future methodology of the graphics card (6) a Geometry method that returns the width, height, refresh rate and color depth of a primary surface of video memory of the trusted graphics platform, (7) a method that sets at least one of the location and size of a region of protected overly and (8) a method that sets at least one of the location and size of a fraction of a primary surface to be decrypted.
  - 51. An operating system according to claim 46, wherein said interfacing with an internal interface includes interfacing between the cryptographic processor and said graphics card, whereby, without destroying the graphics card, (1) the cryptographic processor is permanently secured to the graphics card and (2) the connection between the cryptographic processor and the rest of the graphics card is not exposed.
  - 52. An operating system according to claim 51, wherein one of (1) the cryptographic processor is soldered onto the graphics card and (2) the cryptographic processor resides on the same chip as the GPU.
  - 53. An operating system according to claim 42, wherein values of purpose parameters include:
    - an L1STREAM key used with a stream cipher utilized in connection with encryption of overlay surfaces; and
      
      an L2BLOCK key used with a block cipher used to decrypt texture blocks, which were written by said one of an application and device.
  - 54. An operating system according to claim 42, wherein the lifetime of the session key is the running time of the one of an application and device and the lifetime of each key of the plurality of keys is governed by instructions from the one of an application and device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wilt, Nicholas P., England, Paul, Peinado, Marcus
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US10/125,170
Publication Number

US 20030200435A1
Time in Patent Office

2,231 Days
Field of Search

713/176, 713/156, 713168-171, 713189-190, 726/24, 380/2, 380/277, 380/44
US Class Current

713/189
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/606   by securing the transmissio...

Methods and systems for authentication of components in a graphics system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for authentication of components in a graphics system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links