Methods and apparatus for accelerating secure session processing

US 7,600,122 B2
Filed: 11/06/2006
Issued: 10/06/2009
Est. Priority Date: 05/31/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for establishing a secure communications channel between a first entity and a second entity, comprising:

(a) receiving a first message from the first entity, wherein the first message includes a first set of security parameters;

(b) transmitting a second message to the first entity, wherein the second message includes a second set of security parameters;

(c) receiving a negotiation key from the first entity in response to the second message;

(d) issuing a function call to a cryptographic processing module, wherein the function call includes the first set of security parameters, the second set of security parameters, and the negotiation key, wherein the function call causes the cryptographic processing module to generate a master key and a set of server session keys;

(e) receiving the set of server session keys from the cryptographic processing module; and

(f) engaging in secure communications with the first entity using the server session keys.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for an entity such as a CPU to efficiently call a cryptography accelerator to perform cryptographic operations. A function call causes the cryptography accelerator to execute multiple cryptographic operations in a manner tailored for specific processing steps, such as steps during a handshake phase of a secured session. The techniques provide efficient use of hardware processing resources, data interfaces, and memory interfaces.

Citations

19 Claims

1. A method for establishing a secure communications channel between a first entity and a second entity, comprising:
- (a) receiving a first message from the first entity, wherein the first message includes a first set of security parameters;
  
  (b) transmitting a second message to the first entity, wherein the second message includes a second set of security parameters;
  
  (c) receiving a negotiation key from the first entity in response to the second message;
  
  (d) issuing a function call to a cryptographic processing module, wherein the function call includes the first set of security parameters, the second set of security parameters, and the negotiation key, wherein the function call causes the cryptographic processing module to generate a master key and a set of server session keys;
  
  (e) receiving the set of server session keys from the cryptographic processing module; and
  
  (f) engaging in secure communications with the first entity using the server session keys.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - maintaining the master key within the cryptographic processing module.
  - 3. The method of claim 1, further comprising, prior to step (f):
    - receiving a verification message from the first entity, wherein the verification message includes a client authentication parameter;
      
      issuing a second function call to the cryptographic processing module, wherein the second function call causes the cryptographic processing module to generate a server authentication parameter; and
      
      comparing the client authentication parameter to the server authentication parameter to determine whether the key negotiation process of steps (a) through (e) was successful.
  - 4. The method of claim 3, wherein the client authentication parameter includes a cryptographic hash of a set of client session keys.
  - 5. The method of claim 3, wherein the server authentication parameter includes a cryptographic hash of the set of server session keys.
  - 6. The method of claim 1, further comprising, prior to step (f):
    - issuing a second function call to the cryptographic processing module, wherein the second function call causes the cryptographic processing module to generate a server authentication parameter; and
      
      transmitting the server authentication parameter to the first entity for authentication.

7. A method for establishing a secure communications channel between a first entity and a second entity, comprising:
- (a) transmitting a first message to the second entity, wherein the first message includes a first set of security parameters;
  
  (b) receiving a second message from the second entity, wherein the second message includes a second set of security parameters;
  
  (c) generating a negotiation key using at least a portion of the second set of security parameters;
  
  (d) transmitting the negotiation key from the first entity in response to the second message;
  
  (e) issuing a function call to a cryptographic processing module, the function call including the first set of security parameters, the second set of security parameters, and the negotiation key, wherein the function call causes the cryptographic processing module to generate a master key and a set of client session keys;
  
  (f) receiving the set of client session keys from the cryptographic processing module; and
  
  (g) engaging in secure communications with the second entity using the client session keys.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising:
    - maintaining the master key within the cryptographic processing module.
  - 9. The method of claim 7, further comprising, prior to step (g):
    - issuing a second function call to the cryptographic processing module, wherein the second function call causes the cryptographic processing module to generate a client authentication parameter; and
      
      transmitting the client authentication parameter to the second entity for authentication.
  - 10. The method of claim 7, further comprising, prior to step (g):
    - receiving a verification message from the second entity, wherein the verification message includes a server authentication parameter;
      
      issuing a second function call to the cryptographic processing module, wherein the second function call causes the cryptographic processing module to generate a client authentication parameter; and
      
      comparing the client authentication parameter to the server authentication parameter to determine whether the key negotiation process of steps (a) through (f) was successful.
  - 11. The method of claim 10, wherein the client authentication parameter includes a cryptographic hash of the set of client session keys.
  - 12. The method of claim 10, wherein the server authentication parameter includes a cryptographic hash of a set of server session keys.

13. A system for establishing a security communications channel with an entity, comprising:
- a cryptographic processing module configured to generate a master key and a set of session keys in response to receipt of a key generation function call; and
  
  a central processing unit coupled to the cryptographic processing module, wherein the central processing unit is configured to;
  
  receive a set of messages from the entity, wherein the set of messages includes a set of security parameters, andissue the key generation function call to the cryptographic processing module.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the central processing unit is further configured to receive a negotiation key from the entity.
  - 15. The system of claim 13, wherein the central processing unit is further configured to generate a negotiation key.
  - 16. The system of claim 13, wherein issuing the key generation function call includes the set of security parameters and a negotiation key.
  - 17. The system of claim 13, wherein the central processing unit is further configured to issue a verification function call to the cryptographic processing module and to transmit a verification message to the entity;
    - andwherein the cryptographic processing module is further configured to generate an authentication parameter.
  - 18. The system of claim 13, wherein the central processing unit is further configured to receive a verification message from the entity, wherein the verification message includes a client authentication parameter, issue a verification function call to the cryptographic processing module, and perform authentication processing;
    - andwherein the cryptographic processing module is further configured to generate an authentication parameter in response to the verification function call.
  - 19. The system of claim 13, wherein the central processing unit is further configured to issue a verification function call to the cryptographic processing module and to transmit a verification message to the entity;
    - andwherein the cryptographic processing module is further configured to generate an authentication parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies General IP PTE Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Matthews, Don, Luo, Jianjun, Qi, Zheng, Buer, Mark, Tardo, Joseph, Squires, Ronald
Primary Examiner(s)
PEESO, THOMAS R

Application Number

US11/593,102
Publication Number

US 20070055875A1
Time in Patent Office

1,065 Days
Field of Search

713/171, 713/181, 713/182, 713/185
US Class Current

713/171
CPC Class Codes

H04L 9/0838 Key agreement, i.e. key est...

Methods and apparatus for accelerating secure session processing

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for accelerating secure session processing

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links