Method and apparatus for authenticated, recoverable key distribution with no database secrets
Abstract
A method and apparatus for authenticated recoverable key distribution are described. In one embodiment, an application key is provided to an integrated chip platform. In one embodiment, the integrated chip platform encrypts the application key with a Key Encryption Key, which is stored within the persistent memory on the platform, and outputs a ChipID and the encrypted application key to enable recovery. In one embodiment, the platform can provide the ChipID to a recovery database to replace a lost encrypted application key. In one embodiment, the ChipID is the public key of a public/private key pair, and the application key is provided to the integrated chip platform by encrypting it using this public key. In one embodiment, the ChipID and the Key Encryption Key are derived from a secret random number programmed into the integrated chip. Other embodiments are described and claimed.
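The wrap-and-recover flow from the abstract, as an added example that is not part of the patent text: the ChipID and the Key Encryption Key both come from one fuse secret, so the recovery database holds only the ChipID and the wrapped key. The HMAC-SHA256 derivation, the HMAC-based stand-in cipher and the names `Chip`, `kdf` and `recovery_db` are assumptions; encrypted delivery of the application key to the chip is not modeled.

```python
import hashlib, hmac, secrets

def kdf(secret, label):
    # Domain-separated derivation (assumed; the page names no specific KDF).
    return hmac.new(secret, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stdlib-only keystream standing in for a real cipher such as AES.
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def wrap(kek, key):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kdf(kek, b"enc"), nonce, len(key))))
    return nonce + ct + hmac.new(kdf(kek, b"mac"), nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(kdf(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("blob was not wrapped under this chip's key")
    return bytes(a ^ b for a, b in zip(ct, _stream(kdf(kek, b"enc"), nonce, len(ct))))

class Chip:
    def __init__(self, fuse_secret):
        self._kek = kdf(fuse_secret, b"kek")               # stays inside the chip
        self.chip_id = kdf(fuse_secret, b"chip-id").hex()  # safe to disclose
        self.flash = None                                  # persistent memory

    def provision(self, app_key):
        # Wrap the assigned key, store it, and output (ChipID, blob) for recovery.
        self.flash = wrap(self._kek, app_key)
        return self.chip_id, self.flash

    def app_key(self):
        return unwrap(self._kek, self.flash)

def demo():
    chip, app_key = Chip(secrets.token_bytes(32)), secrets.token_bytes(16)
    recovery_db = dict([chip.provision(app_key)])  # ChipID -> wrapped key only
    chip.flash = None                              # flash contents lost
    chip.flash = recovery_db[chip.chip_id]         # reprovisioned by ChipID
    other = Chip(secrets.token_bytes(32))          # a different chip gets the blob
    other.flash = recovery_db[chip.chip_id]
    try:
        other.app_key()
        foreign_rejected = False
    except ValueError:
        foreign_rejected = True
    return chip.app_key() == app_key, foreign_rejected
```

`demo()` returns `(True, True)`: the original chip recovers its key from the database entry, and a chip with a different fuse secret cannot unwrap the same entry.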
26 Claims
1. A method comprising:
- issuing, by a chip, a key request including a chip identification (ID), the chip ID generated according to a secret random number programmed into the chip prior to integration of the chip within a platform to form an integrated chip platform, the chip ID previously sent from the integrated chip platform in response to a determining that no encrypted application key is present on the integrated chip platform and that sending the chip ID is a first application-specific operation since a power-up of the integrated chip platform;
- decrypting cipher text received in response to the issued key request to access an application key assigned to the integrated chip platform;
- storing an encrypted application key within persistent memory of the integrated chip platform, the assigned application key encrypted, by the chip, to form the encrypted application key according to a chip secret key derived from the secret random number programmed into the chip; and
- outputting the encrypted application key to enable recovery of the encrypted application key in response to a key reprovisioning request, from the chip, that is authenticated according to the chip ID.
Dependent claims: 2, 3, 4, 5
6. A method comprising:
- generating a secret session key according to a chip identification (ID) that is received with a key provisioning request received from an integrated chip platform, wherein the key provisioning request is authenticated according to the chip ID, wherein the chip ID is received in response to a determining that no encrypted application key is present on the integrated chip platform and that sending the chip ID is a first application-specific operation since a power-up of the integrated chip platform;
- generating, according to the secret session key, cipher text including an application key assigned to the integrated chip platform according to the authenticated key provisioning request;
- transmitting, to the integrated chip platform, the cipher text including the assigned application key; and
- storing an encrypted application key, indexed by the chip ID, to enable recovery of the encrypted application key in response to a key reprovisioning request, from the chip, that is authenticated according to a chip ID, wherein the assigned application key is encrypted, by the chip, to form the encrypted application key according to a chip secret key derived from the secret random number programmed into the integrated chip platform.
Dependent claims: 7, 8, 9, 10
11. An article of manufacture including a non-transitory machine accessible storage medium having stored thereon data which, when accessed, results in the machine performing operations comprising:
- with a manufactured chip of an integrated chip platform, sending a chip identification (ID) from the integrated chip platform in response to a determining that no encrypted application key is present on the integrated chip platform and that sending the chip ID is a first application-specific operation since a power-up of the integrated chip platform, the chip ID generated according to a secret random number programmed into the manufactured chip prior to integration of the chip within a platform to form the integrated chip platform;
- after the sending the chip ID, transmitting from the integrated chip platform to an original design manufacturer (ODM) a key request including the chip ID;
- decrypting, according to a key encryption key, cipher text received in response to the issued key request to access an application key assigned to the integrated chip platform by the ODM;
- encrypting, by the manufactured chip, the assigned application key to form an encrypted application key according to a chip secret key derived from the secret random number programmed into the integrated chip platform;
- storing the encrypted application key within persistent memory of the integrated chip platform; and
- outputting the encrypted application key to enable recovery of the encrypted application key in response to a key reprovisioning request, from the manufactured chip, that is authenticated according to the chip ID.
Dependent claims: 12, 13
14. An integrated chip platform comprising:
- key generation logic including secret key logic to derive a chip secret key from a secret random number programmed into the chip prior to integration of the chip within a platform to form the integrated chip platform, and key request logic to decrypt cipher text, received in response to an issued key request, to access an application key assigned to the integrated chip platform and to store an encrypted application key within persistent memory of the integrated chip platform, the assigned application key encrypted to form the encrypted application key according to the chip secret key, the key generation logic to output the encrypted application key to enable recovery of the encrypted application key in response to a key reprovisioning request, from the integrated chip platform, that is authenticated according to a chip identification (ID);
- chip identification logic to send the chip ID from the integrated chip platform in response to a determining that no encrypted application key is present on the integrated chip platform and that sending the chip ID is a first application-specific operation since a power-up of the integrated chip platform, the chip ID generated according to the chip secret key, the chip identification logic further to output the chip ID within the issued key request; and
- at least one key register to store the chip secret key, wherein the issued key request is authenticated according to the chip ID.
Dependent claims: 15, 16, 17, 18
19. A system comprising:
- a flash memory;
- a graphics controller coupled to the flash memory including key logic, the key logic including secret key logic to derive a chip secret key from a secret random number programmed into a graphics controller chip prior to integration of the chip within the system, and key request logic to decrypt cipher text, received in response to an issued key request, to access an application key assigned to the integrated chip platform and to store an encrypted application key within the flash memory, the assigned application key encrypted to form the encrypted application key according to the chip secret key, the key logic to output the encrypted application key to enable recovery of the encrypted application key in response to a key reprovisioning request, from the graphics controller chip, that is authenticated according to a chip identification (ID);
- chip identification logic to send the chip ID from the integrated chip platform in response to a determining that no encrypted application key is present on the integrated chip platform and that sending the chip ID is a first application-specific operation since a power-up of the integrated chip platform, the chip ID generated according to the chip secret key, the chip identification logic further to output the chip ID within the issued key request; and
- at least one key register to store the chip secret key.
Dependent claims: 20, 21
22. A method comprising:
- receiving from an integrated chip platform a chip identification (ID) generated in response to a determining that no encrypted application key is present on the integrated chip platform and that sending the chip ID is a first application-specific operation since a power-up of the integrated chip platform;
- obtaining an application key from a key generation facility as an assigned application key for the integrated chip platform in response to a key request issued by a manufactured chip of the integrated chip platform, the key request including the chip ID;
- directing a manufactured chip of the integrated chip platform to encrypt the assigned application key according to a chip secret key derived from a secret random number programmed into the manufactured chip prior to integration of the manufactured chip within a platform to form the integrated chip platform; and
- storing an encrypted application key within persistent memory of the integrated chip platform; and
- storing an encrypted application key, indexed by the chip ID, to enable recovery of the encrypted application key in response to a key reprovisioning request, from the manufactured chip, that is authenticated according to the chip ID.
Dependent claims: 23, 24, 25, 26
Specification