Information processing apparatus, method and computer-readable storage medium that encrypts and decrypts data using a value calculated from operating-state data

US 8,438,377 B2
Filed: 04/08/2010
Issued: 05/07/2013
Est. Priority Date: 04/17/2009
Status: Active Grant

First Claim

Patent Images

1. An information processing apparatus comprising:

a storage unit that retains contents stored therein;

a control unit that performs hibernation of generating operating-state data that indicates an operating state of the information processing apparatus when the information processing apparatus is powered off to store the operating-state data in the storage unit, and reading the operating-state data from the storage unit to restore the information processing apparatus to the operating state when the information processing apparatus is powered on;

a security chip that encrypts data based on a value calculated from the generated operating-state data when the information processing apparatus is powered off, and decrypts the encrypted data based on a value calculated from the read operating-state data when the information processing apparatus is powered on; and

a verification unit that performs verification at boot-up from the hibernation by determining whether to permit decryption of the data based on the value calculated from the read operating-state data when the information processing apparatus is powered on.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information processing apparatus includes a main memory unit storing while on-power; an auxiliary storage unit functionable even off-power; a control unit performing hibernation of generating operating-state data indicating a state when the power is lost, storing the data in the auxiliary storage unit, and, when restored, reading the data from the auxiliary storage unit; and a security chip that including a configuration register, encrypts data, and storing the data in the auxiliary storage unit. The control unit includes: a first registration unit performing, when the data is generated, calculation based thereon to obtain a calculated value; a second registration unit performing, when the data is read from the auxiliary storage unit at the hibernation, calculation based on the data to obtain a calculated value to write it into the configuration register; and a verification unit performing verification at boot-up from the hibernation based on the value written.

22 Citations

View as Search Results

12 Claims

1. An information processing apparatus comprising:
- a storage unit that retains contents stored therein;
  
  a control unit that performs hibernation of generating operating-state data that indicates an operating state of the information processing apparatus when the information processing apparatus is powered off to store the operating-state data in the storage unit, and reading the operating-state data from the storage unit to restore the information processing apparatus to the operating state when the information processing apparatus is powered on;
  
  a security chip that encrypts data based on a value calculated from the generated operating-state data when the information processing apparatus is powered off, and decrypts the encrypted data based on a value calculated from the read operating-state data when the information processing apparatus is powered on; and
  
  a verification unit that performs verification at boot-up from the hibernation by determining whether to permit decryption of the data based on the value calculated from the read operating-state data when the information processing apparatus is powered on.
- View Dependent Claims (2, 3, 4)
- - 2. The information processing apparatus according to claim 1, further comprisinga first registration unit that performs calculation of the value from the generated operation-state data and registers the value to a configuration register of the security chip;
    - anda second registration unit that performs calculation of the value from the read operation-state data and registers the value to the configuration register of the security chip, whereinthe security chip generates a blob encrypting the data based on the value registered by the first registration unit when the information processing apparatus is powered off, and decrypts the encrypted data from the blob when the value registered by the second registration unit when the information processing apparatus is powered off corresponds with the value used in the generation of the blob.
  - 3. The information processing apparatus according to claim 1, wherein the security chip encrypts data based on a set of values previously calculated from the respective software programs needed for an operation of the information processing apparatus, and decrypts the encrypted data based on a set of values calculated from the respective software programs at normal boot-up, andthe verification unit performs verification at normal boot-up by determining whether to permit decryption of the data based on the set of values calculated from the respective software programs at normal boot-up.
  - 4. The information processing apparatus according to claim 3, further comprising:
    - a third registration unit that performs calculation of the set of values from the respective software programs in advance and registers the set of values to configuration registers of the security chip;
      
      a fourth registration unit that performs calculation of the set of values from the respective software programs and registers the set of values to the configuration registers of the security chip, whereinthe security chip generates a blob encrypting the data based on the set of values registered by the third registration unit, and decrypts the data from the blob when the set of values registered by the fourth registration unit at normal boot-up corresponds with the set of values used in the generation of the blob.

5. A verification method that is performed in an information processing apparatus that includesa storage unit that retains contents stored therein;
- a control unit that performs hibernation ofgenerating operating-state data that indicates an operating state of the information processing apparatus when the information processing apparatus is powered off to store the operating-state data in the auxiliary storage unit, andreading the operating-state data from the storage unit to restore the information processing apparatus into the operating state when the information processing apparatus is powered on; and
  
  a security chip,the verification method comprising;
  
  encrypting, by the security chip, data based on a value calculated from the generated operating-state data when the information processing apparatus is powered off;
  
  verifying, which is performed by the control unit, a boot-up from the hibernation by determining whether to permit decryption of the data based on a value calculated from the read operating-state data when the information processing apparatus is powered on; and
  
  decrypting, by the security chip based on the determination in the verifying, the encrypted data based on the value calculated from the read operating-state data when the information processing apparatus is powered on.
- View Dependent Claims (7, 8, 9)
- - 7. The verification method according to claim 5, further comprising:
    - performing, at a first registration unit, calculation of the value from the generated operation-state data and registering, at the first generation unit, the value to a configuration register of the security chip;
      
      performing, at a second registration unit, calculation of the value from the read operation-state data and registering, at the second registration unit, the value to the configuration register of the security chip;
      
      generating, by the security chip, a blob encrypting the data based on the value registered by the first registration unit when the information processing apparatus is powered off; and
      
      decrypting, by the security chip, the encrypted data from the blob when the value registered by the second registration unit when the information processing apparatus is powered off corresponds with the value used in the generation of the blob.
  - 8. The verification method according to claim 5, further comprising:
    - encrypting, by the security chip, data based on a set of values previously calculated from the respective software programs needed for an operation of the information processing apparatus;
      
      performing verification at normal boot-up by determining whether to permit decryption of the data based on a set of values calculated from the respective software programs at normal boot-up; and
      
      decrypting, based on the determination in the performing verification, the encrypted data based on the set of values calculated from the respective software programs at normal boot-up.
  - 9. The verification method according to claim 8, further comprising:
    - performing, at a third registration unit, calculation of the set of values from the respective software programs in advance and registering, at the third registration unit, the set of values to configuration registers of the security chip;
      
      performing, at a fourth registration unit, calculation of the set of values from the respective software programs and registering, at the fourth registration unit, the set of values to the configuration registers of the security chip;
      
      generating, by the security chip, a blob encrypting the data based on the set of values registered by the third registration unit; and
      
      decrypting, by the security chip, the data from the blob when the set of values registered by the fourth registration unit at normal boot-up corresponds with the set of values used in the generation of the blob.

6. A non-transitory computer-readable storage medium including computer executable instructions, wherein the instructions, when executed by a computer, cause the computer to perform a method for processing information in an information processing apparatus that includesa storage unit that retains contents stored therein;
- a control unit that performs hibernation ofgenerating operating-state data that indicates an operating state of the information processing apparatus when the information processing apparatus is powered off to store the operating-state data in the storage unit, andreading the operating-state data from the storage unit to restore the information processing apparatus into the operating state when the information processing apparatus is powered on; and
  
  a security chip,the method comprising;
  
  encrypting data based on a value calculated from the generated operating-state data when the information processing apparatus is powered off;
  
  verifying, which is performed by the control unit, a boot-up from the hibernation by determining whether to permit decryption of the data based on a value calculated from the read operating-state data when the information processing apparatus is powered on; and
  
  decrypting, based on the determination in the verifying, the encrypted data based on the value calculated from the read operating-state data when the information processing apparatus is powered on.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory computer-readable storage medium according to claim 6, further comprising:
    - performing, at a first registration unit, calculation of the value from the generated operation-state data and registering, at the first generation unit, the value to a configuration register of the security chip;
      
      performing, at a second registration unit, calculation of the value from the read operation-state data and registering, at the second registration unit, the value to the configuration register of the security chip;
      
      generating, by the security chip, a blob encrypting the data based on the value registered by the first registration unit when the information processing apparatus is powered off; and
      
      decrypting, by the security chip, the encrypted data from the blob when the value registered by the second registration unit when the information processing apparatus is powered off corresponds with the value used in the generation of the blob.
  - 11. The non-transitory computer-readable storage medium according to claim 6, further comprising:
    - encrypting, by the security chip, data based on a set of values previously calculated from the respective software programs needed for an operation of the information processing apparatus;
      
      performing verification at normal boot-up by determining whether to permit decryption of the data based on a set of values calculated from the respective software programs at normal boot-up; and
      
      decrypting, based on the determination in the performing verification, the encrypted data based on the set of values calculated from the respective software programs at normal boot-up.
  - 12. The non-transitory computer-readable storage medium according to claim 11, further comprising:
    - performing, at a third registration unit, calculation of the set of values from the respective software programs in advance and registering, at the third registration unit, the set of values to configuration registers of the security chip;
      
      performing, at a fourth registration unit, calculation of the set of values from the respective software programs and registering, at the fourth registration unit, the set of values to the configuration registers of the security chip;
      
      generating, by the security chip, a blob encrypting the data based on the set of values registered by the third registration unit; and
      
      decrypting, by the security chip, the data from the blob when the set of values registered by the fourth registration unit at normal boot-up corresponds with the set of values used in the generation of the blob.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ricoh Company Limited
Original Assignee
Ricoh Company Limited
Inventors
Senda, Shigeya
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US12/756,483
Publication Number

US 20100268967A1
Time in Patent Office

1,125 Days
Field of Search

713/187
US Class Current

713/2
CPC Class Codes

G06F 21/575 Secure boot

Information processing apparatus, method and computer-readable storage medium that encrypts and decrypts data using a value calculated from operating-state data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Information processing apparatus, method and computer-readable storage medium that encrypts and decrypts data using a value calculated from operating-state data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links