System and method for hardware based security

US 8,631,247 B2
Filed: 11/24/2009
Issued: 01/14/2014
Est. Priority Date: 11/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method of programming features on a device, the method comprising:

providing a hardware module on said device, said hardware module comprising non volatile memory (NVM) for storing feature activation information, at least a portion of said NVM being protected, and a cryptographic controller for performing cryptographic operations;

said hardware module receiving a first command for establishing a secure session with an agent connected to said hardware module;

said hardware module generating one or more public keys using said cryptographic controller, and providing said one or more public keys to said agent to enable said agent to provide said public keys to an appliance to generate a shared secret key;

said hardware module obtaining an encrypted set of features from said agent;

said hardware module using said shared secret to decrypt said set of features; and

said hardware module programming one or more features on said NVM of said device according to said set of features.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An asset management system is provided, which includes a hardware module operating as an asset control core. The asset control core generally includes a small hardware core embedded in a target system on chip that establishes a hardware-based point of trust on the silicon die. The asset control core can be used as a root of trust on a consumer device by having features that make it difficult to tamper with. The asset control core is able to generate a unique identifier for one device and participate in the tracking and provisioning of the device through a secure communication channel with an appliance. The appliance generally includes a secure module that caches and distributes provisioning data to one of many agents that connect to the asset control core, e.g. on a manufacturing line or in an after-market programming session.

120 Citations

18 Claims

1. A method of programming features on a device, the method comprising:
- providing a hardware module on said device, said hardware module comprising non volatile memory (NVM) for storing feature activation information, at least a portion of said NVM being protected, and a cryptographic controller for performing cryptographic operations;
  
  said hardware module receiving a first command for establishing a secure session with an agent connected to said hardware module;
  
  said hardware module generating one or more public keys using said cryptographic controller, and providing said one or more public keys to said agent to enable said agent to provide said public keys to an appliance to generate a shared secret key;
  
  said hardware module obtaining an encrypted set of features from said agent;
  
  said hardware module using said shared secret to decrypt said set of features; and
  
  said hardware module programming one or more features on said NVM of said device according to said set of features.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1 wherein said shared secret key is generated using Elliptic Curve Menezes-Qu-Vanstone protocol.
  - 3. The method according to claim 1 wherein said NVM comprises a test state for allowing tests to be run on said hardware module, an initialization state for generating a static key and a unique identifier, and a functional state for participating in said secure session.
  - 4. The method according to claim 3 wherein upon detecting a predetermined number of illegal commands, said hardware module transitions into a locked-out state to protect further access to said NVM.
  - 5. The method according to claim 1 wherein said hardware module is incorporated into a wafer, chip, printed circuit board or electronic device.

6. A non-transitory computer readable medium comprising computer executable instructions that include instructions for performing operations comprising:
- providing a hardware module on said device, said hardware module comprising non volatile memory (NVM) for storing feature activation information, at least a portion of said NVM being protected, and a cryptographic controller for performing cryptographic operations;
  
  said hardware module receiving a first command for establishing a secure session with an agent connected to said hardware module;
  
  said hardware module generating one or more public keys using said cryptographic controller, and providing said one or more public keys to said agent to enable said agent to provide said public keys to an appliance to generate a shared secret key;
  
  said hardware module obtaining an encrypted set of features from said agent;
  
  said hardware module using said shared secret to decrypt said set of features; and
  
  said hardware module programming one or more features on said NVM of said device according to said set of features.

7. A method of programming features on a device, the method comprising:
- providing a connection to a hardware module on said device through an agent in communication with said hardware module, said hardware module comprising non volatile memory for storing feature activation information;
  
  obtaining from said agent, one or more public keys generated by said hardware module using a cryptographic controller;
  
  using said one or more public keys to generate a shared secret key;
  
  using said shared secret key to encrypt a set of features;
  
  providing an encrypted set of features to said hardware module through said agent; and
  
  metering a credit pool indicative of a quantity of hardware modules to be programmed.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method according to claim 7 wherein said shared secret key is generated using Elliptic Curve Menezes-Qu-Vanstone protocol.
  - 9. The method according to claim 7 wherein said shared secret and said metering are performed with a hardware security module.
  - 10. The method according to claim 7 further comprising logging an event pertaining to said metering of said credit pool.
  - 11. The method according to claim 10 further comprising obtaining one or more logs from said agent and upon receiving a request from a controller, providing said logs from said agent and logs generated for said metering to said controller.

12. A non-transitory computer readable medium comprising computer executable instructions that include instructions for performing operations comprising:
- providing a connection to a hardware module on said device through an agent in communication with said hardware module, said hardware module comprising non volatile memory for storing feature activation information;
  
  obtaining from said agent, one or more public keys generated by said hardware module using a cryptographic controller;
  
  using said one or more public keys to generate a shared secret key;
  
  using said shared secret key to encrypt a set of features;
  
  providing an encrypted set of features to said hardware module through said agent; and
  
  metering a credit pool indicative of a quantity of hardware modules to be programmed.

13. A server appliance comprising a processor, memory, and a connection to an agent, said server appliance being configured to perform operations comprising:
- providing a connection to a hardware module on said device through an agent in communication with said hardware module, said hardware module comprising non volatile memory for storing feature activation information;
  
  obtaining from said agent, one or more public keys generated by said hardware module using a cryptographic controller;
  
  using said one or more public keys to generate a shared secret key;
  
  using said shared secret key to encrypt a set of features;
  
  providing an encrypted set of features to said hardware module through said agent; and
  
  metering a credit pool indicative of a quantity of hardware modules to be programmed.

14. A method of programming features on a device, the method comprising:
- providing a first connection to a hardware module on said device and a second connection to an appliance, said appliance comprising sets of features to be programmed on said device, said hardware module comprising non volatile memory for storing feature activation information;
  
  sending a command to said hardware module to initiate a secure session therewith;
  
  obtaining, from said hardware module, one or more public keys generated by said hardware module;
  
  providing said public keys to said appliance;
  
  obtaining, from said appliance, an encrypted set of features;
  
  providing said encrypted set of features by establishing a feature programming session with said hardware module; and
  
  obtaining a response from said hardware module pertaining to application of said set of features.
- View Dependent Claims (15, 16, 17)
- - 15. The method according to claim 14 wherein said shared secret key is generated using Elliptic Curve Menezes-Qu-Vanstone protocol.
  - 16. The method according to claim 14, wherein said method is performed by an agent comprising a software library.
  - 17. The method according to claim 14 further comprising generating a log upon delivery of said encrypted set of features, and providing said log to said appliance.

18. A non-transitory computer readable medium comprising computer executable instructions that include instructions for performing operations comprising:
- providing a first connection to a hardware module on said device and a second connection to an appliance, said appliance comprising sets of features to be programmed on said device, said hardware module comprising non volatile memory for storing feature activation information;
  
  sending a command to said hardware module to initiate a secure session therewith;
  
  obtaining, from said hardware module, one or more public keys generated by said hardware module;
  
  providing said public keys to said appliance;
  
  obtaining, from said appliance, an encrypted set of features;
  
  providing said encrypted set of features by establishing a feature programming session with said hardware module; and
  
  obtaining a response from said hardware module pertaining to application of said set of features.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Certicom Corporation (Blackberry Limited)
Inventors
O'Loughlin, Daniel, Smith, Keelan, Fuller, Jay Scott, Ku, Joseph, Lattin, William, Struik, Marinus, Poeluev, Yuri, Campagna, Matthew J., Stiemerling, Thomas
Primary Examiner(s)
Chai, Longbit

Application Number

US13/131,019
Publication Number

US 20120102334A1
Time in Patent Office

1,512 Days
Field of Search

713/189
US Class Current

713/189
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/123   by using dedicated hardware...

G06F 21/57   Certifying or maintaining t...

G06F 21/606   by securing the transmissio...

G06F 21/72   in cryptographic circuits

G06F 21/73   by creating or determining ...

G06F 21/76   in application-specific int...

G06F 21/80   in storage media based on m...

G06F 2212/1052   Security improvement

G06F 2221/2101   Auditing as a secondary aspect

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0877   using additional device, e....

H04L 9/3066   involving algebraic varieti...

H04L 9/3252   using DSA or related signat...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

System and method for hardware based security

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for hardware based security

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links