Apparatus and method for distributing private keys to an entity with minimal secret, unique information

US 8,639,915 B2
Filed: 03/30/2010
Issued: 01/28/2014
Est. Priority Date: 02/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

programming a chip secret key into a manufactured chip;

sending the manufactured chip to a system original equipment manufacturer (OEM); and

generating at least one private key for the manufactured chip in response to a received key update request, wherein generating the at least one private key comprises;

generating cipher text including the at least one private key using an initialization vector (IV) by generating a key vector including the at least one private key; and

sending the cipher text to the system OEM including the IV used to form the cipher text; and

authenticating the received key update request, wherein authenticating the received key update request comprises;

verifying a digital signature of the system OEM included within the key update request;

decrypting the key update request to form a decrypted chip ID if the digital signature of the OEM is verified;

verifying that a chip ID of the manufactured chip matches the decrypted chip ID; and

disregarding the received key update request if the decrypted chip ID is not verified.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, a method and apparatus for distributing private keys to an entity with minimal secret, unique information are described. In one embodiment, the method includes the storage of a chip secret key within a manufactured chip. Once the chip secret key is stored or programmed within the chip, the chip is sent to a system original equipment manufacturer (OEM) in order to integrate the chip within a system or device. Subsequently, a private key is generated for the chip by a key distribution facility (KDF) according to a key request received from the system OEM. In one embodiment, the KDF is the chip manufacturer. Other embodiments are described and claimed.

Citations

20 Claims

1. A method comprising:
- programming a chip secret key into a manufactured chip;
  
  sending the manufactured chip to a system original equipment manufacturer (OEM); and
  
  generating at least one private key for the manufactured chip in response to a received key update request, wherein generating the at least one private key comprises;
  
  generating cipher text including the at least one private key using an initialization vector (IV) by generating a key vector including the at least one private key; and
  
  sending the cipher text to the system OEM including the IV used to form the cipher text; and
  
  authenticating the received key update request, wherein authenticating the received key update request comprises;
  
  verifying a digital signature of the system OEM included within the key update request;
  
  decrypting the key update request to form a decrypted chip ID if the digital signature of the OEM is verified;
  
  verifying that a chip ID of the manufactured chip matches the decrypted chip ID; and
  
  disregarding the received key update request if the decrypted chip ID is not verified.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein prior to programming the chip, the method comprises:
    - gathering unique identification (ID) information of the manufactured chip;
      
      encrypting the identification information using a first key to form a chip ID for the manufactured chip; and
      
      encrypting the chip ID using a second key to form a chip secret key.
  - 3. The method of claim 2, wherein the unique identification information includes a wafer serial number of a wafer from which the chip is formed and an X,Y coordinate location of the manufactured chip within the wafer.
  - 4. The method of claim 1, wherein a key size of the chip secret key is less than a key size of an asymmetric crypto-system private key.
  - 5. The method of claim 1, wherein programming the chip secret key comprises:
    - storing the chip secret key within chip fuses of the manufactured chip; and
      
      blowing selected fuses of the manufactured chip to prevent unauthorized access to the chip secret key.
  - 6. The method of claim 1, wherein generating the key vector comprises:
    - encrypting a unique secret value using the chip secret key to form the key vector;
      
      removing all revoked keys from the key vector to form a private key vector; and
      
      encrypting the private key vector, the chip ID and a digital certificate of the private key vector using the chip secret key and an initialization vector to form the cipher text.
  - 7. The method of claim 1, wherein the key update request is issued by the manufactured chip in response to chip initialization.

8. An article of manufacture including a non-transitory machine readable medium having stored thereon instructions which may be used to program a system to perform a method, comprising:
- programming a chip secret key into a manufactured chip;
  
  sending the manufactured chip to a system original equipment manufacturer (OEM); and
  
  generating at least one private key for the manufactured chip in response to a received key update request, wherein the key update request is issued by the manufactured chip in response to chip initialization, and further wherein generating the at least one private key comprises;
  
  generating cipher text including the at least one private key using an initialization vector (IV); and
  
  sending the cipher text to the system OEM including the IV used to form the cipher text; and
  
  authenticating the received key update request, wherein authenticating the received key update request comprises;
  
  verifying a digital signature of the system OEM included within the key update request;
  
  decrypting the key update request to form a decrypted chip ID if the digital signature of the OEM is verified;
  
  verifying that a chip ID of the manufactured chip matches the decrypted chip ID; and
  
  disregarding the received key update request if the decrypted chip ID is not verified.
- View Dependent Claims (9)
- - 9. The article of manufacture of claim 8, wherein prior to programming the chip, the method comprises:
    - gathering unique identification (ID) information of the manufactured chip;
      
      encrypting the identification information using a first key to form a chip ID for the manufactured chip; and
      
      encrypting the chip ID using a second key to form the chip secret key.

10. An article of manufacture including a non-transitory computer readable storage medium having stored thereon instructions which may be used to program a system to perform a method, comprising:
- initializing an integrated chip to generate a key update request using a preprogrammed chip secret key stored within the integrated chip, wherein initializing the integrated chip comprises;
  
  providing random cipher text to the integrated chip;
  
  requesting the integrated chip to generate the key update request, by;
  
  decrypting, by the integrated chip, the random cipher text using the chip secret key to form a random ID, a random key and a random digital certificate; and
  
  encrypting, by the integrated chip, the random ID, the chip secret key and a pad value using a public key of the KDF to form the key update request; and
  
  attaching a digital signature of the random cipher text to the key update request;
  
  transmitting the key update request to a key distribution facility (KDF); and
  
  storing received cipher text including at least one private key from the KDF.
- View Dependent Claims (11, 12)
- - 11. The article of manufacture of claim 10, further comprising:
    - providing, during initial boot, the received cipher text to the integrated chip; and
      
      decrypting, by the integrated chip, the received cipher text using the chip secret key to form a chip ID and the at least one private key; and
      
      authenticating, by the integrated chip, with a content protection application to receive protected content.
  - 12. The article of manufacture of claim 10, wherein the method further comprises:
    - providing the received cipher text to the integrated chip, the cipher text including the at least one private key, a key certificate and a chip ID assigned to the integrated chip in encrypted format using the chip secret key;
      
      requesting the integrated chip to generate a key update request;
      
      encrypting, by the integrated chip, the chip ID, the chip secret key and a random pad value using a public key of the KDF to form a second key update request; and
      
      transmitting the second key update request to the KDF.

13. A method comprising:
- initializing an integrated chip within a system to generate a key update request using a preprogrammed chip secret key stored within the integrated chip, wherein initializing the integrated chip comprises;
  
  providing, during initial boot, random cipher text to the integrated chip;
  
  requesting the integrated chip to generate the key update request; and
  
  decrypting, by the integrated chip, the received cipher text using the chip secret key to form a chip ID and the at least one private key; and
  
  authenticating, by the integrated chip, with a content protection application to receive protected contentattaching a digital signature of the random cipher text to the key update request;
  
  transmitting the key update request to a key distribution facility (KDF); and
  
  storing received cipher text including at least one private key from the KDF.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein requesting the integrated chip further comprises:
    - decrypting, by the integrated chip, the random cipher text using the chip secret key to form a random ID, a random key and a random digital certificate; and
      
      encrypting, by the integrated chip, the random ID, the chip secret key and a pad value using a public key of the KDF to form the key update request.
  - 15. The method of claim 13, wherein storing the received cipher text comprises:
    - receiving an initialization vector (IV) with the received cipher text from the KDF; and
      
      saving the received cipher text and the IV within off-chip persistent storage.
  - 16. The method of claim 13, wherein authenticating further comprises:
    - using, by the integrated chip, a private key digital certificate to authenticate with the content protection application.
  - 17. The method of claim 13, wherein providing further comprises:
    - disabling access to the received cipher text following the initial boot.
  - 18. The method of claim 13, wherein the KDF is a manufacturer of the chip.
  - 19. The method of claim 13, further comprising:
    - providing the received cipher text to the integrated chip, the received cipher text including the at least one private key, a private key digital certificate and a chip ID assigned to the integrated chip in encrypted format using the chip secret key;
      
      requesting the chip to generate a key update request;
      
      encrypting, by the integrated chip, the chip ID, the chip secret key and a pad value using a public key of the KDF to form a second key update request; and
      
      transmitting the second key update request to the KDF.
  - 20. The method of claim 19, wherein the received cipher text includes a key vector including a series of non-unique private keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Graunke, Gary L.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US12/750,128
Publication Number

US 20100183154A1
Time in Patent Office

1,400 Days
Field of Search

713/1, 713/2, 713/194, 726/34, 380/279
US Class Current

713/1
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 9/0827   involving distinctive inter...

H04L 9/0877   using additional device, e....

H04L 9/0891   Revocation or update of sec...

H04L 9/3278   using physically unclonable...

Apparatus and method for distributing private keys to an entity with minimal secret, unique information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for distributing private keys to an entity with minimal secret, unique information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links