Securely upgrading or downgrading platform components

US 8,667,270 B2
Filed: 02/10/2012
Issued: 03/04/2014
Est. Priority Date: 02/10/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method for securely altering a platform component, comprising:

generating, by an upgrade manager associated with a device, encryption and digital signature key pairs for the device, wherein the device comprises the platform component;

obtaining public encryption and signature verification keys for a provisioning server from a certification authority;

mutually authenticating the device and the provisioning server using the public encryption and signature verification keys for the provisioning server and the device, wherein the provisioning server generates a registration identification associated with the device;

assigning, by the certification authority, certificates for public encryption and signature verification keys for the device;

assigning, by the certification authority, certificates for public encryption and signature verification keys for an upgrade server, wherein the upgrade server comprises an alteration for the platform component;

sending an alteration request from the upgrade manager to the upgrade server, causing the upgrade server to obtain assigned certificates for public encryption and signature verification keys for the upgrade manager from the certification authority, wherein the alteration request comprises the registration identification associated with the device;

mutually authenticating the device and the upgrade server based on the assigned certificates and the registration identification associated with the device;

causing the device and the upgrade server to exchange a session key during the mutual authenticating; and

providing the alteration from the upgrade server to the device using the session key exchanged during the mutual authenticating.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for securely altering a platform component is provided, comprising: assigning certificates for public encryption and signature verification keys for the device; assigning certificates for public encryption and signature verification keys for an upgrade server; mutually authenticating a device containing the platform component and the upgrade server; causing the device and the upgrade server to exchange a session key; and providing an alteration to be made to the platform component from the upgrade server to the device using the session key.

Citations

24 Claims

1. A method for securely altering a platform component, comprising:
- generating, by an upgrade manager associated with a device, encryption and digital signature key pairs for the device, wherein the device comprises the platform component;
  
  obtaining public encryption and signature verification keys for a provisioning server from a certification authority;
  
  mutually authenticating the device and the provisioning server using the public encryption and signature verification keys for the provisioning server and the device, wherein the provisioning server generates a registration identification associated with the device;
  
  assigning, by the certification authority, certificates for public encryption and signature verification keys for the device;
  
  assigning, by the certification authority, certificates for public encryption and signature verification keys for an upgrade server, wherein the upgrade server comprises an alteration for the platform component;
  
  sending an alteration request from the upgrade manager to the upgrade server, causing the upgrade server to obtain assigned certificates for public encryption and signature verification keys for the upgrade manager from the certification authority, wherein the alteration request comprises the registration identification associated with the device;
  
  mutually authenticating the device and the upgrade server based on the assigned certificates and the registration identification associated with the device;
  
  causing the device and the upgrade server to exchange a session key during the mutual authenticating; and
  
  providing the alteration from the upgrade server to the device using the session key exchanged during the mutual authenticating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the alteration is an upgrade.
  - 3. The method of claim 1, wherein the alteration is a downgrade.
  - 4. The method of claim 1, wherein:
    - the alteration is downloaded to a secure partition of the device, wherein the alteration is decrypted and verified using the session key and at least one signature verification key for the device.
  - 5. The method of claim 1, wherein the platform component is one of a processor and a core in a multi-core processor.
  - 6. The method of claim 1, further comprising:
    - registering the device with the provisioning server, wherein the provisioning server generates the registration identification associated with the device upon successful authentication.
  - 7. The method of claim 1, wherein the platform component is one of the following:
    - a discrete or integrated hardware component on the device, or a firmware or software component on the device.
  - 8. The method of claim 1, wherein the method is performed in response to a change in a subscription level, wherein the subscription level defines a component upgrade level and periodic price to be paid for performance matching the component upgrade level.

9. A method for securely altering a platform component, comprising:
- generating, by an upgrade manager associated with a device, encryption and digital signature key pairs for the device, wherein the device includes the platform component;
  
  obtaining public encryption and signature verification keys for a provisioning server from a certification authority;
  
  mutually authenticating the device and the provisioning server using the public encryption and signature verification keys for the provisioning server and the device, wherein the provisioning server generates a registration identification associated with the device;
  
  contacting, by the upgrade manager, the certification authority for assigned certificates for public encryption and signature verification keys for the device;
  
  contacting, by the upgrade manager, the certification authority for assigned certificates for public encryption and signature verification keys for an upgrade server, wherein the upgrade server comprises a secure alteration for the platform component;
  
  sending an alteration request from the upgrade manager to the upgrade server, causing the upgrade server to obtain assigned certificates for public encryption and signature verification keys for the upgrade manager from the certification authority, wherein the alteration request comprises the registration identification associated with the device;
  
  mutually authenticating the device and the upgrade server based on the assigned certificates and the registration identification associated with the device;
  
  causing the device and the upgrade server to exchange a session key during the mutual authenticating; and
  
  providing the secure alteration from the upgrade server to the device via the upgrade manager using the session key.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, wherein:
    - the secure alteration is downloaded to a secure partition of the device, wherein the secure alteration is decrypted and verified using the session key and at least one signature verification key for the device;
      
      the provisioning server generates the registration identification associated with the device upon successful authentication of the device with the provisioning server; and
      
      the platform component is altered on-demand and in-field.
  - 11. The method of claim 9, wherein the method is performed in response to a change in a subscription level, wherein the subscription level defines a component upgrade level and periodic price to be paid for performance matching the component upgrade level.

12. A system comprising:
- a device comprising a platform component;
  
  an upgrade manager;
  
  a certification authority;
  
  a provisioning server; and
  
  an upgrade server comprising an alteration for the platform component;
  
  wherein the upgrade manager is configured to;
  
  generate encryption and digital signature key pairs for the device;
  
  obtain public encryption and signature verification keys for the provisioning server from the certification authority;
  
  perform one side of mutual authentication between the device and the provisioning server using the public encryption and signature verification keys for the provisioning server and the device;
  
  contact the certification authority for assigned certificates for public encryption and signature verification keys for the device;
  
  contact the certification authority for assigned certificates for public encryption and signature verification keys for the upgrade server;
  
  send an alteration request from the upgrade manager to the upgrade server, causing the upgrade server to obtain assigned certificates for public encryption and signature verification keys for the upgrade manager from the certification authority, wherein the alteration request comprises a registration identification associated with the device;
  
  perform one side of mutual authentication between the device and the upgrade server based on the assigned certificates and the registration identification associated with the device;
  
  send a session key to the upgrade server; and
  
  receive the alteration from the upgrade server to the device using the session key;
  
  wherein the certification authority is configured to;
  
  provide the encryption and signature verification keys for the provisioning server to the upgrade manager;
  
  assign certificates for public encryption and signature verification keys for the device; and
  
  assign certificates for public encryption and signature verification keys for the upgrade server;
  
  wherein the provisioning server is configured to;
  
  perform the other side of mutual authentication between the device and the provisioning server using the public encryption and signature verification keys for the provisioning server and the device; and
  
  verify device information for the device; and
  
  wherein the upgrade server is configured to;
  
  obtain assigned certificates for public encryption and signature verification keys for the upgrade manager from the certification authority;
  
  perform the other side of mutual authentication between the device and the upgrade server using the public encryption and signature verification keys for the upgrade server and the device;
  
  exchange the session key with the upgrade manager; and
  
  send the alteration to the upgrade manager using the session key.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12, wherein the upgrade manager is located on the device.
  - 14. The system of claim 12, wherein the device further comprises:
    - a secure partition including a secure key store, a secure data store, and native cryptographic functions;
      
      wherein the alteration is downloaded to the secure partition for decryption and verification using the session key and at least one signature verification key.
  - 15. The system of claim 14, wherein the native cryptographic functions include:
    - a random number generator;
      
      a hash generator;
      
      a cryptographic key generator; and
      
      a digital signature and encryption/decryption engine.
  - 16. The system of claim 14, wherein the secure partition is only accessible in a privileged mode.
  - 17. The system of claim 16, wherein the device further contains a secure monitor designed to determine if the device is in a privileged mode.

18. A system for securely altering a platform component, comprising:
- an upgrade manager configured for;
  
  generating encryption and digital signature key pairs for a device associated with the upgrade manager, wherein the device includes the platform component;
  
  obtaining public encryption and signature verification keys for a provisioning server from a certification authority;
  
  mutually authenticating the device and the provisioning server using the public encryption and signature verification keys for the provisioning server and the device;
  
  contacting the certification authority for assigned certificates for public encryption and signature verification keys for the device;
  
  contacting the certification authority for assigned certificates for public encryption and signature verification keys for an upgrade server, wherein the upgrade server comprises a secure alteration for the platform component;
  
  sending an alteration request from the upgrade manager to the upgrade server, causing the upgrade server to obtain assigned certificates for public encryption and signature verification keys for the upgrade manager from the certification authority, wherein the alteration request comprises a registration identification associated with the device;
  
  mutually authenticating the device and the upgrade server based on the assigned certificates and the registration identification associated with the device;
  
  causing the device and the upgrade server to exchange a session key during the mutual authenticating; and
  
  providing the secure alteration from the upgrade server to the device using the session key.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein:
    - the secure alteration is downloaded to a secure partition of the device, wherein the secure alteration is decrypted and verified using the session key and at least one signature verification key for the device;
      
      the provisioning server generates the registration identification associated with the device upon successful authentication of the device with the provisioning server; and
      
      the platform component is a computer processor.

20. A program storage device readable by a machine tangibly embodying a program of instructions executable by the machine to perform a method for securely altering a platform component, the method comprising:
- generating, by an upgrade manager associated with a device, encryption and digital signature key pairs for the device, wherein the device includes the platform component;
  
  obtaining public encryption and signature verification keys for a provisioning server from a certification authority;
  
  mutually authenticating the device and the provisioning server using the public encryption and signature verification keys for the provisioning server and the device;
  
  contacting, by the upgrade manager, the certification authority for assigned certificates for public encryption and signature verification keys for the device;
  
  contacting, by the upgrade manager, the certification authority for assigned certificates for public encryption and signature verification keys for an upgrade server, wherein the upgrade server comprises a secure alteration for the platform component;
  
  sending an alteration request from the upgrade manager to the upgrade server, causing the upgrade server to obtain assigned certificates for public encryption and signature verification keys for the upgrade manager from the certification authority, wherein the alteration request comprises a registration identification associated with the device;
  
  mutually authenticating the device and the upgrade server based on the assigned certificates and the registration identification associated with the device;
  
  causing the device and the upgrade server to exchange a session key during the mutual authenticating; and
  
  providing the secure alteration from the upgrade server to the device via the upgrade manager using the session key.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The program storage device of claim 20, wherein:
    - the secure alteration is downloaded to a secure partition of the device, wherein the secure alteration is decrypted and verified using the session key and at least one signature verification key for the device;
      
      the provisioning server generates the registration identification associated with the device upon successful authentication of the device with the provisioning server; and
      
      the platform component is a feature of a hardware component.
  - 22. The program storage device of claim 21, wherein the feature is hyperthreading.
  - 23. The program storage device of claim 21, wherein the feature is virtualization technology.
  - 24. The program storage device of claim 21, wherein the feature is remote management.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Aciicmez, Onur, Brutch, Tasneem
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US13/371,195
Publication Number

US 20130212380A1
Time in Patent Office

753 Days
Field of Search

713/155, 713/156, 713168-171, 717168-173, 709/203, 709219-222
US Class Current

713/156
CPC Class Codes

G06F 8/65   Updates security arrangemen...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Securely upgrading or downgrading platform components

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Securely upgrading or downgrading platform components

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links