Secure software and hardware association technique

US 8,843,764 B2
Filed: 07/15/2011
Issued: 09/23/2014
Est. Priority Date: 07/15/2011
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating and associating a program code with an equipment, the method comprising:

associating critical security information with an original equipment manufacturer (OEM) of the equipment by encrypting the critical security information using a unique secret value, the unique secret value identifying the OEM of the equipment associated with the critical security information, the critical security information programmed in a memory during equipment manufacturing, the critical security information including a device authentication key, a redundant device authentication key, a chip encryption key, and one or more image authentication keys;

loading critical security information associated with the OEM of the equipment from the memory at an initial startup time;

retrieving the chip encryption key and the one or more image authentication keys stored in the critical security information associated with the OEM of the equipment in the memory by decrypting the critical security information using the unique secret value;

authenticating the program code using the chip encryption key and the one or more image authentication keys; and

transferring ownership of the equipment to a new owner by updating at least one of the device authentication key of the critical security information and the redundant device authentication key of the critical security information with at least one public key of the new owner.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticated hardware and authenticated software are cryptographically associated using symmetric and asymmetric cryptography. Cryptographically binding the hardware and software ensures that original equipment manufacturer (OEM) hardware will only run OEM software. Cryptographically binding the hardware and software protects the OEM binary code so it will only run on the OEM hardware and cannot be replicated or altered to operate on unauthorized hardware. In one embodiment, critical security information associated with the equipment is loaded from a memory at startup time. The critical security information is stored in the memory, in encrypted form, using a unique secret value. The secret value is used to retrieve a chip encryption key and one or more image authentication keys that can be used to associate program code with an original equipment manufacturer. These keys are used to authenticate the program code.

Citations

40 Claims

1. A method for authenticating and associating a program code with an equipment, the method comprising:
- associating critical security information with an original equipment manufacturer (OEM) of the equipment by encrypting the critical security information using a unique secret value, the unique secret value identifying the OEM of the equipment associated with the critical security information, the critical security information programmed in a memory during equipment manufacturing, the critical security information including a device authentication key, a redundant device authentication key, a chip encryption key, and one or more image authentication keys;
  
  loading critical security information associated with the OEM of the equipment from the memory at an initial startup time;
  
  retrieving the chip encryption key and the one or more image authentication keys stored in the critical security information associated with the OEM of the equipment in the memory by decrypting the critical security information using the unique secret value;
  
  authenticating the program code using the chip encryption key and the one or more image authentication keys; and
  
  transferring ownership of the equipment to a new owner by updating at least one of the device authentication key of the critical security information and the redundant device authentication key of the critical security information with at least one public key of the new owner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 wherein the unique secret value is a master encryption key.
  - 3. The method of claim 1 wherein the memory is at least one of a main storage memory, a temporary storage memory, non-volatile memory on system-on-chip, and an external non-volatile memory.
  - 4. The method of claim 1 wherein the equipment is at least one of a network processor, a general purpose processor system-on-chip and a mother board.
  - 5. The method of claim 1 wherein the critical security information further includes at least one of a memory protection key and a secure storage key.
  - 6. The method of claim 1 further including establishing ownership of the equipment using at least one of the device authentication key and the redundant device authentication key.
  - 7. The method of claim 1 further including associating the equipment with the OEM using at least one of the device authentication key and the redundant device authentication key.
  - 8. The method of claim 7 wherein the at least one of the device authentication key and the redundant device authentication key is a public key associated with a private key of the OEM.
  - 9. The method of claim 7 wherein the at least one of the device authentication key and the redundant device authentication key is an Elliptic Curve Cryptography public key or an RSA public key associated with a private key of the OEM.
  - 10. The method of claim 1 further including updating at least one of the device authentication key and the redundant device authentication key using the chip encryption key.
  - 11. The method of claim 1 further including authenticating critical security information update messages for disaster recovery using the redundant device authentication key.
  - 12. The method of claim 1 further including authenticating update messages of the critical security information using at least one of the device authentication key or redundant device authentication key to ensure restriction of updating the critical security information to an owner of the device.
  - 13. The method of claim 1 wherein the unique secret value is at least one of a master encryption key, a symmetric key permanently programmed in the equipment or a secret key derived from equipment physical characteristics.
  - 14. The method of claim 13 wherein the secret key is derived from the equipment physical characteristics using a physically unclonable function.
  - 15. The method of claim 13 further including generating the master encryption key using a cryptographically secure random number generator.
  - 16. The method of claim 1 further including retrieving the one or more image authentication keys using a master encryption key.
  - 17. The method of claim 1 further including protecting the program code using the chip encryption key.
  - 18. The method of claim 1 further including controlling encryption of the program code.
  - 19. The method of claim 1 wherein authenticating the program code further includes decrypting the program code using the chip encryption key and the one or more image authentication keys.

20. A method for authenticating and associating a program code with an equipment, the method comprising:
- associating critical security information with an original equipment manufacturer (OEM) of the equipment by encrypting the critical security information using a unique secret value, the unique secret value identifying the OEM of the equipment associated with the critical security information, the critical security information programmed in a memory during equipment manufacturing, the critical security information including a chip encryption key and one or more image authentication keys;
  
  loading the critical security information associated with the OEM of the equipment from the memory at an initial startup time;
  
  retrieving the chip encryption key and the one or more image authentication keys stored in the critical security information associated with the OEM of the equipment in the memory by decrypting the critical security information using the unique secret value;
  
  authenticating the program code using the chip encryption key and the one or more image authentication keys; and
  
  assigning the one or more image authentication keys to corresponding vendors to allow running of program code associated with other vendors under limited trusted ownership.

21. A system for authenticating and associating a program code with an equipment, the system comprising:
- a memory;
  
  an associater that associates critical security information with an original equipment manufacturer (OEM) of the equipment by encrypting the critical security information using a unique secret value, the unique secret value identifying the OEM of the equipment associated with the critical security information, the critical security information programmed in the memory during equipment manufacturing, the critical security information including a device authentication key, a redundant device authentication key, a chip encryption key, and one or more image authentication keys;
  
  a loader that loads the critical security information associated with the OEM of the equipment from the memory at an initial a startup time;
  
  a retriever that retrieves the chip encryption key and the one or more image authentication keys stored in the critical security information associated with the OEM of the equipment in the memory by decrypting the critical security information using the unique secret value; and
  
  an authenticator that authenticates the program code using the chip encryption key and the one or more image authentication keys; and
  
  a transferor that transfers ownership of the equipment to a new owner by updating at least one of the device authentication key of the critical security information and the redundant device authentication key of the critical security information with public keys of the new owner.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 22. The system of claim 21 wherein the unique secret value is a master encryption key.
  - 23. The system of claim 21 wherein the memory is at least one of a main storage memory, a temporary storage memory, non-volatile memory on system-on-chip, and an external non-volatile memory.
  - 24. The system of claim 21 wherein the equipment is at least one of a network processor, a general purpose processor system-on-chip and a mother board.
  - 25. The system of claim 21 wherein the critical security information includes at least one of a memory protection key and a secure storage key.
  - 26. The system of claim 21 further including a verifier that establishes ownership of the equipment using at least one of the device authentication key and the redundant device authentication key.
  - 27. The system of claim 21 further including an identifier that associating the equipment with the OEM using at least one of the device authentication key and the redundant device authentication key.
  - 28. The system of claim 27 wherein the at least one of the device authentication key and the redundant device authentication key is a public key associated with a private key of the OEM.
  - 29. The system of claim 27 wherein the at least one of the device authentication key and the redundant device authentication key is an Elliptic Curve Cryptography public key or an RSA public key associated with a private key of the OEM.
  - 30. The system of claim 21 further including an updater that updates at least one of the device authentication key and the redundant device authentication key using the chip encryption key.
  - 31. The system of claim 21 further wherein the authenticator authenticates critical security information update messages for disaster recovery using the redundant device authentication key.
  - 32. The system of claim 21 further wherein the authenticator authenticates update messages of the critical security information using at least one of the device authentication key or redundant device authentication key to ensure restriction of updating the critical security information to an owner of the device.
  - 33. The system of claim 21 wherein the unique secret value is at least one of a symmetric key permanently programmed in the equipment or a secret key derived from equipment physical characteristics.
  - 34. The system of claim 33 wherein the secret key is derived from the equipment physical characteristics using a physically unclonable function.
  - 35. The system of claim 33 further including a generator that generates the master encryption key using a cryptographically secure random number generator.
  - 36. The system of claim 21 wherein the retriever retrieves the one or more image authentication keys using a master encryption key.
  - 37. The system of claim 21 further including a protector that protects the program code using the chip encryption key.
  - 38. The system of claim 21 further including a controller that controls encryption of the program code.
  - 39. The system of claim 21 wherein the authenticator authenticates the program code further includes decrypting the program code using the chip encryption key and the one or more image authentication keys.

40. A system for authenticating and associating a program code with an equipment, the system comprising:
- a memory;
  
  an associater that associates critical security information with an original equipment manufacturer (OEM) of the equipment by encrypting the critical security information using a unique secret value, the unique secret value identifying the OEM of the equipment associated with the critical security information, the critical security information programmed in the memory during equipment manufacturing, the critical security information including a chip encryption key and one or more image authentication keys;
  
  a loader that loads the critical security information associated with the OEM of the equipment from the memory at an initial a startup time;
  
  a retriever that retrieves the chip encryption key and the one or more image authentication keys stored in the critical security information associated with the OEM of the equipment in the memory by decrypting the critical security information using the unique secret value; and
  
  an authenticator that authenticates the program code using the chip encryption key and the one or more image authentication keys; and
  
  an assigner that assigns the one or more image authentication keys to corresponding vendors to allow running of program code associated with other vendors under limited trusted ownership.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Marvell Asia Pte Limited (Marvell Technology Group Limited)
Original Assignee
Cavium, LLC (Marvell Technology Group Limited)
Inventors
Hussain, Muhammad Raghib
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US13/184,199
Publication Number

US 20130019105A1
Time in Patent Office

1,166 Days
Field of Search

713/189, 713/191, 713/193, 726/16
US Class Current

713/189
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/31   User authentication

G06F 21/575   Secure boot

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/30   Public key, i.e. encryption...

H04L 9/32   including means for verifyi...

Secure software and hardware association technique

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Secure software and hardware association technique

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links