Method for authorizing and authenticating data

US 9,246,687 B2
Filed: 02/27/2008
Issued: 01/26/2016
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating, by a first device, a first key pair comprising a first public key portion and a first private key portion;

transferring, by the first device, the first public key portion to a second device having a second key pair, the second key pair comprising a second public key portion and a second private key portion, wherein the second key pair is associated with second entitlements comprising second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the second device is configured to;

authorize the first key pair by signing the first public key portion using the second private key portion to produce a first key signature of the first key pair,associate first entitlements with the first public key portion, the first entitlements comprising first data entitlements that are within the second signing entitlements and further comprising first signing entitlements that are within the first data entitlements, andtransfer the first public key portion, the first key signature, and the first entitlements to a digital processing system, wherein upon receipt of the first public key portion, the first key signature, and the first entitlements, the digital processing system is configured to authenticate the first public key portion by using the first public key portion to verify that the first key signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements;

signing, by the first device, data with the first private key portion to generate a data signature; and

sending, by the first device, the data and the data signature to the digital processing system, wherein receiving the data and the data signature causes the digital processing system to authenticate the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data, and wherein failing to authenticate the data causes the digital processing system to reset to limited operations.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a corresponding apparatus for authenticating data in a digital processing system (DPS) is disclosed, wherein a root/first tier key pair associated with a first tier/root authority may sign data and second tier keys for authorizing data for processing in the DPS. The first tier/root authority may pass entitlements to the authorized second tier key, which may itself authorize third tier keys and pass entitlements to said key.

31 Citations

View as Search Results

23 Claims

1. A method, comprising:
- generating, by a first device, a first key pair comprising a first public key portion and a first private key portion;
  
  transferring, by the first device, the first public key portion to a second device having a second key pair, the second key pair comprising a second public key portion and a second private key portion, wherein the second key pair is associated with second entitlements comprising second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the second device is configured to;
  
  authorize the first key pair by signing the first public key portion using the second private key portion to produce a first key signature of the first key pair,associate first entitlements with the first public key portion, the first entitlements comprising first data entitlements that are within the second signing entitlements and further comprising first signing entitlements that are within the first data entitlements, andtransfer the first public key portion, the first key signature, and the first entitlements to a digital processing system, wherein upon receipt of the first public key portion, the first key signature, and the first entitlements, the digital processing system is configured to authenticate the first public key portion by using the first public key portion to verify that the first key signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements;
  
  signing, by the first device, data with the first private key portion to generate a data signature; and
  
  sending, by the first device, the data and the data signature to the digital processing system, wherein receiving the data and the data signature causes the digital processing system to authenticate the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data, and wherein failing to authenticate the data causes the digital processing system to reset to limited operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the first data entitlements comprise an entitlement to authorize the data for processing by one or more elements in the digital processing system or an entitlement to authorize a type of data processing by the one or more elements in the digital processing system.
  - 3. The method of claim 1, wherein the second public key portion is a first tier public key, and wherein the second public key portion is transferred to the digital processing system and accepted by the digital processing system without authentication.
  - 4. The method of claim 1, wherein the first key signature covers the first entitlements associated with the first key pair.
  - 5. The method of claim 1, wherein a digital representation of the first entitlements is stored in a one-time programmable memory comprised in the digital processing system.
  - 6. The method of claim 1, wherein the second public key portion and a digital representation of the second entitlements are stored in a one-time programmable memory comprised in the digital processing system.
  - 7. The method of claim 1, wherein the first public key portion is stored in a mask programmed ROM and a digital representation of the first entitlements is stored in a one-time programmable memory comprised in the digital processing system.
  - 8. The method of claim 1, wherein the first public key portion, the first entitlements, and the first key signature are stored in a memory comprised in the digital processing system, and wherein the first public key portion and the second entitlements are authenticated each time the first key pair is used.
  - 9. The method of claim 1, wherein the digital processing system comprises at least two authorization domains.
  - 10. The method of claim 9, wherein there are at least two root/first tier keys, each having an entitlement for authorizing the data for processing in the same domain.
  - 11. The method of claim 10, wherein each of the at least two root/first tier keys has different entitlements for authorizing the data for processing in the same domain.
  - 12. The method of claim 10, wherein each of the at least two root/first tier keys has entitlements for authorizing the data stored in a separate non-volatile memory.
  - 13. The method of claim 1, further comprising:
    - receiving, by the first device, the first entitlements from the second device, wherein the first entitlements enable the first device to use the first key pair to authorize a third key pair for authorizing the data to be processed at the digital processing system.

14. A digital processing system, comprising:
- a memory;
  
  a processor coupled to the memory, the processor configured to;
  
  receive, from a device having a second key pair comprising a second public key portion and a second private key portion, the second public key portion and second entitlements associated with the second public key portion, wherein the second entitlements comprise second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the device having the second key pair is configured to receive a first public key portion from a device having a first key pair comprising the first public key portion and a first private key portion,receive, from the device having the second key pair, the first public key portion, first entitlements associated with the first public key portion, and a first key signature associated with the first public key portion, wherein the first key signature was produced by the device having the second key pair when signing the first public key portion using the second private key portion to authorized the first key pair, and wherein the first entitlements comprise first data entitlements that are within the second signing entitlements and further comprise first signing entitlements that are within the first data entitlements,store the first and second public key portions, the first and second entitlements, and the second key signature in the memory,authenticate the first public key portion by using the second public key portion to verify that the first key pair signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements,receive, from the device having the first key pair, data and a data signature generated by signing the data with the first private key portion,authenticate the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data; and
  
  reset the digital processing system to limited operations when failing to authenticate the data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The digital processing system of claim 14, wherein the first data entitlements comprise an entitlement to authorize the data for processing by one or more elements in the digital processing system or an entitlement to authorize a type of data processing by the one or more elements in the digital processing system.
  - 16. The digital processing system of claim 14, wherein the second public key portion is a first tier public key accepted by the digital processing system without authentication.
  - 17. The digital processing system of claim 14, wherein the first key signature covers the first entitlements associated with the first key pair.
  - 18. The digital processing system of claim 14, wherein the memory is a one-time programmable memory.
  - 19. The digital processing system of claim 14, wherein the first public key portion, the first entitlements, and the first key signature are stored in the memory, and wherein the first public key portion and the first entitlements are authenticated each time the first key pair is used.
  - 20. The digital processing system of claim 14, further comprising at least two authorization domains.
  - 21. The digital processing system of claim 20, wherein there are at least two root/first tier keys, each having an entitlement for authorizing the data for processing in the same domain.
  - 22. The system of claim 14, wherein the first entitlements received by the device having the first key pair enable the device having the first key pair to use the first key pair to authorize a third key pair for authorizing the data to be processed at the digital processing system.

23. A method, comprising:
- receiving, by a digital processing system, from a device having a second key pair comprising a second public key portion and a second private key portion, the second public key portion and second entitlements associated with the second public key portion, wherein the second entitlements comprise second data entitlements and second signing entitlements that are within the second data entitlements, and wherein the device having the second key pair is configured to receive a first public key portion from a device having a first key pair comprising the first public key portion and a first private key portion;
  
  receiving, by the digital processing system, from the device having the second key pair, the first public key portion, first entitlements associated with the first public key portion, and a first key signature associated with the first public key portion, wherein the first key signature was produced by the device having the second key pair when signing the first public key portion using the second private key portion to authorize the first key pair, and wherein the first entitlements comprise first data entitlements that are within the second signing entitlements and further comprise first signing entitlements that are within the first data entitlements;
  
  authenticating, by the digital processing system, the first public key portion by using the second public key portion to verify that the first key signature was produced using the second key pair and by using the second entitlements to verify that the first data entitlements are within the second signing entitlements;
  
  receiving, by the digital processing system, from the device having the first key pair, data and a data signature generated by signing the data with the first private key portion;
  
  authenticating, by the digital processing system, the data before processing the data by verifying that the data signature was produced using the first key pair and by verifying that the first entitlements include the first data entitlements for processing the data; and
  
  resetting, by the digital processing system, the digital processing system to limited operations when failing to authenticate the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Dellow, Andrew
Primary Examiner(s)
GOLDBERG, ANDREW C

Application Number

US12/038,509
Publication Number

US 20080267410A1
Time in Patent Office

2,890 Days
Field of Search

705/59, 707/100
US Class Current

1/1
CPC Class Codes

H04L 9/3247 involving digital signatures

H04L 9/50 using hash chains, e.g. blo...

Method for authorizing and authenticating data

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method for authorizing and authenticating data

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links