Secure boot with resistance to differential power analysis and other external monitoring attacks

US 9,569,623 B2
Filed: 02/09/2015
Issued: 02/14/2017
Est. Priority Date: 12/04/2009
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

secure storage hardware to store a secret value;

additional storage hardware;

processing hardware coupled to the secure storage hardware, the processing hardware comprising at least one of a cache or a memory; and

an interface between the processing hardware and the additional storage hardware, wherein at least one of the additional storage hardware or the interface is unsecure;

wherein during a secure boot process the processing hardware is to;

receive untrusted data from the additional storage hardware via the interface;

load the untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator;

retrieve the secret value from the secure storage hardware;

derive an initial key using a path through a key tree based at least in part on an identifier associated with the encrypted data segment and the secret value;

verify, using the validator, whether the encrypted data segment has been modified; and

responsive to verifying that the encrypted data segment has not been modified, decrypt the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.

96 Citations

View as Search Results

24 Claims

1. A computing device comprising:
- secure storage hardware to store a secret value;
  
  additional storage hardware;
  
  processing hardware coupled to the secure storage hardware, the processing hardware comprising at least one of a cache or a memory; and
  
  an interface between the processing hardware and the additional storage hardware, wherein at least one of the additional storage hardware or the interface is unsecure;
  
  wherein during a secure boot process the processing hardware is to;
  
  receive untrusted data from the additional storage hardware via the interface;
  
  load the untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator;
  
  retrieve the secret value from the secure storage hardware;
  
  derive an initial key using a path through a key tree based at least in part on an identifier associated with the encrypted data segment and the secret value;
  
  verify, using the validator, whether the encrypted data segment has been modified; and
  
  responsive to verifying that the encrypted data segment has not been modified, decrypt the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computing device of claim 1, wherein:
    - the additional storage hardware is an unsecure storage hardware; and
      
      the interface is an unsecure interface.
  - 3. The computing device of claim 1, wherein the processing hardware and the secure storage hardware are components of a system on a chip (SOC).
  - 4. The computing device of claim 1, wherein the encrypted data segment comprises at least one of software or firmware, and wherein the processing hardware is further to:
    - retrieve a minimum acceptable version number for the software or firmware from the secure storage hardware; and
      
      verify that the software or firmware has a version number that is equal to or greater than the minimum acceptable version number.
  - 5. The computing device of claim 4, wherein the untrusted data comprises instructions to update the minimum acceptable version number, and wherein the processing hardware is further to:
    - update the minimum acceptable version number in accordance with the instructions.
  - 6. The computing device of claim 1,wherein the path through the key tree is based on the identifier and identifies a plurality of entropy distribution operations used to derive the initial key.
  - 7. The computing device of claim 6, the processing hardware further to:
    - divide the identifier into a plurality of parts, where each of the plurality of parts determines a leg of the path, and where each leg of the path is associated with a particular entropy distribution operation of the plurality of entropy distribution operations.
  - 8. The computing device of claim 1, wherein the untrusted data comprises a plurality of encrypted data segments, and wherein the processing hardware is further to:
    - apply an entropy distribution operation to the first decryption key to derive a second decryption key; and
      
      decrypt an encrypted data segment from the plurality of encrypted data segments with the second decryption key.
  - 9. The computing device of claim 1, wherein the untrusted data comprises a plurality of encrypted data segments, and wherein the processing hardware is further to:
    - receive and decrypt the plurality of encrypted data segments using hash chaining operations comprising;
      
      decrypting a first encrypted data segment of the plurality of encrypted data segments to produce a first plaintext segment comprising a first decrypted data segment and a first hash value;
      
      validating a second encrypted data segment using the first hash value; and
      
      responsive to validating the second encrypted data segment, decrypting the second encrypted data segment of the plurality of encrypted data segments to produce a second plaintext segment comprising a second decrypted data segment and a second hash value.
  - 10. The computing device of claim 1, wherein to verify that the encrypted data segment has not been modified the processing hardware is to:
    - compute a hash of the encrypted data segment;
      
      generate an expected validator based on performing a plurality of entropy distribution operations on the initial key using the key tree, wherein the hash indicates a path through the key tree, the path identifying the plurality of entropy distribution operations; and
      
      compare the expected validator to the validator.
  - 11. The computing device of claim 1, wherein the untrusted data comprises a plurality of encrypted data segments, and wherein hash chaining operations are performed to decrypt the plurality of encrypted data segments, the hash chaining operations comprising:
    - cryptographically transforming a first encrypted data segment of the plurality of encrypted data segments to produce a first derived value;
      
      comparing the first derived value with a first expected value;
      
      responsive to determining that the first derived value matches the first expected value, decrypting the first derived value using the first decryption key to produce a first decrypted data segment and a second derived value;
      
      comparing the second derived value with a second expected value; and
      
      responsive to determining that the second derived value matches the second expected value, decrypting the second derived value using a second decryption key derived from the initial key to produce a second decrypted data segment.

12. A method comprising:
- during a boot process, loading, by a processing device, untrusted data into at least one of a cache or a memory of the processing device, the untrusted data comprising an encrypted data segment and a validator;
  
  deriving, by the processing device, an initial key using a path through a key tree based at least in part on an identifier associated with the encrypted data segment, a secret value and a plurality of entropy distribution operations;
  
  verifying, using the validator, whether the encrypted data segment has been modified; and
  
  responsive to verifying that the encrypted data segment has not been modified, decrypting the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 13. The method of claim 12, further comprising:
    - executing the decrypted data segment by the processing device, wherein the decrypted data segment comprises at least one of software or firmware.
  - 14. The method of claim 12, further comprising:
    - responsive to a failure to successfully verify that the encrypted data segment has not been modified, removing the untrusted data from at least one of the cache or the memory.
  - 15. The method of claim 14, further comprising:
    - after removing the untrusted data from at least one of the cache or the memory, repeating the loading of the untrusted data, the deriving of the initial key, and the verifying of whether the encrypted data segment has been modified.
  - 16. The method of claim 12, wherein the encrypted data segment comprises at least one of software or firmware, the method further comprising:
    - determining a minimum acceptable version number for the software or firmware; and
      
      verifying that the software or firmware has a version number that is equal to or greater than the minimum acceptable version number.
  - 17. The method of claim 16, wherein the untrusted data comprises instructions to update the minimum acceptable version number, the method further comprising:
    - updating the minimum acceptable version number in accordance with the instructions.
  - 18. The method of claim 12,wherein the path through the key tree is based on the identifier and identifies the plurality of entropy distribution operations.
  - 19. The method of claim 18, further comprising:
    - dividing the identifier into a plurality of parts, where each of the plurality of parts determines a leg of the path, and where each leg of the path is associated with a particular entropy distribution operation of the plurality of entropy distribution operations.
  - 20. The method of claim 12, wherein the untrusted data comprises a plurality of encrypted data segments, further comprising:
    - applying an entropy distribution operation to the first decryption key to derive a second decryption key; and
      
      decrypting an encrypted data segment from the plurality of encrypted data segments with the second decryption key.
  - 21. The method of claim 12, wherein the untrusted data comprises a plurality of encrypted data segments, the method further comprising:
    - receiving and decrypting the plurality of encrypted data segments using hash chaining operations comprising;
      
      decrypting a first encrypted data segment of the plurality of encrypted data segments to produce a first plaintext segment comprising a first decrypted data segment and a first hash value;
      
      validating a second encrypted data segment using the first hash value; and
      
      responsive to validating the second encrypted data segment, decrypting the second encrypted data segment of the plurality of encrypted data segments to produce a second plaintext segment comprising a second decrypted data segment and a second hash value.
  - 22. The method of claim 12, wherein verifying whether the encrypted data segment has been modified comprises:
    - computing a hash of the encrypted data segment;
      
      generating an expected validator based on performing an additional plurality of entropy distribution operations on the initial key using the key tree, wherein the hash indicates a path through the key tree, the path identifying the additional plurality of entropy distribution operations; and
      
      comparing the expected validator to the validator.
  - 23. The method of claim 12, wherein the untrusted data comprises a plurality of encrypted data segments, and wherein hash chaining operations are performed to decrypt the plurality of encrypted data segments, the hash chaining operations comprising:
    - cryptographically transforming a first encrypted data segment of the plurality of encrypted data segments to produce a first derived value;
      
      comparing the first derived value with a first expected value;
      
      responsive to determining that the first derived value matches the first expected value, decrypting the first derived value using the first decryption key to produce a first decrypted data segment and a second derived value;
      
      comparing the second derived value with a second expected value; and
      
      responsive to determining that the second derived value matches the second expected value, decrypting the second derived value using a second decryption key derived from the initial key to produce a second decrypted data segment.

24. A computing device comprising:
- secure storage hardware to store a secret value; and
  
  processing hardware coupled to the secure storage hardware, the processing hardware comprising at least one of a cache or a memory, wherein during a secure boot process the processing hardware is to;
  
  load untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator;
  
  retrieve the secret value from the secure storage hardware;
  
  derive an initial key using a path through a key tree based at least in part on an identifier associated with the encrypted data segment and the secret value;
  
  verify, using the validator, whether the encrypted data segment has been modified;
  
  responsive to verifying that the encrypted data segment has not been modified, decrypt the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment; and
  
  responsive to a failure to successfully verify that the encrypted data segment has not been modified, remove the untrusted data from at least one of the cache or the memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptography Research, Inc. (Rambus Inc.)
Original Assignee
Cryptography Research, Inc. (Rambus Inc.)
Inventors
Kocher, Paul C., Rohatgi, Pankaj, Jaffe, Joshua M.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Lynch, Sharon

Application Number

US14/617,437
Publication Number

US 20160048684A1
Time in Patent Office

736 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/556   involving covert channels, ...

G06F 21/575   Secure boot

G06F 21/602   Providing cryptographic fac...

G06F 21/755   with measures against power...

G06F 21/76   in application-specific int...

G06F 2212/402   Encrypted data

G06F 2221/034   Test or assess a computer o...

G06F 2221/2107   File encryption

G06F 2221/2125   Just-in-time application of...

G06F 2221/2145   Inheriting rights or proper...

G06F 8/71   Version control security ar...

G06F 9/44505   Configuring for program ini...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/56   Financial cryptography, e.g...

H04L 2463/061   applying further key deriva...

H04L 63/0428   wherein the data content is...

H04L 63/0869   for achieving mutual authen...

H04L 9/003   for power analysis, e.g. di...

H04L 9/0631   Substitution permutation ne...

H04L 9/085 : Secret sharing or secret sp...

H04L 9/0861 : Generation of secret inform...

H04L 9/088 : Usage controlling of secret...

H04L 9/0894 : Escrow, recovery or storing...

H04L 9/16 : the keys or algorithms bein...

H04L 9/3236 : using cryptographic hash fu...

H04L 9/3247 : involving digital signatures

H04L 9/3271 : using challenge-response

H04L 9/50 : using hash chains, e.g. blo...

View All

Secure boot with resistance to differential power analysis and other external monitoring attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

96 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Secure boot with resistance to differential power analysis and other external monitoring attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others