Keying infrastructure
First Claim
Patent Images
1. A method comprising:
- setting, by a computing device, an initial application key in a sequence of application keys;
deriving a first application key for the sequence of application keys with a first key derivation function, the first application key being derived based at least in part on the initial application key and based at least in part on a first hash of a first component;
determining that a second component is loaded or executed;
based at least on the second component being loaded or executed;
deriving a second application key for the sequence of application keys with a second key derivation function, the second application key being derived based at least in part on the first application key that directly precedes the second application key in the sequence of application keys and based at least in part on a second hash of the second component; and
deleting the first application key based at least on deriving the second application key;
utilizing, by the computing device, the second application key that remains in the sequence of application keys, after deleting the first application key, to derive an image operation key; and
utilizing the image operation key to at least one of verify an application state of the computing device or encrypt data.
2 Assignments
0 Petitions
Accused Products
Abstract
A keying infrastructure may generate and/or manage cryptographic keys. The cryptographic keys may include identity keys, encryption keys, and a variety of other types of keys. The cryptographic keys may be derived or created with a key derivation function (KDF) or other one-way function. The cryptographic keys may include keys that are accessible to a boot loader, keys that are accessible to particular components of a Trusted Execution Environment (TrEE), and so on. In some examples, a key may be derived from a preceding key in a sequence of keys. The preceding key may be deleted when the key is derived.
-
Citations
19 Claims
-
1. A method comprising:
-
setting, by a computing device, an initial application key in a sequence of application keys; deriving a first application key for the sequence of application keys with a first key derivation function, the first application key being derived based at least in part on the initial application key and based at least in part on a first hash of a first component; determining that a second component is loaded or executed; based at least on the second component being loaded or executed; deriving a second application key for the sequence of application keys with a second key derivation function, the second application key being derived based at least in part on the first application key that directly precedes the second application key in the sequence of application keys and based at least in part on a second hash of the second component; and deleting the first application key based at least on deriving the second application key; utilizing, by the computing device, the second application key that remains in the sequence of application keys, after deleting the first application key, to derive an image operation key; and utilizing the image operation key to at least one of verify an application state of the computing device or encrypt data. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A system comprising:
-
a processor; and a computer-readable storage medium having computer-executable instructions stored thereupon that, when executed by the processor, cause a computer to; set an initial application key in a sequence of application keys; deriving a first application key for the sequence of application keys with a first key derivation function, the first application key being derived based at least in part on the initial application key and based at least in part on a first hash of a first component; determine that a second component is loaded or executed; based at least on the second component being loaded or executed; derive a second application key for the sequence of application keys with a second key derivation function, the second application key being derived based at least in part on the first application key that directly precedes the second application key in the sequence of application keys and based at least in part on a hash of the second component; and delete the first application key based at least on deriving the second application key; utilize the second application key that remains in the sequence of application keys after deleting the first application key to derive an image operation key; and utilize the image operation key to at least one of verify an application state of the computer or encrypt data. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. An apparatus comprising:
-
a processor; and a computer-readable storage medium having computer-executable instructions stored thereupon that, when executed by the processor, cause the apparatus to perform operations comprising; setting an initial application key in a sequence of application keys; deriving a first application key for the sequence of application keys with a first key derivation function, the first application key being derived based at least in part on the initial application key and based at least in part on a first hash of a first component; determining that a second component is loaded or executed; based at least on the second component being loaded or executed; deriving a second application key for the sequence of application keys with a second key derivation function, the second application key being derived based at least in part on the first application key that directly precedes the second application key in the sequence of application keys and based at least in part on a hash of the second component; and deleting the first application key based at least on deriving the second application key; utilizing the second application key that remains in the sequence of application keys, after deleting the first application key, to derive an image operation key; and utilizing the image operation key to at least one of verify an application state of the apparatus or encrypt data. - View Dependent Claims (15, 16, 17, 18, 19)
-
Specification