System for and method of cryptographic provisioning

US 9,824,239 B2
Filed: 09/22/2014
Issued: 11/21/2017
Est. Priority Date: 11/26/2007
Status: Active Grant

First Claim

Patent Images

1. A method of provisioning a memory card with cryptographic parameters, wherein the memory card comprises a field programmable gate array (FPGA), a first nonvolatile memory, a second nonvolatile memory, and a cryptographic coprocessor, the method comprising:

storing a key generating programming fabric in the FPGA;

storing a module identification and a random seed in the first nonvolatile memory;

executing the key generation program to generate a bootstrap key and a memory protection key when the key generating program fabric is determined to be secure, wherein the bootstrap key and the memory protection key are generated using at least one of;

the module identification and the random seed;

encrypting, using the key generating programming fabric, the memory protection key with the bootstrap key using the cryptographic coprocessor to produce an encrypted memory protection key and an encryption authentication tag, wherein the encrypted memory protection key and the encryption authentication tag are stored in the second nonvolatile memory, wherein the encryption authentication tag is compared to a decrypted authentication tag that is generated from decrypting the encrypted memory protection key to determine disablement of one or more operations of the memory card; and

passing the encrypted memory protection key outside the memory card using the key generating programming fabric.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for and method of securely provisioning a module with cryptographic parameters, such as cryptographic keys and key tables, is presented. Such modules may be used to enable encrypted communications between mobile phones to which they are coupled. The system and method prevent a malevolent individual involved in manufacturing the modules from compromising the security of the module. In particular, the modules are provisioned by an entity different from the manufacturer.

Citations

24 Claims

1. A method of provisioning a memory card with cryptographic parameters, wherein the memory card comprises a field programmable gate array (FPGA), a first nonvolatile memory, a second nonvolatile memory, and a cryptographic coprocessor, the method comprising:
- storing a key generating programming fabric in the FPGA;
  
  storing a module identification and a random seed in the first nonvolatile memory;
  
  executing the key generation program to generate a bootstrap key and a memory protection key when the key generating program fabric is determined to be secure, wherein the bootstrap key and the memory protection key are generated using at least one of;
  
  the module identification and the random seed;
  
  encrypting, using the key generating programming fabric, the memory protection key with the bootstrap key using the cryptographic coprocessor to produce an encrypted memory protection key and an encryption authentication tag, wherein the encrypted memory protection key and the encryption authentication tag are stored in the second nonvolatile memory, wherein the encryption authentication tag is compared to a decrypted authentication tag that is generated from decrypting the encrypted memory protection key to determine disablement of one or more operations of the memory card; and
  
  passing the encrypted memory protection key outside the memory card using the key generating programming fabric.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the stored key generating programming fabric includes:
    - an externally encrypted key generating programming fabric, wherein the encrypted key generation programming fabric includes a header with a key generation authentication tag, and a key generation programming fabric key.
  - 3. The method of claim 2, wherein determining that the key generating programming fabric is secure comprises:
    - decrypting the encrypted key generation programming fabric using the cryptographic coprocessor and the stored key generation programming fabric key to generate a key generation decryption authentication tag;
      
      comparing the key generation authentication tag and the key generation decryption authentication tag; and
      
      determining that the key generating program fabric is secure when the key generation authentication tag and the key generation decryption authentication tag match.
  - 4. The method of claim 1, wherein the first nonvolatile memory resides in an integrated circuit within the memory card and the second nonvolatile memory resides outside of the integrated circuit within the memory card.
  - 5. The method of claim 1 further comprising:
    - receiving the passed encrypted memory protection key; and
      
      storing the received encrypted memory protection key in the first nonvolatile memory.
  - 6. The method of claim 1 further comprising:
    - storing an encrypted general operating programming fabric in the FPGA;
      
      storing a general operating programming fabric key in the FPGA;
      
      determining that the encrypted general operating programming fabric is secure;
      
      decrypting the general operation programming fabric when it is determined that the encrypted general operating programming fabric is secure; and
      
      storing the decrypted general operating programming fabric in the FPGA.
  - 7. The method of claim 6, wherein determining that the encrypted general operating programming fabric is secure comprises:
    - decrypting the encrypted general operation programming fabric using the cryptographic coprocessor and the stored general operation programming fabric key to generate a general operation decryption authentication tag;
      
      comparing a general operation authentication tag and the general operation decryption authentication tag; and
      
      determining that the general operation program fabric is secure when the general operation authentication tag and the general operation decryption authentication tag match.
  - 8. The method of claim 6, further comprising:
    - encrypting a general operation programming executable using the memory protection key; and
      
      storing the encrypted general operation programming executable in the second nonvolatile memory.
  - 9. The method of claim 8, further comprising:
    - encrypting a boot programming executable associated with the general operation programming fabric using the memory protection key; and
      
      storing the encrypted boot programming executable in the second nonvolatile memory.
  - 10. The method of claim 9, wherein the encrypted boot programming executable is stored in a boot portion of the second nonvolatile memory.
  - 11. The method of claim 6, further comprising:
    - validating that the general operation programming fabric is operational; and
      
      securing the data stored in the FPGA in a permanent manner.
  - 12. The method of claim 11, wherein the data stored in the FPGA is secured in a permanent manner by blowing antifuses.

13. A system for provisioning a memory card with cryptographic parameters, wherein the memory card comprises a field programmable gate array (FPGA), a first nonvolatile memory, a second nonvolatile memory, and a cryptographic coprocessor, the system comprising:
- a processor that performs the following steps;
  
  storing a key generating programming fabric in the FPGA;
  
  storing a module identification and a random seed in the first nonvolatile memory;
  
  executing the key generation program to generate a bootstrap key and a memory protection key when the key generating program fabric is determined to be secure, wherein the bootstrap key and the memory protection key are generated using at least one of;
  
  the module identification and the random seed;
  
  encrypting, using the key generating programming fabric, the memory protection key with the bootstrap key using the cryptographic coprocessor to produce an encrypted memory protection key and an encryption authentication tag, wherein the encrypted memory protection key and the encryption authentication tag are stored in the second nonvolatile memory, wherein the encryption authentication tag is compared to a decrypted authentication tag that is generated from decrypting the encrypted memory protection key to determine disablement of one or more operations of the memory card; and
  
  passing the encrypted memory protection key outside the memory card using the key generating programming fabric.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the stored key generating programming fabric includes:
    - an externally encrypted key generating programming fabric, wherein the encrypted key generation programming fabric includes a header with a key generation authentication tag, and a key generation programming fabric key.
  - 15. The system of claim 14, wherein determining that the key generating programming fabric is secure comprises:
    - decrypting the encrypted key generation programming fabric using the cryptographic coprocessor and the stored key generation programming fabric key to generate a key generation decryption authentication tag;
      
      comparing the key generation authentication tag and the key generation decryption authentication tag; and
      
      determining that the key generating program fabric is secure when the key generation authentication tag and the key generation decryption authentication tag match.
  - 16. The system of claim 13, wherein the first nonvolatile memory resides in an integrated circuit within the memory card and the second nonvolatile memory resides outside of the integrated circuit within the memory card.
  - 17. The system of claim 13, wherein the process further performs the following steps:
    - receiving the passed encrypted memory protection key; and
      
      storing the received encrypted memory protection key in the first nonvolatile memory.
  - 18. The system of claim 13 wherein the process further performs the following steps:
    - storing an encrypted general operating programming fabric in the FPGA;
      
      storing a general operating programming fabric key in the FPGA;
      
      determining that the encrypted general operating programming fabric is secure;
      
      decrypting the general operation programming fabric when it is determined that the encrypted general operating programming fabric is secure; and
      
      storing the decrypted general operating programming fabric in the FPGA.
  - 19. The system of claim 18, wherein determining that the encrypted general operating programming fabric is secure comprises:
    - decrypting the encrypted general operation programming fabric using the cryptographic coprocessor and the stored general operation programming fabric key to generate a general operation decryption authentication tag;
      
      comparing a general operation authentication tag and the general operation decryption authentication tag; and
      
      determining that the general operation program fabric is secure when the general operation authentication tag and the general operation decryption authentication tag match.
  - 20. The system of claim 18, f wherein the process further performs the following steps:
    - encrypting a general operation programming executable using the memory protection key; and
      
      storing the encrypted general operation programming executable in the second nonvolatile memory.
  - 21. The system of claim 20, wherein the process further performs the following steps:
    - encrypting a boot programming executable associated with the general operation programming fabric using the memory protection key; and
      
      storing the encrypted boot programming executable in the second nonvolatile memory.
  - 22. The system of claim 21, wherein the encrypted boot programming executable is stored in a boot portion of the second nonvolatile memory.
  - 23. The system of claim 18, wherein the process further performs the following steps:
    - validating that the general operation programming fabric is operational; and
      
      securing the data stored in the FPGA in a permanent manner.
  - 24. The system of claim 23, wherein the data stored in the FPGA is secured in a permanent manner by blowing antifuses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KoolSpan, Inc.
Original Assignee
KoolSpan, Inc.
Inventors
Fascenda, Anthony C., Sturniolo, Emil, Cichielo, Robert, Benware, Paul
Primary Examiner(s)
EDWARDS, LINGLAN E

Application Number

US14/493,100
Publication Number

US 20170300720A1
Time in Patent Office

1,156 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/72   in cryptographic circuits

G06F 21/76   in application-specific int...

G06F 21/78   to assure secure storage of...

H04L 2209/80   Wireless

H04L 9/0897   involving additional device...

System for and method of cryptographic provisioning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System for and method of cryptographic provisioning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links