Systems, methods and apparatuses for secure storage of data using a security-enhancing chip

US 10,528,767 B2
Filed: 03/28/2014
Issued: 01/07/2020
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A computer processor of one computing device, the processor comprising:

a storage of the processor for storing one or more encryption keys;

a central processing unit (CPU) of the processor, the CPU being configured to run one or more software programs; and

a circuit of the processor configured to;

calculate a hash function to generate a hash value for first data loaded into the computer processor, the first data comprising executable code for at least one of the one or more software programs; and

generate an authentication token, using at least one encryption key stored in the storage, for a request for a chip to perform an operation initiated by a software program running on the CPU, wherein to generate the authentication token includes to generate a message authentication code (MAC) of the request using a secret key in the at least one encryption key corresponding to a second secret key of the chip, and wherein the request contains the hash value for the first data loaded into the computer processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer processor and a security enhancing chip may be provided. In one aspect, the computer processor may comprise a storage for storing an encryption key, a central processing unit (CPU) configured to execute one or more software programs, and a circuit configured to calculate a hash function to generate a hash value for data loaded into the computer processor and generate an authentication token for a request initiated by a software program running on the CPU. In another aspect, the security enhancing chip may comprise a first storage for storing an encryption key, a second storage for storing a certificate, a hash storage and circuit components configured to validate, using the first certificate, command(s) adding the encryption key to the first storage and storing a first hash to the hash storage, and to process a request if a second hash in the request is equal to the first hash.

11 Citations

24 Claims

1. A computer processor of one computing device, the processor comprising:
- a storage of the processor for storing one or more encryption keys;
  
  a central processing unit (CPU) of the processor, the CPU being configured to run one or more software programs; and
  
  a circuit of the processor configured to;
  
  calculate a hash function to generate a hash value for first data loaded into the computer processor, the first data comprising executable code for at least one of the one or more software programs; and
  
  generate an authentication token, using at least one encryption key stored in the storage, for a request for a chip to perform an operation initiated by a software program running on the CPU, wherein to generate the authentication token includes to generate a message authentication code (MAC) of the request using a secret key in the at least one encryption key corresponding to a second secret key of the chip, and wherein the request contains the hash value for the first data loaded into the computer processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 22)
- - 2. The computer processor of claim 1, wherein the operation of the request comprises one of for the chip to retrieve second data, for the chip to store the first data, and for the chip to perform a service.
  - 3. The computer processor of claim 1, wherein the at least one encryption key is a private key of a public and private key pair and the authentication token further includes a signature of the request.
  - 4. The computer processor of claim 3, wherein the CPU is further configured to:
    - generate the public and private key pair;
      
      store the private key of the public and private key pair in the storage as the at least one encryption key of the one or more encryption keys;
      
      report the public key of the public and private key pair; and
      
      use the private key to sign the request to include with the authentication token for the request.
  - 5. The computer processor of claim 1, wherein the CPU is further configured to receive a nonce;
    - and add the nonce to the request.
  - 6. The computer processor of claim 1, wherein to generate the authentication token comprises at least one of to encrypt the request and to sign the request.
  - 7. The computer processor of claim 1, further comprising a memory cache, wherein the first data loaded into the computer processor is loaded into the memory cache, and wherein the hash value for the first data is calculated after the first data is loaded into the memory cache.
  - 8. The computer processor of claim 1, further comprising a memory cache, wherein the first data loaded into the computer processor is loaded into the memory cache, and wherein the hash value for the first data is calculated when the first data is loaded into the memory cache.
  - 9. The computer processor of claim 1, wherein the CPU is further configured to authenticate at least some portion of the first data when reading the first data into the computer processor.
  - 10. The computer processor of claim 1, wherein the circuit comprises one of:
    - a microprocessor, a microcontroller, a field programmable gate array (FPGA) and an application specific integrated circuit (ASIC).
  - 21. The computer processor of claim 1, wherein processor is further configured to transmit the authentication token and the request to the chip of the computing device to check the hash value and verify the MAC.
  - 22. The computer processor of claim 21, wherein the circuit of the processor is further configured to:
    - receive a reply from the chip in response to the request, the reply containing a second hash value; and
      
      authenticate the reply based on determining whether the second hash value of the reply is equivalent to the hash value transmitted with the request.

11. A method for operating a computer processor of one computing device, the method comprising:
- calculating a hash function using a circuit in the computer processor to generate a hash value for first data loaded into the computer processor, the first data comprising executable code to be executed on a central processing unit (CPU) of the computer processor;
  
  initiating a request for a chip to perform an operation by a software program executing on the CPU, the request comprising the hash value; and
  
  generating an authentication token for the request using the circuit and at least one encryption key stored in a storage of the computer processor, wherein generating the authentication token includes generating a message authentication code (MAC) of the request using a secret key in the at least one encryption key corresponding to a second secret key of the chip, and wherein the request contains the hash value for the first data loaded into the computer processor.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24)
- - 12. The method claim 11, wherein the operation of the request comprises one of for the chip to retrieve second data, for the chip to store the first data, and for the chip to perform a service.
  - 13. The method claim 11, wherein the at least one encryption key is a private key of a public and private key pair and the authentication token further includes a signature of the request.
  - 14. The method of claim 13, further comprising:
    - generating the public and private key pair;
      
      storing the private key of the public and private key pair in the storage as the at least one encryption key;
      
      reporting the public key of the public and private key pair; and
      
      using the private key to sign the request to include with the authentication token for the request.
  - 15. The method of claim 11, further comprising receiving a nonce;
    - and adding the nonce to the request.
  - 16. The method of claim 11, wherein generating the authentication token comprises at least one of encrypting the request and signing the request.
  - 17. The method of claim 11, wherein the computer processor comprises a memory cache and the first data loaded into the computer processor is loaded into the memory cache, and wherein the hash value for the first data is calculated after the first data is loaded into the memory cache.
  - 18. The method of claim 11, wherein the computer processor comprises a memory cache and the first data loaded into the computer processor is loaded into the memory cache, and wherein the hash value for the first data is calculated when the first data is loaded into the memory cache.
  - 19. The method of claim 11, further comprising authenticating at least some portion of the first data when reading the first data into the computer processor.
  - 20. The method of claim 11, wherein the circuit comprises one of:
    - a microprocessor, a microcontroller, a field programmable gate array (FPGA) and an application specific integrated circuit (ASIC).
  - 23. The method of claim 11, further comprising transmitting the authentication token and the request to the chip of the computing device to check the hash value and verify the MAC.
  - 24. The method of claim 23, further comprising:
    - receiving a reply from the chip in response to the request, the reply containing a second hash value; and
      
      authenticating the reply based on determining whether the second hash value of the reply is equivalent to the hash value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OLogN Technologies AG
Original Assignee
OLogN Technologies AG
Inventors
Ignatchenko, Sergey, Ivanchykhin, Dmytro
Primary Examiner(s)
Henderson, Esther B.

Application Number

US14/229,531
Publication Number

US 20140298040A1
Time in Patent Office

2,111 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575 Secure boot

G06F 21/72 in cryptographic circuits

Systems, methods and apparatuses for secure storage of data using a security-enhancing chip

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, methods and apparatuses for secure storage of data using a security-enhancing chip

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links