Associating software with hardware using cryptography
Abstract
Techniques for associating software with hardware using cryptography are described. The software is identified by a software identifier (ID), and the hardware is identified by a hardware ID. The software is hashed to obtain a code digest. A code signature is generated for the code digest, software ID, and hardware ID. A code image is formed with the software, software ID, code signature, and a certificate. The certificate contains cryptographic information used to authenticate the certificate and validate the code signature. The code image is loaded onto a device. The device validates the software to hardware association prior to executing the software. For the validation, the device authenticates the certificate with a certificate authority public key embedded within the device. The device also validates the code signature using the cryptographic information contained in the certificate, information in the code image, and the hardware ID embedded within the device.
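The signing and validation flow described in the abstract above, as an added sketch that is not code from the patent. The dictionary image layout, all function names, SHA-256, the fixed-width IDs and the unpadded textbook RSA (used only to mirror the "decrypt the signature with the public key" wording) are assumptions of this example; a real implementation would use a padded signature scheme and properly generated keys.

```python
import hashlib

E = 65537

def make_key(p, q):
    """Textbook RSA key pair from two primes (toy parameters, demo only)."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed keys built from Mersenne primes; never use such primes for real keys.
CA_KEY = make_key(2**607 - 1, 2**1279 - 1)    # authority key pair
CODE_KEY = make_key(2**521 - 1, 2**2203 - 1)  # code signing key pair

def h_int(*parts):
    """SHA-256 over the concatenated fields, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def code_digest(code):
    return hashlib.sha256(code).digest()

def key_bytes(n, e):
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")

def build_image(code, sw_id, hw_id):
    """Signing side: bind the code to a release ID and a hardware configuration ID."""
    n, e = CODE_KEY["n"], CODE_KEY["e"]
    cert = {"n": n, "e": e,
            "auth_sig": pow(h_int(key_bytes(n, e)), CA_KEY["d"], CA_KEY["n"])}
    sig = pow(h_int(code_digest(code), sw_id, hw_id), CODE_KEY["d"], n)
    return {"code": code, "sw_id": sw_id, "sig": sig, "cert": cert}

def validate(image, hw_id, ca_n, ca_e):
    """Device side: hw_id and the authority public key come from secure storage."""
    cert = image["cert"]
    # Authenticate the certificate: the authority signature must cover the code public key.
    if pow(cert["auth_sig"], ca_e, ca_n) != h_int(key_bytes(cert["n"], cert["e"])):
        return "bad certificate"
    # Regenerate the signature digest from the image and the device's own hardware ID.
    regenerated = h_int(code_digest(image["code"]), image["sw_id"], hw_id)
    # Recover the received digest from the code signature and compare.
    if pow(image["sig"], cert["e"], cert["n"]) != regenerated:
        return "signature mismatch"
    return "ok"

# Constructed sample values: fixed-width 8-byte IDs keep the hashed fields unambiguous.
SW_ID = (0x2A).to_bytes(8, "big")
HW_A, HW_B = (0x1001).to_bytes(8, "big"), (0x1002).to_bytes(8, "big")
IMAGE = build_image(b"constructed firmware payload", SW_ID, HW_A)
```

Calling `validate(IMAGE, HW_B, CA_KEY["n"], CA_KEY["e"])` shows the binding at work: the image is unmodified and its certificate is authentic, yet validation fails because the device's hardware ID is not the one the signature was computed over.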
20 Claims
1. A method of validating an association of software code with hardware, comprising:
obtaining a certificate from a code image, wherein;
  the code image further including software code, a code signature, and a first identifier associated with a release of the software code,
  all instances of the software code associated with the software release have the same first identifier such that at least two instances of the software code have the same first identifier,
  the code signature is generated, using cryptography and a code private key, based on the first identifier, a second identifier for the hardware, and a message code digest obtained by hashing the software code,
  the code signature is used to validate an association of the software code with the hardware,
  the certificate includes a code public key corresponding to the code private key, and an authority signature generated over the code public key using cryptography and an authority private key;
authenticating the certificate with an authority public key securely stored in the hardware;
obtaining the first identifier from the code image;
obtaining the second identifier for the hardware, wherein all instances of a particular configuration of the hardware have the same second identifier such that at least two instances of the hardware have the same second identifier;
obtaining the software code from the code image and generating an image code digest by hashing the software code from the code image;
generating a regenerated signature digest by hashing the image code digest, the first identifier, and the second identifier; and
obtaining the code signature from the code image and generating a received signature digest by decrypting the code signature from the code image using the code public key; and
comparing the regenerated signature digest with the received signature digest, wherein the association of the software code with the hardware is validated if the regenerated signature digest matches the received signature digest.
Dependent claims: 2, 3, 4, 5, 6, 7

8. An apparatus having validation of an association of software with the apparatus hardware, comprising:
a first storage unit configured to securely store an authority public key; and
a processor operative to
  obtain a certificate from a code image, wherein;
    the code image further including software code, a code signature, and a first identifier associated with a release of the software code,
    all instances of the software code associated with the software release have the same first identifier such that at least two instances of the software code have the same first identifier,
    the code signature is generated, using cryptography and a code private key, based on the first identifier, a second identifier for the hardware, and a message code digest obtained by hashing the software code,
    the code signature is used to validate an association of the software code with the hardware,
    the certificate includes a code public key corresponding to the code private key, and an authority signature generated over the code public key using cryptography and an authority private key;
  authenticate the certificate with the authority public key;
  obtain the first identifier from the code image;
  obtain the second identifier for the hardware, wherein all instances of a particular configuration of the hardware have the same second identifier such that at least two instances of the hardware have the same second identifier;
  obtain the software code from the code image and generate an image code digest by hashing the software code from the code image;
  generate a regenerated signature digest by hashing the image code digest, the first identifier, and the second identifier; and
  obtain the code signature from the code image and generate a received signature digest by decrypting the code signature from the code image using the code public key; and
  compare the regenerated signature digest with the received signature digest, wherein the association of the software code with the hardware is validated if the regenerated signature digest matches the received signature digest.
Dependent claims: 9, 10, 11, 12

13. An apparatus having validation of an association of software code with hardware, comprising:
means for obtaining a certificate from a code image, wherein;
  the code image further including software code, a code signature, and a first identifier associated with a release of the software code,
  all instances of the software code associated with the software release have the same first identifier such that at least two instances of the software code have the same first identifier,
  the code signature is generated, using cryptography and a code private key, based on the first identifier, a second identifier for the hardware, and a message code digest obtained by hashing the software code,
  the code signature is used to validate an association of the software code with the hardware,
  the certificate includes a code public key corresponding to the code private key, and an authority signature generated over the code public key using cryptography and an authority private key;
means for authenticating the certificate with an authority public key securely stored in the hardware;
means for obtaining the first identifier from the code image;
means for obtaining the second identifier for the hardware, wherein all instances of a particular configuration of the hardware have the same second identifier such that at least two instances of the hardware have the same second identifier;
means for obtaining the software code from the code image and generating an image code digest by hashing the software code from the code image;
means for generating a regenerated signature digest by hashing the image code digest, the first identifier, and the second identifier;
means for obtaining the code signature from the code image and generating a received signature digest by decrypting the code signature from the code image using the code public key; and
means for comparing the regenerated signature digest with the received signature digest, wherein the association of the software code with the hardware is validated if the regenerated signature digest matches the received signature digest.
Dependent claims: 14

15. An apparatus operable to validate software for hardware, comprising:
a storage device configured to store a code image including the software, a code signature, and a certificate;
a secure storage device configured to store a hardware identifier and a certificate authority public key;
a processor configured to access the storage device and operative to;
  authenticate the certificate with the certificate authority public key,
  obtain a regenerated signature digest based on the software, a first identifier for the software, and the hardware identifier,
  decrypt the certificate using the certificate authority public key to recover a code public key,
  decrypt the code signature using the code public key to recover a received signature digest, and
  compare the regenerated signature digest with the received signature digest to validate the association of the software with the hardware.
Dependent claims: 16

17. A processor associated product, comprising:
computer readable medium, storing;
software code for causing a processor to obtain a certificate from a code image, wherein;
  the code image further including software code, a code signature, and a first identifier associated with a release of the software code,
  all instances of the software code associated with the software release have the same first identifier such that at least two instances of the software code have the same first identifier,
  the code signature is generated, using cryptography and a code private key, based on the first identifier, a second identifier for the hardware, and a message code digest obtained by hashing the software code,
  the code signature is used to validate an association of the software code with the hardware,
  the certificate includes a code public key corresponding to the code private key, and an authority signature generated over the code public key using cryptography and an authority private key;
software code for causing a processor to authenticate the certificate with an authority public key securely stored in the hardware;
software code for causing a processor to obtain the first identifier from the code image;
software code for causing a processor to obtain the second identifier for the hardware, wherein all instances of a particular configuration of the hardware have the same second identifier such that at least two instances of the hardware have the same second identifier;
software code for causing a processor to obtain the software code from the code image and generate an image code digest by hashing the software code from the code image;
software code for causing a processor to generate a regenerated signature digest by hashing the image code digest, the first identifier, and the second identifier; and
software code for causing a processor to obtain the code signature from the code image and generate a received signature digest by decrypting the code signature from the code image using the code public key; and
software code for causing a processor to compare the regenerated signature digest with the received signature digest, wherein the association of the software code with the hardware is validated if the regenerated signature digest matches the received signature digest.
Dependent claims: 18

19. A method of validating software for hardware, comprising:
storing a code image including the software, a code signature, and a certificate;
storing a hardware identifier and a certificate authority public key;
authenticating the certificate with the certificate authority public key,
obtaining a regenerated signature digest based on the software, a first identifier for the software, and the hardware identifier,
decrypting the certificate using the certificate authority public key to recover a code public key,
decrypting the code signature using the code public key to recover a received signature digest, and
comparing the regenerated signature digest with the received signature digest to validate the association of the software with the hardware.
Dependent claims: 20

Specification