Abstract:
The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.
Abstract:
A media storage device includes a media security controller and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller sends a message in response to the rendering device reading an authorization file. The message is for the rendering device to read a portion of data from the memory and to provide the portion of data to the media security controller. The media security controller receives the portion of the data from the rendering device, transforms the portion of the data, and sends the transformed portion of the data to the rendering device.
Abstract:
The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a command to create a Module and executes a Module Template to generate the Module in response to the command. The Module is deployed to an Appliance device. A set of instructions of the Module, when executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device. The Appliance device is configured to distribute the data asset to a cryptographic manager (CM) core of the target device.
Abstract:
The embodiments described herein describe technologies for pre-computed data (PCD) asset generation and secure deployment of the PCD asset to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to generate a unique PCD asset for a target device. In response, the RA device generates the PCD asset and packages the PCD asset for secure deployment of the PCD asset to the target device and to be used exclusively by the target device. The RA device deploys the packaged PCD asset in a CM system for identification and tracking of the target device.
Abstract:
A processing device, such as logic on an integrated circuit, may identify a cryptographic message stored in a first register. The processing device may determine a plurality of components for a second power of the cryptographic message using a plurality of components of the cryptographic message. The processing device may determine the plurality of components for the second power of the cryptographic message without storing the entire second power of the cryptographic message. Further, the processing device may determine a third power of the cryptographic message using modular arithmetic. The processing device may determine the third power by transforming the plurality of components for the second power of the cryptographic message and the plurality of components of the cryptographic message.
Abstract:
A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process, the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.
Abstract:
A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree. The first device then sends the validator to the second device.