公开(公告)号：US20080046733A1

公开(公告)日：2008-02-21

申请号：US11558662

申请日：2006-11-10

Applicant: Stephane Rodgers ,  Xuemin Chen

Inventor： Stephane Rodgers ,  Xuemin Chen

IPC: H04L9/00

CPC classification number: H04L63/06 ,  G06F21/31 ,  G06F21/606 ,  G06F2221/2129 ,  H04L63/0428 ,  H04N7/163 ,  H04N21/4143 ,  H04N21/4367 ,  H04N21/443

Abstract: Aspects of a method and system for command authentication to achieve a secure interface are provided. Command authentication between a host and a slave device in a multimedia system may be achieved by on-the-fly pairing or by an automatic one-time-programming via a security processor. In an on-the-fly pairing scheme, the host may generate a host key based on a host root key and host control words while the slave may generate slave key based the host key, a slave root key and slave control words. The slave key may be stored and later retrieved by the slave device to obtain the host key for authenticating host commands. The host may be disabled from generating and/or passing the host key to the slave. In an automatic one-time-programming scheme, the security processor may burn a random number onto a one-time-programmable memory in the host and slave devices for command authentication.

Abstract translation: 提供了用于实现安全接口的命令认证的方法和系统的方面。 多媒体系统中的主机和从设备之间的命令认证可以通过即时配对或通过安全处理器的自动一次编程来实现。 在实时配对方案中，主机可以基于主机根密钥和主机控制字生成主机密钥，而从机​​可以基于主机密钥，从根密钥和从属控制字生成从机密钥。 从属密钥可以被从设备存储和稍后检索以获得用于认证主机命令的主机密钥。 可能禁用主机生成和/或将主机密钥传递到从设备。 在自动一次编程方案中，安全处理器可以将随机数刻录到主机和从设备中的一次性可编程存储器中用于命令认证。

公开(公告)号：US20070233982A1

公开(公告)日：2007-10-04

申请号：US11393164

申请日：2006-03-28

Applicant: Xuemin Chen ,  Stephane Rodgers

Inventor： Xuemin Chen ,  Stephane Rodgers

IPC: G06F12/14

CPC classification number: G06F12/1408 ,  G06F21/78 ,  G06F21/85

Abstract: A system and a method for protecting the security of data stored externally to a data processing engine of a data processor using at least one secure pad memory that is mapped to internal memory of the data processing engine and to the external memory. The memory data protection system and method performs an arithmetic operation, such as a bitwise exclusive OR (“XOR”) operation, on data being read from the data processing engine or written to the external memory using data stored in secure pads of the secure pad memory, which data may be random numbers generated by a random number generator.

Abstract translation: 一种用于使用映射到数据处理引擎的内部存储器和外部存储器的至少一个安全衬垫存储器来保护外部存储在数据处理引擎的数据的安全性的系统和方法。 存储器数据保护系统和方法对从数据处理引擎读取的数据或使用存储在安全垫的安全焊盘中的数据写入外部存储器来执行例如按位异或（“异或”）运算的算术运算 存储器，哪些数据可以是由随机数生成器生成的随机数。

公开(公告)号：US20060268354A1

公开(公告)日：2006-11-30

申请号：US11385468

申请日：2006-03-21

Applicant: Stephane Rodgers ,  Daniel Simon

Inventor： Stephane Rodgers ,  Daniel Simon

IPC: H04N1/00

CPC classification number: H04N21/434 ,  H04N9/7921 ,  H04N21/2389 ,  H04N21/4147 ,  H04N21/426 ,  H04N21/4341 ,  H04N21/4347 ,  H04N21/4385

Abstract: A method and system are provided for sharing AV/record resources in a programmable transport/demultiplexer and personal video recorder (PVR) engine. The method may involve utilizing hardware assist architecture to partially process incoming packets, retrieve information about the packets, and write the retrieved information to a memory. A processor programmed with firmware may then utilize the information in memory to perform further processing on the packet data. The processor programmed with firmware may then set up configuration parameters that may be used by the hardware assist architecture to further process the packet. The parameters may be configured such that they may be independent of the format of the packet, where the hardware assist architecture functions may be utilized for processing packets regardless of their format. The system may comprise the hardware assist architecture, the processor programmed with firmware, and a memory.

Abstract translation: 提供了一种用于在可编程传输/解复用器和个人录像机（PVR）引擎中共享AV /记录资源的方法和系统。 该方法可以涉及利用硬件辅助架构来部分地处理传入分组，检索关于分组的信息，以及将检索到的信息写入存储器。 用固件编程的处理器然后可以利用存储器中的信息来对分组数据执行进一步的处理。 用固件编程的处理器然后可以设置可由硬件辅助架构使用以进一步处理分组的配置参数。 参数可以被配置为使得它们可以独立于分组的格式，其中硬件辅助架构功能可以被用于处理分组，而不管其格式如何。 该系统可以包括硬件辅助架构，用固件编程的处理器和存储器。

公开(公告)号：US09338009B2

公开(公告)日：2016-05-10

申请号：US11743533

申请日：2007-05-02

Applicant: Stephane Rodgers ,  Andrew Dellow

Inventor： Stephane Rodgers ,  Andrew Dellow

IPC: H04L9/32 ,  H04L29/06 ,  G06F21/64 ,  G06F21/10 ,  H04L9/08 ,  G06F21/62 ,  H04L9/28

Abstract: Methods and systems for preventing revocation denial of service attacks are disclosed and may include receiving and decrypting a command for revoking a secure key utilizing a hidden key, and revoking the secure key upon successful verification of a signature. The command may comprise a key ID that is unique to a specific set-top box. A key corresponding to the command for revoking the secure key may be stored in a one-time programmable memory, compared to a reference, and the security key may be revoked based on the comparison. The command for revoking the secure key may be parsed from a transport stream utilizing a hardware parser. The method and system may also comprise generating a command for revoking a secure key. The command may be encrypted and signed utilizing a hidden key and may comprise a key ID that is unique to a specific set-top box.

公开(公告)号：US09232268B2

公开(公告)日：2016-01-05

申请号：US13170764

申请日：2011-06-28

Applicant: Xuemin Chen ,  Stephane Rodgers ,  Rajesh Mamidwar

Inventor： Xuemin Chen ,  Stephane Rodgers ,  Rajesh Mamidwar

IPC: H04N21/4402 ,  H04L29/06 ,  H04L9/08 ,  H04L9/14 ,  H04N21/266 ,  H04N21/436 ,  H04N21/4408 ,  H04N21/442 ,  H04N21/462 ,  H04N21/4623 ,  H04N21/6334 ,  H04N21/643 ,  H04N21/845

CPC classification number: H04N21/4402 ,  H04L9/083 ,  H04L9/14 ,  H04L63/0428 ,  H04L63/062 ,  H04L2209/60 ,  H04N21/26613 ,  H04N21/43615 ,  H04N21/4408 ,  H04N21/44231 ,  H04N21/4621 ,  H04N21/4623 ,  H04N21/63345 ,  H04N21/64322 ,  H04N21/8456

Abstract: A home gateway may be used to handle at least a portion of processing of content obtained for consumption by client devices serviced via the home gateway. The home gateway may receive a single copy of content having a first format, and may convert the received content to one or more other formats suitable for presentation by at least one of the client devices based on knowledge of the client devices. The home gateway may maintain secure and/or protected access of the content handled via the home gateway. During protected access the home gateway may partition the content into a plurality of encrypted segments that are forwarded separately to the client devices. The client devices may utilize a corresponding plurality of encryption keys for decrypting the encrypted segments. The encryption keys may be obtained from an external key server. The home gateway may also generate the encryption keys.

Abstract translation: 家庭网关可以用于处理通过家庭网关服务的客户端设备获得的用于消费的内容的处理的至少一部分。 家庭网关可以接收具有第一格式的内容的单个副本，并且可以基于客户端设备的知识将接收的内容转换成适合于至少一个客户端设备呈现的一个或多个其他格式。 家庭网关可以保持通过家庭网关处理的内容的安全和/或受保护的访问。 在受保护的访问期间，家庭网关可以将内容分割成分别转发到客户端设备的多个加密段。 客户端设备可以利用相应的多个加密密钥来解密加密的段。 可以从外部密钥服务器获得加密密钥。 家庭网关也可以生成加密密钥。

公开(公告)号：US08683212B2

公开(公告)日：2014-03-25

申请号：US11753338

申请日：2007-05-24

Applicant: Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen

IPC: G05B19/00

CPC classification number: G06F21/6209 ,  G06F21/77

Abstract: Securely loading code in a security processor may include autonomous fetching an encrypted security data set, which may comprise security code and/or root keys, by a security processor integrated within a chip. The encrypted security data set may be decrypted via the on-chip security processor and the decrypted code set may be validated on-chip using an on-chip locked value. The on-chip locked value may be stored in a one-time programmable read-only memory (OTP ROM) and may include security information generated by applying one or more security algorithms, for example SHA-based algorithms, to the security data set. The encryption of the security data set may utilize various security algorithms, for example AES-based algorithms. The on-chip locked value may be created and locked after a virgin boot of a device that includes the security processor. The security data set may be authenticated during the virgin boot of the device.

Abstract translation: 在安全处理器中安全地加载代码可以包括通过集成在芯片内的安全处理器来自主地获取可以包括安全代码和/或根密钥的加密安全数据集。 加密的安全数据集可以经由片上安全处理器解密，并且解码的代码集可以使用片上锁定值在片上进行验证。 片上锁定值可以存储在一次性可编程只读存储器（OTP ROM）中，并且可以包括通过将一个或多个安全算法（例如基于SHA的算法）应用于安全数据集而生成的安全信息。 安全数据集的加密可以利用各种安全算法，例如基于AES的算法。 在包含安全处理器的设备的初始引导之后，可以创建和锁定片上锁定值。 安全数据集可以在设备的初始启动期间被认证。

公开(公告)号：US08572399B2

公开(公告)日：2013-10-29

申请号：US11746769

申请日：2007-05-10

Applicant: Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen

IPC: H04L29/06

CPC classification number: H04N21/818 ,  G06F21/572 ,  H04N21/4432 ,  H04N21/4586

Abstract: A stored predefined unmodifiable bootable code set may be verified during code reprogramming of a device, and executed as a first stage of code reprogramming of the device. The predefined unmodifiable bootable code set may be stored in a locked memory such as a locked flash memory and may comprise code that enables minimal communication functionality of the device. The predefined unmodifiable bootable code set may be verified using a security algorithm, for example, a SHA-based algorithm. Information necessary for the security algorithm may be stored in a memory, for example, a one-time programmable read-only memory (OTP ROM). The stored information necessary for the security algorithm may comprise a SHA digest, a signature, and/or a key. A second stage code set may be verified and executed during the code reprogramming of the device subsequent to the verification of the stored predefined unmodifiable bootable code set.

Abstract translation: 可以在设备的代码重新编程期间验证存储的预定义的不可修改的可引导代码集，并且作为设备的代码重新编程的第一级被执行。 预定义的不可修改的可引导代码集可以存储在诸如锁定的闪存的锁定存储器中，并且可以包括能够实现设备的最小通信功能的代码。 可以使用安全算法（例如，基于SHA的算法）来验证预定义的不可修改的可引导代码集。 安全算法所需的信息可以存储在存储器中，例如，一次性可编程只读存储器（OTP ROM）。 安全算法所需的存储信息可以包括SHA摘要，签名和/或密钥。 可以在验证存储的预定义的不可修改的可引导代码集之后的设备的代码重新编程期间验证和执行第二阶段代码集。

公开(公告)号：US08032761B2

公开(公告)日：2011-10-04

申请号：US11558630

申请日：2006-11-10

Applicant: Stephane Rodgers ,  Xuemin Chen

Inventor： Stephane Rodgers ,  Xuemin Chen

IPC: G06F11/30

CPC classification number: H04N7/1675 ,  G06F21/79 ,  G06F2221/2107 ,  H04N21/4181 ,  H04N21/4367

Abstract: Aspects of a method and system for memory attack protection to achieve a secure interface are provided. An integrated memory within a slave device may be configured into a plurality of memory portions or regions by commands from a host device. The memory regions may be utilized during operations associated with authentication of subsequent commands from the host device. A first memory region may enable storage of encrypted host commands and data. A second region may enable storage of decrypted host commands and data. A third region may enable storage of internal variables and/or intermediate results from operations performed by the slave device. Another region may comprise internal registers that enable storage of information only accessible to the slave device. Access to some of the memory regions may be controlled by a bus controller and/or a memory interface integrated within the slave device.

Abstract translation: 提供了一种用于内存攻击保护以实现安全接口的方法和系统。 从设备中的集成存储器可以通过来自主机设备的命令被配置成多个存储器部分或区域。 可以在与来自主机设备的后续命令的认证相关联的操作期间利用存储器区域。 第一存储器区域可以实现加密的主机命令和数据的存储。 第二区域可以实现解密的主机命令和数据的存储。 第三区域可以实现从设备执行的操作的内部变量和/或中间结果的存储。 另一区域可以包括内部寄存器，其能够存储只能由从设备访问的信息。 访问某些存储区域可以由集成在从设备中的总线控制器和/或存储器接口来控制。

公开(公告)号：US20110197054A1

公开(公告)日：2011-08-11

申请号：US13034176

申请日：2011-02-24

Applicant: Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen ,  Qiang Ye

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen ,  Qiang Ye

IPC: G06F15/177

CPC classification number: G06F21/575 ,  G06F21/572

Abstract: A boot code may be segmented to allow separate and independent storage of the code segments in a manner that may enable secure system boot by autonomous fetching and assembling of the boot code by a security sub-system. The code fetching may need to be done without the main CPU running on the chip for security reasons. Because the boot code may be stored in memory devices that require special software application to account for non-contiguous storage of data and/or code, for example a NAND flash memory which would require such an application as Bad Block Management, code segments stored in areas guaranteed to be usable may enable loading remaining segment separately and independently. Each of the code segments may be validated, wherein validation of the code segments may comprise use of hardware-based signatures.

Abstract translation: 引导代码可以被分段以允许以可以通过安全子系统自主地取出和组合引导代码来实现安全系统引导的方式来分离和独立地存储代码段。 出于安全考虑，代码获取可能需要完成，而主CPU不会在芯片上运行。 由于引导代码可能存储在需要特殊软件应用程序的存储器件中以解决数据和/或代码的不连续存储，例如需要诸如坏块管理的应用的NAND闪存，存储在 保证可用的区域可以分开和独立地加载剩余段。 可以验证每个代码段，其中代码段的验证可以包括使用基于硬件的签名。

公开(公告)号：US07900032B2

公开(公告)日：2011-03-01

申请号：US11746773

申请日：2007-05-10

Applicant: Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen ,  Qiang Ye

Inventor： Stephane Rodgers ,  Andrew Dellow ,  Xuemin Chen ,  Iue-Shuenn Chen ,  Qiang Ye

IPC: G06F9/00 ,  H04L9/00 ,  H04L9/32

CPC classification number: G06F21/575 ,  G06F21/572

Abstract: Segmenting a boot code to allow separate and independent storage and validation of the segments in a manner that enable secure system boot by autonomous fetching and assembling of the boot code by a security sub-system. The code fetching may need to be done without the main CPU running on the chip for security reasons. Because the boot code may be stored in memory devices that require special software application to account for non-contiguous storage of data and/or code, for example a NAND flash memory which would require such an application as Bad Block Management, code segments stored in areas guaranteed to be usable may enable loading and validating remaining segment separately and independently.

Abstract translation: 分段引导代码，以允许通过安全子系统自主获取和组合引导代码来实现安全系统引导的方式，对段进行单独和独立的存储和验证。 出于安全考虑，代码获取可能需要完成，而主CPU不会在芯片上运行。 由于引导代码可能存储在需要特殊软件应用程序的存储器件中以解决数据和/或代码的不连续存储，例如将要求诸如坏块管理的应用的NAND闪存，存储在 保证可用的区域可以分别且独立地加载和验证剩余段。