公开(公告)号：US11310227B2

公开(公告)日：2022-04-19

申请号：US16804555

申请日：2020-02-28

Applicant: Cryptography Research, Inc.

Inventor： Michael Hamburg ,  Benjamin Che-Ming Jun ,  Paul C. Kocher ,  Daniel O'Loughlin ,  Denis Alexandrovich Pochuev

IPC: H04L29/06 ,  H04L67/60 ,  H04W12/06 ,  G06F21/60 ,  G06F21/62 ,  G06F21/72 ,  G06F21/73 ,  G06F21/33 ,  H04W12/30 ,  H04W12/0431

Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.

公开(公告)号：US10460084B2

公开(公告)日：2019-10-29

申请号：US16122362

申请日：2018-09-05

Applicant: Cryptography Research, Inc.

Inventor： Paul C. Kocher ,  Helena Handschuh

IPC: G06F21/00 ,  G06F21/10

Abstract: A media storage device includes a media security controller circuit and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller circuit sends a message to the rendering device that causes the rendering device to obtain a portion of data from memory of the media storage device and provide it to the media security controller circuit. The portion is received and transformed by the media security controller circuit. The media security controller circuit sends the transformed portion to the rendering device.

公开(公告)号：US09367693B2

公开(公告)日：2016-06-14

申请号：US14752677

申请日：2015-06-26

Applicant: Cryptography Research, Inc.

Inventor： Paul C. Kocher ,  Pankaj Rohatgi ,  Joshua M. Jaffe

IPC: H04L9/32 ,  G06F21/57 ,  G06F21/60 ,  H04L9/00 ,  H04L9/08 ,  G06F12/14 ,  H04L9/06 ,  H04L9/16 ,  G06F9/445 ,  G06F21/76 ,  G06F9/44 ,  H04L29/06

CPC classification number: G06F21/575 ,  G06F8/71 ,  G06F9/44505 ,  G06F12/1408 ,  G06F21/556 ,  G06F21/602 ,  G06F21/755 ,  G06F21/76 ,  G06F2212/402 ,  G06F2221/034 ,  G06F2221/2107 ,  G06F2221/2125 ,  G06F2221/2145 ,  H04L9/003 ,  H04L9/0631 ,  H04L9/085 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/0894 ,  H04L9/16 ,  H04L9/3236 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0869 ,  H04L2209/24 ,  H04L2209/38 ,  H04L2209/56 ,  H04L2463/061

Abstract: A bitstream for configuration of a programmable logic device is received, the bitstream comprising a data segment and authentication data associated with the data segment. The programmable logic device computes a hash of the data segment. The programmable logic device compares the computed hash of the data segment with the authentication data. Configuration of the programmable logic device halts responsive to a determination that the computed hash of the data segment does not match the authentication data. Configuration of the programmable logic device using the data segment continues responsive to a determination that the computed hash of the data segment matches the authentication data.

Abstract translation: 接收用于配置可编程逻辑设备的比特流，所述比特流包括与所述数据段相关联的数据段和认证数据。 可编程逻辑器件计算数据段的散列。 可编程逻辑设备将计算出的数据段的散列与认证数据进行比较。 可编程逻辑设备的配置响应于所计算的数据段的散列与认证数据不匹配的确定停止。 使用数据段的可编程逻辑设备的配置继续响应于所计算的数据段的散列与认证数据匹配的确定。

公开(公告)号：US20150178478A1

公开(公告)日：2015-06-25

申请号：US14415568

申请日：2013-07-17

Applicant: CRYPTOGRAPHY RESEARCH, INC.

Inventor： Paul C. Kocher ,  Helena Handschuh

IPC: G06F21/10

CPC classification number: G06F21/10 ,  G06F2221/0724

Abstract: A media storage device includes a media security controller and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller sends a message in response to the rendering device reading an authorization file. The message being for the rendering device to read a portion of data from the memory and to provide the portion of data to the media security controller. The media security controller receives the portion of the data from the rendering device, trans forms the portion of the data, and sends the transformed portion of the data to the rendering device.

Abstract translation: 媒体存储设备包括媒体安全控制器和用于存储与由呈现设备呈现的媒体项目相关的数据的存储器。 媒体安全控制器响应于渲染设备读取授权文件发送消息。 该消息用于呈现设备从存储器读取一部分数据并将该部分数据提供给媒体安全控制器。 媒体安全控制器从呈现设备接收数据的一部分，转换形成数据的一部分，并将转换后的部分数据发送到呈现设备。

公开(公告)号：US11797683B2

公开(公告)日：2023-10-24

申请号：US17382333

申请日：2021-07-21

Applicant: Cryptography Research, Inc.

Inventor： Paul C. Kocher ,  Pankaj Rohatgi ,  Joshua M. Jaffe

IPC: G06F21/57 ,  G06F21/60 ,  H04L9/08 ,  H04L9/32 ,  G06F21/55 ,  H04L9/00 ,  G06F12/14 ,  H04L9/06 ,  H04L9/16 ,  G06F9/445 ,  G06F21/76 ,  G06F8/71 ,  H04L9/40 ,  G06F21/75

CPC classification number: G06F21/575 ,  G06F8/71 ,  G06F9/44505 ,  G06F12/1408 ,  G06F21/556 ,  G06F21/602 ,  G06F21/76 ,  H04L9/003 ,  H04L9/0631 ,  H04L9/085 ,  H04L9/088 ,  H04L9/0861 ,  H04L9/0894 ,  H04L9/16 ,  H04L9/3236 ,  H04L9/3247 ,  H04L9/3271 ,  G06F21/755 ,  G06F2212/402 ,  G06F2221/034 ,  G06F2221/2107 ,  G06F2221/2125 ,  G06F2221/2145 ,  H04L9/50 ,  H04L63/0428 ,  H04L63/0869 ,  H04L2209/24 ,  H04L2209/56 ,  H04L2463/061

Abstract: A method for performing a security chip protocol comprises receiving, by processing hardware of a security chip, a message from a first device as part of performing the security chip protocol. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware determines a path through a key tree based at least in part on the message. The processing hardware derives a validator at least in part from the secret value using a sequence of entropy redistribution operations associated with the path through the key tree. The processing hardware exchanges the validator between the security chip and the first device as part of the security chip protocol in order to authenticate at least one of the security chip or the first device.

公开(公告)号：US10262141B2

公开(公告)日：2019-04-16

申请号：US15395809

申请日：2016-12-30

Applicant: Cryptography Research, Inc.

Inventor： Paul C. Kocher ,  Pankaj Rohatgi ,  Joshua M. Jaffe

IPC: G06F8/71 ,  H04L9/00 ,  H04L9/06 ,  H04L9/08 ,  H04L9/16 ,  H04L9/32 ,  G06F12/14 ,  G06F21/55 ,  G06F21/57 ,  G06F21/60 ,  G06F21/75 ,  G06F21/76 ,  G06F9/445 ,  H04L29/06

Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.

公开(公告)号：US20190018934A1

公开(公告)日：2019-01-17

申请号：US16122362

申请日：2018-09-05

Applicant: Cryptography Research, Inc.

Inventor： Paul C. Kocher ,  Helena Handschuh

IPC: G06F21/10

CPC classification number: G06F21/10 ,  G06F2221/0724

Abstract: A media storage device includes a media security controller circuit and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller circuit sends a message to the rendering device that causes the rendering device to obtain a portion of data from memory of the media storage device and provide it to the media security controller circuit. The portion is received and transformed by the media security controller circuit. The media security controller circuit sends the transformed portion to the rendering device.

公开(公告)号：US09569623B2

公开(公告)日：2017-02-14

申请号：US14617437

申请日：2015-02-09

Applicant: Cryptography Research, Inc.

Inventor： Paul C. Kocher ,  Pankaj Rohatgi ,  Joshua M. Jaffe

IPC: H04L9/00 ,  G06F21/57 ,  G06F21/60 ,  H04L9/08 ,  H04L9/32 ,  G06F12/14 ,  H04L9/06 ,  H04L9/16 ,  G06F9/445 ,  G06F21/76 ,  G06F9/44 ,  G06F21/55 ,  H04L29/06

CPC classification number: G06F21/575 ,  G06F8/71 ,  G06F9/44505 ,  G06F12/1408 ,  G06F21/556 ,  G06F21/602 ,  G06F21/755 ,  G06F21/76 ,  G06F2212/402 ,  G06F2221/034 ,  G06F2221/2107 ,  G06F2221/2125 ,  G06F2221/2145 ,  H04L9/003 ,  H04L9/0631 ,  H04L9/085 ,  H04L9/0861 ,  H04L9/088 ,  H04L9/0894 ,  H04L9/16 ,  H04L9/3236 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0869 ,  H04L2209/24 ,  H04L2209/38 ,  H04L2209/56 ,  H04L2463/061

Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.

Abstract translation: 计算设备包括用于存储秘密值的安全存储硬件和包括高速缓存或存储器中的至少一个的处理硬件。 在安全引导过程期间，处理硬件将不可信数据加载到处理硬件的高速缓存或存储器中的至少一个中，不可信数据包括加密数据段和验证器，从安全存储硬件检索秘密值， 至少部分地基于与加密数据段和秘密值相关联的标识符的初始密钥，使用验证器来验证加密数据段是否已经被修改，并且使用从第一解密密钥导出的第一解密密钥来解密加密数据段 响应于验证加密的数据段未被修改来产生解密的数据段的初始密钥。

公开(公告)号：US09544304B2

公开(公告)日：2017-01-10

申请号：US14535202

申请日：2014-11-06

Applicant: CRYPTOGRAPHY RESEARCH, INC.

Inventor： Michael Hamburg ,  Benjamin Che-Ming Jun ,  Paul C. Kocher ,  Daniel O'Loughlin ,  Denis Alexandrovich Pochuev ,  Ambuj Kumar

IPC: H04L9/32 ,  H04L29/06 ,  H04L29/08 ,  H04W12/06 ,  G06F21/60 ,  G06F21/62 ,  G06F21/72 ,  G06F21/73 ,  G06F21/33

Abstract: The embodiments described herein describe technologies for ticketing systems used in consumption and provisioning of data assets, such as a pre-computed (PCD) asset. A ticket may be a digital file or data that enables enforcement of usage count limits and uniqueness issuance ore sequential issuance of target device parameters. On implementation includes an Appliance device of a cryptographic manager (CM) system that receives a Module and a ticket over a network from a Service device. The Module is an application that securely provisions a data asset to a target device in an operation phase of a manufacturing lifecycle of the target device. The ticket is digital data that grants permission to the Appliance device to execute the Module. The Appliance device verifies the ticket to execute the Module. The Module, when executed, results in a secure construction of a sequence of operations to securely provision the data asset to the target device.

公开(公告)号：US20150326567A1

公开(公告)日：2015-11-12

申请号：US14535194

申请日：2014-11-06

Applicant: CRYPTOGRAPHY RESEARCH, INC.

Inventor： Michael Hamburg ,  Benjamin Che-Ming Jun ,  Paul C. Kocher ,  Daniel O'Loughlin ,  Denis Alexandrovich Pochuev

IPC: H04L29/06 ,  H04W12/06

CPC classification number: H04L63/0853 ,  G06F21/335 ,  G06F21/602 ,  G06F21/6209 ,  G06F21/72 ,  G06F21/73 ,  G06F2221/2107 ,  G06F2221/2135 ,  G06F2221/2145 ,  G06F2221/2149 ,  G06F2221/2153 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/123 ,  H04L67/32 ,  H04W12/06

Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a command to create a Module and executes a Module Template to generate the Module in response to the command. The Module is deployed to an Appliance device. A set of instructions of the Module, when executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device. The Appliance device is configured to distribute the data asset to a cryptographic manager (CM) core of the target device.

Abstract translation: 本文描述的实施例描述了用于模块管理的技术，包括在加密管理器（CM）环境中的目标设备的制造生命周期的操作阶段中的模块创建和模块部署到目标设备。 一个实现包括根授权（RA）设备，其接收创建模块的命令并执行模块模板以响应于该命令生成模块。 模块部署到设备设备。 当由设备设备执行时，该模块的一组指令导致一系列操作的安全构造，以将数据资产安全地提供给目标设备。 设备设备被配置为将数据资产分发到目标设备的加密管理器（CM）核心。