公开(公告)号：US20200186357A1

公开(公告)日：2020-06-11

申请号：US16638291

申请日：2017-08-11

Applicant: Pekka LAITINEN ,  Huawei Technologies Co., Ltd.

Inventor： Pekka Laitinen ,  Qiming Li ,  Sampo Sovio ,  Gang Lian ,  Zhihua Shan

IPC: H04L9/32 ,  H04L9/06 ,  H04L9/08 ,  G06F9/54

Abstract: A device with key attestation features comprises an operating system stored in its memory, the operating system comprising a secure environment including a trusted application, and two or more device certificates, each associated with a device key pair, stored in the memory of the device. The trusted application is configured to handle key pair generation requests and key pair attestation requests to read an indication of a preferred device certificate. An attestation certificate that is generated in response to the key pair attestation request is then signed using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.

公开(公告)号：US20230058046A1

公开(公告)日：2023-02-23

申请号：US17792292

申请日：2020-01-29

Applicant: Sampo SOVIO ,  Huawei Technologies Co., Ltd.

Inventor： Sampo Sovio ,  Qiming Li ,  Gang Lian ,  Kui Wang ,  Santeri Salko ,  Vladimir Ushakov

IPC: G06F21/53

Abstract: An apparatus is configured to protect the privacy of shared objects by loading shared object into a user memory of a rich execution environment. The shared object has an encrypted segment and metadata. A request for decryption is sent to a trusted execution environment and the encrypted segment is decrypted based on the metadata and a predetermined platform key to produce a decrypted segment. The decrypted segment is written into the shared object. A request to lock the shared object is sent and a memory occupied by the shared object is locked or set to execute only. The lock of the memory region occupied by the decrypted shared object maps the memory region to be non-readable and non-writable to applications executing at a first privilege level and to the operating system kernel executing at a second privilege level.

公开(公告)号：US12197563B2

公开(公告)日：2025-01-14

申请号：US17792292

申请日：2020-01-29

Applicant: Huawei Technologies Co., Ltd. ,  Sampo Sovio

Inventor： Sampo Sovio ,  Qiming Li ,  Gang Lian ,  Kui Wang ,  Santeri Salko ,  Vladimir Ushakov

IPC: G06F21/53

Abstract: An apparatus is configured to protect the privacy of shared objects by loading shared object into a user memory of a rich execution environment. The shared object has an encrypted segment and metadata. A request for decryption is sent to a trusted execution environment and the encrypted segment is decrypted based on the metadata and a predetermined platform key to produce a decrypted segment. The decrypted segment is written into the shared object. A request to lock the shared object is sent and a memory occupied by the shared object is locked or set to execute only. The lock of the memory region occupied by the decrypted shared object maps the memory region to be non-readable and non-writable to applications executing at a first privilege level and to the operating system kernel executing at a second privilege level.

公开(公告)号：US20190238342A1

公开(公告)日：2019-08-01

申请号：US16331055

申请日：2016-09-06

Applicant: Huawei Technologies Co., Ltd.

Inventor： Gang Lian ,  Sampo Sovio ,  Taisheng Deng ,  Xiaopu Wang ,  Zongbo Ye

IPC: H04L9/32 ,  H04L9/08 ,  H04L29/06

CPC classification number: H04L9/3263 ,  H04L9/0894 ,  H04L9/321 ,  H04L63/0823 ,  H04L2209/64 ,  H04L2209/80 ,  H04L2463/061

Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.

公开(公告)号：US11374766B2

公开(公告)日：2022-06-28

申请号：US16638291

申请日：2017-08-11

Applicant: Huawei Technologies Co., Ltd.

Inventor： Pekka Laitinen ,  Qiming Li ,  Sampo Sovio ,  Gang Lian ,  Zhihua Shan

IPC: H04L9/32 ,  H04L9/06 ,  H04L9/08 ,  G06F9/54

Abstract: A device with key attestation features comprises an operating system stored in its memory, the operating system comprising a secure environment including a trusted application, and two or more device certificates, each associated with a device key pair, stored in the memory of the device. The trusted application is configured to handle key pair generation requests and key pair attestation requests to read an indication of a preferred device certificate. An attestation certificate that is generated in response to the key pair attestation request is then signed using one of the two or more device certificates with its associated device key pair based on the indication of a preferred device certificate.

公开(公告)号：US11283626B2

公开(公告)日：2022-03-22

申请号：US16331055

申请日：2016-09-06

Applicant: Huawei Technologies Co., Ltd.

Inventor： Gang Lian ,  Sampo Sovio ,  Taisheng Deng ,  Xiaopu Wang ,  Zongbo Ye

IPC: H04L9/32 ,  H04L29/06 ,  H04L9/08

Abstract: An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.

公开(公告)号：US20200374112A1

公开(公告)日：2020-11-26

申请号：US16768501

申请日：2017-12-01

Applicant: Huawei Technologies Co., Ltd.

Inventor： Sampo Sovio ,  Qiming Li ,  Pekka Laitinen ,  Gang Lian ,  Meilun Xie ,  Xiwen Fang ,  Zhihua Shan

IPC: H04L9/08 ,  H04L9/30 ,  H04L29/06

Abstract: In a method for secure provisioning of data to a client device, a non-trusted manufacturing facility is equipped with a secure server device to establish a secure data provisioning channel from the secure server device to trusted hardware in client devices without the secure server device and the client devices needing to have a shared secret.