公开(公告)号：US20020051538A1

公开(公告)日：2002-05-02

申请号：US09897670

申请日：2001-07-02

Applicant: SafeNet, Inc.

Inventor： Michael M. Kaplan ,  Timothy Ober ,  Peter Reed

IPC: H04L001/00

CPC classification number: G06F21/72 ,  G06F8/60 ,  G06F9/46 ,  G06F12/1491 ,  G06F21/74 ,  G06F21/79 ,  G06F21/82 ,  H04L9/00 ,  H04L2209/12

Abstract: A kernel mode protection circuit includes a processor, a program counter, a kernel program fetch supervisor circuit, a kernel data fetch supervisor circuit, a program memory, a data memory, a flip-flop circuit and two AND circuits. The data memory includes two user memories, protected registers and random access memory (RAM). The program memory includes two user memories and a kernel read only memory (ROM). The circuit may operate in either a user mode (kernel ROM is not accessible) or a kernel mode (kernel ROM is accessible). When in the kernel mode the kernel RAM and certain protected registers are accessible only by a secure kernel. The kernel mode control circuit will reset the processor should a security violation occur, such as attempting to access the kernel RAM while in the user mode. The kernel program fetch supervisor circuit monitors and compares an address within the program counter to a predetermined address, stored within the kernel program fetch supervisor circuit, to determine if a security violation has occurred. The kernel data fetch supervisor circuit monitors and compares the data address to addresses defining a protected memory area. A security violation will occur if the data address is within the protected memory address range and the processor will be reset. A method of kernel mode protection includes the step of fetching a program opcode. If the program opcode is from the kernel memory, the processor is reset. If the program opcode is from a user memory, then the processor may fetch the data operand. If the data operand is fetched from the kernel memory, the processor is reset. If the data operand is fetched from a user memory, the processor is permitted to enter the kernel memory. If a program opcodes is fetched from the kernel memory the processor may continue to fetch operands from either the kernel memory or the data memory. The processor remains in kernel mode and continues to fetch program opcodes until all of the opcodes have been fetched, or until an opcode fetched is from the user memory. If an opcode fetched is from the user memory, the processor switches back to user mode.

公开(公告)号：US20020080958A1

公开(公告)日：2002-06-27

申请号：US09897666

申请日：2001-07-02

Applicant: SafeNet, Inc.

Inventor： Timothy Ober ,  Peter Reed

IPC: H04L009/00

CPC classification number: G06F21/72 ,  G06F8/60 ,  G06F9/46 ,  G06F21/74 ,  G06F21/79 ,  G06F21/82 ,  H04L9/0836 ,  H04L9/0841 ,  H04L9/088

Abstract: A key management scheme for managing encryption keys in a cryptographic co-processor includes the first step of selecting a key from one of a symmetrical key type and an asymmetrical key type. Then, the key bit length is selected. The key is then generated and, lastly, the key is represented in either an external form or an internal form.

Abstract translation: 用于管理加密协处理器中的加密密钥的密钥管理方案包括从对称密钥类型和非对称密钥类型之一选择密钥的第一步骤。 然后，选择键位长度。 然后生成密钥，最后，密钥以外部形式或内部形式表示。

公开(公告)号：US20010036276A1

公开(公告)日：2001-11-01

申请号：US09897251

申请日：2001-07-02

Applicant: SafeNet, Inc.

Inventor： Timothy Ober ,  Peter Reed

IPC: H04L009/00

CPC classification number: G06F21/72 ,  G06F8/60 ,  G06F9/46 ,  G06F21/74 ,  G06F21/79 ,  G06F21/82 ,  H04L9/083 ,  H04L9/0844 ,  H04L9/0894

Abstract: A method of generating a recovery key encryption key (RKEK) in a secure manner by an integrated circuit (IC) and a key recovery escrow agent includes the steps of generating by the IC a first number having a private component and a public component, and generating by the escrow agent a second number having a private component and a public component. The public component of the first number is provided to the escrow agent, and the public component of the second number is provided to the integrated circuit. A Diffie-Hellman modulo-exponentiation mathematical operation is performed by the integrated circuit using the private component of the first number, the public component of the first number and the public component of the second number to create the RKEK. A similar operation is performed by the escrow agent using the private component of the second number, the public number of the second number and the public component of the first number to create the RKEK at its end.