News Column

"Secure Storage and Signature" in Patent Application Approval Process

February 11, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- A patent application by the inventors Maletsky, Kerry (Monument, CO); Durant, David (Colorado Springs, CO); Badam, Balaji (Colorado Springs, CO); Seymour, Michael (Colorado Springs, CO), filed on July 19, 2012, was made available online on January 30, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to Atmel Corporation.

The following quote was obtained by the news editors from the background information supplied by the inventors: "In some systems, devices connected to one another may be configured to work correctly under certain circumstances. Such information may be embedded in the devices. For correct operation, a device, such as a host, may want to verify that the information being provided by a connected client device, such as a peripheral component, is accurate."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "In one general aspect, an integrated circuit device comprises a processor and a secure protection zone with security properties that can be verified by a remote device communicating with the integrated circuit device. The secure protection zone includes a persistent storage that is configured for storing cryptographic keys and data. The secure protection zone also includes instructions that are configured for causing the processor to perform cryptographic operations using the cryptographic keys. In addition, the secure protection zone includes an ephemeral memory that is configured for storing information associated with the cryptographic operations. The instructions are configured for causing the processor to perform the cryptographic operations on the data stored in the persistent storage and the information in the ephemeral memory as part of a secure communication exchange with the remote device.

"Particular implementations of the integrated circuit device may include one or more of the following features. The device may be configured to be included in a client device that is coupled to a remote device acting as a host of the client device. At least one of the data stored in the persistent storage and the information stored in the ephemeral memory may include information associated with the client device. The device may be configured to authenticate the information to the remote host device. The processor may include a digital processing element.

"The device may be configured to authenticate only information that is included in the secure protection zone. The authentication may be based on performing the cryptographic operations on the information using the cryptographic keys stored in the persistent storage.

"The persistent storage may be configured for securely storing the cryptographic keys and the data such that modifications to at least one of the cryptographic keys and the data is restricted. The persistent storage may be configured for securely storing the cryptographic keys and the data such that modifications to at least one of the cryptographic keys and the data is detectable by the remote device.

"The cryptographic operations may be selected from a group consisting of random number generation, key generation, signature computation, digest computation, usage authorization, signature verification, encrypted read, encrypted write and general purpose input output (GPIO) access. The cryptographic keys may include an asymmetric private key stored in the persistent storage. The key generation may include at least one of an asymmetric public key generation based on the asymmetric private key, and a symmetric key or an additional asymmetric private key generation based on a random number produced within the secure zone using the cryptographic operations performed by the processor.

"The instructions may be configured for causing the processor to perform a first set of cryptographic operations on the data that is stored in the persistent storage, and a second set of cryptographic operations that is different from the first set on data external to the secure protection zone. The ephemeral memory is configured for storing at least one of results of the cryptographic operations on the data using the cryptographic keys, and information received from the remote device as part of a secure communication exchange.

"The device may comprise an information generation module that is configured for generating information internal to the device. The instructions may be configured for causing the processor to perform cryptographic operations on the generated information using the cryptographic keys. The information generation module may be configured for generating information associated with a state of an input pin of the device. The information generation module may include a sensor. The generated information may include data generated by the sensor. The sensor may be selected from the group consisting of a temperature sensor, a pressure sensor and a voltage sensor.

"In another general aspect, a client device sends a parent public key and an associated certificate to a host device coupled to the client device. The parent public key, the certificate and a corresponding parent private key are stored in secure persistent storage included in a secure device associated with the client device. The client device generates a child private key based on a random number produced within the secure device, and a child public key associated with the child private key. The child private and public keys are generated within the secure device. The client device generates a first signature based on the child public key and information associated with the secure device. The first signature is generated within the secure device. The client device sends the child public key and the first signature, to the host device.

"Particular implementations may include one or more of the following features. Generating the first signature may comprise combining, by the secure device, a nonce with the child public key to generate a digest. The digest may include information associated with the secure device. The secure device may generate the first signature by performing an asymmetric signature computation on the digest using the parent private key.

"The nonce may be generated by a random number generator included in the secure device. Combining the nonce with the child public key to generate the digest may comprise combining, by the secure device, the nonce with the child public key to generate a first digest. The secure device may combine the first digest with the information associated with the secure device to generate a second digest. The secure device may generate the first signature by performing an asymmetric signature computation on the second digest using the parent private key.

"The information associated with the secure device may include at least one of state information of the secure device, key storage configuration information, key storage state information and command parameters. At least one of the parent private key and the child private key may be restricted to signing data that is generated by the secure device.

"The client device may receive a random challenge from the host device. The client device may generate a second signature based on the random challenge using the child private key. The client device may send the second signature to the host device.

"At least one of the first signature and the second signature may be generated using a hardware cryptographic engine included in the secure device. Generating the first signature may comprise using a first cryptographic operation, and generating the second signature may comprise using a second cryptographic operation that is different from the first cryptographic operation. The first cryptographic operation may be configured to be operable on data generated internally by the secure device. The second cryptographic operation may be configured to be operable on data generated external to the secure device.

"The host device may receive the parent public key and the associated certificate from the client device. The host device may authenticate the parent public key based on the associated certificate. The host device may receive the child public key and the first signature from the client device. The host device may verify the first signature using the authenticated parent public key. Verifying the first signature may include verifying the information associated with the secure device. The host device may authenticate the child public key based on verifying the first signature. The associated certificate may be generated by a certificate authority at a time of manufacture of the secure device. The certificate authority may be trusted by the host device and the client device.

"The details of one or more disclosed implementations are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages will become apparent from the description, the drawings and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

"FIG. 1 is a conceptual block diagram of an exemplary device that may be used for secure storage and signature.

"FIG. 2 is a conceptual block diagram of sections within a secure zone of a device for secure storage and signature.

"FIG. 3 illustrates an exemplary system in which a device for providing secure storage and signature may be applied.

"FIG. 4 is a flow chart illustrating an exemplary process for secure communication from a client that includes a secure device to a host.

"FIG. 5 is a flow chart illustrating an exemplary process for secure communication from a host to a client that includes a secure device."

URL and more information on this patent application, see: Maletsky, Kerry; Durant, David; Badam, Balaji; Seymour, Michael. Secure Storage and Signature. Filed July 19, 2012 and posted January 30, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=335&p=7&f=G&l=50&d=PG01&S1=20140123.PD.&OS=PD/20140123&RS=PD/20140123

Keywords for this news article include: Atmel Corporation, Information Technology, Information and Cryptography.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: Information Technology Newsweekly


Story Tools