US11269786B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11269786-B2 |
| Application number | US-201816045393-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 25, 2018 |
| Priority date | Jul 25, 2018 |
| Publication date | Mar 8, 2022 |
| Grant date | Mar 8, 2022 |
Official abstract text for this publication.
Systems, apparatus, and/or methods to provide memory data protection. In one example, authenticated encryption may be enhanced via a modification to an authentication code that is associated with encrypted data. The authentication code may be modified, for example, with a nonce value generated for a particular write to memory. Decrypted data, generated from the encrypted data, may then be validated based on a modified authentication code. Moreover, data freshness control for data stored in the memory may be provided based on iterative authentication and re-encryption. In addition, a counter used to provide a nonce value may be managed to reduce a size of the counter and/or a growth of the counter.
Opening claim text (preview).
We claim:
1. An electronic processing system comprising: a processor; and logic communicatively coupled to the processor to: modify an authentication code associated with encrypted data to generate a modified authentication code, wherein the modified authentication code is to be based on a new value generated specifically for a corresponding write of data to memory to provide data freshness control including iterative authentication and re-encryption based on a timestamp value, wherein the iterative authentication and re-encryption are to provide data time freshness via a refreshing wave that continuously traverses the memory at a pre-defined pace, and wherein the modified authentication code and the encrypted data are to be stored in memory, and validate decrypted data, to be generated from the encrypted data, based on the modified authentication code, to determine whether a match condition exists between a new authentication code generated on decryption and the modified authentication code stored in the memory, wherein validating the decrypted data includes: when a match condition exists, confirming the match, and when a match does not exist, automatically issuing a security action including generating an updated modified authentication code with updated encrypted data, and issuing a write request to store the updated modified authentication code and the updated encrypted data in the memory.
2. The system of claim 1, further including logic to construct an initialization value based on a nonce value and one or more of a memory address for the encrypted data, a key identifier for a key used to generate the encrypted data, or a most recent timestamp value from a running sequence of timestamp values.
3. The system of claim 2, wherein the logic is further to: identify one of a counter value or a pseudorandom value as the nonce value; and construct the initialization value based on the memory address, the key identifier, the timestamp value, and one of the counter value or the pseudorandom value.
4. The system of claim 1, wherein the logic is further to: determine one or more of a size of a first field for a nonce value in the modified authentication code or a size of a second field for an authentication value in the modified authentication code; truncate the authentication code to the size of the second field to form a truncated authentication code; and concatenate the truncated authentication code with the nonce value to generate the modified authentication code.
5. The system of claim 1, further including: logic to encrypt the modified authentication code to generate an encrypted modified authentication code; and logic to generate an authenticated encryption key based on two or more of a memory address for the encrypted data, a key used to generate the encrypted data, or a most recent timestamp value from a running sequence of timestamp values.
6. The system of claim 1, further including logic to: issue a read request for the encrypted data at an address threshold of a refresh wave; determine that the encrypted data is authenticated to allow for an updated modified authentication code to be generated; and issue a write request to store the updated modified authentication code in the memory.
7. The system of claim 1, further including one or more of: logic to generate a prefix code for the modified authentication code; logic to generate an array of group counters mapped to respective address groups from a memory address space in the memory; logic to reset a counter based on an arrival of a refresh wave at an end of the memory address space in the memory; or logic to generate a value from a virtual counter.
8. A semiconductor package apparatus comprising: one or more substrates; and logic coupled to the one or more substrates, wherein the logic is at least partly implemented in one or more of configurable logic or fixed-functionality hardware logic, the logic coupled to the one or more substrates to: modify an authentication code associated with encrypted data to generate a modified authentication code, wherein the modified authentication code is to be based on a new value generated specifically for a corresponding write of data to memory to provide data freshness control including iterative authentication and re-encryption based on a timestamp value, wherein the iterative authentication and re-encryption are to provide data time freshness via a refreshing wave that continuously traverses the memory at a pre-defined pace, and wherein the modified authentication code and the encrypted data are to be stored in memory, and validate decrypted data, to be generated from the encrypted data, based on the modified authentication code, to determine whether a match condition exists between a new authentication code generated on decryption and the modified authentication code stored in the memory, wherein validating the decrypted data includes: when a match condition exists, confirming the match, and when a match does not exist, automatically issuing a security action including generating an updated modified authentication code with updated encrypted data, and issuing a write request to store the updated modified authentication code and the updated encrypted data in the memory.
9. The apparatus of claim 8, further including logic to construct an initialization value based on a nonce value and one or more of a memory address for the encrypted data, a key identifier for a key used to generate the encrypted data, or a most recent timestamp value from a running sequence of timestamp values.
10. The apparatus of claim 8, wherein the logic is further to: determine one or more of a size of a first field for a nonce value in the modified authentication code or a size of a second field for an authentication value in the modified authentication code; truncate the authentication code to the size of the second field to form a truncated authentication code; and concatenate the truncated authentication code with the nonce value to generate the modified authentication code.
11. The apparatus of claim 8, further including: logic to encrypt the modified authentication code to generate an encrypted modified authentication code; and logic to generate an authenticated encryption key based on two or more of a memory address for the encrypted data, a key used to generate the encrypted data, or a most recent timestamp value from a running sequence of timestamp values.
12. The apparatus of claim 8, further including logic is to: issue a read request for the encrypted data at an address threshold of a refresh wave; determine that the encrypted data is authenticated to allow for an updated modified authentication code to be generated; and issue a write request to store the updated modified authentication code in the memory.
13. The apparatus of claim 8, further including one or more of: logic to generate a prefix code for the modified authentication code; logic to generate an array of group counters mapped to respective address groups from a memory address space in the memory; logic to reset a counter based on an arrival of a refresh wave at an end of the memory address space in the memory; or logic to generate a value from a virtual counter.
14. A method comprising: modifying an authentication code associated with encrypted data to generate a modified authentication code, wherein the modified authentication code is to be based on a new value generated specifically for a corresponding write of data to memory to provide data freshness control including iterative authentication and re-encryption based on a t
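The write, validate and refresh steps described in the abstract and in claims 1, 2 and 4 can be modelled in software; the following is an added Python example, not code from the patent or its assignee. It assumes HMAC-SHA256 as a stand-in for both the cipher and the authentication code, a 12-byte tag with a 4-byte counter nonce, a refresh sweep that runs in one step, and an exception in place of the claimed security action; `ProtectedMemory` and its method names are hypothetical.

```python
import hashlib, hmac, struct

TAG_BYTES, NONCE_BYTES = 12, 4  # assumed field sizes; claim 4 leaves them configurable

class AuthError(Exception): pass

class ProtectedMemory:
    def __init__(self, enc_key, mac_key, key_id=1):
        self.enc_key, self.mac_key, self.key_id = enc_key, mac_key, key_id
        self.timestamp = 0  # trusted epoch value, advanced by each refresh sweep
        self.counter = 0    # trusted write counter that supplies the nonce
        self.cells = {}     # untrusted memory: addr -> (ciphertext, modified MAC)

    def _iv(self, addr, nonce):
        # Claim 2: initialization value from address, key id, timestamp and nonce.
        return struct.pack(">QHQ", addr, self.key_id, self.timestamp) + nonce

    def _xor_stream(self, iv, data):
        # Stand-in cipher (assumption): HMAC-SHA256 keystream XORed over the data.
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(self.enc_key, iv + struct.pack(">I", i), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def _tag(self, iv, ct):
        return hmac.new(self.mac_key, iv + ct, hashlib.sha256).digest()[:TAG_BYTES]

    def write(self, addr, data):
        self.counter += 1  # new value generated for this specific write
        nonce = self.counter.to_bytes(NONCE_BYTES, "big")
        iv = self._iv(addr, nonce)
        ct = self._xor_stream(iv, data)
        # Claim 4: truncated authentication code concatenated with the nonce.
        self.cells[addr] = (ct, self._tag(iv, ct) + nonce)

    def read(self, addr):
        ct, mmac = self.cells[addr]
        iv = self._iv(addr, mmac[TAG_BYTES:])  # nonce is the trailing field
        if not hmac.compare_digest(self._tag(iv, ct), mmac[:TAG_BYTES]):
            raise AuthError(f"authentication failed at {addr:#x}")
        return self._xor_stream(iv, ct)

    def refresh(self):
        # Authenticate every cell under the old timestamp, then re-encrypt under the next.
        plain = {a: self.read(a) for a in self.cells}
        self.timestamp += 1
        for a, d in plain.items():
            self.write(a, d)
```

Because the timestamp and address are bound into the initialization value, a ciphertext and code pair captured before a refresh, or copied to a different address, no longer validates.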
Security improvement · CPC title
to assure secure storage of data (address-based protection against unauthorised use of memory G06F12/14; record carriers for use with machines and with at least a part designed to carry digital markings G06K19/00) · CPC title
by using cryptography (for digital transmission H04L9/00) · CPC title
Program or device authentication · CPC title