Technologies for memory replay prevention using compressive encryption

US11275603B2 · US · B2

Patent metadata
Publication number: US-11275603-B2
Application number: US-202016748176-A
Country: US
Kind code: B2
Filing date: Jan 21, 2020
Priority date: Jul 1, 2017
Publication date: Mar 15, 2022
Grant date: Mar 15, 2022

Abstract

Official abstract text for this publication.

Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to generate a compressed line in response to determining that the data line is compressible, where the compressed line includes compression metadata and compressed data, adding encryption metadata to the compressed line, where the encryption metadata is indicative of the encryption key, encrypting a part of the compressed line with the encryption key to generate an encrypted line in response to adding the encryption metadata, and writing the encrypted line to a memory device at the physical memory address. Other embodiments are described and claimed.

First claim

Opening claim text (preview).

The invention claimed is:

1. A computing device comprising: a first processor circuitry to: receive a request to read an encrypted line from a physical memory address of the computing device, wherein the physical memory address comprises a key identifier; select a decryption key from a key table based on the key identifier of the physical memory address; determine whether a start of the encrypted line matches a compression indicator, wherein the compression indicator comprises a predetermined bit pattern; (i) decrypt a part of the encrypted line with the decryption key to generate a compressed line in response to a determination that the start of the encrypted line matches the compression indicator, wherein the compressed line comprises compression metadata, encryption metadata, and compressed data, and (ii) determine whether the encryption metadata is verified against the decryption key, wherein the encryption metadata includes the key identifier and a hash of the decryption key; decompress the compressed data to generate a data line in response to a determination that the encryption metadata is verified; and forward the data line to a second processor circuitry.

2. The computing device of claim 1, wherein to select the decryption key from the key table comprises to index the key table with the key identifier to retrieve the decryption key, wherein the first processor circuitry is further to generate a verification error in response to a determination that the encryption metadata is not verified.

3. The computing device of claim 1, wherein the first processor circuitry is further to: determine whether the start of the encrypted line matches a conflict indicator in response to a determination that the start of the encrypted line does not match the compression indicator, wherein the conflict indicator comprises a predetermined bit pattern different from the compression indicator; and decrypt the entire encrypted line with the decryption key to generate the data line in response to a determination that the start of the encrypted line does not match the conflict indicator.

4. The computing device of claim 3, wherein the first processor circuitry is further to: replace the start of the encrypted line with the compression indicator based on a value from a conflict table that corresponds to the physical memory address of the encrypted line in response to a determination that the start of the encrypted line matches the conflict indicator; decrypt the entire encrypted line in response to replacement of the start of the encrypted line, wherein the first processor circuitry includes one or more of application processor circuitry or graphics processor circuitry.

5. A method comprising: receiving, by a first computing device, a request to read an encrypted line from a physical memory address of the first computing device, wherein the physical memory address comprises a key identifier; selecting, by the first computing device, a decryption key from a key table based on the key identifier of the physical memory address; determining, by the first computing device, whether a start of the encrypted line matches a compression indicator, wherein the compression indicator comprises a predetermined bit pattern; decrypting, by the first computing device, a part of the encrypted line with the decryption key to generate a compressed line in response to determining that the start of the encrypted line matches the compression indicator, wherein the compressed line comprises compression metadata, encryption metadata, and compressed data; determining, by the first computing device, whether the encryption metadata is verified against the decryption key, wherein the encryption metadata includes the key identifier and a hash of the decryption key; decompressing, by the first computing device, the compressed data to generate a data line in response to determining that the encryption metadata is verified; and forwarding, by the first computing device, the data line to a second computing device.

6. The method of claim 5, wherein selecting the decryption key from the key table comprises indexing the key table with the key identifier to retrieve the decryption key.

7. The method of claim 5, further comprising generating, by the first computing device, a verification error in response to determining that the encryption metadata is not verified.

8. The method of claim 5, further comprising: determining, by the first computing device, whether the start of the encrypted line matches a conflict indicator in response to determining that the start of the encrypted line does not match the compression indicator, wherein the conflict indicator comprises a predetermined bit pattern different from the compression indicator; and decrypting the entire encrypted line with the decryption key to generate the data line in response to determining that the start of the encrypted line does not match the conflict indicator.

9. The method of claim 8, further comprising: replacing, by the first computing device, the start of the encrypted line with the compression indicator based on a value from a conflict table that corresponds to the physical memory address of the encrypted line in response to determining that the start of the encrypted line matches the conflict indicator; wherein decrypting the entire encrypted line further comprises decrypting the entire encrypted line in response to replacing the start of the encrypted line.

10. At least one computer-readable medium having stored thereon instructions which, when executed, cause a first computing device to perform operations comprising: receiving a request to read an encrypted line from a physical memory address of the first computing device, wherein the physical memory address comprises a key identifier; selecting a decryption key from a key table based on the key identifier of the physical memory address; determining whether a start of the encrypted line matches a compression indicator, wherein the compression indicator comprises a predetermined bit pattern; decrypting a part of the encrypted line with the decryption key to generate a compressed line in response to determining that the start of the encrypted line matches the compression indicator, wherein the compressed line comprises compression metadata, encryption metadata, and compressed data; determining whether the encryption metadata is verified against the decryption key, wherein the encryption metadata includes the key identifier and a hash of the decryption key; decompressing the compressed data to generate a data line in response to determining that the encryption metadata is verified; and forwarding the data line to a second computing device.

11. The computer-readable medium of claim 10, wherein selecting the decryption key from the key table comprises indexing the key table with the key identifier to retrieve the decryption key.

12. The computer-readable medium of claim 10, wherein the operations further comprise generating a verification error in response to determining that the encryption metadata is not verified.

13. The computer-readable medium of claim 10, wherein the operations further comprise: determining whether the start of the encrypted line matches a conflict indicator in response to determining that the start of the encrypted line does not match the compression indicator, wherein the conflict indicator comprises a predetermined bit pattern different from the compression indicator; and decrypting the entire encrypted line with the decryption key to generate the data line in response to determining that the start of the encrypted line does no
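The write path from the abstract and the read path from claims 1 to 4, modeled as an added Python example (not code from the patent or its assignee). The line size, indicator bit patterns, key-identifier bit position, metadata layout, zlib as the compressor, the XOR keystream standing in for the cipher, and the write-side use of the conflict table are all assumptions made for illustration.

```python
import hashlib, zlib

LINE, KEYID_SHIFT = 64, 40                     # assumed line size and key-id bit position
COMP_IND, CONF_IND = b"\xc0\xde", b"\xc0\xdf"  # assumed predetermined bit patterns
KEY_TABLE = {1: b"A" * 16, 2: b"B" * 16}       # constructed keys, indexed by key identifier
ROOM = LINE - 2 - 1 - 5                        # left after indicator, length byte, metadata

class VerificationError(Exception):
    """Encryption metadata did not verify against the selected key."""

def split_addr(addr):                          # -> (key identifier, memory location)
    return addr >> KEYID_SHIFT, addr & ((1 << KEYID_SHIFT) - 1)

def stream_xor(key, loc, data):                # stand-in cipher, not real memory encryption
    ks = b"".join(hashlib.sha256(key + loc.to_bytes(8, "big") + bytes([i])).digest() for i in (0, 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc_meta(key_id, key):                     # key identifier + truncated hash of the key
    return bytes([key_id]) + hashlib.sha256(key).digest()[:4]

def write_line(mem, conflicts, addr, line):
    key_id, loc = split_addr(addr)
    key = KEY_TABLE[key_id]                    # select the key by indexing the key table
    comp = zlib.compress(line, 9)
    conflicts.pop(loc, None)                   # drop any stale conflict entry
    if len(comp) <= ROOM:                      # compressible: indicator stays in the clear
        body = bytes([len(comp)]) + enc_meta(key_id, key) + comp.ljust(ROOM, b"\0")
        mem[loc] = COMP_IND + stream_xor(key, loc, body)
        return
    ct = stream_xor(key, loc, line)            # incompressible: encrypt the entire line
    if ct[:2] in (COMP_IND, CONF_IND):         # ciphertext start collides with an indicator
        conflicts[loc] = ct[:2]                # remember the real start in the conflict table
        ct = CONF_IND + ct[2:]
    mem[loc] = ct

def read_line(mem, conflicts, addr):
    key_id, loc = split_addr(addr)
    key, ct = KEY_TABLE[key_id], mem[loc]
    if ct[:2] == COMP_IND:
        body = stream_xor(key, loc, ct[2:])    # decrypt only the part after the indicator
        if body[1:6] != enc_meta(key_id, key): # metadata check before decompressing
            raise VerificationError(hex(addr))
        return zlib.decompress(body[6:6 + body[0]])
    if ct[:2] == CONF_IND:                     # restore the original start, then decrypt all
        ct = conflicts[loc] + ct[2:]
    return stream_xor(key, loc, ct)
```

Reading a compressed line through an address that carries a different key identifier decrypts the metadata to garbage, so the check raises `VerificationError` instead of returning data.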

Classifications

  • by using cryptography (for digital transmission H04L9/00)

  • wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for symmetric key encryption H04L9/06)

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine

  • G06F21/78 (Primary): to assure secure storage of data (address-based protection against unauthorised use of memory G06F12/14; record carriers for use with machines and with at least a part designed to carry digital markings G06K19/00)

  • Protocols for data compression, e.g. ROHC

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11275603B2 cover?
Systems and methods for memory isolation are provided. The methods include receiving a request to write a data line to a physical memory address, where the physical memory address includes a key identifier, selecting an encryption key from a key table based on the key identifier of the physical memory address, determining whether the data line is compressible, compressing the data line to gener…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification G06F12/1408. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 15, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).