Generating signatures using a secure device

US9323950B2 · US · B2

Patent metadata
Publication number: US-9323950-B2
Application number: US-201213553388-A
Country: US
Kind code: B2
Filing date: Jul 19, 2012
Priority date: Jul 19, 2012
Publication date: Apr 26, 2016
Grant date: Apr 26, 2016

Abstract

Official abstract text for this publication.

An integrated circuit device comprises a processor and a secure protection zone with security properties that can be verified by a remote device communicating with the integrated circuit device. The secure protection zone includes a persistent storage that is configured for storing cryptographic keys and data. The secure protection zone also includes instructions that are configured for causing the processor to perform cryptographic operations using the cryptographic keys. In addition, the secure protection zone includes an ephemeral memory that is configured for storing information associated with the cryptographic operations. The instructions are configured for causing the processor to perform the cryptographic operations on the data stored in the persistent storage and the information in the ephemeral memory as part of a secure communication exchange with the remote device.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: storing, in persistent storage included in a first device, a parent public key, a certificate corresponding to the parent public key and a parent private key corresponding to the parent public key, wherein the first device is associated with a client device and wherein the parent public key and the corresponding certificate are sent to a host device that is in communication with the client device; generating, by the first device, a child private key based on a random number produced within the first device, and a child public key corresponding to the child private key, the child private and public keys being generated within the first device; combining, by the first device, a nonce with the child public key and configuration information corresponding to the first device to generate a hashed digest, wherein the nonce is generated by the first device; generating, by the first device, a first signature by performing signature computation on the hashed digest, the first signature being generated within the first device, wherein generating the first signature comprises: determining, by the first device, that the hashed digest is generated internally by the first device; in response to determining that the hashed digest is generated internally by the first device, signing, by the first device, the hashed digest using a first cryptographic operation that is configured to be performed on data generated internally by the first device, wherein the first device is configured to use a second cryptographic operation different from the first cryptographic operation to operate on data generated external to first device; and sending the child public key and the first signature to the host device.

2. The method of claim 1, wherein generating the first signature comprises: generating, by the first device, the first signature by performing signature computation on the hashed digest using the parent private key.

3. The method of claim 2, wherein the nonce is generated by a random number generator included in the first device.

4. The method of claim 2, wherein combining the nonce with the child public key and the configuration information corresponding to the first device to generate the hashed digest comprises: combining, by the first device, the nonce with the child public key to generate a first hashed digest; combining, by the first device, the first hashed digest with the configuration information corresponding to the first device to generate a second hashed digest; and generating, by the first device, the first signature by performing signature computation on the second hashed digest using the parent private key.

5. The method of claim 1, wherein the configuration information corresponding to the first device includes at least one of key storage configuration information, key storage state information or command parameters.

6. The method of claim 1, wherein generating the first signature further comprises: tracking, by the first device, state information associated with data values stored in memory included in the first device; based on tracking the state information, determining, by the first device, whether a hashed digest to be signed is generated by the first device; and in response to determining that the hashed digest is generated by the first device, signing, by the first device, the hashed digest using one of the parent private key or the child private key.

7. The method of claim 1, comprising: receiving, at the first device, a random challenge from the host device in response to sending the child public key and the first signature to the host device; generating, by the first device, a second signature based on the random challenge using the child private key; and sending the second signature to the host device.

8. The method of claim 7, wherein at least one of the first signature or the second signature is generated using a hardware cryptographic engine included in the first device.

9. The method of claim 7, wherein generating the second signature comprises using the second cryptographic operation to generate the second signature.

10. The method of claim 1, further comprising: receiving, by the host device, the parent public key and the corresponding certificate from the client device; authenticating, by the host device, the parent public key based on the corresponding certificate; receiving, by the host device, the child public key and the first signature from the client device; verifying, by the host device, the first signature using the authenticated parent public key, wherein verifying the first signature includes verifying the configuration information corresponding to the first device; and authenticating, by the host device, the child public key based on verifying the first signature.

11. The method of claim 1, wherein the certificate corresponding to the parent public key is generated by a certificate authority at a time of manufacture of the first device, the certificate authority being trusted by the host device and the client device.

12. The method of claim 1, wherein the configuration information corresponding to the first device includes information associated with a state of a physical input pin of the first device.

13. The method of claim 1, wherein the configuration information corresponding to the first device includes data generated by a sensor that is coupled to the first device.

14. The method of claim 13, wherein the sensor is selected from the group consisting of a temperature sensor, a pressure sensor and a voltage sensor.

15. An apparatus comprising: a processor; a first device; a persistent storage included in the first device; and a storage medium coupled to the processor and configured for storing instructions, which, when executed by the processor, are configured to cause the processor to perform operations comprising: storing, in the persistent storage, a parent public key, a certificate corresponding to the parent public key and a parent private key corresponding to the parent public key, wherein the first device is associated with a client device and wherein the parent public key and the corresponding certificate are sent to a host device that is in communication with the client device; generating, by the first device, a child private key based on a random number produced within the first device, and a child public key corresponding to the child private key, the child private and public keys being generated within the first device; combining, by the first device, a nonce with the child public key and configuration information corresponding to the first device to generate a hashed digest, wherein the nonce is generated by the first device; generating, by the first device, a first signature by performing signature computation on the hashed digest, the first signature being generated within the first device, wherein generating the first signature comprises: determining, by the first device, that the hashed digest is generated internally by the first device; in response to determining that the hashed digest is generated internally by the first device, signing, by the first device the hashed digest using a first cryptographic operation that is configured to be performed on data generated internally by the first device, wherein the first device is configured to use a second cryptographic operation different from the first cryptographic operation to operate on data generated external to first device; and sending the child public key and the first signature to the host device.
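The flow of claims 1, 4, 6, 7 and 10, modelled in software as an added example; it is not code from the patent or its assignee. Ed25519, SHA-256, the "ext:" tag on host-supplied data, sending the nonce alongside the child public key, and every name below are assumptions, and the certificate check on the parent public key is left out.

```javascript
const crypto = require('crypto');

// Constructed model of the claimed flow. Ed25519, SHA-256 and the "ext:" tag are assumptions.
const sha256 = (...parts) => crypto.createHash('sha256').update(Buffer.concat(parts)).digest();
// Claim 4: digest = H(H(nonce || childPub) || config).
const attestDigest = (nonce, childPub, config) => sha256(sha256(nonce, childPub), config);
const tagged = (challenge) => Buffer.concat([Buffer.from('ext:'), challenge]);

class Device {
  #parent = crypto.generateKeyPairSync('ed25519'); // parent key pair in persistent storage
  #child = null;
  #internal = null; // last digest computed on-device (state tracking, claim 6)
  constructor(config) { this.config = Buffer.from(config); }
  get parentPub() { return this.#parent.publicKey; }

  genChild() {
    this.#child = crypto.generateKeyPairSync('ed25519');
    const childPub = this.#child.publicKey.export({ type: 'spki', format: 'der' });
    const nonce = crypto.randomBytes(32);
    this.#internal = attestDigest(nonce, childPub, this.config);
    return { childPub, nonce, sig: this.signInternal(this.#internal) };
  }

  // First operation: parent key, only over the digest the device itself produced.
  signInternal(digest) {
    if (!this.#internal || !this.#internal.equals(digest)) {
      throw new Error('digest was not generated inside the device');
    }
    return crypto.sign(null, digest, this.#parent.privateKey);
  }

  // Second operation: child key over tagged host-supplied data (claims 7 and 9).
  signExternal(challenge) {
    if (!this.#child) throw new Error('no child key generated yet');
    return crypto.sign(null, tagged(challenge), this.#child.privateKey);
  }
}

// Host side (claim 10): recompute the digest from the configuration the host expects.
function hostVerifyChild(parentPub, { childPub, nonce, sig }, expectedConfig) {
  const digest = attestDigest(nonce, childPub, Buffer.from(expectedConfig));
  return crypto.verify(null, digest, parentPub, sig);
}

function hostVerifyChallenge(childPub, challenge, sig) {
  const key = crypto.createPublicKey({ key: childPub, format: 'der', type: 'spki' });
  return crypto.verify(null, tagged(challenge), key, sig);
}
```

A host that expects a different configuration rejects the attestation, and a digest supplied from outside the device is refused by `signInternal`, so the parent key never vouches for a key pair the device did not generate.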

Classifications

  • using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]

  • G06F21/64 (Primary): Protecting data integrity, e.g. using checksums, certificates or signatures

  • using challenge-response

  • in cryptographic circuits

  • using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9323950B2 cover?
An integrated circuit device comprises a processor and a secure protection zone with security properties that can be verified by a remote device communicating with the integrated circuit device. The secure protection zone includes a persistent storage that is configured for storing cryptographic keys and data. The secure protection zone also includes instructions that are configured for causing…

Who is the assignee on this patent?
Maletsky Kerry, Durant David, Badam Balaji, and 2 more

What technology area does this patent fall under?
Primary CPC classification G06F21/64. Mapped technology areas include Physics.

When was this patent published?
Publication date Apr 26, 2016 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).