EP1224766A2 - Appareil et procedes permettant une evolutivite sure sur site - Google Patents

Appareil et procedes permettant une evolutivite sure sur site

Info

Publication number
EP1224766A2
EP1224766A2 EP00973385A EP00973385A EP1224766A2 EP 1224766 A2 EP1224766 A2 EP 1224766A2 EP 00973385 A EP00973385 A EP 00973385A EP 00973385 A EP00973385 A EP 00973385A EP 1224766 A2 EP1224766 A2 EP 1224766A2
Authority
EP
European Patent Office
Prior art keywords
component
recited
communication
bit string
enabling functionality
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP00973385A
Other languages
German (de)
English (en)
Inventor
Anders Johnson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Broadcom Corp
Original Assignee
Broadcom Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Broadcom Corp filed Critical Broadcom Corp
Publication of EP1224766A2 publication Critical patent/EP1224766A2/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0637Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Definitions

  • the invention relates to a method and apparatus for selectively and
  • Cryptography is generally defined as the technology of encoding information so that the information itself, upon storage and/or transmission,
  • cryptography can be used to encrypt a
  • cryptography is a type of cryptography where the sender and receiver both have the same key or similar keys, which are used to decode the encrypted
  • public key cryptography is a form of
  • the receiver decrypts the messages through use of the private key.
  • the private key is generally not revealed to anyone other
  • cryptography is symmetric key cryptography, which is often used in computer
  • manufacturers are generally able to manufacture a single product line having a single design and manufacturing cost, wherein the single product is capable
  • Secure for purposes of cryptographic enablement, is generally defined as the point where the cost of obtaining unauthorized access to a
  • the present invention to provide the ability to conduct secure functionality
  • the present invention provides an apparatus for enabling functionality
  • the apparatus includes an identification module
  • a host is provided and is in communication with the identification module, and a guess register in
  • An encryption module is provided
  • a comparator in communication with the encryption module, wherein the public key module has a public key stored therein.
  • the encryption module and the hash function module is provided, such that
  • the comparator may compare a first bit string to a second bit string to
  • the present invention further provides a component for selectively enabling functionality of an electronic device, wherein the component
  • a means for determining if the on board memory has a predefined identification number stored therein.
  • the present invention further provides a method for enabling functionality of an electronic component, wherein the method includes the steps of encrypting a first bit string and a second bit string to generate a third bit string, calculating a fourth bit string, comparing the fourth bit string to the
  • the invention also includes an apparatus for enabling functionality of
  • a host comprising at least one memory, and an encryption module in communication with the at least one memory.
  • processor is in communication with the at least one memory, and a comparing device is in communication with the encryption module and the at least one
  • the comparing device is configured to compare a guess passcode
  • the invention also includes a method for enabling functionality of an
  • bit string and a second bit string to generate an encrypted bit string
  • the guess passcode is compared to the
  • the invention also includes an apparatus for enabling functionality of a component, with the apparatus comprising a comparing device having at
  • the memory has a memory output in communication
  • a guess register is provided for receiving a guess passcode.
  • the guess register has a guess passcode input and a guess passcode output.
  • the guess passcode output is in communication with the comparing device.
  • a host is in communication with the guess register.
  • host is configured to receive and transmit the guess passcode to the guess
  • the memory includes a physical limitation preventing unauthorized extraction of the at least one bit string stored within
  • the invention also includes a method for enabling at least one function
  • the method comprising the steps of storing a component identification number and a key in a non-volatile memory on board the
  • a bit string is then transmitted, composed of the key, to a first
  • the bit string is then compared to the manufacturer's key to generate an enable output.
  • the non-volatile memory is manufactured
  • the invention also includes a method for selectively enabling functionality of an electronic component, with the method comprising the
  • the bit string is compared to the
  • the invention also includes an apparatus for enabling functionality of
  • an electronic component with the apparatus comprising at least one means for storing a bit string, and means for transmitting and receiving information.
  • the means for transmitting and receiving information is in communication with
  • the means for storing are provided for comparing a predefined
  • bit string with a guess bit string The means for comparing being in
  • comparing receives at least two inputs from the at least one means for storing and compares the at least two inputs to determine an enable output for the
  • the invention also includes an apparatus for enabling functionality of a component, with the apparatus comprising a random number generating
  • a host is in communication with the random number generating module, and at least one
  • An encryption module is provided,
  • a comparing device is in communication with the at least one memory.
  • the comparing device compares a first bit string to a second bit string to generate a function enable output for the component.
  • the invention also includes a component for selectably enabling
  • the invention also includes a method for enabling functionality of an electronic component, with the method comprising the steps of generating a
  • the second bit string is then encrypted with a public key to generate a third
  • the third bit string is compared to the first bit string to determine a match.
  • a function enable signal is output, in accordance with the
  • Figure 1 illustrates an exemplary unique key function enabler
  • FIG. 2 illustrates an exemplary secret key function enabler according to the invention
  • Figure 3 illustrates an exemplary public key encryption enabler
  • Figure 4 illustrates an exemplary public key enabler with a random
  • the present invention is directed to an apparatus and method for
  • process is configured to be secure from attack by an unauthorized party.
  • components manufactures a component, such as a network switch, for
  • the network switch may be a single integrated circuit, or a plurality
  • This component could include the basic
  • customers are interested in purchasing a network switch with each of the above noted functions, as some customers may desire to purchase a network switch having only the ability to conduct network switching and filtering
  • a first embodiment of the present invention shown in Figure 1 , is
  • Figure 1 generally illustrates an exemplary configuration of a function enabler 15 of the present
  • the exemplary function enabler 15 is generally positioned on- board the computer or electronic component for which it is configured to
  • Function enabler 15 includes a non-volatile memory 16, which may be in the form of a 96 bit unique unpredictable non ⁇
  • 16 is generally characterized as a memory and/or register wherein the
  • bits/information contained therein are programmed at the factory and are not visible to the user as a result of a physical limitation implemented at the factory.
  • This type of physical limitation generally comprises manufacturing
  • non-volatile memory 16 can be programmed with, for example, a component identification number at the factory. Additionally, non-volatile memory 16 may
  • Non-volatile memory 16 is in communication with an interface 17 through, for example, a
  • non-volatile memory 16 may send
  • Interface 17 is also in communication
  • interface 17 is in communication with an input of a register 19, which
  • guess register 19 is in communication with a first input 20a of a comparator 20.
  • a second input 20b is in communication with non-volatile memory 16 through a one-way connection in the direction of comparator 20.
  • comparator 20 is in communication with a first input 21a of a multiplexer
  • Second input 21 b of multiplexer 21 is in communication with a selection
  • Selection circuit 22 includes an OR gate 23 having an inverted
  • OR gate 23 is in communication with additional non-volatile logic
  • a third input 21 c of multiplexer 21 is in communication with
  • a bonding option circuit 25 which includes an appropriately sized pull up
  • non-volatile memory 16 of function enabler 15 may be preprogrammed at the factory with both a unique component
  • the component is a network switch
  • identification number may be a 32 bit identification number or serial number of the network switch. Furthermore, assuming that non-volatile memory 16
  • the network switch could be a 64 bit field stored in the register, which is generally generated through a random number-type process.
  • network switch desires to enable additional functions of the network switch, the user first must contact the manufacturer, or other party having
  • contacting the manufacturer is generally accomplished through host 18, which determines the identification number associated with the component/network
  • for a password or key also may include an agreement between the user and the manufacturer for the user to compensate the manufacturer for the
  • compensation arrangement may include a transaction that occurs before the functionality is enabled, or alternatively, a transaction that takes place at the
  • a key may be undertaken, for example, through an internet connection, a direct dial data connection, or through a voice telephone call,
  • Host 18 upon receiving the key from the manufacturer, then sends the manufacturers key to interface 17, which transmits the manufacturer's key to register 19.
  • Register 19
  • non-volatile memory 16 transmits the unique key that was
  • Comparator 20 or other
  • comparator 20 sends an enable signal to multiplexer 21 through a first input
  • a second input 21 b of multiplexer 21 receives an input
  • Selection circuit 22 determines whether multiplexer 21 uses the input from comparator 20 or bonding option circuit 25. For example, if the non-volatile memory 16 is programmed, then the additional
  • non-volatile bits 24 may be programmed to a logical "1" and "0" respectively
  • both additional non-volatile bits 24 may programmed to either logical "1 " or "0" such that the enable signal is selected from the bonding option circuit 25. Therefore, the bonding option in
  • the present invention contemplates that in order to detect any errors that may have occurred in the
  • host 18 may be used to determine
  • host 18 may initiate a testing of the enabled functionality to determine if the enablement process was
  • This configuration may be implemented on a component and tied to
  • a single enabler circuit may enable a single function
  • function enabler 15 provides the flexibility for manufacturers to selectively enable a single
  • the manufacturer may simply store an algorithm configured to generate the unique key stored in non-volatile memory 16 during the manufacturing stage.
  • the manufacturer when the manufacturer receives a request from a host for a manufacturers key, the manufacturer can simply determine an
  • key length selection is important to effective operation of the present invention. In selecting an appropriate key length, manufacturers may
  • a media access controller is generally programmed at the
  • Figure 2 has certain advantages over the embodiment of Figure 1 , the
  • the key length be chosen to be sufficiently long to deter a brute force attack, but the key must also be selected to be sufficiently short such that the
  • Figure 2 illustrates an exemplary implementation of symmetric cipher
  • a secret key function enabler 32 includes
  • memory 28 which is not required to be non-volatile memory as used in the previous embodiment.
  • Memory 28 is again used to store a component
  • memory 28 does not store a key of any sort in the present
  • the identification number which, for example, can be a 32 bit number, is transmitted from memory 28 to a hash function module 29.
  • Hash function module 29 is configured to receive the input from memory
  • hash function module 29 is shown as a one-way hash function module, which is also known generally as a
  • cryptographic compression function cryptographic contraction function, a cryptographic message digest, and/or a cryptographic checksum.
  • a one-way hash function is designed to compute a hash value from pre-image inputs.
  • the strength of a one-way hash function is that
  • a one-way hash function is generally
  • hash function module
  • hash function module 29 is
  • hash function module 29 may be utilized to reduce the length
  • hash value generated by hash function module 29 is transmitted to a symmetric
  • cipher encryption module 31 as an input. Another input to a symmetric cipher encryption module 31 is a secret key, which is transmitted to a symmetric
  • the symmetric cipher encryption module 31 is termed the clear text.
  • the encrypted output of the symmetric cipher encryption module 31 is termed the cipher text.
  • encryption module 31 is transmitted to the second input 20b of comparator
  • the first input 20a of comparator 20 is in communication with guess
  • the cipher text generated by symmetric cipher encryption module 31 is compared to the cipher text generated by symmetric cipher encryption module 31
  • comparator 20 to OR gate 23.
  • gate 23 conducts a logical "OR" operation with inputs from comparator 20 and bonding option 25, which was
  • OR gate 23 which is used to initiate the enabling of the desired functionality.
  • a MAC is generally programmed with a unique identification number, which is often the address of the MAC
  • present embodiment can be, for example, a 48 bit MAC address. This 48 bit
  • the unique identification number is
  • the secret key which is generally
  • programmed into the component or MAC at the factory and generally hardcoated can be, for example, 64 bits long, or another length as required
  • This cipher text can be transmitted
  • guess passcode to guess register 19 generally involves the user contacting
  • this process of contacting the manufacturer may be undertaken via the internet, direct dial communications link, or other communications methods. If the guess
  • Public key configurations generally rely on one key for encryption, and a different, but related key for decryption. This
  • the manufacturer can, for example, keep one of the keys secure within the manufacturing facility, while the second key may be stored on
  • Memory 28 communicates the component identification
  • Hash function module 29 which is a necessary component in public key system 31 , unlike
  • secret key function enabler 32 processes the pre-image input and generates
  • hash function module 29 as a module for executing a one way hash function
  • hash value generated by hash function module 29 is transmitted to the second
  • public key module 34 which contains the previously discussed
  • public key for the device therein transmits a public key to public key
  • public key encryption module 35 receives both
  • This cipher text at the output of public key encryption module 35. This cipher text
  • comparator 20 in similar fashion to the previously discussed embodiment,
  • Figure 4 utilizes a random sequence generator 36, which is configured to
  • the encryption process is unavailable for an attacker to utilize in an attack on the component.
  • Figure 4 illustrates the use of a linear feedback
  • the exemplary random sequence generator 36 is configured to
  • generator is to output a random number for use by the random id based
  • the run signal received by random sequence generator 36 is received at a first input of NAND gate 38.
  • the output of NAND gate 38 is transmitted to an input of linear feedback shift
  • LFSR LFSR register
  • the output of the series bank of inverters 39 is in communication with a
  • LFSR 37 generate a random number at the output of random sequence
  • random id based enabler 41 first receives a run signal at
  • the random sequence generator 36 which operates to initiate the generation of the desired random identification number.
  • Hash function module 29 which is once again shown as a one way hash function for exemplary purposes, receives the random number as pre-
  • This hash value is communicated to a second input 20b of
  • random sequence generator 36 The manufacturer, having the private key
  • function module 29 is then transmitted to the first input 20a of comparator 20.
  • Comparator 20 compares the calculated cipher text to the hash value generated by hash function module 29. If the cipher text matches the hash value, an enable signal is transmitted from the output of comparator 20 to an
  • OR gate 23 Another input of OR gate 23 is again connected to a bonding option circuit 25 to generate a manual override of random id based
  • OR gate 23 outputs an enable functionality signal that is
  • enabler of the present invention may be applicable to various electronic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention porte sur un appareil et des procédés d'activation d'un composant. Ledit appareil comporte des éléments tels que: un module d'identification contenant un N° d'identification, un module de hachage communiquant avec le module d'identification, un hôte communiquant avec le module d'identification, un registre d'estimation communiquant avec l'hôte, un module de cryptage communiquant avec le registre d'estimation, un module de code public communiquant avec le module de cryptage et contenant un code publique, et un comparateur communiquant avec le module de cryptage et avec la fonction de hachage et pouvant comparer une première chaîne de bits à une deuxième chaîne de bits pour produire un signal de validation de fonction du composant. L'invention porte également sur différents procédé et sur d'autres exécutions de l'appareil permettant l'évolutivité sûre de composants électroniques sur site.
EP00973385A 1999-10-29 2000-10-24 Appareil et procedes permettant une evolutivite sure sur site Withdrawn EP1224766A2 (fr)

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
US16220999P 1999-10-29 1999-10-29
US16215799P 1999-10-29 1999-10-29
US162209P 1999-10-29
US19337800P 2000-03-21 2000-03-21
US193378P 2000-03-21
PCT/US2000/026275 WO2001033768A2 (fr) 1999-10-29 2000-10-24 Appareil et procedes permettant une evolutivite sure sur site
US162157P 2009-03-20

Publications (1)

Publication Number Publication Date
EP1224766A2 true EP1224766A2 (fr) 2002-07-24

Family

ID=27388727

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00973385A Withdrawn EP1224766A2 (fr) 1999-10-29 2000-10-24 Appareil et procedes permettant une evolutivite sure sur site

Country Status (3)

Country Link
EP (1) EP1224766A2 (fr)
AU (1) AU1189701A (fr)
WO (1) WO2001033768A2 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7284127B2 (en) 2002-10-24 2007-10-16 Telefonktiebolaget Lm Ericsson (Publ) Secure communications
DE102007062915A1 (de) * 2007-12-21 2009-06-25 Endress + Hauser Process Solutions Ag Verfahren zum Betreiben einer speicherprogrammierbaren Steuerung
US10453535B2 (en) 2015-10-26 2019-10-22 Intel Corporation Segmented erase in memory

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE1472500A1 (de) 1965-05-11 1969-05-14 German Gresser Blendfreier Scheinwerfer
DE3620789C2 (de) 1986-06-20 1993-12-23 Bosch Gmbh Robert Abgeblendeter Kraftfahrzeugscheinwerfer
JPH05183828A (ja) * 1991-12-27 1993-07-23 Sony Corp 電子機器
US5499295A (en) * 1993-08-31 1996-03-12 Ericsson Inc. Method and apparatus for feature authorization and software copy protection in RF communications devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0133768A2 *

Also Published As

Publication number Publication date
WO2001033768A2 (fr) 2001-05-10
AU1189701A (en) 2001-05-14
WO2001033768A9 (fr) 2002-11-14
WO2001033768A3 (fr) 2002-01-10

Similar Documents

Publication Publication Date Title
US7634665B2 (en) Apparatus and method for secure field upgradability with unpredictable ciphertext
US7131001B1 (en) Apparatus and method for secure filed upgradability with hard wired public key
US7596704B2 (en) Partition and recovery of a verifiable digital secret
RU2399087C2 (ru) Безопасное хранение данных с защитой целостности
US5142578A (en) Hybrid public key algorithm/data encryption algorithm key distribution method based on control vectors
US4386233A (en) Crytographic key notarization methods and apparatus
US7502467B2 (en) System and method for authentication seed distribution
US6400823B1 (en) Securely generating a computer system password by utilizing an external encryption algorithm
US6950523B1 (en) Secure storage of private keys
RU2284569C2 (ru) Разблокирование и блокирование признаков программного обеспечения
US7711122B2 (en) Method and apparatus for cryptographic key storage wherein key servers are authenticated by possession and secure distribution of stored keys
US9247024B2 (en) Controlled activation of function
US20060036857A1 (en) User authentication by linking randomly-generated authentication secret with personalized secret
US7100048B1 (en) Encrypted internet and intranet communication device
US10650373B2 (en) Method and apparatus for validating a transaction between a plurality of machines
US20130101120A1 (en) Method for secure data exchange between two devices
CN109981562B (zh) 一种软件开发工具包授权方法及装置
EP1151369A1 (fr) Jeton d'acces et d'authentification securise avec fonction de transport de cle privee
EP1362274A2 (fr) Procede et appareil assurant une commande d'acces a des fonctions selon differents niveaux de securite
WO1998045975A9 (fr) Systeme bilateral a jeton d'authentification et de cryptage d'informations et procede associe
WO2006053304A9 (fr) Clés de dispositifs volatiles, et leurs applications
WO2007103906A2 (fr) Transmission sécurisée de données utilisant des données non découvrables 'noires'
WO1997023972A1 (fr) Systeme de securite a niveaux d'application et procede associe
WO1996008092A1 (fr) Circuit de protection electronique garantissant l'utilisation d'un logiciel itinerant selon une licence accordee
EP1224766A2 (fr) Appareil et procedes permettant une evolutivite sure sur site

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020510

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: BROADCOM CORPORATION

17Q First examination report despatched

Effective date: 20080425

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20120503