WO2000019299A1 - An apparatus for providing a secure processing environment - Google Patents


Info

Publication number
WO2000019299A1 (also cited as WO 2000019299 A1 and WO 0019299 A1; application PCT/US1998/020083)
Authority
WO
WIPO (PCT)
Prior art keywords
information
memory
key
processor
cipherer
Prior art date
Application number
PCT/US1998/020083
Other languages
English (en)
French (fr)
Inventor
Robert D. Cassagnol
Douglas M. Dillon
David S. Kloper
Sandra J. Weber
Brandon E. Bautz
Original Assignee
Hughes Electronics Corporation
Application filed by Hughes Electronics Corporation
Priority to AU10623/99A (AU743775B2)
Priority to CA002309627A (CA2309627A1)
Priority to PCT/US1998/020083 (WO2000019299A1)
Priority to JP2000572741A (JP2002526822A)
Priority to EP98953190A (EP1032869A1)
Publication of WO2000019299A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/123 Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress

Definitions

  • the invention relates generally to security in programmed devices
  • conditional access broadcasting networks such as cable television networks and, more recently, direct satellite broadcasting networks are based on the premise of limiting access to broadcast information to paying subscribers. Even more recently, the idea of limiting access to broadcast data has been expanded to the computer networking context by Hughes Network Systems' DirecPC™ product.
  • the DirecPC™ product broadcasts requested information to a requesting computing device (typically, a personal
  • the need to protect the secrecy of information is not limited to the broadcasting context. There are many applications wherein it is important from, for example, a commercial standpoint to maintain the secrecy of
  • hackers has developed. These individuals spend considerable amounts of time attempting to frustrate or "hack" the security measures of these devices in an effort to usurp the commercial value of the secret information. The hackers have had varying levels of success in their
  • the secrecy of information typically include a secure memory of some type for storing key material and other possibly sensitive data.
  • the device upon occurrence of a certain condition or event, the device assumes it is in test mode and permits full read/write access to the memory. If a hacker is
  • one or more mode bits stored in memory, or in an anti-fuse device, or the like define whether the memory
  • These mode bit(s) may be implemented as a simple checksum on the data in memory. In other words, the mode bit(s) may be set equal to some mathematical function(s) of some or all of the data stored in memory. Regardless of which traditional method for defining the mode bit(s) is employed, if a hacker changes the state of the mode bit(s), the hacker can potentially cause the memory to unlock into the testing mode thereby
  • an apparatus for providing a secure processing environment is provided.
  • the apparatus is provided.
  • a read/write memory for storing information
  • the cipherer is configured to selectively decrypt encrypted information into decrypted information and to deliver the decrypted information to the read/write memory for subsequent use by the first processor.
  • the apparatus is further provided with an authenticator for authenticating the decrypted information prior to use by the first processor.
  • the authenticator re-authenticates decrypted information received from the read/write memory, and the cipherer is
  • the cipherer may optionally return the re-encrypted information to the read/write memory for subsequent exportation to a storage device or may optionally directly export the re-encrypted information.
  • the cipherer preferably re-encrypts the decrypted, re-authenticated information such that it differs from its original encrypted form to mask modification information.
  • the cipherer employs key-cycling and/or cycling of
  • the first processor has a kernel mode of operation and a user mode of operation, and the kernel mode and the user
  • the first processor preferably executes non-secure software in the user mode of operation and secure software in the kernel mode of operation.
  • the apparatus is provided with a second processor.
  • the second processor is in communication with the cipherer and
  • the cipherer comprises the authenticator.
  • the apparatus is further provided with a nonvolatile memory and a logic circuit for controlling access to the data contained in the non-volatile memory, wherein the logic circuit selectively accesses the non-volatile memory to determine whether the data contained in
  • the non-volatile memory comprises confidential data by analyzing a property inherent in the accessed data.
  • the logic circuit
  • each of the data blocks may comprise a bit and the predetermined characteristic may comprise a predefined logic state.
  • blocks may comprise a plurality of bits, and the predetermined characteristic may comprise a binary value falling within a range of binary values.
  • a key isolation circuit is provided directly connecting the logic circuit to the cipherer. In some such embodiments, the non-volatile
  • the memory stores a key
  • the key isolation circuit delivers the key to the cipherer.
  • the logic circuit, the key isolation circuit and the cipherer preferably define a closed system.
  • the non-volatile memory, the first processor, the read/write memory, and the cipherer are embedded on an integrated circuit
  • the integrated circuit includes pins for
  • the apparatus further comprises a watchdog circuit adapted to monitor the integrated circuit for tampering.
  • the apparatus includes a memory management unit cooperating with the first processor for maintaining a plurality of security cells.
  • the cipherer comprises a crypto-module.
  • the authentication may be any of the foregoing embodiments.
  • the encrypted information may comprise encrypted processor instructions and/or encrypted data.
  • the segments are
  • an integrated circuit for providing a secure processing environment for use with an external memory.
  • the apparatus includes a volatile memory having a storage capacity which is less than the storage capacity of the external memory.
  • the apparatus further comprises import/export means for selectively importing and exporting encrypted information between the
  • the apparatus includes a processor for processing the decrypted
  • the processor cooperates with
  • the import/export means to selectively import and export decrypted information from the external memory to the volatile memory and vice versa to avoid exceeding the second storage capacity.
  • the cipher means encrypts information such that encrypted information corresponding to decrypted information has a first
  • the cipher means decrypts encrypted information using a first whitening key and encrypts decrypted information using a second whitening
  • the apparatus is provided with a cryptographically strong pseudo random number
  • the apparatus includes means for authenticating the decrypted information within the secure environment.
  • the authenticating means authenticates the decrypted information after importation from the external memory and re-authenticates the decrypted information prior to encryption and exportation to the external memory.
  • the method comprises the steps of: detecting an event; executing a built in
  • the method also includes the steps of: holding a processor associated with the integrated circuit in a reset state such that a
  • predefined memory storing key material cannot be accessed; if the at least one element passes the built in self test, releasing the processor from the
  • the processor in the reset state.
  • element comprises the predetermined memory, and/or the at least one
  • element comprises a logic circuit.
  • the detected event may be any of the foregoing embodiments.
  • FIG. 1 is an illustration of an apparatus constructed in accordance
  • FIG. 2 is a schematic illustration of the apparatus of FIG. 1.
  • FIG. 3 is a more detailed schematic illustration of the apparatus of
  • FIG. 4 is a schematic illustration of the software architecture
  • FIG. 5 is a schematic illustration of an exemplary system for
  • FIG. 6 is a ladder diagram illustrating the programming of the apparatus.
  • FIG. 7 is a flow chart illustrating the startup operation of the
  • FIG. 8 is a flow chart illustrating the interrupt handling process
  • FIG. 9 is a flow chart illustrating the process used by the apparatus to swap applets between an external memory and the DMEM.
  • FIG. 1 in one possible environment
  • the apparatus 10 is constructed
  • the apparatus 10 is capable of use in the DirecPC™ product
  • the illustrated apparatus 10 can be used in any application or environment which would benefit from the enhanced processing security it provides. For example, it would be especially advantageous in smart card applications. Further, although the apparatus 10 is illustrated in FIG. 1 as being implemented as an application specific integrated circuit (ASIC), persons of ordinary skill in the art will readily appreciate that the apparatus 10 need not
  • the illustrated apparatus 10 is adapted to provide a secure environment in which sensitive information can be decrypted
  • decrypted means at least one layer of encryption is removed.
  • decrypted information as used herein may optionally still be encrypted, but will be at least one step closer to its
  • the illustrated apparatus 10 achieves
  • the illustrated apparatus 10 is very valuable in conditional data access applications such as a television subscriber broadcast system, the full capabilities of the apparatus 10 are more fully utilized in conditional software access applications. In such applications, the illustrated apparatus 10 can decrypt, execute and re-encrypt sensitive software (or firmware) without exposing the decrypted instructions outside the secure environment.
  • the encrypted software (or firmware) may optionally be stored in the
  • apparatus 10 may be stored outside the apparatus 10 and selectively imported (either collectively or in segments)
  • the illustrated apparatus 10 is provided with significant on-board processing capacity, the execution of the decrypted software (or firmware) can occur
  • the apparatus 10 to output information to an external device (e.g., a monitor, a printer, a storage device, etc.) in a form where it can be read by a user
  • the software generating the output information would not ordinarily be exposed outside the secure environment provided by the apparatus 10 (absent, of course, instructions in the executed software (or firmware) to export the instructions in decrypted form).
  • the security of the software (or firmware) is always maintained by the illustrated apparatus 10.
  • apparatus 10 is the ability to implement software (or firmware) metering
  • the apparatus 10 can be adapted to monitor the amount of time any portion of the subject software (or firmware) is maintained in decrypted form. The data collected by this monitoring can
  • For the purpose of storing programmed instructions that define some of the operations of the apparatus 10 (i.e., "the secure kernel"), the apparatus
  • non-volatile memory 14 is in charge of resource management within the apparatus 10. It enforces many of the security limitations discussed below.
  • code stored in the non-volatile memory 14 is preferably not encrypted, persons of ordinary skill in the art will appreciate that encrypted information (e.g., data or programmed instructions) can be stored in the non-volatile memory 14 without departing from the scope or spirit of the invention.
  • non-volatile memory 14 can be implemented in many ways without departing from the scope of the invention, in the presently preferred embodiment the memory 14 is implemented by a read only
  • ROM: read-only memory
  • apparatus 10 runs secure software which is preferably segmented into
  • the apparatus 10 is provided with a processor
  • one function of the processor 16 is to enforce at least two security cells.
  • security cells which is referred to herein as the kernel mode cell
  • the second security cell which is referred to herein as the user mode cell, is enforced wherein no access to sensitive data is permitted.
  • the processor 16 places no restrictions on access to the hardware and software resources within the apparatus 10. As explained
  • the apparatus 10 and/or of the information being processed by the apparatus
  • the apparatus 10 is further provided with a volatile read/write
  • the read/write memory 18 is addressable by the processor 16
  • the apparatus 10 is provided with cipher means for decrypting encrypted information into decrypted information and for re-encrypting decrypted information into encrypted information. Both of these functions are performed within the secure environment.
  • the cipher means can be implemented in many different ways without departing from the scope or spirit of the invention.
  • the cipher means can be implemented by a cipherer 20 such as a dedicated hardware circuit or a processor executing software or firmware.
  • the cipherer 20 can be adapted to perform a wide variety of well known cryptographic techniques and/or
  • the cipherer 20 is implemented by a dedicated hardware circuit 20 referred to herein as a crypto-module which is capable of performing both (1) triple key, triple DES/ECB encryption and
  • triple key, triple DES/ECB: triple key, triple Data Encryption Standard / Electronic Code Book mode encryption/decryption
  • triple key, triple DES outer CBC: triple key, triple Data Encryption Standard with outer Cipher Block Chaining encryption and decryption
  • DVB: Digital Video
  • the cipherer 20 is in communication with the read/write memory 18.
  • encrypted information written to the read/write memory 18 is transferred to the cipherer 20 for decryption as
  • the decrypted information is then written from the cipherer 20 to
  • the read/write memory 18 for subsequent use by the processor 16.
  • the processor 16 is not permitted to process information which has been decrypted by the cipherer 20 until the decrypted information has been authenticated.
  • the apparatus 10 is provided with an authenticator 22.
  • authenticator 22 could employ any of a large
  • the authenticator performs a
  • CBC-MAC: Cipher Block Chain Message Authentication Code
  • MAC values are imported into the read/write memory 18 at start-up,
  • the authenticator utilizes the MAC values from the memory 18 to perform CBC-MAC authentication on all decrypted information prior to usage by the processor 16.
  • the contents of the read/write memory 18 may have been updated by the processor 16, or by other means, in the course of executing the VersaCrypt applet.
  • the authenticator 22 re-
  • the new CBC-MAC value is written to the read/write memory 18 for subsequent use in authenticating the subject information block should it
  • Re-authentication is necessary because, at least in some instances, the processor 16 will change the content of the decrypted information during processing. Since any change in the content of the decrypted information will (with high
  • After re-authentication, the cipherer 20 re-encrypts the decrypted, re-authenticated information in the read/write memory 18 into re-encrypted
  • the apparatus 10 is provided with import/export means for selectively importing and
  • the encrypted information could be imported and exported over an internal bus in the system, over a LAN or WAN network connection, to a hard drive, or to another storage medium or communications device without departing from the scope or spirit of the invention.
  • the storage capacity of the external memory 24 preferably exceeds the storage capacity of the read/write memory 18.
  • the import/export means cooperates
  • the encrypted information is decrypted by the cipherer 20 and authenticated by the authenticator 22 as explained above.
  • the processor 16 can then process the decrypted information.
  • the decrypted information (with any processing changes that were effectuated) is re-authenticated by the authenticator 22, re-encrypted by the cipherer 20 and exported to the external memory 24 via the import/export means.
  • whitening performs a mathematical operation (such as an exclusive-or operation) to combine a whitening key with an information block to, in effect, further strengthen key material.
  • the whitening process can be performed on an encrypted information block and the corresponding decrypted information block (i.e. , both before and after encryption occurs).
  • a benefit of using this technique in the illustrated apparatus 10 is that encrypted blocks of information will always look different when exported (from previous import/export sequences) regardless of whether the content of the decrypted information has been changed.
  • the cipherer 20 re-encrypts the decrypted, re-authenticated information such that it differs from its original encrypted form
  • the cipherer 20 encrypts information such that encrypted information corresponding to the decrypted information
  • the cipherer 20 is adapted to perform key cycling with respect to the whitening key. More specifically, the cipherer 20 is arranged to use a new whitening
  • the cipherer 20 uses a new whitening key to perform the whitening portion of the encryption process.
  • the cipherer 20 must be provided with the whitening key.
  • an encrypted version of the whitening key is written to a predetermined location in the corresponding whitened, encrypted information block and, thus, is exported and stored with the
  • the cipherer 20 retrieves
  • the whitening key from the known predetermined location in the block and uses the whitening key in the decryption process. Since the encrypted whitening key is resident inside the block, it is explicitly covered by the authentication with the rest of the block. Although in the illustrated embodiment the whitening keys are stored externally to the apparatus 10 to
  • the CBC-MAC values in the memory 18 will be lost. If the CBC-MAC values
  • the CBC-MAC values for the encrypted information blocks in their original form are permanently stored in an external memory (e.g., ROM 142 in FIG. 3) and are loaded from the memory 14 to the read/write memory 18 as part of a start-up process.
  • the CBC-MAC values in the read/write memory 18 are likewise restored to their original values.
  • processing always begins with the original encrypted
  • non-volatile storage storing data modified in previous uses of the apparatus 10 can be stored in permanent storage devices off the apparatus
  • This non-volatile storage can store information
  • the illustrated apparatus 10 encrypts all of the encrypted information
  • the information blocks are encrypted via a triple DES process keyed with the session key.
  • the session key is required to decrypt any of the information blocks processed by the system.
  • To obtain the session key one must have access to the master key.
  • To obtain the master key one must have access to the
  • the unencrypted forms of the device, master and session keys are available only in the cipherer 20 and the cipherer's key facility. They preferably are not accessible by the
  • processor 16 at any time. It is also preferable to store the device key in a
  • DK refers to the device key
  • MK refers to the master key
  • SK refers to the session key
  • EK refers to the encrypted master key (i.e., the master key encrypted with the device key)
  • EK refers to the encrypted session key (i.e., the session key encrypted with the master key).
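The export/import cycle described above (a whitening key combined with the block by exclusive-or, a new whitening key on every export, the encrypted whitening key stored at a predetermined location inside the block so the MAC covers it, and authentication before the processor touches anything) as an added example that is not code from the patent or from Hughes. Because no DES implementation is available in the Python standard library, two stand-ins are assumed and labelled: a SHA-256 counter keystream plays the role of the triple-DES cipherer 20, and HMAC-SHA256 plays the role of the CBC-MAC authenticator 22. The 16-byte whitening key length and the placement of the encrypted key at the head of the block are also assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not the patent's code. Toy stand-ins (assumptions): XOR with a
# SHA-256 counter keystream plays the role of the triple-DES cipherer 20, and
# HMAC-SHA256 plays the role of the CBC-MAC authenticator 22. The structure is the
# one the page describes: a fresh whitening key on every export (key cycling),
# XORed into the block before encryption, its encrypted form stored at a fixed
# location inside the exported block, and the MAC covering the whole block.

WHITENING_KEY_LEN = 16   # constructed; the page gives no length


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the cipherer: XOR with a keystream, so it is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def expand_whitening(whitening_key: bytes, length: int) -> bytes:
    """Stretch the whitening key to the block length (constructed derivation)."""
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hashlib.sha256(b"whiten" + whitening_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return stream[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def export_block(session_key: bytes, mac_key: bytes, plaintext: bytes,
                 whitening_key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Export path: cycle the whitening key, whiten, encrypt, then MAC.

    Returns (exported_block, mac). The MAC value stays in the secure read/write
    memory (memory 18); only the block goes to the external memory 24.
    """
    if whitening_key is None:
        whitening_key = os.urandom(WHITENING_KEY_LEN)   # new key on every export
    whitened = xor_bytes(plaintext, expand_whitening(whitening_key, len(plaintext)))
    body = toy_cipher(session_key, whitened)
    # Encrypted whitening key at a predetermined location: the head of the block,
    # so the MAC below covers it together with the rest of the block.
    enc_wk = toy_cipher(session_key + b"wk", whitening_key)
    block = enc_wk + body
    mac = hmac.new(mac_key, block, hashlib.sha256).digest()
    return block, mac


def import_block(session_key: bytes, mac_key: bytes, block: bytes,
                 expected_mac: bytes) -> Optional[bytes]:
    """Import path: authenticate before anything is decrypted or used."""
    actual_mac = hmac.new(mac_key, block, hashlib.sha256).digest()
    if not hmac.compare_digest(actual_mac, expected_mac):
        return None   # processor 16 never sees unauthenticated information
    enc_wk, body = block[:WHITENING_KEY_LEN], block[WHITENING_KEY_LEN:]
    whitening_key = toy_cipher(session_key + b"wk", enc_wk)
    whitened = toy_cipher(session_key, body)
    return xor_bytes(whitened, expand_whitening(whitening_key, len(whitened)))


def demo() -> dict:
    """Two exports of an unchanged applet, plus one tampered block."""
    session_key = hashlib.sha256(b"constructed session key").digest()   # constructed
    mac_key = hashlib.sha256(b"constructed mac key").digest()           # constructed
    applet = b"constructed applet image, unchanged between the two exports"
    block1, mac1 = export_block(session_key, mac_key, applet)
    block2, mac2 = export_block(session_key, mac_key, applet)
    tampered = bytes([block1[0] ^ 0x01]) + block1[1:]   # one bit of the stored whitening key
    return {
        "ciphertexts_differ": block1 != block2,
        "roundtrip_ok": (import_block(session_key, mac_key, block1, mac1) == applet
                         and import_block(session_key, mac_key, block2, mac2) == applet),
        "tamper_rejected": import_block(session_key, mac_key, tampered, mac1) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the page attributes to whitening with key cycling: the same unchanged applet produces a different external image on every export, so an observer of the external memory cannot tell whether the content was modified, and a block whose stored whitening key has been altered fails authentication before any decrypted byte reaches the processor.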
  • the apparatus 10 is provided with a device 30 including a non-volatile memory 32 for storing data and means for controlling access to the data contained in the memory 34.
  • the nonvolatile memory 32 is implemented as an EEPROM in the illustrated apparatus 30.
  • control means could be implemented by a logic circuit 34 such
  • logic circuit 34 could be implemented in many ways without departing from the scope or spirit of the invention.
  • the logic circuit 34 is implemented by the programmed processor 16.
  • the logic circuit 34 is adapted to access the memory 32 to determine
  • the logic circuit 34 makes this determination by analyzing a property inherent in the data. More specifically, in the illustrated device 10, the logic circuit 34 identifies and counts any data blocks in the memory 32 having a predetermined characteristic. It then compares the counted number of data blocks to a threshold value. The logic circuit 34 uses the results of this comparison as an indication of the presence
  • data stored in the memory 32 is
  • the logic circuit 34 is constructed to count the number of bits in the memory 32 having the logic
  • the counted number is then compared to a predetermined threshold number. If that comparison indicates that there are more than the threshold number of bits with logic state "1" in the memory 32, the logic circuit 34 assumes confidential data is stored in the memory and limits access thereto. If the comparison indicates that less than the threshold
  • the determination as to whether or not confidential data is present in the memory 32 is based on an inherent property of the data in the memory 34 itself.
  • the determination of whether or not confidential data is present in a memory was often performed by reading the state of one or more flag bit(s) stored in the memory.
  • the flag bit(s) are set to a first state when no confidential data is present and to a second state
  • the memory to thereby obtain access to the confidential data.
  • confidential data is stored in the memory 32 substantially destroys the data in the memory 32. As a result, if the thresholds are properly set for the application, there should be insufficient confidential data in memory to mount a successful attack. Another way to look at this is, the detection of confidential data is tied to the presence of confidential data itself, rather than
  • diffused checksum process described above may be performed on either the entire memory 32 or on a section of the memory 32 without departing from
  • the threshold value can be set to any desired value without departing from the scope or spirit of the invention, preferably the threshold value is set to a relatively low level. In an ideal
  • the threshold would be set to one such that all confidential data would have to be destroyed before the apparatus would unlock. But to permit
  • the threshold value is selected based on a determination as to what would be an acceptable level of disclosure without
  • the data blocks counted by the logic circuit 34 are bits having a logic state of "1"
  • the logic circuit 34 could be implemented to count bits having logic states "0", or to count data blocks comprising a plurality of bits having some property such as a binary value
  • testing can only be conducted after the diffused checksum test discussed above indicates that no confidential data is present in the memory 32.
  • testing can only be performed by first
  • the apparatus 10 is provided with a means to
  • the erasure method can also be used as a tamper response if so desired by the application.
  • the logic circuit 34 is constructed to respond to an erasure trigger to erase
  • the intermediate value(s) are selected to ensure that the number of data blocks with the inherent property stored in the memory 32 remains at a level which causes the logic circuit 34 to indicate the presence of confidential data until after all of the confidential data is destroyed.
  • the logic circuit 34 erases the memory 32 to the final state by replacing the intermediate data blocks stored in the memory with final data blocks having one or more final values.
  • the logic circuit 34 erases the memory 32 in three stages. In a first stage, the logic circuit 34 writes a first intermediate value to a first group of locations in the memory 32. In a second stage, the logic circuit 34 writes a second intermediate value to a second group of intermediate locations in the memory 32. In a third stage, the logic circuit 34 writes a final value to both the first and second
  • the first intermediate value is
  • the counted number of data blocks with the inherent property in the memory 32 will indicate the presence of confidential data.
  • the intermediate values are selected to be non-confidential data that have the inherent property.
  • Each half of the confidential information is selected to have the inherent property to ensure that the presence of either half is sufficient to classify the information as confidential under the diffused
  • This selection is made because, when performing a bulk erase, some memories enter an undefined state which might falsely classify
  • the first and second intermediate values are identical. They are set to the hexadecimal value 0x55. Also in the illustrated apparatus 10, the first stage is performed by writing the hexadecimal value 0x55 to all even addresses in the memory 32; the second stage is performed by writing the hexadecimal value 0x55 to all odd addresses in the memory 32; and the final stage is performed by writing the
  • various security measures can be employed (e.g., a protective layer can be physically secured to the memory 32).
  • diffused checksum procedures discussed above can be utilized to define the security state of the memory 32 or a system containing the memory. If the diffused checksum process indicates the presence of confidential data, the memory 32 is defined as being in a first security state. If no confidential data is present, the memory 32 is defined as being in a second security state. In the illustrated apparatus 10, 30, testing of the memory 32 is only enabled when the memory 32 is in its second security state.
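The diffused checksum, the two security states it defines, the mode-bit scheme it replaces and the three-stage erase from the passages above, as an added example that is not code from the patent or from Hughes. A 32-byte memory image, a threshold of 8 set bits and the constructed key-material pattern are assumptions; 0x55 for the intermediate stages is from the page, while 0x00 as the final erase value is an assumption because the page does not state it.

```python
from typing import List, Tuple

# Added example, not the patent's code: a model of the "diffused checksum" that
# logic circuit 34 runs on memory 32, the mode-bit scheme it replaces, and the
# three-stage erase (0x55 to even addresses, 0x55 to odd addresses, then a final
# value). Assumptions: a 32-byte memory, a threshold of 8 set bits and 0x00 as
# the final erase value, which the page does not state.

THRESHOLD = 8          # "relatively low"; constructed
INTERMEDIATE = 0x55    # from the page: 0b01010101, four '1' bits per byte
FINAL_VALUE = 0x00     # assumption


def count_set_bits(mem: List[int]) -> int:
    return sum(bin(byte).count("1") for byte in mem)


def confidential_present(mem: List[int], threshold: int = THRESHOLD) -> bool:
    """Diffused checksum: more than `threshold` '1' bits means confidential data."""
    return count_set_bits(mem) > threshold


def security_state(mem: List[int]) -> str:
    """First state: memory locked. Second state: test-mode access permitted."""
    return "locked" if confidential_present(mem) else "test-enabled"


def legacy_flag_state(mem: List[int], flag_addr: int) -> str:
    """The mode-bit scheme the page contrasts with: one flag decides, and the
    data itself is never inspected, so the key material survives an unlock."""
    return "locked" if mem[flag_addr] != 0 else "test-enabled"


def erase_stage(mem: List[int], stage: int) -> List[int]:
    mem = list(mem)
    if stage == 1:                       # 0x55 to every even address
        for addr in range(0, len(mem), 2):
            mem[addr] = INTERMEDIATE
    elif stage == 2:                     # 0x55 to every odd address
        for addr in range(1, len(mem), 2):
            mem[addr] = INTERMEDIATE
    elif stage == 3:                     # final value everywhere
        mem = [FINAL_VALUE] * len(mem)
    else:
        raise ValueError("stage must be 1, 2 or 3")
    return mem


def secure_erase(mem: List[int]) -> Tuple[List[int], List[str]]:
    """Run the three stages, recording the security state after each one."""
    states = []
    for stage in (1, 2, 3):
        mem = erase_stage(mem, stage)
        states.append(security_state(mem))
    return mem, states


def half_present(mem: List[int], parity: int) -> bool:
    """Does one half alone (even or odd addresses) still trip the checksum?"""
    kept = [b if addr % 2 == parity else FINAL_VALUE for addr, b in enumerate(mem)]
    return confidential_present(kept)


def make_confidential_image() -> List[int]:
    """Constructed key material: 32 bytes, 136 set bits, 68 in each half."""
    return list(bytes.fromhex("a53c7e19c4d28b6f" * 4))


if __name__ == "__main__":
    image = make_confidential_image()
    print(security_state(image), half_present(image, 0), half_present(image, 1))
    final, states = secure_erase(image)
    print(states, count_set_bits(final))
```

The point to check is the state sequence returned by `secure_erase`: the memory stays locked after stage one and after stage two, because the 0x55 pattern is non-confidential data that still has the inherent property, and only becomes test-enabled once the final value has replaced every intermediate block. An erase interrupted after either intermediate stage therefore leaves the memory locked. By contrast, `legacy_flag_state` flips to test-enabled when a single byte changes, while `count_set_bits` of the same image shows the key material is still there.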
  • the illustrated apparatus 10 enforces at least two
  • security cells namely, a kernel mode cell and a user mode cell.
  • the processor 16 preferably operates non-secure software in the user mode and
  • For many applications, two security cells is sufficient. However, in some instances, it is desirable to have more than two security cells. For example, it might be desirable to permit multitasking between multiple secure tasks, it might be desirable to provide protection between two or more cells running software simultaneously (e.g.,
  • the illustrated apparatus 10 may optionally be provided with a memory management unit 38 to facilitate the enforcement of multiple security cells through separate address spaces and demand paging between the secure internal memory 18 and the external memory SDRAM 24.
  • the memory management unit 38 is implemented as a co-processor that assists the processor 16 in apportioning memory resources between the multiple security cells as needed.
  • each page is a separate, independently encrypted and authenticated block.
  • some or all of the security cells can be running in a user mode such that they have limited
  • the processor 16 is implemented by the R3000A MIPS RISC CPU (million instructions per second Reduced Instruction Set Computer Central Processing Unit) which forms the core of the R3904 chip
  • the non-volatile memory 14 is
  • non- volatile memory 32 is
  • the read/write memory 18 is preferably implemented by a volatile data memory (DMEM); and the cipherer 20 and the authenticator 22 are implemented by the same dedicated
  • the cipherer 20 and/or the authenticator 22 could be implemented by software without departing from the scope of the invention. Combining the cipherer 20 and the authenticator 22 may not be an acceptable tradeoff
  • the processor 16 communicates with the ROM 14,
  • GBUS general bus 40
  • apparatus 10 is further provided with a second processor 42. As shown in
  • the second processor 42 is in communication with the cipherer 20 (implemented in the illustrated apparatus 10 by crypto module 20), and with the read/ write memory 18 (in the illustrated embodiment, the DMEM) via a bus 44.
  • the second processor 42 is adapted to initiate decryption and re- encryption of information blocks stored in the DMEM 18.
  • the second processor 42 is implemented by a sequencer. The presence of the sequencer 42 and its connection to the cipherer 20 in the
  • sequencer 42 acts as a peer to the
  • processor 16. To facilitate instruction delivery from the processor 16 to the
  • the apparatus 10 is provided with an instruction memory (IMEM) 46.
  • IMEM instruction memory
  • when the processor 16 needs to request the sequencer 42 to perform a task, it writes the necessary instruction(s) to the IMEM 46 and sends a control signal to the sequencer 42 indicating the
  • the sequencer 42 then reads and executes the instruction(s) from the IMEM 46.
  • the apparatus 10 is provided with an authenticator 22 which serves to authenticate decrypted information prior to execution by the processor 16 and to re-authenticate the information prior to
  • the authenticator 22 is implemented by the cipherer 20.
  • the cipherer 20 is preferably adapted to perform key cycling with respect to the whitening keys used to ensure re-encrypted information blocks always appear differently than they did prior to
  • the apparatus 10 is provided with an entropy source 48 which is used to continuously re-seed a cryptographically strong pseudo-random number generator (CSPRNG).
  • CSPRNG cryptographically strong pseudo-random number generator
  • the cipherer 20 implements the CSPRNG.
  • the entropy source 48 is in communication with the sequencer 42 and the crypto module 20 via the bus 44.
  • the sequencer 42 is adapted to request the entropy source 48 to generate a new random number when required and to deliver the random number to the crypto module 20 for use by the CSPRNG in generating the whitening key to be used in the re-encryption process.
  • triple DES algorithm are stored in the memory 32.
  • the apparatus 10 is provided with a key isolation circuit 50 connecting the logic circuit 34 to the cipherer 20 for loading the root key of the key hierarchy. More specifically, in the illustrated apparatus 10, the key isolation circuit 50 provides a mechanism for delivering the necessary key material from the EEPROM 32 to the crypto
  • circuit 34, the key isolation circuit 50 and the crypto module 20 define a closed system.
  • the apparatus 10 is provided with one or more silent mode silencing circuit(s) 52.
  • the silent mode silencing circuit(s) 52 are preferably implemented as hardware circuits including logic gates which pull the external pins to the predefined state (such as a tri-state) except after detection that the bus cycle will not be accessing confidential data. This detection can
  • RTOS Realtime Operating Systems
  • RISC 54 (16) performs the actual context switching (i.e., switching
  • VersaCrypt applet is runnable, and if such an operation is currently
  • the Secure Kernel is integrally involved with the process of system startup. If the RTOS has any requirements about initial state, where it is loaded from, or how it is loaded, it can be accommodated by the VersaCrypt bootstrap applet that is a part of the Secure Kernel startup.
  • Kernel Mode The Secure Kernel and VersaCrypt (i.e., the encrypted software being executed within the secure environment
  • Kernel is via the Syscall instruction.
  • the RTOS may not implement any system calls via the Syscall instruction. c) Error Handling -
  • FIG. 4 illustrates the relationship between the various classes of
  • variable access and subroutine calls they will restrict themselves to communicating through the Secure Kernel API.
  • Kernel mode software executes from one Realtime Operating System task. It is shared by the Secure Kernel, all the VersaCrypt
  • the secure kernel implements support for a synchronous call
  • VersaCrypt applets to execute, as well as the time when it is performing a VersaCrypt export/import operation. This can cause an initial delay of up to one tick until starting to execute a VersaCrypt request or until the start of the VersaCrypt export/import operation to load the requested applet.
  • the sequencer code (executed from IMEM 46) is split up into kernel
  • the kernel segment is further broken down into a
  • cipherer 20 is to support multiple key sizes, i.e., single DES operations, then interlocks must exist to protect against incremental attacks on triple DES keys. Even if a key hierarchy is used, it is important to authenticate any encrypted keys before they are trusted.
  • the apparatus 10 is capable of executing software in an
  • RNG 48. Self key generation is an example of the class of operations it was designed to perform. This capability is of great importance in keying a secure device where the physical security of the factory cannot be maintained.
  • the apparatus 10 requires
  • the first secret is the
  • shipment keys (the software export/import EMK, triple key, triple DES) that
  • the second secret is an ESK (triple
  • the third secret is, for example, an RSA private key (large) for the key server.
  • the key server is preferably located at a third physically secured site referred to as a vault.
  • the following hardware is required: 1. a key server 120 and 2. a "test jig" 122 (see FIG. 5).
  • the key server 122 is implemented as a personal computer (PC) with a network connection and
  • the satellite I/F 94 is optionally connected to a hardware random source 126 so as to have access
  • the key material for this adapter 10' must be unique, so that if any other adapters are compromised in the field, it would in no way compromise the security of the key server 120.
  • the key server 120 is preferably isolated from the network 128 by a firewall
  • the test jig 122 is located at the second factory. In the disclosed embodiment
  • test jig 122 is implemented by a PC that is connected to each apparatus 10 as it is programmed.
  • the test jig 122 is connected to the
  • the satellite I/F 94 of the apparatus 10 is also optionally connected to a hardware random source 130 for the same reason. It may also be optionally isolated from the network 128 by a firewall 132.
  • the apparatus 10 securely boots from an external ROM, as described
  • VersaCrypt applets. All communications are between the VersaCrypt applets at the key server 120, and the VersaCrypt applets in the apparatus 10 being programmed in the test jig 122.
  • all the data stored to disk on the key server 120 is encrypted to protect against compromises/viruses on the key server 120.
  • the first applet contains the "public key" of the key server 120,
  • This key is encrypted with the public key of the key server 120 and is sent to the key server 120 using the network interface of the test jig 122.
  • the key server 120 validates that it is talking to an apparatus 10 by checking the source IP Address. It also knows it is talking to an apparatus
  • the key server 120 confirms that
  • the key server 122 then sends the apparatus 10 some random numbers from the key server's source 126 (which is assumed to be more
  • the apparatus 10 knows it is talking to the key server 120 since the responding entity must have known the private key to get the session key.
  • the apparatus 10 updates its random seed material based on the random
  • the apparatus 10 also generates
  • apparatus 10 then sends the RSA public keys to the key server 120, who
  • the apparatus 10 then sends the key server 120 any confidential information that it may need to share for operational or legal reasons.
  • the key server 120 logs the received escrow material, and tells the apparatus 10 to commit its configuration. Finally, the apparatus 10 responds by reprogramming its internal EEPROM 32 and by informing the test jig 122 it has succeeded, so the test jig 122 can proceed with the next apparatus
  • the EEPROM 32 preferably includes the following data blocks.
  • Apps requiring additional EEPROM may optionally use an external unsecure EEPROM, an external encrypted EEPROM with a device specific key (and internally authenticated), and/or a larger internal EEPROM 32.
  • Bits: 1024. Usage: Scrambled device key. This is the root of the key hierarchy.
  • the main purpose of the Secure Kernel is to provide the VersaCrypt
  • the Secure Kernel executes the following sequence of
  • the Reset/NMI cause register is a hardware register used to detect
  • the device 10 performs a self reset operation (block 154). This is so that, in the case of recoverable errors, the unit 10 will continue to operate without user intervention. Of course, in the case of nonrecoverable
  • the unit 10 will keep rebooting indefinitely, and no cause will be
  • the 3K section of EEPROM 32 is read and a 1's density is calculated. If the 1's density is below the threshold of 64 (block 170), it is assumed that no key material is present and testing or initial programming can occur. In such a circumstance, some security circuitry is disabled (block 172). If a fixed pattern (used to detect the presence of an external ROM 142
  • a checksum on the restricted block of the EEPROM 32 is calculated (block 182). If the checksum is bad, a fatal error occurs (block 184). The apparatus 10 is locked up because either the EEPROM 22 has degraded or the unit 10 has been tampered with. If the checksum is o.k. (block 182), various hardware configurations are set based on values retrieved from the EEPROM 32 (block 186).
  • This delay serves multiple purposes. Most importantly, it causes an attacker to take longer per iteration (for many types of automated attack) without being noticeable to users during a longer system reboot time.
  • dummy user RISC code is loaded.
  • the dummy applet and RISC code are
  • the normal Kernel, sequencer, and RISC code for importing a VersaCrypt applet assumes that the user code is present and interacts with it.
  • the Kernel sequencer applets expect to be called by the user background, and must have a foreground handler (part of
  • RISC code will keep attempting to yield control to the RTOS while waiting for the sequencer 42 to complete. Some user nub must be present to handle these functions.
  • An external ROM 142 can be used for booting on systems without a PCI Bus 78, for testing, for diagnostics on returned units, for debugging, etc. Its presence can be detected by the first half of a well known pattern at a fixed offset (block 188). If no external ROM 142 is
  • the apparatus 10 attempts to boot over the PCI bus 78 (block 190). Specifically, it first waits for the SCB to be set (become
  • Part of this operation includes initializing certain well defined
  • control then passes to the code in user mode, with interrupts
  • interrupt handlers are executed in user mode, through a user provided table of handlers. Returning from an interrupt is via a system call. Although there is a separate interrupt stack (as required for VersaCrypt, and also so each task need not allocate enough stack space for nested interrupts),
  • the context is saved on the stack for a variety of reasons. It simplifies preemptive context switches, as might be triggered from a timer interrupt routine which must have already saved a partial context on the stack.
  • the Secure Kernel would be the logical place for this to happen, because the user routine would have to work around the registers saved by the interrupt handling part of the Secure Kernel.
  • the Secure Kernel also would have to have this functionality for VersaCrypt, and in fact would execute faster since the internal ROM 14 is faster than the external SDRAM
  • the Secure Kernel doesn't require any knowledge of the underlying RTOS's task control blocks or other data structures. Only the saved stack pointer would need to be saved in the task control block. Changing context for the Secure Kernel would only entail saving the remaining registers (for User Code) onto the stack, switching
  • Kernel mode code must have a Kernel space stack.
  • Kernel mode code cannot be run with interrupts enabled from an interrupt handler.
  • the limit on Kernel mode from an interrupt routine is to limit the number of Kernel contexts that must be stored in DMEM 18 concurrently.
  • the Secure Kernel has a number of contexts that it must maintain. Each VersaCrypt applet has a context on its own stack, whether in DMEM 18 (only for the currently loaded VersaCrypt applet) or encrypted in external SDRAM 24. The Secure Kernel must also have a second context that is
  • This third context is also used when stealing cycles to assist
  • Kernel mode code VersaCrypt applets or the Secure Kernel
  • the system saves and clears all registers (this protects and hides sensitive data), before passing control to the interrupt routine. This causes
  • the kernel will save a partial context on the stack when user code is interrupted. This will still be
  • Kernel mode faster than Kernel mode, but should be more than sufficient for interrupt processing.
  • preemption occurs, it saves the remaining context onto the stack (for user tasks) and restores the full context from the stack (like it always does for the
  • the Secure Kernel. Before returning from an interrupt and when performing a context switch, the Secure Kernel may perform some limited operations (uses limited
  • stack pointers are saved in DMEM 18, or encrypted in external SDRAM 24
  • VersaCrypt control blocks are to store VersaCrypt applets and data segments in external memory; to manage the user VersaCrypt calls; and to maintain the VersaCrypt run queue. To be able to take advantage of common routines in the Secure Kernel, applets are treated
  • the format of the VersaCrypt control blocks in external memory 24 is:
  • Encryption begins here [triple key, triple DES O-CBC]. 64 bits, PreWhite: This is a random value that is XORed with all plaintext before encryption. This value changes with each
  • 64 bits, PostWhite: This is a random value that is XORed with all ciphertext after encryption. This value changes with each export. 64n bits, Data: This is either the VersaCrypt applet (described below),
  • the apparatus 10 uses a single DES CBC-MAC.
  • the PreWhite field is the DES key for this operation, since choice of key
  • the IV will be the PreWhite field, only with its words swapped.
  • the apparatus 10 uses whitening to strengthen the key material, since the export process provides an attacker with a large amount of ciphertext. It also means that each time a block is exported, all the data is changed, denying hackers information about what data is changing or how long certain
  • VersaCrypt can change its key material for each
  • the apparatus 10 also protects against stale data attacks (this is similar to a replayed data attack on networks), where an old value of a VersaCrypt block is given back at a later time, by limiting the number of VersaCrypt blocks, such that the checksums for each block can be
  • the limit for VersaCrypt blocks is 32 blocks, or 256 bytes in the illustrated apparatus 10.
  • VersaCrypt block IDs can be any 16 bit value, other than the reserved value of 0. The only restriction is that the bottom 5 bits of the ID
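The export/import scheme the description spells out above (PreWhite XORed into the plaintext and PostWhite into the ciphertext, a checksum keyed by the per-export PreWhite, a 32-slot checksum table held in internal memory, and 16-bit block IDs with 0 reserved) can be exercised end to end with the following added example; it is not the patent's code. Triple DES and the single DES CBC-MAC are replaced with stand-ins (a small SHA-256 Feistel cipher in CBC mode and a truncated HMAC-SHA256) so that it runs on the Python standard library alone, the cleartext ID header, the rule that live blocks may not share their bottom 5 bits, and the choice to leave the two whitening fields themselves unwhitened are assumptions.

```python
"""Constructed example (not the patent's code): VersaCrypt-style export/import
of a control block with pre/post whitening, a per-export checksum table held in
internal memory, and the 16-bit block-ID rules. Triple DES and the DES CBC-MAC
are replaced by stand-ins (a SHA-256 Feistel block cipher in CBC mode and a
truncated HMAC-SHA256) so that it runs on the standard library alone."""
import hashlib
import hmac
import os

BLOCK = 8            # 64-bit blocks, as in the DES-based design
MAX_BLOCKS = 32      # 32 checksum slots x 8 bytes = 256 bytes of internal memory
MAC_LEN = 8


class StaleBlockError(Exception):
    """Raised when a block's checksum does not match the internal table."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel, SHA-256 round function).
    Not DES; it exists only to make the CBC layer invertible offline."""
    l, r = block[:4], block[4:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:4]
        l, r = r, _xor(l, f)
    return r + l     # final swap makes the same routine its own inverse


def _cbc(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CBC with a zero IV: the random PreWhite field is the first plaintext
    block, so it randomises the whole chain (assumed reading of the layout)."""
    prev, out = bytes(BLOCK), b""
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out += _xor(_feistel(key, blk, True), prev)
            prev = blk
        else:
            prev = _feistel(key, _xor(blk, prev))
            out += prev
    return out


def _whiten(data: bytes, w: bytes) -> bytes:
    """XOR the 64-bit whitening value into every 64-bit block."""
    return b"".join(_xor(data[i:i + BLOCK], w) for i in range(0, len(data), BLOCK))


def _mac(prewhite: bytes, data: bytes) -> bytes:
    """Stand-in for the single DES CBC-MAC keyed by PreWhite: because the key
    changes on every export, the checksum of unchanged data still changes."""
    return hmac.new(prewhite, data, hashlib.sha256).digest()[:MAC_LEN]


class VersaCryptStore:
    def __init__(self, block_key: bytes):
        self.key = block_key
        self.table = [None] * MAX_BLOCKS   # (block_id, mac) per slot, in "DMEM"

    @staticmethod
    def _slot(block_id: int) -> int:
        if not 1 <= block_id <= 0xFFFF:    # any 16-bit value except reserved 0
            raise ValueError("block ID must be a non-zero 16-bit value")
        return block_id & 0x1F             # bottom 5 bits select the checksum slot

    def export_block(self, block_id: int, data: bytes) -> bytes:
        """Encrypt a block for external SDRAM with fresh whitening values and
        record its checksum in the internal table."""
        if len(data) % BLOCK:
            raise ValueError("data must be a multiple of 64 bits")
        slot = self._slot(block_id)
        if self.table[slot] is not None and self.table[slot][0] != block_id:
            raise ValueError("bottom 5 bits collide with a live block")  # assumed rule
        prewhite, postwhite = os.urandom(BLOCK), os.urandom(BLOCK)
        self.table[slot] = (block_id, _mac(prewhite, data))
        body = _cbc(self.key, prewhite + postwhite + _whiten(data, prewhite))
        # PostWhite is applied to the ciphertext of the data blocks only; the
        # two whitening fields are assumed to be encrypted unwhitened.
        ct = body[:2 * BLOCK] + _whiten(body[2 * BLOCK:], postwhite)
        return block_id.to_bytes(2, "big") + ct    # cleartext ID header (assumed)

    def import_block(self, blob: bytes) -> bytes:
        """Decrypt a block copied in from SDRAM and authenticate it against the
        table; an old (replayed) or modified block fails the checksum."""
        block_id = int.from_bytes(blob[:2], "big")
        entry = self.table[self._slot(block_id)]
        if entry is None or entry[0] != block_id:
            raise StaleBlockError("no live block with this ID")
        ct = blob[2:]
        if len(ct) < 3 * BLOCK or len(ct) % BLOCK:
            raise StaleBlockError("malformed block")
        head = _cbc(self.key, ct[:2 * BLOCK], True)   # recover both whitening values
        prewhite, postwhite = head[:BLOCK], head[BLOCK:]
        full = _cbc(self.key, ct[:2 * BLOCK] + _whiten(ct[2 * BLOCK:], postwhite), True)
        data = _whiten(full[2 * BLOCK:], prewhite)
        if not hmac.compare_digest(_mac(prewhite, data), entry[1]):
            raise StaleBlockError("checksum mismatch: stale or tampered block")
        return data
```

Re-exporting a block replaces its table entry, so the previous ciphertext of that block, even with identical contents, is rejected on import.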
  • Data segments are used to store data that can be shared between VersaCrypt applets. They may be exported/imported by VersaCrypt applets and are not useable by user code.
  • VersaCrypt applets are user callable VersaCrypt functions. They are called via a system call which inserts a call control block into the queue in
  • VersaCrypt run queue (if not already present).
  • VersaCrypt sub applets are VersaCrypt applets, except they are only called by other VersaCrypt applets,
  • VersaCrypt applet is used to refer collectively to both VersaCrypt applets and VersaCrypt sub applets. The only real distinction is on who they are intended to be called by, as will be described below.
  • VersaCrypt applets are called as subroutines using normal C calling conventions and must observe standard C register usage. Their stack pointers are initialized to the end of the applet's block, and have the applet's parameter available.
  • VersaCrypt applets must save all non temporary registers they use, like any other C function, as some of them will be used for storing VersaCrypt linkage information.
  • the data segments are managed by VersaCrypt applets via four
  • a VersaCrypt applet may have as many as eight data segments loaded at a time, and must explicitly unload them when finished (excluding the parameter to VersaCrypt sub applets). When they are loaded
  • the VersaCrypt applets are only called via a system call. This
  • the kernel task in
  • VersaCrypt applet is entered, it has the CallCB as its only parameter.
  • any true task like a VersaCrypt applet is split into an
  • conditional access software might have a User portion (that includes an
  • the VersaCrypt sub applets are just like regular applets, but are used to break up any VersaCrypt applets that exceed the memory limits. They can only be called via a kernel only system call, and cannot be called directly by user software. When they are called by a VersaCrypt applet (or sub applet), the caller blocks and the sub applet starts executing. If a sub applet is already executing when it is called, an alarm is triggered (this precludes sharing of routines between applets, in most cases, and certain types of recursion). Sub applets are not reentrant. The caller passes ParmID (which is the ID of a data segment) and, when the VersaCrypt sub
  • applet is entered, it has a pointer to this data segment as its only parameter.
  • the data segment is used to both pass parameters and return results.
  • Disable VersaCrypt Preemption flag is clear, and the VersaCrypt Run Queue is not empty then a) set the disable VersaCrypt preemption flag; b) save the current stack pointer, for exporting; c) load the secure kernel's Export/Import stack pointer; and d) enable interrupts (block 210).
  • a Secure Kernel task is now currently running to perform export/import operations.
  • the imported applet and each of its data segments are: a) copied from SDRAM 24 into DMEM 18; b) decrypted with whitening; c) the MAC for the decrypted block is calculated and compared with the value in the table in DMEM 18; d) the flags are checked (i.e., to make sure the blocks are of the expected type, etc.); e) if the imported applet is a sub applet that is not currently running, the first data segment in its table is replaced with its parameter, so it will be loaded; f) the validity of the data
  • segment map for applets and sub applets is checked; and g) the instruction and data caches are flushed.
  • the applet is just starting (block 214 and block 224)
  • its context is initialized: i) its saved stack pointer is setup; ii) its parameter is set to the queued CallCB (for applets) or the data segment (for sub applets); iii) its return register ($31) is set to point into code in the Secure Kernel to handle applet completion (this will also require saving the CallCB (for applets) or the calling
  • applet ID (for sub applets)); and iv) its flags are updated, (i.e., it is now executing) (block 226).
  • 8x32 Dsmap: This is the map of data segments that are currently loaded.
  • the first 16 bits of each segment is the segment ID.
  • the second 16 bits is an offset to where it is loaded.
  • the segments are sorted by decreasing offset, with any unused (all 0s) entries at the end.
  • 32n Applet: This is the VersaCrypt applet: text, data, Bss, and stack.
  • the Bss and stack are initially 0s.
  • the purpose of the VersaCrypt applet call control block is to have a well defined interface for making user requests of VersaCrypt.
  • This CallCB allows for asynchronous requests, so that user software need not wait for the relatively slow scheduling of VersaCrypt applets, and can
  • the format of the user VersaCrypt applet call control block is (Bits, Field, Description): 32 bits, Link: For adding the CallCB into the queue of requests for this applet.
  • n bits, Parms: These are any parameters passed to the applet and space for returning any results. Although its size is specific to each applet, it is strongly recommended that it is limited. For security reasons, it is important that parameters must be copied into DMEM at the start of the request and that the results be copied back
  • the apparatus 10 further implements a method for tamper checking the integrated circuit.
  • the method is implemented upon detection of a reset event.
  • the processor 54 (16) is held in a reset state such that the EEPROM 32 cannot be accessed.
  • the EEPROM 32 cannot be accessed when the processor 54 (16) is held in a reset state because the processor must initiate all EEPROM accesses.
  • all possible circuits including memories are tested by a BIST (Built In Self Test).
  • the processor 54 (16) is held in the reset state during execution of these tests.
  • the processor 54 (16) is only released from the reset state if the tested elements respectively pass the BIST tests. If any of
  • the apparatus 10 is assumed to have been tampered with and the processor 54 (16) is held in the reset state
  • the tamper checking method is performed by one of the watchdog circuits 88 (see FIG. 3).
  • the tamper checking method is preferably implemented by hardware and is performed every time a reset condition occurs.
  • periodically occurring events could be used as trigger(s) without departing from the scope or the spirit of the invention. If periodic event(s) are used as
  • the apparatus will preferably isolate and test the possibly affected elements.
  • persons of ordinary skill in the art will readily appreciate that, in addition to (or instead of) holding the processor in a reset state, other tamper responses can be used without departing from the scope
  • processor can be used to initiate
  • the apparatus 10 is implemented in a single die.
  • the processor 16 will have a kernel mode of operation that prohibits user software from accessing
  • all bus masters besides the processor 16, i.e., DMA, should have a limited
  • no external bus masters are allowed.
  • address map should be defined such that all secure
  • peripherals fall in the kernel address space and such that all other peripherals fall in the user address space.
  • system could contain any desired standard or application specific peripherals, without departing from the scope or spirit of the invention.
  • a hostile posture is taken with respect to all external resources and user supplied parameters.
  • Such resources should be expected to change without notice at unexpected times as a result of attacks.
  • Regular accesses should be considered to be providing information for statistical attacks. All addresses must be checked for
  • validity before use and all values must be copied to internal memories before authentication and/or use.

PCT/US1998/020083 1998-09-25 1998-09-25 An apparatus for providing a secure processing environment WO2000019299A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
AU10623/99A AU743775B2 (en) 1998-09-25 1998-09-25 An apparatus for providing a secure processing environment
CA002309627A CA2309627A1 (en) 1998-09-25 1998-09-25 An apparatus for providing a secure processing environment
PCT/US1998/020083 WO2000019299A1 (en) 1998-09-25 1998-09-25 An apparatus for providing a secure processing environment
JP2000572741A JP2002526822A (ja) 1998-09-25 1998-09-25 セキュリティ処理環境を提供するための装置
EP98953190A EP1032869A1 (de) 1998-09-25 1998-09-25 Ein gerät um eine sichere umgebung für datenverarbeitung zu gewähren

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US1998/020083 WO2000019299A1 (en) 1998-09-25 1998-09-25 An apparatus for providing a secure processing environment

Publications (1)

Publication Number Publication Date
WO2000019299A1 true WO2000019299A1 (en) 2000-04-06

Family

ID=22267934

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/020083 WO2000019299A1 (en) 1998-09-25 1998-09-25 An apparatus for providing a secure processing environment

Country Status (5)

Country Link
EP (1) EP1032869A1 (de)
JP (1) JP2002526822A (de)
AU (1) AU743775B2 (de)
CA (1) CA2309627A1 (de)
WO (1) WO2000019299A1 (de)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001344228A (ja) * 2000-05-31 2001-12-14 Nippon Telegr & Teleph Corp <Ntt> 暗号化通信におけるサービス品質制御方法及び装置サービス品質制御プログラムを格納した記憶媒体
EP1278114A2 (de) * 2001-05-30 2003-01-22 Fujitsu Limited Vorrichtung zur Kodeausführung und Verfahren zur Kodeverteilung
WO2003058409A2 (en) * 2002-01-07 2003-07-17 Scm Microsystems Gmbh Protecting a device against unintended use in a secure environment
JP2003535538A (ja) * 2000-05-31 2003-11-25 フランス テレコム スマートカード用暗号化方法と装置、及び超小型回路を有するスマートカード
US8181040B2 (en) 2003-08-26 2012-05-15 Panasonic Corporation Program execution device
US8473750B2 (en) 2004-12-15 2013-06-25 Nvidia Corporation Chipset security offload engine
FR3059121A1 (fr) * 2016-11-23 2018-05-25 Safran Identity and Security Procede de verification de donnees

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6983374B2 (en) 2000-02-14 2006-01-03 Kabushiki Kaisha Toshiba Tamper resistant microprocessor
GB2411254B (en) 2002-11-18 2006-06-28 Advanced Risc Mach Ltd Monitoring control for multi-domain processors
GB2395583B (en) 2002-11-18 2005-11-30 Advanced Risc Mach Ltd Diagnostic data capture control for multi-domain processors
JP4691337B2 (ja) * 2003-08-26 2011-06-01 パナソニック株式会社 プログラム実行装置、認証局装置
CN1984298B (zh) * 2005-12-14 2010-05-19 辉达公司 芯片组安全卸载引擎
GB2487575B (en) 2011-01-28 2017-04-12 Advanced Risc Mach Ltd Controlling generation of debug exceptions
US9116711B2 (en) 2012-02-08 2015-08-25 Arm Limited Exception handling in a data processing apparatus having a secure domain and a less secure domain
US10210349B2 (en) 2012-02-08 2019-02-19 Arm Limited Data processing apparatus and method using secure domain and less secure domain
US9213828B2 (en) 2012-02-08 2015-12-15 Arm Limited Data processing apparatus and method for protecting secure data and program code from non-secure access when switching between secure and less secure domains
GB2499287A (en) * 2012-02-08 2013-08-14 Advanced Risc Mach Ltd Exception handling in data processing with different security domains
US9477834B2 (en) 2012-02-08 2016-10-25 Arm Limited Maintaining secure data isolated from non-secure access when switching between domains
US20230185636A1 (en) * 2021-12-10 2023-06-15 Nvidia Corporation Application programming interfaces for interoperability

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0262025A2 (de) * 1986-09-16 1988-03-30 Fujitsu Limited System zum Gewähren des Zugangs in Speicherfeldbereiche einer Chipkarte für mehrere Anwendungen
GB2205667A (en) * 1987-06-12 1988-12-14 Ncr Co Method of controlling the operation of security modules
US5467396A (en) * 1993-10-27 1995-11-14 The Titan Corporation Tamper-proof data storage

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0262025A2 (de) * 1986-09-16 1988-03-30 Fujitsu Limited System zum Gewähren des Zugangs in Speicherfeldbereiche einer Chipkarte für mehrere Anwendungen
GB2205667A (en) * 1987-06-12 1988-12-14 Ncr Co Method of controlling the operation of security modules
US5467396A (en) * 1993-10-27 1995-11-14 The Titan Corporation Tamper-proof data storage

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012133390A (ja) * 2000-05-31 2012-07-12 Fr Telecom スマートカード用暗号化方法と装置、及び超小型回路を有するスマートカード
JP2003535538A (ja) * 2000-05-31 2003-11-25 フランス テレコム スマートカード用暗号化方法と装置、及び超小型回路を有するスマートカード
JP2001344228A (ja) * 2000-05-31 2001-12-14 Nippon Telegr & Teleph Corp <Ntt> 暗号化通信におけるサービス品質制御方法及び装置サービス品質制御プログラムを格納した記憶媒体
EP1278114A2 (de) * 2001-05-30 2003-01-22 Fujitsu Limited Vorrichtung zur Kodeausführung und Verfahren zur Kodeverteilung
EP1278114A3 (de) * 2001-05-30 2004-12-01 Fujitsu Limited Vorrichtung zur Kodeausführung und Verfahren zur Kodeverteilung
WO2003058409A2 (en) * 2002-01-07 2003-07-17 Scm Microsystems Gmbh Protecting a device against unintended use in a secure environment
WO2003058409A3 (en) * 2002-01-07 2004-06-17 Scm Microsystems Gmbh Protecting a device against unintended use in a secure environment
US8874938B2 (en) 2003-08-26 2014-10-28 Panasonic Intellectual Property Corporation Of America Program execution device
US10318768B2 (en) 2003-08-26 2019-06-11 Panasonic Intellectual Property Corporation Of America Program execution device
US8522053B2 (en) 2003-08-26 2013-08-27 Panasonic Corporation Program execution device
US8181040B2 (en) 2003-08-26 2012-05-15 Panasonic Corporation Program execution device
US9218485B2 (en) 2003-08-26 2015-12-22 Panasonic Intellectual Property Corporation Of America Program execution device
US9524404B2 (en) 2003-08-26 2016-12-20 Panasonic Intellectual Property Corporation Of America Program execution device
US9811691B2 (en) 2003-08-26 2017-11-07 Panasonic Intellectual Property Corporation Of America Program execution device
US11651113B2 (en) 2003-08-26 2023-05-16 Panasonic Holdings Corporation Program execution device
US10970424B2 (en) 2003-08-26 2021-04-06 Panasonic Intellectual Property Corporation Of America Program execution device
US10108821B2 (en) 2003-08-26 2018-10-23 Panasonic Intellectual Property Corporation Of America Program execution device
US10607036B2 (en) 2003-08-26 2020-03-31 Panasonic Intellectual Property Corporation Of America Program execution device
US8473750B2 (en) 2004-12-15 2013-06-25 Nvidia Corporation Chipset security offload engine
US10404719B2 (en) 2016-11-23 2019-09-03 Idemia Identity & Security France Data verification method
EP3327607A1 (de) * 2016-11-23 2018-05-30 Idemia Identity & Security France Data verification method
FR3059121A1 (fr) * 2016-11-23 2018-05-25 Safran Identity and Security Method for verifying data

Also Published As

Publication number Publication date
AU1062399A (en) 2000-04-17
EP1032869A1 (de) 2000-09-06
CA2309627A1 (en) 2000-04-06
JP2002526822A (ja) 2002-08-20
AU743775B2 (en) 2002-02-07

Similar Documents

Publication Publication Date Title
US6385727B1 (en) Apparatus for providing a secure processing environment
US6438666B2 (en) Method and apparatus for controlling access to confidential data by analyzing property inherent in data
AU743775B2 (en) An apparatus for providing a secure processing environment
KR100851631B1 (ko) Secure mode control memory
EP0908810B1 (de) Secure processor with external memory using block chaining and restoration of the block order
KR100809977B1 (ko) Method for enabling secure operation within an integrated system, method for initializing secure operation, method for converting encrypted data, and method for restoring integrated system functions
US7987356B2 (en) Programmable security platform
US7480806B2 (en) Multi-token seal and unseal
US8356188B2 (en) Secure system-on-chip
US7930537B2 (en) Architecture for encrypted application installation
JP2004537786A (ja) Secure machine platform that interfaces with an operating system and customized control programs
EP1855476A2 (de) System and method for secure processing of data
TWI490724B (zh) Method for loading the code of at least one software module
US8656191B2 (en) Secure system-on-chip
EP1320803A2 (de) Non-volatile memory arrangement with an embedded security device
CN116484379A (zh) System boot method, system including trusted computing base software, device, and medium
CA2311392C (en) Method and apparatus for controlling access to confidential data
MXPA00005081A (en) An apparatus for providing a secure processing environment
MXPA00005079A (en) Method and apparatus for controlling access to confidential data

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

WWE Wipo information: entry into national phase

Ref document number: 1998953190

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 10623/99

Country of ref document: AU

ENP Entry into the national phase

Ref document number: 2309627

Country of ref document: CA

Ref country code: CA

Ref document number: 2309627

Kind code of ref document: A

Format of ref document f/p: F

WWE Wipo information: entry into national phase

Ref document number: PA/a/2000/005081

Country of ref document: MX

ENP Entry into the national phase

Ref country code: JP

Ref document number: 2000 572741

Kind code of ref document: A

Format of ref document f/p: F

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWP Wipo information: published in national office

Ref document number: 1998953190

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWG Wipo information: grant in national office

Ref document number: 10623/99

Country of ref document: AU

WWW Wipo information: withdrawn in national office

Ref document number: 1998953190

Country of ref document: EP