US2012137137A1PendingUtilityA1

Method and apparatus for key provisioning of hardware devices

47
Assignee: BRICKELL ERNEST FPriority: Nov 30, 2010Filed: Nov 30, 2010Published: May 31, 2012
Est. expiryNov 30, 2030(~4.4 yrs left)· nominal 20-yr term from priority
G06F 21/73H04L 9/0816G06F 21/572
47
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.

Claims

exact text as granted — not AI-modified
1 . A method comprising:
 receiving, by a hardware device in a system, an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key;   deriving, by the hardware device, the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software; and   decrypting, by the hardware, the encrypted security key using the derived base provisioning key.   
     
     
         2 . The method of  claim 1 , wherein the protected memory is write-once memory. 
     
     
         3 . The method of  claim 1 , wherein the key generation server is an off-line server that operates in a trusted environment. 
     
     
         4 . The method of  claim 1 , wherein the provisioning identifier and provisioning key derived from the unique device identifier are symmetric keys. 
     
     
         5 . The method of  claim 1 , wherein a copy of the unique device key is not available to the first server after the unique device key is written to the protected memory. 
     
     
         6 . The method of  claim 1 , wherein the hardware device receives the encrypted security key via a communications network. 
     
     
         7 . The method of  claim 1 , wherein the hardware device receives the encrypted security key from a storage medium in the system. 
     
     
         8 . The method of  claim 1 , further comprising:
 deriving, by the hardware device, a provisioning key from the base provisioning key, the provisioning key derived based on a latest firmware version number associated with firmware available for installation in the hardware device.   
     
     
         9 . The method of  claim 7 , further comprising:
 receiving, by the hardware device, a encrypted device authentication key, the device authentication key encrypted by the provisioning key; and   decrypting, by the hardware device, the encrypted device authentication key associated with the provisioning key associated with the latest firmware version number or a prior firmware version number.   
     
     
         10 . An apparatus comprising:
 a hardware device in a system to receive an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key, the hardware device to derive the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software and the hardware device to decrypt the encrypted security key using the derived base provisioning key.   
     
     
         11 . The apparatus of  claim 10 , wherein the protected memory is write-once memory. 
     
     
         12 . The apparatus of  claim 10 , wherein the key generation server is an off-line server that operates in a trusted environment. 
     
     
         13 . The apparatus of  claim 10 , wherein the provisioning identifier and provisioning key derived from the unique device identifier are symmetric keys. 
     
     
         14 . The method of  claim 10 , wherein a copy of the unique device key is not available to the first server after the unique device key is written to the protected memory. 
     
     
         15 . The apparatus of  claim 10 , wherein the hardware device receives the encrypted security key via a communications network. 
     
     
         16 . The apparatus of  claim 10 , wherein the hardware device receives the encrypted security key from a storage medium in the system. 
     
     
         17 . The apparatus of  claim 10 , wherein the hardware device derives a provisioning key from the base provisioning key, the provisioning key derived based on a latest firmware version number associated with firmware available for installation in the hardware device. 
     
     
         18 . The apparatus of  claim 16 , wherein the hardware device receives an encrypted device authentication key, the device authentication key encrypted by the provisioning key and the hardware device decrypts the encrypted device authentication key associated with the provisioning key associated with the latest firmware version number or a prior firmware version number. 
     
     
         19 . An article including a machine-accessible medium having associated information, wherein the information, when accessed, results in a machine performing:
 receiving, by a hardware device in a system, an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key;   deriving, by the hardware device, the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software; and   decrypting, by the hardware, the encrypted security key using the derived base provisioning key.   
     
     
         20 . The article of  claim 19 , further comprising:
 deriving, by the hardware device, a provisioning key from the base provisioning key, the provisioning key derived based on a latest firmware version number associated with firmware available for installation in the hardware device.   
     
     
         21 . A system comprising:
 a disk drive; and   a hardware device, the hardware device to receive an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key, the hardware device to derive the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software and the hardware device to decrypt the encrypted security key using the derived base provisioning key.   
     
     
         22 . The system of  claim 21 , wherein the encrypted security key is stored on a storage medium accessible via the disk drive and the hardware device receives the encrypted security key from the disk drive.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.