US2012137137A1PendingUtilityA1
Method and apparatus for key provisioning of hardware devices
Est. expiryNov 30, 2030(~4.4 yrs left)· nominal 20-yr term from priority
Inventors:Ernest BrickellShay GueronJiangtao LiCarlos V. RozasDaniel NemiroffVincent R. ScarlataUday SavagaonkarSimon P. Johnson
G06F 21/73H04L 9/0816G06F 21/572
47
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.
Claims
exact text as granted — not AI-modified1 . A method comprising:
receiving, by a hardware device in a system, an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key; deriving, by the hardware device, the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software; and decrypting, by the hardware, the encrypted security key using the derived base provisioning key.
2 . The method of claim 1 , wherein the protected memory is write-once memory.
3 . The method of claim 1 , wherein the key generation server is an off-line server that operates in a trusted environment.
4 . The method of claim 1 , wherein the provisioning identifier and provisioning key derived from the unique device identifier are symmetric keys.
5 . The method of claim 1 , wherein a copy of the unique device key is not available to the first server after the unique device key is written to the protected memory.
6 . The method of claim 1 , wherein the hardware device receives the encrypted security key via a communications network.
7 . The method of claim 1 , wherein the hardware device receives the encrypted security key from a storage medium in the system.
8 . The method of claim 1 , further comprising:
deriving, by the hardware device, a provisioning key from the base provisioning key, the provisioning key derived based on a latest firmware version number associated with firmware available for installation in the hardware device.
9 . The method of claim 7 , further comprising:
receiving, by the hardware device, a encrypted device authentication key, the device authentication key encrypted by the provisioning key; and decrypting, by the hardware device, the encrypted device authentication key associated with the provisioning key associated with the latest firmware version number or a prior firmware version number.
10 . An apparatus comprising:
a hardware device in a system to receive an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key, the hardware device to derive the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software and the hardware device to decrypt the encrypted security key using the derived base provisioning key.
11 . The apparatus of claim 10 , wherein the protected memory is write-once memory.
12 . The apparatus of claim 10 , wherein the key generation server is an off-line server that operates in a trusted environment.
13 . The apparatus of claim 10 , wherein the provisioning identifier and provisioning key derived from the unique device identifier are symmetric keys.
14 . The method of claim 10 , wherein a copy of the unique device key is not available to the first server after the unique device key is written to the protected memory.
15 . The apparatus of claim 10 , wherein the hardware device receives the encrypted security key via a communications network.
16 . The apparatus of claim 10 , wherein the hardware device receives the encrypted security key from a storage medium in the system.
17 . The apparatus of claim 10 , wherein the hardware device derives a provisioning key from the base provisioning key, the provisioning key derived based on a latest firmware version number associated with firmware available for installation in the hardware device.
18 . The apparatus of claim 16 , wherein the hardware device receives an encrypted device authentication key, the device authentication key encrypted by the provisioning key and the hardware device decrypts the encrypted device authentication key associated with the provisioning key associated with the latest firmware version number or a prior firmware version number.
19 . An article including a machine-accessible medium having associated information, wherein the information, when accessed, results in a machine performing:
receiving, by a hardware device in a system, an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key; deriving, by the hardware device, the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software; and decrypting, by the hardware, the encrypted security key using the derived base provisioning key.
20 . The article of claim 19 , further comprising:
deriving, by the hardware device, a provisioning key from the base provisioning key, the provisioning key derived based on a latest firmware version number associated with firmware available for installation in the hardware device.
21 . A system comprising:
a disk drive; and a hardware device, the hardware device to receive an encrypted security key, the encrypted security key stored in a database maintained by a provisioning server associated with a provisioning identifier derived from a unique device key, the unique device key embedded by a key generation server in the hardware device by writing the unique device key in a protected memory in the hardware device, the security key encrypted using a base provisioning key derived from the unique device key, the hardware device to derive the base provisioning key from the unique device key stored in protected memory, the protected memory inaccessible by software and the hardware device to decrypt the encrypted security key using the derived base provisioning key.
22 . The system of claim 21 , wherein the encrypted security key is stored on a storage medium accessible via the disk drive and the hardware device receives the encrypted security key from the disk drive.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.