US9270469B2 - Authentication using public keys and session keys - Google Patents

Authentication using public keys and session keys Download PDF

Info

Publication number
US9270469B2
US9270469B2 US14/185,780 US201414185780A US9270469B2 US 9270469 B2 US9270469 B2 US 9270469B2 US 201414185780 A US201414185780 A US 201414185780A US 9270469 B2 US9270469 B2 US 9270469B2
Authority
US
United States
Prior art keywords
key
payload
session key
combinations
public
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US14/185,780
Other versions
US20150236856A1 (en
Inventor
Jason J. Moore
Steven E. McNeil
Stephen M. Trimberger
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xilinx Inc
Original Assignee
Xilinx Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xilinx Inc filed Critical Xilinx Inc
Assigned to XILINX, INC. reassignment XILINX, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MOORE, JASON J., MCNEIL, STEVEN E., TRIMBERGER, STEPHEN M.
Priority to US14/185,780 priority Critical patent/US9270469B2/en
Priority to JP2016553393A priority patent/JP6510546B2/en
Priority to EP15708971.5A priority patent/EP3108609B1/en
Priority to PCT/US2015/016417 priority patent/WO2015126967A1/en
Priority to CN201580009686.3A priority patent/CN106031082B/en
Priority to KR1020167024911A priority patent/KR102345177B1/en
Publication of US20150236856A1 publication Critical patent/US20150236856A1/en
Publication of US9270469B2 publication Critical patent/US9270469B2/en
Application granted granted Critical
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572Secure firmware programming, e.g. of basic input output system [BIOS]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/76Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Definitions

  • the disclosure generally relates to authenticating data.
  • Authentication is generally a process by which a receiver of data determines whether or not the received data came from a trusted source.
  • the data to be authenticated may be executable programs, configuration data for programmable logic, email messages, or application program data, for example.
  • One approach for authentication relies on public-private key pairs. Data is signed by the sender with the senders' private key of a key pair, resulting in a signature for that data.
  • a receiver may use the sender's public key of the key pair and the received data to determine whether the signature sent with the data is that of the sender. If the signature is as expected for the received data, the received data is authenticated. Otherwise, the received data may have been sent from an unreliable source or may have been tampered with.
  • the public keys employed by a receiving device to authenticate input data are typically stored in a non-volatile memory of the device. Some implementations provide the capability to revoke a public key. Revoking a public key invalidates the key for subsequent use. In most cases a new public key may be established when a current public key is revoked.
  • Flash memory is often used to store public keys since it is non-volatile and can be reprogrammed. However, for some applications flash memory may be unsuitable. For example, field programmable gate arrays (FPGAs) are made using SRAM technology. Combining flash memory into an SRAM based device may be technically challenging and cost prohibitive. Therefore, e-fuses are sometimes used for storage of public keys. However, e-fuses occupy a large area relative to the small amount of information represented by the states of the e-fuses. Therefore, it would be desirable to have a cost-effective system for storage and revocation of public keys.
  • FPGAs field programmable gate arrays
  • a method of authenticating data includes storing a plurality of combinations of representations of public keys and session key identifiers (IDs) in a non-volatile memory.
  • IDs session key identifiers
  • a payload and accompanying public key, session key ID, and signature of the payload are input.
  • the signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key.
  • the method determines whether or not the payload is authentic, from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload. In response to determining that the payload is authentic, the payload is processed. In response to determining that the payload is not authentic, processing of the payload is disabled.
  • the system includes non-volatile storage and a processor.
  • the non-volatile storage is configurable for storage of a plurality of combinations of representations of public keys and session key IDs.
  • the processor is coupled to the non-volatile storage and is configured to input a payload and accompanying public key, session key ID, and signature of the payload.
  • the signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key.
  • the processor is further configured to determine whether or not the payload is authentic, from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload. Responsive to determining that the payload is authentic, the processor processes the payload. Responsive to determining that the payload is not authentic, the processor disables processing of the payload.
  • FIG. 1 is a flow diagram that shows the construction of authentication information for a payload, and the authentication of the payload for purposes of enabling revocation of authentication keys;
  • FIG. 2 is a block diagram that shows a system in which authentication keys are used to control the booting and/or configuration of the system
  • FIG. 3 is a flowchart of a process for initially configuring the authentication system
  • FIG. 4 is a flowchart of a process of authenticating an input payload using a public key and a session key ID
  • FIG. 5 is a flowchart of a process of revoking a public key or a session key ID
  • FIG. 6 is an example SOC architecture on which a system may be implemented using the various approaches described herein.
  • the systems and methods provide an approach for securely managing authentication keys while also increasing the number of keys that may be used in the life of a device.
  • the systems and methods use public keys, session key identifier (IDs), and a payload signature to authenticate a payload. Revocation of a public key or a session key associated with a session key ID is permitted only after the system has booted with configuration data or program code that has been authenticated. Revoking a key may also be referred to as invalidating a key.
  • the session key is a public key that can be used for authenticating software or hardware loads following the boot or initial configuration of the device.
  • Another public key (or root key) and a session key ID which are stored on the device, may be used in authenticating the initial boot program or hardware configuration and the accompanying session key.
  • After the device has been configured or booted, subsequently loaded software or hardware configurations can be authenticated using the session key. This minimizes the use of the root key.
  • the approach for revoking session key provides flexibility in managing the use of the session keys.
  • the system has non-volatile storage for multiple combinations of representations of public keys and session key IDs.
  • the representations may be the binary format of the values of the actual public keys and session key IDs or may be binary formats of hash values of the public keys and session key IDs.
  • public key and session key ID may be used when referring to the representations thereof.
  • a payload input to the system is accompanied by a public key, a session key ID, and a signature of the payload.
  • the signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key.
  • the system includes a processor which determines whether or not the payload is authentic. The authenticity of the payload is determined based not only on the signature of the payload, but also on the accompanying public key and session key ID and the combinations of representations of public and session key IDs stored in the non-volatile memory.
  • the processor allows the payload to be processed. If the payload is not authentic, the processor disables further processing of the payload.
  • the processing of the payload may entail booting the system with program code contained in the payload or configuring programmable logic such as may be found in a system-on-a-chip (SOC).
  • FIG. 1 is a flow diagram that shows the construction of authentication information for a payload, and the authentication of the payload for purposes of enabling revocation of authentication keys.
  • the payload may be a boot program for a processor or configuration data for programmable logic, for example.
  • the flow diagram shows two general phases, the construction of the authentication information and the authentication of the payload using the authentication information.
  • the construction of the authentication information is marked with brace 102
  • the authentication is marked with brace 104 .
  • the payload 106 to be provided to a system has an accompanying public key Pu 108 and session key ID 110 .
  • the payload may include the session key corresponding to session key ID 110 .
  • the payload is input to a hash function 112 , which computes a hash value 114 based on the payload.
  • both the public key 108 and the session key ID 110 may be input to the hash function.
  • the hash function may be an SHA-based function.
  • the hash value 114 is encrypted with the private key Pr 116 by encryption function 118 , resulting in signature 120 .
  • the signature 120 is appended to the information that accompanies the payload 106 .
  • the payload 106 , public key 108 , session key ID 110 , and signature 120 may be formatted into a configuration file to be used in a secure boot of a system in an example application.
  • the authentication of the payload is performed by the system that inputs the payload 106 and accompanying public key 108 , session key ID 110 , and signature 120 .
  • the system includes a non-volatile memory 132 for storage of representations of the public keys 134 and session key IDs 136 .
  • hash values of the public keys are stored in order to reduce storage requirements.
  • the result produced from a hash function applied to a 2048-bit public key may be 256 bits.
  • the public keys are not hashed.
  • the non-volatile memory also includes storage for key states of the public keys.
  • the key state for each public key may be indicated by a valid bit 138 that is associated with that public key.
  • the public keys 134 , session key IDs 136 , and valid bits 138 may be stored in e-fuses, for example.
  • the public key 108 that accompanies the input payload 106 is input to a hash function 140 to produce hash value 142 .
  • Compare function 144 compares the hash value 142 to the hash values of the public keys 134 in the non-volatile memory.
  • the compare function designates the payload to be not authentic, and the system disables further processing of the payload 106 with lock-down function 146 .
  • the processor may lockdown the system by aborting booting of the system or aborting configuring programmable logic. The designation may be by way of the state of a signal or value stored in a register or memory.
  • each combination of one of session key IDs 136 and public keys 134 may be a single hash value.
  • both the public key 108 and session key ID 110 that accompany the payload 106 are input to the hash function 140 , and the compare function 144 compares the resulting hash value to the combined value of a hashed public key and session key ID in the non-volatile memory.
  • the valid function 148 determines whether or not the valid bit associated with the matching hashed public key (or alternatively, matching combination of hashed public key and session key ID, or matching non-hashed public key), has a key state that indicates that the key(s) is valid. If the key state indicates that the matching key is not valid, the valid function 148 designates the payload to be not authentic, and the system disables further processing of the payload 106 with lock-down function 150 , such as by aborting booting of the system or aborting configuring programmable logic.
  • the signature of the payload 106 is confirmed by inputting the payload 106 to hash function 152 , which would be the same as hash function 112 , and generating hash value 154 .
  • the signature 120 and public key 108 that accompany the payload 106 are input to decryption function 156 , which decrypts the signature using the public key, resulting in decrypted signature 158 .
  • the compare function 160 compares the computed hash value to the decrypted signature.
  • the system disables further processing of the payload 106 with lock-down function 162 , such as by aborting booting of the system or aborting configuring programmable logic.
  • the compare function 164 compares the session key ID 110 that accompanies the input payload to the session key ID in the non-volatile memory 132 that is associated with the matching one of the hashed public keys 134 .
  • the compare function 164 designates the payload to be not authentic, and the system disables further processing of the payload 106 with lock-down function 166 , such as by aborting booting of the system or aborting configuring programmable logic.
  • the system In response to the session key ID 120 matching the one of the session key IDs 136 , the system enables processing of the payload 106 , such as by continuing with execution of a boot program and/or configuration of programmable logic 168 .
  • the compare function 164 In the implementation in which each combination of one of session key IDs 136 and one of public keys 134 is a single hash value, the compare function 164 is not required, and a positive comparison found by compare function 160 continues with processing function 168 , such as execution of a boot program and/or configuration of programmable logic 168 .
  • a session key may be revoked independent of the associated public key.
  • each of session key IDs 136 is stored in a set of e-fuses. To revoke a session key, current flow is disabled through the one of the e-fuses of the session key ID. The blown fuse changes the value of the session key ID, which effectively revokes the previous session key ID stored in the set of fuses. In an example implementation, the session key IDs are thereby stored in unary format.
  • the non-volatile memory 132 includes valid bits for storage of key states that are associated with the combinations of public keys 134 and session key IDs 136 . Each combination includes a one of the public keys and one of the session key IDs. The key state in the valid bit associated with a combination indicates whether or not the associated combination is valid (has not been revoked).
  • the valid bits may be implemented as e-fuses.
  • FIG. 2 is a block diagram that shows a system 200 in which authentication keys are used to control the booting and/or configuration of the system.
  • the system 200 includes a processor 202 , programmable logic 204 , ROM 206 , RAM 208 , non-volatile memory 132 , ROM 212 , storage 214 , and interfaces 216 , 218 , and 220 .
  • the processor 202 , programmable logic 204 , ROM 206 , RAM 208 , non-volatile memory 132 , and interfaces 216 , 218 , and 220 may be implemented as a system-on-a-chip (SOC).
  • SOC system-on-a-chip
  • a combination of one of the public keys 134 and one of the session key IDs 136 is used by the processor to authenticate the first stage boot loader (FSBL) 232 and/or configuration bitstream 234 .
  • FSBL first stage boot loader
  • the processor in executing FSBL code or the programmable logic as configured with the configuration bitstream is enabled to revoke one of the public keys and/or session key IDs.
  • the processor 202 loads and executes program code from ROM 206 . That code causes the processor to input the FSBL 232 and/or configuration bitstream 234 into RAM 208 and then authenticate the FSBL or bitstream.
  • the FSBL and configuration bitstream input to the processor have an accompanying public key, session key ID, and signature. If the processor determines the input FSBL or bitstream to be authentic as described above, the processor may continue by processing the payload, that is by executing program code of the FSBL or configuring the programmable logic 204 with the configuration bitstream.
  • the non-volatile memory 132 is comprised of e-fuses in an example implementation.
  • a public key is established by blowing selected e-fuses to establish a binary value of the public key or a hash of the public key.
  • the session key ID associated with a public key is also established by blowing one or more e-fuses to represent the value of the session key ID.
  • a new session key may be established for use in combination with the associated public key by blowing another e-fuse of the e-fuses for that session key ID.
  • the session key ID is thereby embodied in a unary format in the e-fuses. For example, if 32 e-fuses are used to represent a session key ID, then the session key ID can have 32 different values.
  • the valid bits 138 associated with the combinations of public keys and session key IDs are also implemented with e-fuses.
  • the e-fuse of a valid bit is blown, the public key is invalidated, and because the session key ID associated with the public key is only used with that public key, the session key associated with that session key ID is also effectively invalidated.
  • the e-fuses of the valid bits 138 and session key IDs 136 may be blown by program code executing on the processor 202 or by circuitry configured in the programmable logic 204 only after the program code or configuration bitstream has been authenticated.
  • a write-enable (WE) e-fuse 242 controls all but the first public key. This allows the processor running unauthenticated program code or programmable logic configured with an unauthenticated configuration bitstream to program the first public key. The very first programming of the public key space is allowed to be done without authentication because there is no key in the non-volatile memory 132 with which to authenticate. After the first public key has been configured, subsequent programming or revocation of keys is permitted only after the program code or configuration bitstream has been authenticated.
  • WE write-enable
  • the public keys other than the first public key may be controlled by the WE e-fuse 242 .
  • the e-fuse of the WE bit can be blown once all desired values of the public keys are programmed.
  • individual WE bits may be used to individually control programming of the public keys.
  • the system protects against unauthorized programming of the public keys.
  • An authorized party at the initial programming of the public keys, may configure values for all the public keys 134 in the e-fuses.
  • the WE e-fuse 242 can then be blown to disable any further configuration of the public keys.
  • the authorized party at the initial programming may configure the value for only the public key that is not protected by the WE e-fuse (the first public key). Thereafter, before any other public key can be configured or revoked, any input program code or configuration bitstream must first be authenticated with a valid public key and session key.
  • FIG. 3 is a flowchart of a process for initially configuring the authentication system.
  • the representations of one or more public keys are configured in the non-volatile memory.
  • the representation of each public key may be the actual value of the public key or a hash value of the public key, depending on implementation requirements.
  • all the public keys are configured in the non-volatile memory at the initial setup.
  • only the first public key is configured, and thereafter, conditioned on authentication of program code or a configuration bitstream, other public keys can be configured by a program running on a processor of the SOC or by a circuit configured in the programmable logic of the SOC.
  • the values or one or more session key IDs may be optionally configured in the non-volatile memory.
  • An initial session key ID may be configured for each public key which was configured at block 302 .
  • the configuration of session key IDs is optional because the initial value for a session key ID may be 0, which would not require the blowing of any e-fuses. However, if a value other than 0 is desired, the e-fuses may be blown to indicate that value.
  • the WE e-fuse that controls the public keys optionally may be blown at block 306 . This may be useful in usage scenarios in which all the public keys are configured in the SOC at initial setup. Blowing the WE e-fuse disables subsequent updating of the public keys.
  • FIG. 4 is a flowchart of a process of authenticating an input payload using a public key and a session key ID.
  • the process reads the input public key that accompanies a payload and at block 404 a hash value is computed from the public key. In implementations in which the actual public key is stored in non-volatile memory, no hash value would need to be computed.
  • decision block 406 directs the process to block 408 where the system is locked down. For example, a processor performing the authentication may abort further booting of the system or abort configuration of programmable logic.
  • decision block 406 directs the process to decision block 410 , which checks whether or not the matching hashed public key is valid from the state of the associated valid bit. If the hashed public key is not valid, the system is locked down at block 408 .
  • a hash value is computed from the payload, and at block 414 , the signature that accompanies the payload is read and decrypted using the input public key.
  • the session key ID is read from the input, and decision block 418 determines whether or not the input session key ID matches the session key ID associated with the matching public key in the non-volatile memory. If the input session key ID does not match, the system is locked down at block 408 . Otherwise, decision block 420 determines whether or not the decrypted signature is equal to the hash value computed from the payload at block 412 . If the decrypted signature does not match, the system is locked down at block 422 . Otherwise, the processor may continue with program execution or configuration of programmable logic at block 424 .
  • blocks 402 , 404 , and 406 could be modified to process the input session key ID in combination with the input public key, and blocks 416 and 418 would not be necessary.
  • FIG. 5 is a flowchart of a process of revoking a public key or a session key.
  • revocation of either a public key or session key can only be performed by authenticated program code executing on a processor of the SOC or by programmable logic of the SOC as configured with an authenticated configuration bitstream.
  • an input payload is authenticated.
  • the payload may be either program code or a configuration bitstream, for example, and may include a session key.
  • the authentication uses a signature of the payload, along with a public key and a session key ID that also accompany the payload.
  • the e-fuse that implements a valid bit associated with the public key is blown. Since each session key is used only with one of the possible public keys, revoking the public key effectively revokes the combination of the public key and the associated session key.
  • one or more of the set of e-fuses that implements the session key ID associated with the revoked session key are blown. Since blowing an e-fuse changes the value of the session key ID, the previous session key ID stored by the set of e-fuses is revoked, and the new session key ID is indicated by the state of the set of e-fuses. It will be appreciated that blowing only one e-fuse to revoke a session key ID maximizes the number of session key IDs that can be used with that set of e-fuses since once an e-fuse is blown it cannot thereafter be reconfigured to conduct current.
  • FIG. 6 is an example SOC architecture 600 on which a system may be implemented using the various approaches described herein. Those skilled in the art will appreciate that the SOC of FIG. 6 provides only one example of an integrated circuit device on which the methods of the present invention can be practiced.
  • SOC 600 includes a large number of different programmable tiles including multi-gigabit transceivers (MGTs 601 ), configurable logic blocks (CLBs 602 ), random access memory blocks (BRAMs 603 ), input/output blocks (IOBs 604 ), configuration and clocking logic (CONFIG/CLOCKS 605 ), digital signal processing blocks (DSPs 606 ), specialized input/output blocks (I/O 607 ) (e.g., configuration ports and clock ports), and other programmable logic 608 such as digital clock managers, analog-to-digital converters, system monitoring logic, and so forth.
  • the example SOC also includes a hardwired processor 610 .
  • each programmable tile includes a programmable interconnect element (INT 611 ) having standardized connections to and from a corresponding interconnect element in each adjacent tile. Therefore, the programmable interconnect elements taken together implement the programmable interconnect resources for the illustrated SOC.
  • the programmable interconnect element (INT 611 ) also includes the connections to and from the programmable logic primitive within the same tile, as shown by the examples included at the top of FIG. 6 .
  • a CLB 602 can include a configurable logic primitive (CLE 612 ) that can be programmed to implement user logic plus a single programmable interconnect element (INT 611 ).
  • a BRAM 603 can include a BRAM logic primitive (BRL 613 ) in addition to one or more programmable interconnect elements.
  • BRAM logic primitive BRAM logic primitive
  • the number of interconnect elements included in a tile depends on the height of the tile. In the pictured embodiment, a BRAM tile has the same height as four CLBs, but other numbers (e.g., five) can also be used.
  • a DSP tile 606 can include a DSP logic primitive (DSPL 614 ) in addition to an appropriate number of programmable interconnect elements.
  • An 10 B 604 can include, for example, two instances of an input/output logic primitive (IOL 615 ) in addition to one instance of the programmable interconnect element (INT 611 ).
  • IOL 615 input/output logic primitive
  • INT 611 programmable interconnect element
  • Some SOCs utilizing the architecture illustrated in FIG. 6 include additional logic blocks that disrupt the regular columnar structure making up a large part of the programmable logic.
  • the additional logic blocks can be programmable blocks and/or dedicated logic.
  • the processor block PROC 610 shown in FIG. 6 spans several columns of CLBs and BRAMs.
  • a columnar area near the center of the die (shown shaded in FIG. 6 ) is used for configuration, clock, and other control logic. Horizontal areas 609 extending from this column are used to distribute the clocks and configuration signals across the breadth of the SOC.
  • a configuration port (not shown) may be used to access configuration memory (not shown) for the programmable logic to configure the programmable logic and interconnect resources.
  • an internal scrubber (not shown) may continuously read and correct configuration memory via an internal configuration access port.
  • FIG. 6 is intended to illustrate only an exemplary SOC architecture.
  • the numbers of logic blocks in a column, the relative widths of the columns, the number and order of columns, the types of logic blocks included in the columns, the relative sizes of the logic blocks, and the interconnect/logic implementations included at the top of FIG. 6 are purely exemplary.
  • more than one adjacent column of CLBs is typically included wherever the CLBs appear, to facilitate the efficient implementation of user logic.
  • the system and methods are thought to be applicable to a variety of systems for authentication. Other aspects and features will be apparent to those skilled in the art from consideration of the specification.
  • the systems and methods may be implemented as one or more processors configured to execute software, as an application specific integrated circuit (ASIC), or as a logic on a programmable logic device. It is intended that the specification and drawings be considered as examples only, with a true scope of the invention being indicated by the following claims.

Abstract

One approach for authenticating data includes storing a plurality of combinations of representations of public keys and session key IDs in a non-volatile memory. A payload and accompanying public key, session key ID, and signature of the payload are input. The signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key. Authenticity of the payload is determined based on the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload. In response to determining that the payload is authentic, the payload is processed, and in response to determining that the payload is not authentic, processing of the payload is disabled.

Description

FIELD OF THE INVENTION
The disclosure generally relates to authenticating data.
BACKGROUND
Authentication is generally a process by which a receiver of data determines whether or not the received data came from a trusted source. The data to be authenticated may be executable programs, configuration data for programmable logic, email messages, or application program data, for example.
One approach for authentication relies on public-private key pairs. Data is signed by the sender with the senders' private key of a key pair, resulting in a signature for that data. A receiver may use the sender's public key of the key pair and the received data to determine whether the signature sent with the data is that of the sender. If the signature is as expected for the received data, the received data is authenticated. Otherwise, the received data may have been sent from an unreliable source or may have been tampered with.
The public keys employed by a receiving device to authenticate input data are typically stored in a non-volatile memory of the device. Some implementations provide the capability to revoke a public key. Revoking a public key invalidates the key for subsequent use. In most cases a new public key may be established when a current public key is revoked.
Flash memory is often used to store public keys since it is non-volatile and can be reprogrammed. However, for some applications flash memory may be unsuitable. For example, field programmable gate arrays (FPGAs) are made using SRAM technology. Combining flash memory into an SRAM based device may be technically challenging and cost prohibitive. Therefore, e-fuses are sometimes used for storage of public keys. However, e-fuses occupy a large area relative to the small amount of information represented by the states of the e-fuses. Therefore, it would be desirable to have a cost-effective system for storage and revocation of public keys.
SUMMARY
A method of authenticating data is disclosed. The method includes storing a plurality of combinations of representations of public keys and session key identifiers (IDs) in a non-volatile memory. A payload and accompanying public key, session key ID, and signature of the payload are input. The signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key. The method determines whether or not the payload is authentic, from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload. In response to determining that the payload is authentic, the payload is processed. In response to determining that the payload is not authentic, processing of the payload is disabled.
An authentication system is also described. The system includes non-volatile storage and a processor. The non-volatile storage is configurable for storage of a plurality of combinations of representations of public keys and session key IDs. The processor is coupled to the non-volatile storage and is configured to input a payload and accompanying public key, session key ID, and signature of the payload. The signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key. The processor is further configured to determine whether or not the payload is authentic, from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload. Responsive to determining that the payload is authentic, the processor processes the payload. Responsive to determining that the payload is not authentic, the processor disables processing of the payload.
Other features will be recognized from consideration of the Detailed Description and Claims, which follow.
BRIEF DESCRIPTION OF THE DRAWINGS
Various aspects and features of the methods and systems will become apparent upon review of the following detailed description and upon reference to the drawings in which:
FIG. 1 is a flow diagram that shows the construction of authentication information for a payload, and the authentication of the payload for purposes of enabling revocation of authentication keys;
FIG. 2 is a block diagram that shows a system in which authentication keys are used to control the booting and/or configuration of the system;
FIG. 3 is a flowchart of a process for initially configuring the authentication system;
FIG. 4 is a flowchart of a process of authenticating an input payload using a public key and a session key ID;
FIG. 5 is a flowchart of a process of revoking a public key or a session key ID; and
FIG. 6 is an example SOC architecture on which a system may be implemented using the various approaches described herein.
 DETAILED DESCRIPTION OF THE DRAWINGS
The systems and methods provide an approach for securely managing authentication keys while also increasing the number of keys that may be used in the life of a device. The systems and methods use public keys, session key identifier (IDs), and a payload signature to authenticate a payload. Revocation of a public key or a session key associated with a session key ID is permitted only after the system has booted with configuration data or program code that has been authenticated. Revoking a key may also be referred to as invalidating a key.
In one implementation, the session key is a public key that can be used for authenticating software or hardware loads following the boot or initial configuration of the device. Another public key (or root key) and a session key ID, which are stored on the device, may be used in authenticating the initial boot program or hardware configuration and the accompanying session key. After the device has been configured or booted, subsequently loaded software or hardware configurations can be authenticated using the session key. This minimizes the use of the root key. As will be apparent from the disclosure below, the approach for revoking session key provides flexibility in managing the use of the session keys.
The system has non-volatile storage for multiple combinations of representations of public keys and session key IDs. The representations may be the binary format of the values of the actual public keys and session key IDs or may be binary formats of hash values of the public keys and session key IDs. For ease of explanation, public key and session key ID may be used when referring to the representations thereof.
A payload input to the system is accompanied by a public key, a session key ID, and a signature of the payload. The signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key. The system includes a processor which determines whether or not the payload is authentic. The authenticity of the payload is determined based not only on the signature of the payload, but also on the accompanying public key and session key ID and the combinations of representations of public and session key IDs stored in the non-volatile memory.
If the payload is authentic, the processor allows the payload to be processed. If the payload is not authentic, the processor disables further processing of the payload. In an example application, the processing of the payload may entail booting the system with program code contained in the payload or configuring programmable logic such as may be found in a system-on-a-chip (SOC).
FIG. 1 is a flow diagram that shows the construction of authentication information for a payload, and the authentication of the payload for purposes of enabling revocation of authentication keys. In an example application, the payload may be a boot program for a processor or configuration data for programmable logic, for example. The flow diagram shows two general phases, the construction of the authentication information and the authentication of the payload using the authentication information. The construction of the authentication information is marked with brace 102, and the authentication is marked with brace 104.
The payload 106 to be provided to a system has an accompanying public key Pu 108 and session key ID 110. The payload may include the session key corresponding to session key ID 110. The payload is input to a hash function 112, which computes a hash value 114 based on the payload. In an alternative implementation, both the public key 108 and the session key ID 110 may be input to the hash function. In an example implementation the hash function may be an SHA-based function. The hash value 114 is encrypted with the private key Pr 116 by encryption function 118, resulting in signature 120. The signature 120 is appended to the information that accompanies the payload 106. The payload 106, public key 108, session key ID 110, and signature 120 may be formatted into a configuration file to be used in a secure boot of a system in an example application.
The authentication of the payload is performed by the system that inputs the payload 106 and accompanying public key 108, session key ID 110, and signature 120. The system includes a non-volatile memory 132 for storage of representations of the public keys 134 and session key IDs 136. In one implementation, hash values of the public keys are stored in order to reduce storage requirements. For example, the result produced from a hash function applied to a 2048-bit public key may be 256 bits. In another implementation, the public keys are not hashed. The non-volatile memory also includes storage for key states of the public keys. The key state for each public key may be indicated by a valid bit 138 that is associated with that public key. The public keys 134, session key IDs 136, and valid bits 138 may be stored in e-fuses, for example.
In an implementation in which the non-volatile memory stores hash values of public keys, the public key 108 that accompanies the input payload 106 is input to a hash function 140 to produce hash value 142. Compare function 144 compares the hash value 142 to the hash values of the public keys 134 in the non-volatile memory. In response to the hash value 142 not matching any of the hashed public keys 134, the compare function designates the payload to be not authentic, and the system disables further processing of the payload 106 with lock-down function 146. For example, the processor may lockdown the system by aborting booting of the system or aborting configuring programmable logic. The designation may be by way of the state of a signal or value stored in a register or memory.
In another implementation, each combination of one of session key IDs 136 and public keys 134 may be a single hash value. In this implementation, both the public key 108 and session key ID 110 that accompany the payload 106 are input to the hash function 140, and the compare function 144 compares the resulting hash value to the combined value of a hashed public key and session key ID in the non-volatile memory.
If the compare function 144 finds a match, the valid function 148 determines whether or not the valid bit associated with the matching hashed public key (or alternatively, matching combination of hashed public key and session key ID, or matching non-hashed public key), has a key state that indicates that the key(s) is valid. If the key state indicates that the matching key is not valid, the valid function 148 designates the payload to be not authentic, and the system disables further processing of the payload 106 with lock-down function 150, such as by aborting booting of the system or aborting configuring programmable logic.
In response to the valid bit having a key state that indicates that the key(s) is valid, the signature of the payload 106 is confirmed by inputting the payload 106 to hash function 152, which would be the same as hash function 112, and generating hash value 154. The signature 120 and public key 108 that accompany the payload 106 are input to decryption function 156, which decrypts the signature using the public key, resulting in decrypted signature 158. The compare function 160 compares the computed hash value to the decrypted signature. In response to the signature failing to match, the system disables further processing of the payload 106 with lock-down function 162, such as by aborting booting of the system or aborting configuring programmable logic.
In response to the decrypted signature matching the hash value, the compare function 164 compares the session key ID 110 that accompanies the input payload to the session key ID in the non-volatile memory 132 that is associated with the matching one of the hashed public keys 134. In response to the session key ID 120 not matching the one of the session key IDs 136, the compare function 164 designates the payload to be not authentic, and the system disables further processing of the payload 106 with lock-down function 166, such as by aborting booting of the system or aborting configuring programmable logic. In response to the session key ID 120 matching the one of the session key IDs 136, the system enables processing of the payload 106, such as by continuing with execution of a boot program and/or configuration of programmable logic 168. In the implementation in which each combination of one of session key IDs 136 and one of public keys 134 is a single hash value, the compare function 164 is not required, and a positive comparison found by compare function 160 continues with processing function 168, such as execution of a boot program and/or configuration of programmable logic 168.
A session key may be revoked independent of the associated public key. In an example implementation, each of session key IDs 136 is stored in a set of e-fuses. To revoke a session key, current flow is disabled through the one of the e-fuses of the session key ID. The blown fuse changes the value of the session key ID, which effectively revokes the previous session key ID stored in the set of fuses. In an example implementation, the session key IDs are thereby stored in unary format.
Revoking a public key revokes not only the public key but also effectively revokes the associated session key. As explained above, the non-volatile memory 132 includes valid bits for storage of key states that are associated with the combinations of public keys 134 and session key IDs 136. Each combination includes a one of the public keys and one of the session key IDs. The key state in the valid bit associated with a combination indicates whether or not the associated combination is valid (has not been revoked). The valid bits may be implemented as e-fuses.
FIG. 2 is a block diagram that shows a system 200 in which authentication keys are used to control the booting and/or configuration of the system. The system 200 includes a processor 202, programmable logic 204, ROM 206, RAM 208, non-volatile memory 132, ROM 212, storage 214, and interfaces 216, 218, and 220. The processor 202, programmable logic 204, ROM 206, RAM 208, non-volatile memory 132, and interfaces 216, 218, and 220 may be implemented as a system-on-a-chip (SOC). A combination of one of the public keys 134 and one of the session key IDs 136 is used by the processor to authenticate the first stage boot loader (FSBL) 232 and/or configuration bitstream 234. Once authenticated, the processor in executing FSBL code or the programmable logic as configured with the configuration bitstream, is enabled to revoke one of the public keys and/or session key IDs.
In booting the system, the processor 202 loads and executes program code from ROM 206. That code causes the processor to input the FSBL 232 and/or configuration bitstream 234 into RAM 208 and then authenticate the FSBL or bitstream. The FSBL and configuration bitstream input to the processor have an accompanying public key, session key ID, and signature. If the processor determines the input FSBL or bitstream to be authentic as described above, the processor may continue by processing the payload, that is by executing program code of the FSBL or configuring the programmable logic 204 with the configuration bitstream.
The non-volatile memory 132 is comprised of e-fuses in an example implementation. A public key is established by blowing selected e-fuses to establish a binary value of the public key or a hash of the public key. The session key ID associated with a public key is also established by blowing one or more e-fuses to represent the value of the session key ID. A new session key may be established for use in combination with the associated public key by blowing another e-fuse of the e-fuses for that session key ID. The session key ID is thereby embodied in a unary format in the e-fuses. For example, if 32 e-fuses are used to represent a session key ID, then the session key ID can have 32 different values.
The valid bits 138 associated with the combinations of public keys and session key IDs are also implemented with e-fuses. When the e-fuse of a valid bit is blown, the public key is invalidated, and because the session key ID associated with the public key is only used with that public key, the session key associated with that session key ID is also effectively invalidated. The e-fuses of the valid bits 138 and session key IDs 136 may be blown by program code executing on the processor 202 or by circuitry configured in the programmable logic 204 only after the program code or configuration bitstream has been authenticated.
In one implementation, a write-enable (WE) e-fuse 242 controls all but the first public key. This allows the processor running unauthenticated program code or programmable logic configured with an unauthenticated configuration bitstream to program the first public key. The very first programming of the public key space is allowed to be done without authentication because there is no key in the non-volatile memory 132 with which to authenticate. After the first public key has been configured, subsequent programming or revocation of keys is permitted only after the program code or configuration bitstream has been authenticated.
The public keys other than the first public key may be controlled by the WE e-fuse 242. The e-fuse of the WE bit can be blown once all desired values of the public keys are programmed. In another implementation, individual WE bits may be used to individually control programming of the public keys.
The system protects against unauthorized programming of the public keys. An authorized party, at the initial programming of the public keys, may configure values for all the public keys 134 in the e-fuses. The WE e-fuse 242 can then be blown to disable any further configuration of the public keys. In an alternative approach, the authorized party, at the initial programming may configure the value for only the public key that is not protected by the WE e-fuse (the first public key). Thereafter, before any other public key can be configured or revoked, any input program code or configuration bitstream must first be authenticated with a valid public key and session key.
FIG. 3 is a flowchart of a process for initially configuring the authentication system. At block 302, the representations of one or more public keys are configured in the non-volatile memory. The representation of each public key may be the actual value of the public key or a hash value of the public key, depending on implementation requirements.
In one implementation, all the public keys are configured in the non-volatile memory at the initial setup. Alternatively, only the first public key is configured, and thereafter, conditioned on authentication of program code or a configuration bitstream, other public keys can be configured by a program running on a processor of the SOC or by a circuit configured in the programmable logic of the SOC.
At block 304, the values or one or more session key IDs may be optionally configured in the non-volatile memory. An initial session key ID may be configured for each public key which was configured at block 302. The configuration of session key IDs is optional because the initial value for a session key ID may be 0, which would not require the blowing of any e-fuses. However, if a value other than 0 is desired, the e-fuses may be blown to indicate that value.
The WE e-fuse that controls the public keys optionally may be blown at block 306. This may be useful in usage scenarios in which all the public keys are configured in the SOC at initial setup. Blowing the WE e-fuse disables subsequent updating of the public keys.
FIG. 4 is a flowchart of a process of authenticating an input payload using a public key and a session key ID. At block 402, the process reads the input public key that accompanies a payload and at block 404 a hash value is computed from the public key. In implementations in which the actual public key is stored in non-volatile memory, no hash value would need to be computed.
If the computed hash value does not match any of the hashed public keys stored in the non-volatile memory, decision block 406 directs the process to block 408 where the system is locked down. For example, a processor performing the authentication may abort further booting of the system or abort configuration of programmable logic.
If the computed hash value does not match any of the hashed public keys stored in the non-volatile memory, decision block 406 directs the process to decision block 410, which checks whether or not the matching hashed public key is valid from the state of the associated valid bit. If the hashed public key is not valid, the system is locked down at block 408.
If the hashed public key is valid, at block 412, a hash value is computed from the payload, and at block 414, the signature that accompanies the payload is read and decrypted using the input public key.
At block 416, the session key ID is read from the input, and decision block 418 determines whether or not the input session key ID matches the session key ID associated with the matching public key in the non-volatile memory. If the input session key ID does not match, the system is locked down at block 408. Otherwise, decision block 420 determines whether or not the decrypted signature is equal to the hash value computed from the payload at block 412. If the decrypted signature does not match, the system is locked down at block 422. Otherwise, the processor may continue with program execution or configuration of programmable logic at block 424.
In an implementation in which the public key and session key ID are hashed together (not shown), a single hash value would be computed from the input public key and session key ID and that hash value would be compared to the hash values of public keys and session key IDs stored in non-volatile memory. Thus, blocks 402, 404, and 406 could be modified to process the input session key ID in combination with the input public key, and blocks 416 and 418 would not be necessary.
FIG. 5 is a flowchart of a process of revoking a public key or a session key. In an SOC implementation, revocation of either a public key or session key can only be performed by authenticated program code executing on a processor of the SOC or by programmable logic of the SOC as configured with an authenticated configuration bitstream.
At block 502, an input payload is authenticated. The payload may be either program code or a configuration bitstream, for example, and may include a session key. The authentication uses a signature of the payload, along with a public key and a session key ID that also accompany the payload.
At block 504, to revoke a public key, the e-fuse that implements a valid bit associated with the public key is blown. Since each session key is used only with one of the possible public keys, revoking the public key effectively revokes the combination of the public key and the associated session key.
To revoke a session key, at block 506, one or more of the set of e-fuses that implements the session key ID associated with the revoked session key are blown. Since blowing an e-fuse changes the value of the session key ID, the previous session key ID stored by the set of e-fuses is revoked, and the new session key ID is indicated by the state of the set of e-fuses. It will be appreciated that blowing only one e-fuse to revoke a session key ID maximizes the number of session key IDs that can be used with that set of e-fuses since once an e-fuse is blown it cannot thereafter be reconfigured to conduct current.
FIG. 6 is an example SOC architecture 600 on which a system may be implemented using the various approaches described herein. Those skilled in the art will appreciate that the SOC of FIG. 6 provides only one example of an integrated circuit device on which the methods of the present invention can be practiced. SOC 600 includes a large number of different programmable tiles including multi-gigabit transceivers (MGTs 601), configurable logic blocks (CLBs 602), random access memory blocks (BRAMs 603), input/output blocks (IOBs 604), configuration and clocking logic (CONFIG/CLOCKS 605), digital signal processing blocks (DSPs 606), specialized input/output blocks (I/O 607) (e.g., configuration ports and clock ports), and other programmable logic 608 such as digital clock managers, analog-to-digital converters, system monitoring logic, and so forth. The example SOC also includes a hardwired processor 610.
In some implementations, each programmable tile includes a programmable interconnect element (INT 611) having standardized connections to and from a corresponding interconnect element in each adjacent tile. Therefore, the programmable interconnect elements taken together implement the programmable interconnect resources for the illustrated SOC. The programmable interconnect element (INT 611) also includes the connections to and from the programmable logic primitive within the same tile, as shown by the examples included at the top of FIG. 6.
For example, a CLB 602 can include a configurable logic primitive (CLE 612) that can be programmed to implement user logic plus a single programmable interconnect element (INT 611). A BRAM 603 can include a BRAM logic primitive (BRL 613) in addition to one or more programmable interconnect elements. Typically, the number of interconnect elements included in a tile depends on the height of the tile. In the pictured embodiment, a BRAM tile has the same height as four CLBs, but other numbers (e.g., five) can also be used. A DSP tile 606 can include a DSP logic primitive (DSPL 614) in addition to an appropriate number of programmable interconnect elements. An 10 B 604 can include, for example, two instances of an input/output logic primitive (IOL 615) in addition to one instance of the programmable interconnect element (INT 611). As will be clear to those of skill in the art, the actual I/O pads connected, for example, to the I/O logic primitive 615 are manufactured using metal layered above the various illustrated logic blocks, and typically are not confined to the area of the input/output logic primitive 615.
Some SOCs utilizing the architecture illustrated in FIG. 6 include additional logic blocks that disrupt the regular columnar structure making up a large part of the programmable logic. The additional logic blocks can be programmable blocks and/or dedicated logic. For example, the processor block PROC 610 shown in FIG. 6 spans several columns of CLBs and BRAMs.
In the pictured embodiment, a columnar area near the center of the die (shown shaded in FIG. 6) is used for configuration, clock, and other control logic. Horizontal areas 609 extending from this column are used to distribute the clocks and configuration signals across the breadth of the SOC. A configuration port (not shown) may be used to access configuration memory (not shown) for the programmable logic to configure the programmable logic and interconnect resources. In one embodiment, an internal scrubber (not shown) may continuously read and correct configuration memory via an internal configuration access port.
Note that FIG. 6 is intended to illustrate only an exemplary SOC architecture. The numbers of logic blocks in a column, the relative widths of the columns, the number and order of columns, the types of logic blocks included in the columns, the relative sizes of the logic blocks, and the interconnect/logic implementations included at the top of FIG. 6 are purely exemplary. For example, in an actual SOC more than one adjacent column of CLBs is typically included wherever the CLBs appear, to facilitate the efficient implementation of user logic.
Though aspects and features may in some cases be described in individual figures, it will be appreciated that features from one figure can be combined with features of another figure even though the combination is not explicitly shown or explicitly described as a combination.
The system and methods are thought to be applicable to a variety of systems for authentication. Other aspects and features will be apparent to those skilled in the art from consideration of the specification. The systems and methods may be implemented as one or more processors configured to execute software, as an application specific integrated circuit (ASIC), or as a logic on a programmable logic device. It is intended that the specification and drawings be considered as examples only, with a true scope of the invention being indicated by the following claims.

Claims (15)

What is claimed is:
1. A method of authenticating data, comprising:
storing a plurality of combinations of representations of public keys and session key IDs in a non-volatile memory;
storing a plurality of key states in association with the plurality of combinations of representations of public keys and session key IDs, respectively, wherein each key state indicates whether or not the associated combination is valid;
inputting a payload and accompanying public key, session key ID, and signature of the payload, wherein the signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key;
determining with a processor whether or not the payload is authentic, from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload, wherein the determining includes:
determining whether or not one of the plurality of combinations has a representation of a public key that matches the accompanying public key and whether or not the combination is valid from the key state associated with the combination, and
in response to determining that the one of the combinations has the representation of a public key that matches the accompanying public key and is not valid, designating the payload to be not authentic;
in response to determining that the payload is authentic, processing the payload; and
in response to determining that the payload is not authentic, disabling processing of the payload.
2. The method of claim 1, further comprising:
wherein the storing of the plurality of combinations of representations of public keys and session key IDs includes storing the representation of each session key ID in a plurality of e-fuses;
establishing a new session key by disabling current flow through one of the plurality of e-fuses of the representations of the session key ID of one of the plurality of combinations.
3. The method of claim 1, wherein the storing of the plurality of key states in association with the plurality of combinations of representations of public keys and session key IDs includes storing each key state in one or more e-fuses.
4. The method of claim 1, further comprising:
wherein the storing of the plurality of combinations of representations of public keys and session key IDs includes storing the representation of each session key ID in a plurality of e-fuses;
establishing a new session key by disabling current flow through one of the plurality of e-fuses of the representation of the session key ID of one of the plurality of combinations.
5. The method of claim 1, wherein:
the representation of each public key of the plurality of combinations of representations of public keys and session key IDs is a hash value of a public key;
the determining whether or not the payload is authentic from the accompanying public key and session key ID and the combinations stored in the non-volatile memory includes:
computing a hash value of the accompanying public key;
determining whether or not the hash value of the accompanying public key matches the representation of a public key of one of the plurality of combinations; and
designating the payload to be not authentic in response to determining that the hash value of the accompanying public key does not match the representation of a public key of the plurality of combinations.
6. The method of claim 5, wherein the determining whether or not the payload is authentic from the accompanying public key and session key ID and the combinations stored in the non-volatile memory includes:
for one of the plurality of combinations of representations of public keys and session key IDs that has the representation of the public key that matches the hash value of the accompanying public key, determining whether or not an accompanying session key ID number matches the representation of the session key ID number of the one combination;
in response to determining that the accompanying session key ID number matches the representation of the session key ID number of the one combination, designating the payload to be authentic; and
in response to determining that the accompanying session key ID number does not match the representation of the session key ID number of the one combination, designating the payload to be not authentic.
7. The method of claim 2, wherein the storing of the plurality of combinations of representations of public keys and session key IDs includes storing the representation of each public key in a plurality of e-fuses.
8. The method of claim 1, wherein:
each combination of the plurality of combinations of representations of public keys and session key IDs in the non-volatile memory is a hash value of a public key and a session key ID;
the determining whether or not the payload is authentic from the accompanying public key and session key ID and the combinations stored in the non-volatile memory includes:
computing a first hash value of the accompanying public key and session key ID;
determining whether or not the first hash value matches any of the hash values in the non-volatile memory; and
designating the payload to be not authentic in response to determining that the first hash value does not match any of the hash values in the non-volatile memory.
9. An authentication system, comprising:
non-volatile memory configurable for storage of a plurality of combinations of representations of public keys and session key IDs and storage for a plurality of key states in association with the plurality of combinations of representations of public keys and session key IDs, respectively, wherein each key state indicates whether or not the associated combination is valid;
a processor coupled to the non-volatile storage, the processor configured to:
input a payload and accompanying public key, session key ID, and signature of the payload, wherein the signature is a function of the payload and a private key of a key pair that includes the accompanying public key and the private key;
determine whether or not one of the combinations has a representation of a public key that matches the accompanying public key and whether or not the combination is valid from the key state associated with the combination;
in response to determining that the one of the combinations has the representation of a public key that matches the accompanying public key and is not valid, designate the payload to be not authentic;
determine whether or not the payload is authentic, from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, and from the signature and the payload;
responsive to determining that the payload is authentic, process the payload; and
responsive to determining that the payload is not authentic, disable processing of the payload.
10. The system of claim 9, wherein:
the non-volatile memory includes a plurality of e-fuses for storage of the combinations of representations of public keys and session key IDs; and
the processor is further configured to establish a new session key by disabling current flow through one of the plurality of e-fuses of the representations of the session key ID of one of the plurality of combinations.
11. The system of claim 9, wherein the non-volatile memory includes a plurality of e-fuses for storage of the plurality of key states.
12. The system of claim 11, wherein:
the non-volatile memory includes a plurality of e-fuses for storage of the representations of the session key IDs; and
the processor is further configured to establish a new session key by disabling current flow through one of the plurality of e-fuses of the representation of the session key ID of one of the plurality of combinations.
13. The system of claim 9, wherein:
the representation of each public key of the plurality of combinations of representations of public keys and session key IDs is a hash value of a public key;
the processor, in determining whether or not the payload is authentic from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, is configured to:
compute a hash value of the accompanying public key;
determine whether or not the hash value of the accompanying public key matches the representation of a public key of one of the plurality of combinations; and
designate the payload to be not authentic in response to determining that the hash value of the accompanying public key does not match the representation of a public key of the plurality of combinations.
14. The system of claim 13, wherein the processor, in determining whether or not the payload is authentic from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, is configured to:
for one of the plurality of combinations of representations of public keys and session key IDs that has the representation of the public key that matches the hash value of the accompanying public key, determine whether or not an accompanying session key ID number matches the representation of the session key ID number of the one combination;
in response to determining that the accompanying session key ID number matches the representation of the session key ID number of the one combination, designate the payload to be authentic; and
in response to determining that the accompanying session key ID number does not match the representation of the session key ID number of the one combination, designate the payload to be not authentic.
15. The system of claim 9, wherein:
each combination of the plurality of combinations of representations of public keys and session key IDs in the non-volatile memory is a hash value of a public key and a session key ID;
the processor, in determining whether or not the payload is authentic from the accompanying public key and session key ID and the combinations stored in the non-volatile memory, is configured to:
compute a first hash value of the accompanying public key and session key ID;
determine whether or not the first hash value matches any of the hash values in the non-volatile memory; and
designate the payload to be not authentic in response to determining that the first hash value does not match any of the hash values in the non-volatile memory.
US14/185,780 2014-02-20 2014-02-20 Authentication using public keys and session keys Active 2034-05-08 US9270469B2 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US14/185,780 US9270469B2 (en) 2014-02-20 2014-02-20 Authentication using public keys and session keys
CN201580009686.3A CN106031082B (en) 2014-02-20 2015-02-18 Use the certification of public key and session key
EP15708971.5A EP3108609B1 (en) 2014-02-20 2015-02-18 Authentication using public keys and session keys
PCT/US2015/016417 WO2015126967A1 (en) 2014-02-20 2015-02-18 Authentication using public keys and session keys
JP2016553393A JP6510546B2 (en) 2014-02-20 2015-02-18 Public key and session key authentication
KR1020167024911A KR102345177B1 (en) 2014-02-20 2015-02-18 Authentication using public keys and session keys

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/185,780 US9270469B2 (en) 2014-02-20 2014-02-20 Authentication using public keys and session keys

Publications (2)

Publication Number Publication Date
US20150236856A1 US20150236856A1 (en) 2015-08-20
US9270469B2 true US9270469B2 (en) 2016-02-23

Family

ID=52633630

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/185,780 Active 2034-05-08 US9270469B2 (en) 2014-02-20 2014-02-20 Authentication using public keys and session keys

Country Status (6)

Country Link
US (1) US9270469B2 (en)
EP (1) EP3108609B1 (en)
JP (1) JP6510546B2 (en)
KR (1) KR102345177B1 (en)
CN (1) CN106031082B (en)
WO (1) WO2015126967A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180349293A1 (en) * 2017-06-05 2018-12-06 Silicon Motion, Inc. Controller and advanced method for deleting data
US11232219B1 (en) 2019-01-31 2022-01-25 Xilinx, Inc. Protection of electronic designs
US11280829B1 (en) 2019-12-19 2022-03-22 Xlnx, Inc. System-on-chip having secure debug mode
US11582021B1 (en) 2019-11-20 2023-02-14 Xilinx, Inc. Protection against differential power analysis attacks involving initialization vectors

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9659191B2 (en) * 2014-04-09 2017-05-23 Seagate Technology Llc Encryption key storage and modification in a data storage device
US10541817B2 (en) * 2016-03-14 2020-01-21 Ricoh Company, Ltd. Data generation apparatus, data recording system, and program product
CN107451432A (en) * 2016-05-30 2017-12-08 深圳市中兴微电子技术有限公司 A kind of startup program inspection method and device
US10091904B2 (en) * 2016-07-22 2018-10-02 Intel Corporation Storage sled for data center
US10268844B2 (en) * 2016-08-08 2019-04-23 Data I/O Corporation Embedding foundational root of trust using security algorithms
US10541820B2 (en) 2017-08-17 2020-01-21 Global Bonsai LLC Distributed digital ledger
US11558178B2 (en) * 2018-01-31 2023-01-17 Walmart Apollo, Llc System and method for prescription security and authentication
KR102192477B1 (en) * 2018-07-16 2020-12-18 (주)이더블유비엠 Method, system and program of silent authentication instead of fido-based authentication
WO2021100907A1 (en) * 2019-11-20 2021-05-27 (주)이더블유비엠 Fido-based silent authentication method, system, and program
US11893118B2 (en) * 2021-05-25 2024-02-06 Microsoft Technology Licensing, Llc Transfer of ownership of a computing device via a security processor

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2355819A (en) 1999-10-26 2001-05-02 Marconi Comm Ltd Authentication of data and software
US20040098579A1 (en) * 2001-08-01 2004-05-20 Toshihisa Nakano Encrypted data delivery system
US20040107349A1 (en) 2002-12-03 2004-06-03 Marco Sasselli Method for securing software updates
US20040249817A1 (en) * 1999-06-28 2004-12-09 Zix Corporation, A Texas Corporation Secure transmission system
US6851049B1 (en) * 2000-10-02 2005-02-01 Pgp Corporation Method and apparatus for facilitating secure anonymous email recipients
US20050235145A1 (en) * 2002-12-05 2005-10-20 Canon Kabushiki Kaisha Secure file format
US20070226500A1 (en) * 2006-03-24 2007-09-27 Microsoft Corporation Subscription-based computing implemented in hardware of computing device
US20070269040A1 (en) * 2006-05-16 2007-11-22 Microsoft Corporation Cryptographic Protocol for Commonly Controlled Devices
US20080010470A1 (en) * 1997-02-21 2008-01-10 Mckeon Brian B Tamper resistant module having separate control of issuance and content delivery
US7412061B2 (en) * 1999-03-27 2008-08-12 Microsoft Corporation Encrypting a digital object on a key ID selected therefor
US20090086974A1 (en) * 2007-10-02 2009-04-02 Masana Murase Support for Multiple Security Policies on a Unified Authentication Architecture
US20110156801A1 (en) * 2009-12-31 2011-06-30 Xianghong Tong Tamper resistant fuse design
US7987358B1 (en) * 2006-06-09 2011-07-26 Xilinx, Inc. Methods of authenticating a user design in a programmable integrated circuit
WO2012056094A1 (en) 2010-10-29 2012-05-03 Nokia Corporation Software authentication
US20120290830A1 (en) * 2011-05-09 2012-11-15 Cleversafe, Inc. Generating an encrypted message for storage
US20130145160A1 (en) * 2011-12-05 2013-06-06 Certicom Corp. System and method for mounting encrypted data based on availability of a key on a network
US8813253B2 (en) * 2003-11-27 2014-08-19 Nagravision S.A. Method for the authentication of applications
US8863230B1 (en) * 2006-06-09 2014-10-14 Xilinx, Inc. Methods of authenticating a programmable integrated circuit in combination with a non-volatile memory device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003348079A (en) * 2002-05-27 2003-12-05 Konica Minolta Holdings Inc Image forming apparatus
JP2004304304A (en) * 2003-03-28 2004-10-28 Fujitsu Ltd Electronic signature generating method, electronic signature authenticating method, electronic signature generating request program and electronic signature authenticate request program
JP4546231B2 (en) * 2004-12-09 2010-09-15 株式会社日立製作所 ID-based signature and encryption system and method
JP2009217722A (en) * 2008-03-12 2009-09-24 Nippon Telegr & Teleph Corp <Ntt> Authentication processing system, authentication device, management device, authentication processing method, authentication processing program and management processing program
JP5382766B2 (en) * 2008-09-26 2014-01-08 日本電気通信システム株式会社 E-mail verification system, transmission terminal, reception terminal, e-mail processing terminal, e-mail verification, transmission and reception method
CN102365839B (en) * 2009-04-06 2014-07-16 松下电器产业株式会社 Key implementation system
CN102761420B (en) * 2012-08-08 2014-10-29 飞天诚信科技股份有限公司 Security certification method

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080010470A1 (en) * 1997-02-21 2008-01-10 Mckeon Brian B Tamper resistant module having separate control of issuance and content delivery
US7412061B2 (en) * 1999-03-27 2008-08-12 Microsoft Corporation Encrypting a digital object on a key ID selected therefor
US20040249817A1 (en) * 1999-06-28 2004-12-09 Zix Corporation, A Texas Corporation Secure transmission system
GB2355819A (en) 1999-10-26 2001-05-02 Marconi Comm Ltd Authentication of data and software
US6851049B1 (en) * 2000-10-02 2005-02-01 Pgp Corporation Method and apparatus for facilitating secure anonymous email recipients
US20040098579A1 (en) * 2001-08-01 2004-05-20 Toshihisa Nakano Encrypted data delivery system
US20040107349A1 (en) 2002-12-03 2004-06-03 Marco Sasselli Method for securing software updates
US20050235145A1 (en) * 2002-12-05 2005-10-20 Canon Kabushiki Kaisha Secure file format
US8813253B2 (en) * 2003-11-27 2014-08-19 Nagravision S.A. Method for the authentication of applications
US20070226500A1 (en) * 2006-03-24 2007-09-27 Microsoft Corporation Subscription-based computing implemented in hardware of computing device
US20070269040A1 (en) * 2006-05-16 2007-11-22 Microsoft Corporation Cryptographic Protocol for Commonly Controlled Devices
US7987358B1 (en) * 2006-06-09 2011-07-26 Xilinx, Inc. Methods of authenticating a user design in a programmable integrated circuit
US8863230B1 (en) * 2006-06-09 2014-10-14 Xilinx, Inc. Methods of authenticating a programmable integrated circuit in combination with a non-volatile memory device
US20090086974A1 (en) * 2007-10-02 2009-04-02 Masana Murase Support for Multiple Security Policies on a Unified Authentication Architecture
US20110156801A1 (en) * 2009-12-31 2011-06-30 Xianghong Tong Tamper resistant fuse design
US20120110333A1 (en) * 2010-10-29 2012-05-03 Nokia Corporation Software security
WO2012056094A1 (en) 2010-10-29 2012-05-03 Nokia Corporation Software authentication
US20120290830A1 (en) * 2011-05-09 2012-11-15 Cleversafe, Inc. Generating an encrypted message for storage
US20130145160A1 (en) * 2011-12-05 2013-06-06 Certicom Corp. System and method for mounting encrypted data based on availability of a key on a network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Wikipedia, "Public-key cryptography", Wikipedia.org, Wikimedia Foundation, 22 pages, last modified on Feb. 12, 2015, .
Wikipedia, "Public-key cryptography", Wikipedia.org, Wikimedia Foundation, 22 pages, last modified on Feb. 12, 2015, <http://en.wikipedia.org/wiki/Public-key cryptography>.

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180349293A1 (en) * 2017-06-05 2018-12-06 Silicon Motion, Inc. Controller and advanced method for deleting data
US10664414B2 (en) * 2017-06-05 2020-05-26 Silicon Motion, Inc. Controller and advanced method for deleting data
US11232219B1 (en) 2019-01-31 2022-01-25 Xilinx, Inc. Protection of electronic designs
US11582021B1 (en) 2019-11-20 2023-02-14 Xilinx, Inc. Protection against differential power analysis attacks involving initialization vectors
US11280829B1 (en) 2019-12-19 2022-03-22 Xlnx, Inc. System-on-chip having secure debug mode

Also Published As

Publication number Publication date
KR20160123336A (en) 2016-10-25
US20150236856A1 (en) 2015-08-20
JP2017506850A (en) 2017-03-09
EP3108609A1 (en) 2016-12-28
CN106031082A (en) 2016-10-12
CN106031082B (en) 2019-08-27
JP6510546B2 (en) 2019-05-08
EP3108609B1 (en) 2020-06-24
WO2015126967A1 (en) 2015-08-27
KR102345177B1 (en) 2021-12-30

Similar Documents

Publication Publication Date Title
US9270469B2 (en) Authentication using public keys and session keys
US9230112B1 (en) Secured booting of a field programmable system-on-chip including authentication of a first stage boot loader to mitigate against differential power analysis
US9165143B1 (en) Image file generation and loading
US9870488B1 (en) Method and apparatus for securing programming data of a programmable device
US9830456B2 (en) Trust transference from a trusted processor to an untrusted processor
US9806883B2 (en) Secure provision of a key
JP6371919B2 (en) Secure software authentication and verification
US8776211B1 (en) Processing commands according to authorization
EP3197089B1 (en) Secure information configuration method, secure authentication method and related chip
US8281115B2 (en) Security method using self-generated encryption key, and security apparatus using the same
US10984107B2 (en) Secure boot
US9959403B2 (en) Information processing system for mutual authentication between communication device and storage
US20090193261A1 (en) Apparatus and method for authenticating a flash program
US11294992B2 (en) Locking execution of cores to licensed programmable devices in a data center
US8966253B1 (en) Method and apparatus for authenticating a programmable device bitstream
WO2018053855A1 (en) Enhanced secure boot
CN104838387A (en) Chip verification
US9218505B1 (en) Programmable integrated circuit with DPA-resistant decryption
US8983073B1 (en) Method and apparatus for restricting the use of integrated circuits
WO2009129017A1 (en) Methods, apparatus and system for authenticating a programmable hardware device and for authenticating commands received in the programmable hardware device from a secure processor
US11765149B2 (en) Secure data provisioning
US10067770B2 (en) Platform key hierarchy
US11582021B1 (en) Protection against differential power analysis attacks involving initialization vectors
US9530022B1 (en) Protection of designs for electronic systems
EP3918496B1 (en) Locking execution of cores to licensed programmable devices in a data center

Legal Events

Date Code Title Description
AS Assignment

Owner name: XILINX, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MOORE, JASON J.;MCNEIL, STEVEN E.;TRIMBERGER, STEPHEN M.;SIGNING DATES FROM 20140211 TO 20140220;REEL/FRAME:032260/0778

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8