CRYPTOGRAPHIC INFORMATION ASSOCIATION TO MEMORY REGIONS

Abstract
Embodiments herein relate to cryptographic operations, such as encrypting and/or decrypting information to be read from or written to first and second memory regions. The first cryptographic information is related to the first memory region and the second cryptographic information is related to the second memory region.
Description
BACKGROUND

A device, such as a secure processor, may encrypt information to be stored to a memory using cryptographic information in order to protect the information from being read by third parties who lack permission to access such information. For example, if the memory is external to the device, the transmission of the information between the memory and the external device may be intercepted by an unauthorized party, but still may be unreadable by the unauthorized party, if the information is encrypted.


However, a method for encrypting the information may slow an operation of the device. Further, the device may be limited in a type of encryption to be carried out. In addition, the unauthorized party may be able to access a key value included in the cryptographic information stored in the device, thus compromising a security of the transmitted information. Manufacturers, vendors, and/or users are challenged to provide faster and/or more versatile methods for encrypting the information while maintaining a threshold level of security.





BRIEF DESCRIPTION OF THE DRAWINGS

The following detailed description references the drawings, wherein:



FIG. 1 is an example block diagram of a cryptographic device;



FIG. 2 is another example block diagram of a cryptographic device;



FIG. 3A is an example block diagram of the MMU of FIG. 2;



FIG. 3B is an example block diagram of a register of FIG. 3A;



FIG. 4 is an example block diagram of a computing device including instructions for encrypting or decrypting information;



FIG. 5 is an example flowchart of a cryptographic method; and



FIG. 6 is another example flowchart of a cryptographic method.





DETAILED DESCRIPTION

Specific details are given in the following description to provide a thorough understanding of embodiments. However, it will be understood by one of ordinary skill in the art that embodiments may be practiced without these specific details. For example, systems may be shown in block diagrams in order not to obscure embodiments in unnecessary detail. In other instances, well-known processes, structures and techniques may be shown without unnecessary detail in order to avoid obscuring embodiments.


A device, such as a secure microprocessor, may generally use a same cryptographic algorithm, mode, and/or key to encrypt information for all memory regions of one or more memories. Using the same cryptographic algorithm, mode, and/or key for all types of information and/or memory regions may be relatively less efficient and/or secure. For example, certain types of cryptographic algorithms may more quickly or compactly encrypt information based on a type of the information or memory. For instance, some types of cryptographic algorithms may be more suitable for multimedia data while other types of cryptographic algorithms may be more suitable for application code or cache data. In addition, using the same cryptographic algorithm, mode, and/or key reduces security because all of the memory regions may become readable and/or decrypted if an unauthorized party surreptitiously determines a way to decrypt any one of the memory regions. In addition, the device may store the key value in an unsecured manner, such as unencrypted data and/or at an unprotected location. Therefore, security may be compromised if the unauthorized party accesses the key value.


Embodiments may allow different memory regions to be encrypted with different cryptographic information, such as different algorithms, modes, and/or keys. Using different cryptographic information may increase security and/or efficiency. For instance, encrypting different memory regions with different cryptographic information may increase a time and/or difficulty for the unauthorized party to possibly decrypt a plurality of the different memory regions. Further, depending on the type of information to be encrypted or decrypted, a size of the encrypted information and/or a time for cryptographic operation may be reduced based on the selected type of algorithm, mode, and/or key. In addition, in one embodiment, all the key values may be centrally stored at a separate, secure location, such as a secure memory, with the device storing a key reference that points to a location of the associated key value. Thus, the key values may be more securely protected from access by the unauthorized party.


In one embodiment, the cryptographic information may be stored at a memory management unit (MMU) included in the device. In this case, the algorithm, mode and/or key for one or more memory regions may be flexibly assigned and simply accessed. For example, the cryptographic information may be managed similar to any other attribute already handled by the MMU, such as read-write-execute and user-supervisor attributes.


Referring now to the drawings, FIG. 1 is an example block diagram of a cryptographic device 100. The cryptographic device 100 may be included in any type of device performing cryptographic operations, such as a secure microprocessor, a notebook computer, a desktop computer, an all-in-one system, a slate computing device, a portable reading device, a wireless email device, a mobile phone, and the like. In the embodiment of FIG. 1, the device 100 includes a cryptographic module 110 and an encryptor 120.


The cryptographic module 110 may include, for example, a hardware device including electronic circuitry for implementing the functionality described below, such as one or more registers. In addition or as an alternative, the cryptographic module 110 may be implemented as a series of instructions encoded on a machine-readable storage medium and executable by a processor. In embodiments, the cryptographic module 110 may be implemented as a hardware device or as executable instructions. For example, the cryptographic module 110 may be implemented as part of an application run by an operating system (OS) running on the device 100.


The cryptographic module 110 is to store first cryptographic information 112 related to at least one of encrypting and decrypting information to be at least one of written to and read from a first memory region (not shown) and to store second cryptographic information 114 related to at least one of encrypting and decrypting information to be at least one of written to and read from a second memory region. The term cryptographic information may relate to any type of information needed to carry out a cryptographic operation, such as a cryptographic algorithm, mode, key and/or cryptographic security parameter (CSP) information. The term cryptographic operation may refer to any type of process related to encryption and/or decryption of information, such as data or code.


For example, the first and second cryptographic information 112 and 114 may each include algorithm, mode and/or key information. The algorithm information may include at least one of a symmetric and asymmetric key algorithm. Examples of symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, 3DES, IDEA and the like. Examples of asymmetric algorithms include Diffie-Hellman key exchange protocol, Digital Signature Standard (DSS), ElGamal, Paillier cryptosystem, RSA encryption algorithm and Cramer-Shoup cryptosystem, and the like. The algorithm may be a procedure for performing encryption or decryption.


The mode information includes at least one of a block and stream cipher mode. Examples of block cipher mode include Electronic codebook (ECB), Cipher-block chaining (CBC), Propagating cipher-block chaining (PCBC), Cipher feedback (CFB), Output feedback (OFB), Counter (CTR) mode and the like. Examples of stream cipher mode include synchronous and self-synchronizing stream ciphers, such as RC4, A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, MUGI, Panama, Phelix, Pike, SEAL, SOBER, SOBER-128, WAKE and the like. The mode information may relate to a procedure of enabling the repeated and secure use of the algorithm using the same key.


The key information may include a key value and/or a reference to a key value. If the key information includes the reference to the key, the key value may be retrieved from a secure memory (not shown), using the reference to the key value. The key information may be any type of information or parameter that determines the functional output of the cryptographic algorithm. Storing the key information at the secure memory, instead of at the cryptographic module 110, may prevent separation from other keys, simplify key management, and reduce the likelihood of corruption or leaking of the key information. The cryptographic module 110 will be explained in further detail with respect to FIG. 2. While the first and second cryptographic information 112 and 114 are described as including the algorithm, mode and/or key information, embodiments may also include other types of cryptographic information.


The encryptor 120 may be any type of device capable of performing encryption and/or decryption. The encryptor 120 is to at least one of encrypt and decrypt information to be at least one of read from and written to the first memory region based on the first cryptographic information 112. Further, the encryptor is to at least one of encrypt and decrypt information to be at least one of read from and written to the second memory region based on the second cryptographic information 114. The encryptor 120 will be explained in further detail with respect to FIG. 2.


A type of at least one of the algorithm, mode, and key information of at least one of the first and second cryptographic information 112 and 114 may be based on at least one of a source of the information and a type of a memory (not shown) associated with at least one of the first and second memory regions. For example, the first cryptographic information may be associated with a first type of information, such as boot code, and the second cryptographic information may be associated with a second type of information, such as cache data. Accordingly, the first and second cryptographic information may include a different algorithm, mode and/or key.


Further, first and second memory regions of the first and second cryptographic information 112 and 114 may be associated with different types of memory. For example, the first memory region of the first cryptographic information 112 may be associated with an SDRAM or DRAM type of memory and use an XTS-AES mode, while the second memory region of the second cryptographic information 114 may be associated with a ROM type of memory and use a CBC mode.


Further, the first and second cryptographic information 112 and 114 may have different algorithms, modes, and/or keys even when the corresponding first and second memory regions share the same type of memory, such as when the first and second memory regions are associated with different types of information, or for additional security.


Hence, the type of at least one of the algorithm, mode, and key information of the first cryptographic information is determined independently from that of the second cryptographic information. As a result, at least one of the algorithm, mode, and key information of the first cryptographic information may be different than that of the second cryptographic information.


While FIG. 1 only shows the first and second cryptographic information 112 and 114, embodiments may include more or less than two total cryptographic information. Similarly, embodiments may include more or less than two total memory regions. A number, size and/or content of the cryptographic information may be varied automatically and/or manually.



FIG. 2 is another example block diagram of a cryptographic device 200. The cryptographic device 200 may be included in any type of device performing cryptographic operations, such as a secure microprocessor, a notebook computer, a desktop computer, an all-in-one system, a slate computing device, a portable reading device, a wireless email device, a mobile phone, and the like. In the embodiment of FIG. 2, the device 200 includes a memory management unit (MMU) 210, a processor 220, a first controller 230, a second controller 240, a first memory region 250 and a second memory region 260. The device 200 further includes the encryptor 120 and the cryptographic module 110 of FIG. 1. The cryptographic module 110 is shown to be included within the MMU 210. However, embodiments may also include the cryptographic module 110 being external to the MMU 210.


The MMU 210, the first controller 230 and the second controller 240 may include, for example, hardware devices including electronic circuitry for implementing the functionality described below. In addition or as an alternative, each module may be implemented as a series of instructions encoded on a machine-readable storage medium and executable by a processor.


The first and second memory regions 250 and 260 may be part of one or more machine-readable storage mediums, such as any type of electronic, magnetic, optical, or other physical storage device capable of storing information, like data or instructions. Thus, the one or more machine-readable storage mediums may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. In FIG. 2, the first and second memory regions 250 and 260 are shown to be external to the device 200. However, embodiments may also include the first and second memory regions 250 and 260 being internal to the device 200.


The MMU 210 may control aspects of memory map management. For example, the MMU 210 may define the address ranges for different parts of memory, such as the first and second memory regions 250 and 260, and/or map real (e.g. internal or physical) addresses to virtual (e.g., logical or external) addresses. Further, the MMU 210 may manage access permissions (e.g. read-write-execute, user-supervisor and/or process ID) for each memory mapped section. In FIG. 2, the MMU 210 may map addresses of and control access to the first and second memory regions 250 and 260.


The processor 220 may be at least one central processing unit (CPU), at least one semiconductor-based microprocessor, at least one graphics processing unit (GPU), or other hardware devices suitable for retrieval and execution of instructions. As an alternative or in addition to retrieving and executing instructions, the processor 220 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of the instruction.


The processor 220 may communicate with the MMU 210 when the processor 220 seeks to access memory, such as at least one of the first and second memory regions 250 and 260. For instance, the processor 220 may communicate a real or CPU address to the MMU 210 and the MMU 210 may translate the real address to a virtual or user address of at least one of the first and second memory regions 250 and 260. In accessing memory, one or more memory components may be accessed. For example, the processor 220 may request memory access to the memory when performing a write operation, via a processor local bus (PLB) (not shown) and one of the first and second controllers 230 and 240.


The first and second controllers 230 and 240 respectively control access to the first and second memory regions 250 and 260 based on access information 212 stored in the MMU 210. For example, the first controller 230 controls access to the first memory region 250 and the second controller 240 controls access to the second memory region 260. The encryptor 120, as explained in FIG. 1, may interface between the processor 220 and the first and second controllers 230 and 240.


For example, the encryptor 120 may at least one of decrypt and pass through the information to be read from at least one of the first and second memory regions 250 and 260 based on at least one of the first and second cryptographic information 112 and 114. Similarly, the encryptor 120 is to at least one of encrypt and pass through the information to be written to at least one of the first and second memory regions 250 and 260 based on at least one of the first and second cryptographic information 112 and 114. The encryptor 120 operates independently of the processor 220.


When the processor 220 seeks access to memory, such as one of the first and second memory regions 250 and 260, the MMU 210 may simultaneously control the encryptor 120 and at least one of the first and second controllers 230 and 240. For example, if the processor 220 is requesting access to an address located in the first memory region 250, the MMU 210 may use access information 212 included in the MMU 210 to control the first controller 230 to enable access to the first memory region 250. Further, the MMU 210 may use the first cryptographic information 112 to control the encryptor 120 to encrypt, decrypt, or pass through any information being transmitted to or from at least one of the first and second memory regions 250 and 260. In this case, the MMU 210 may enable the first controller 230 and configure the encryptor 120 with the algorithm, mode and/or key of the first cryptographic information 112.


As the processor 220 reads from or writes to the first memory region 250, the information passes through the encryptor 120. For example, for security purposes, the information being written to the first memory region 250 may be encrypted by the encryptor 120. Conversely, the information being read from the first memory region 250 may be decrypted by the encryptor 120. Thus, any information may be encrypted upon exiting the device 200 and decrypted while entering the device 200. However, embodiments are not limited. For example, the encryptor 120 may decrypt information to be written to memory and/or encrypt information to be read from memory. Further, the encryptor 120 may simply allow the information to pass through the encryptor 120 without any change thereto, regardless of whether the information is encrypted or not.


As the encryptor 120 receives first or second cryptographic information 112 or 114, such as the algorithm, mode or key, from the MMU 210, the cryptographic operation occurs independently of the processor 220. In fact, the cryptographic operation may even be invisible to the processor 220, such as if the information is encrypted upon being output from the device 200 and decrypted upon entering the device 200. In addition, the access information 212 and the first cryptographic information 112 are provided such that the encryptor 120 and at least one of the first and second controllers 230 and 240 operate simultaneously.


While FIG. 2 only shows the two memory regions 250 and 260 and two controllers 230 and 240, embodiments may include more or less than two memory regions and/or more or less than two controllers. While FIG. 2 only shows the single encryptor 120, embodiments may include a plurality of encryptors, such as a single encryptor for each type of memory and/or memory region.



FIG. 3A is an example block diagram of the MMU 300 of FIG. 2. In this embodiment, the MMU 300 includes a plurality of registers 302-1 to 302-n, where n is a natural number. For example, n may be between 32 and 128. The registers 302-1 to 302-n may, for example, be 64 to 96 bits in size and be referred to as translation lookaside buffers (TLB). At least one of the registers 302-1 to 302-n may be assigned to a memory region and include configuration information on how the MMU 210 should control the assigned memory region. For example, the first register 302-1 may be assigned to the first memory region 250 and the second register 302-2 may be assigned to the second memory region 260. Thus, in this case, the first register 302-1 may store the first cryptographic information 112 and a part of the access information 212 related to enabling the first controller 230. Similarly, the second register 302-2 may store the second cryptographic information 114 and a part of the access information 212 related to enabling the second controller 240.


Moreover, more than one of the registers 302-1 to 302-n may be mapped to the same memory region. For example, in one embodiment, the first register 302-1 may have write-only permission to the first memory region 250 while the second register 302-2 may have read-only permission to the first memory region 250. Further, the cryptographic information associated with the write operation of the first register 302-1 may be different than the cryptographic information associated with the read operation of the second register 302-2.


Alternatively, either of the first and/or second registers 302-1 and 302-2 may instruct the encryptor 120 to pass all the information through as clear text, without encrypting or decrypting the information. For example, the first cryptographic information 112 may instruct that information to be written to the first memory region 250 is to be encrypted using the CBC mode while information to be read from the first memory region 250 is to be read as clear text, in order to carry out bulk encryption. Conversely, writing the information as clear text and decrypting the information when read, may allow for bulk encryption. Using the two above operations together may allow for bulk translation from one algorithm to another. However, two transfers of the information would be taking place in order to preserve security. Nonetheless, the translation may also be carried out as a single complete transfer, but information would be exposed in an unencrypted state or as clear text outside of the device 200, assuming memory is external to the device 200.



FIG. 3B is an example block diagram of a register 302 of FIG. 3A. In this embodiment, the TLB 302 includes nine segments 304, 306, 308, 310, 312, 314, 316, 318 and 320. The first segment 304 may store the valid bit to indicate whether the register is active and assigned to a memory region. If the valid bit of the register 302 is not set, the MMU 210 may ignore the register 302. The second segment 306 may store the real address, such as the address received from the processor 220. The third segment 308 may store the virtual address that corresponds to a location in the memory mapped to the real address, such as a location at one of the first and second memory regions 250 and 260. The fourth segment 310 may store the size or length of information upon which the cryptographic operation is to be performed. The fifth segment 312 may store the access control related to controlling a controller that enables access to the memory, such as the first or second controller 230 or 240. The access control may determine, for instance, whether the associated memory region is readable, writeable, executable, etc.


The sixth segment 314 may store a process identifier (PID), which identifies the process or application requesting the cryptographic operation. The seventh segment 316 may store other configuration information related to MMU functionality. The eighth and ninth segments 318 and 320 may store the cryptographic information. For example, the eighth segment 318 may store the algorithm and/or mode. The ninth segment 320 may store the key, reference to key, and/or other types of cryptographic security parameters (CSP). While the register 302 of FIG. 3B is shown to have nine segments 304 to 320, embodiments of the register 302 may have more or less than nine segments.



FIG. 4 is an example block diagram of a computing device 400 including instructions for encrypting or decrypting information. In the embodiment of FIG. 4, the computing device 400 includes a processor 410 and a machine-readable storage medium 420. The machine-readable storage medium 420 further includes instructions 422, 424 and 426 for encrypting or decrypting information.


The computing device 400 may be, for example, a chip set, a notebook computer, a slate computing device, a portable reading device, a wireless email device, a mobile phone, or any other device capable of executing the instructions 422, 424 and 426. In certain examples, the computing device 400 may include or be connected to additional components such as memories, sensors, displays, etc.


The processor 410 may be at least one central processing unit (CPU), at least one semiconductor-based microprocessor, at least one graphics processing unit (GPU), other hardware devices suitable for retrieval and execution of instructions stored in the machine-readable storage medium 420, or combinations thereof. The processor 410 may fetch, decode, and execute instructions 422, 424 and 426 to implement encrypting or decrypting of information. As an alternative or in addition to retrieving and executing instructions, the processor 410 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 422, 424 and 426.


The machine-readable storage medium 420 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, the machine-readable storage medium 420 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. As such, the machine-readable storage medium 420 can be non-transitory. As described in detail below, machine-readable storage medium 420 may be encoded with a series of executable instructions for encrypting or decrypting information.


Moreover, the instructions 422, 424 and 426 when executed by a processor (e.g., via one processing element or multiple processing elements of the processor) can cause the processor to perform processes, such as, the process of FIG. 5 or 6. For example, the access instructions 422 may be executed by the processor 410 to access at least one of first and second cryptographic information (not shown). The first cryptographic information is related to at least one of encrypting and decrypting information to be at least one of read from and written to a first memory region (not shown).


The second cryptographic information is related to at least one of encrypting and decrypting information to be at least one of read from and written to a second memory region (not shown). The encrypt instructions 424 may be executed by the processor 410 to encrypt information to be at least one of written to and read from at least one of the first and second memory regions, if at least one of the first and second cryptographic information includes instructions to encrypt the information. The decrypt instructions 426 may be executed by the processor 410 to decrypt information to be at least one of written to and read from at least one of the first and second memory regions, if at least one of the first and second cryptographic information includes instructions to decrypt the information. At least one of an algorithm, mode and key of the first and second cryptographic information may be different.


The machine-readable storage medium 420 may also include instructions (not shown) to control access to the first and second memory regions based on access information separate from the first and second cryptographic information. The access is controlled to occur simultaneously with at least one of the encryption and decryption of the information. As noted above, the first cryptographic information is determined independent of the second cryptographic information. An operation of the device 400 may be described in more detail with respect to FIGS. 5 and 6.



FIG. 5 is an example flowchart of a cryptographic method 500. Although execution of the method 500 is described below with reference to the device 100, other suitable components for execution of the method 500 can be utilized, such as the device 200. Additionally, the components for executing the method 500 may be spread among multiple devices (e.g. a processing device in communication with input and output devices). In certain scenarios, multiple devices acting in coordination can be considered a single device to perform the method 500. The method 500 may be implemented in the form of executable instructions stored on a machine-readable storage medium, such as storage medium 420, and/or in the form of electronic circuitry.


At block 505, the device 100 receives a memory access request associated with a first memory region of a plurality of memory regions. Then, at block 510, the device 100 accesses first cryptographic information of a plurality of cryptographic information related to at least one of encrypting information to be written to and decrypting information to be read from the first memory region. Each of the plurality of cryptographic information is associated with one of the plurality of memory regions. Lastly, at block 515, the device 100 at least one of encrypts information to be written to the first memory region based on the first cryptographic information and decrypts information to be read from the first memory region based on the first cryptographic information.



FIG. 6 is another example flowchart of a cryptographic method 600. Although execution of the method 600 is described below with reference to the device 100, other suitable components for execution of the method 600 can be utilized, such as the device 200. Additionally, the components for executing the method 600 may be spread among multiple devices (e.g., a processing device in communication with input and output devices). In certain scenarios, multiple devices acting in coordination can be considered a single device to perform the method 600. The method 600 may be implemented in the form of executable instructions stored on a machine-readable storage medium, such as storage medium 420, and/or in the form of electronic circuitry.


Blocks 605, 610 and 615 of FIG. 6 may be similar to blocks 505, 510 and 515 of FIG. 5. For instance, at block 605, the device 100 receives a memory access request associated with a first memory region of a plurality of memory regions. Then, at block 610, the device 100 accesses first cryptographic information of a plurality of cryptographic information related to at least one of encrypting information to be written to and decrypting information to be read from the first memory region. As noted above, each of the plurality of cryptographic information is associated with one of the plurality of memory regions. Next, at block 615, the device 100 at least one of encrypts information to be written to the first memory region based on the first cryptographic information and decrypts information to be read from the first memory region based on the first cryptographic information.


Further, at block 620, the device 100 receives a memory access request associated with a second memory region of the plurality of memory regions. Afterward, at block 625, the device 100 accesses second cryptographic information of a plurality of cryptographic information related to at least one of encrypting information to be written to and decrypting information to be read from the second memory region. Lastly, at block 630, the device 100 at least one of encrypts information to be written to the second memory region based on the second cryptographic information and decrypts information to be read from the second memory region based on the second cryptographic information.
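The following C model is an added illustration, not code from the patent. It lays out the register 302 of FIG. 3B as a struct and walks the request, lookup and transform flow of FIGS. 5 and 6, including two registers on one region (write encrypts, read passes through) and a key reference resolved from a separate key store. Field widths, the access and algorithm encodings, matching on PID, the function names and the XOR keystream (a placeholder, not a real cipher) are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { ACC_R = 1, ACC_W = 2 };       /* assumed access-control encoding */
enum { ALG_NONE = 0, ALG_TOY = 1 };  /* ALG_NONE: pass through as clear text */

struct region_reg {       /* one register 302 of FIG. 3B (segment 316 omitted) */
    uint8_t  valid;       /* 304: register is active */
    uint32_t real_addr;   /* 306: address issued by the processor */
    uint32_t virt_addr;   /* 308: mapped location in memory */
    uint32_t size;        /* 310: length covered */
    uint8_t  access;      /* 312: ACC_R and/or ACC_W */
    uint16_t pid;         /* 314: requesting process */
    uint8_t  alg;         /* 318: algorithm and/or mode */
    uint8_t  key_ref;     /* 320: reference to a key, not the key value */
};

/* Constructed key values standing in for the separate secure memory. */
#define NKEYS 3
static const uint8_t secure_keys[NKEYS][4] = {
    {0x11, 0x22, 0x33, 0x44}, {0xA5, 0x5A, 0xC3, 0x3C}, {0x0F, 0xF0, 0x55, 0xAA}
};

static uint8_t ext_mem[0xC0];        /* simulated external memory */

static const struct region_reg regs[] = {
    {1, 0x1000, 0x00, 0x40, ACC_R | ACC_W, 1, ALG_TOY,  0}, /* first region */
    {1, 0x2000, 0x40, 0x40, ACC_R | ACC_W, 1, ALG_TOY,  1}, /* second region */
    {1, 0x3000, 0x80, 0x40, ACC_W,         1, ALG_TOY,  2}, /* write: encrypt */
    {1, 0x3000, 0x80, 0x40, ACC_R,         1, ALG_NONE, 0}, /* read: clear text */
    {0, 0x5000, 0x00, 0x40, ACC_R | ACC_W, 1, ALG_NONE, 0}, /* valid bit clear */
};

/* Find a valid register that covers [addr, addr+len) for this operation. */
static const struct region_reg *mmu_lookup(uint32_t addr, size_t len,
                                           uint8_t op, uint16_t pid)
{
    for (size_t i = 0; i < sizeof regs / sizeof regs[0]; i++) {
        const struct region_reg *r = &regs[i];
        if (!r->valid || r->pid != pid || !(r->access & op))
            continue;
        if (addr >= r->real_addr && len <= r->size &&
            addr - r->real_addr <= r->size - len)
            return r;
    }
    return NULL;
}

/* Placeholder keystream from key and memory offset. NOT a real cipher:
 * a device would run the algorithm and mode named in segment 318 here. */
static void toy_xor(const uint8_t *key, uint32_t off, uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key[(off + i) % 4] + (off + i) * 31u);
}

/* One memory access: look up the register, configure the transform from
 * its cryptographic fields, then move the data. Returns -1 on a fault. */
int mmu_access(uint8_t op, uint16_t pid, uint32_t addr, uint8_t *buf, size_t len)
{
    const struct region_reg *r = mmu_lookup(addr, len, op, pid);
    uint8_t tmp[0x40];               /* largest region size in the table */
    if (!r || len > sizeof tmp || r->key_ref >= NKEYS)
        return -1;
    uint32_t off = r->virt_addr + (addr - r->real_addr);
    memcpy(tmp, op == ACC_W ? buf : &ext_mem[off], len);
    if (r->alg != ALG_NONE)          /* key value fetched via the reference */
        toy_xor(secure_keys[r->key_ref], off, tmp, len);
    memcpy(op == ACC_W ? &ext_mem[off] : buf, tmp, len);
    return 0;
}

/* Same plaintext in both regions: stored bytes differ, reads round-trip. */
int demo_two_regions(void)
{
    uint8_t msg[] = "bootcode", a[8], b[8];
    if (mmu_access(ACC_W, 1, 0x1000, msg, 8) || mmu_access(ACC_W, 1, 0x2000, msg, 8))
        return 0;
    int differ = memcmp(&ext_mem[0x00], &ext_mem[0x40], 8) != 0;
    int hidden = memcmp(&ext_mem[0x00], msg, 8) != 0;
    if (mmu_access(ACC_R, 1, 0x1000, a, 8) || mmu_access(ACC_R, 1, 0x2000, b, 8))
        return 0;
    return differ && hidden && !memcmp(a, msg, 8) && !memcmp(b, msg, 8);
}

/* Write register encrypts, read register passes through: the reader
 * receives the stored ciphertext (the bulk-encryption arrangement). */
int demo_bulk_encrypt(void)
{
    uint8_t msg[] = "cachedat", out[8];
    if (mmu_access(ACC_W, 1, 0x3000, msg, 8) || mmu_access(ACC_R, 1, 0x3000, out, 8))
        return 0;
    return memcmp(out, msg, 8) != 0 && memcmp(out, &ext_mem[0x80], 8) == 0;
}

/* Requests that match no usable register are refused. */
int demo_faults(void)
{
    uint8_t b[16] = {0};
    return mmu_access(ACC_R, 1, 0x5000, b, 8) == -1    /* valid bit clear */
        && mmu_access(ACC_R, 2, 0x1000, b, 8) == -1    /* PID mismatch */
        && mmu_access(ACC_R, 1, 0x1038, b, 16) == -1;  /* runs past region */
}

int main(void)
{
    return !(demo_two_regions() && demo_bulk_encrypt() && demo_faults());
}
```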


As noted above, the first and second cryptographic information include at least one of algorithm, mode and key information. The algorithm information includes at least one of a symmetric and asymmetric key algorithm, the mode information includes at least one of a block and stream cipher mode, and the key information includes at least one of a value of and a reference to a key.


A type of at least one of the algorithm, mode, and key information of at least one of the first and second cryptographic information is based on at least one of a source of the information and a type of a memory associated with at least one of the first and second memory regions, as noted above. Further, the type of at least one of the algorithm, mode, and key information of the first cryptographic information is independent from that of the second cryptographic information. For example, the first and second cryptographic information may have different algorithms, modes, and/or keys.
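The following Python model is added here for illustration and is not taken from the application. It walks the flow of blocks 605 to 630: a request's address selects a region, the region's cryptographic information (mode and key reference) is looked up, and data is encrypted on write and decrypted on read, or passed through. The names `CryptoMMU`, `Region`, `KEY_STORE` and the HMAC-SHA256 keystream are assumptions; the application names no specific cipher.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed keys; the region table stores a reference, not the key value.
KEY_STORE = {"k1": b"\x11" * 32, "k2": b"\x22" * 32}

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    mode: str     # "stream" or "passthrough"
    key_ref: str  # name in KEY_STORE; "" for pass-through

def keystream(key: bytes, addr: int, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 over the 32-byte block index.
    # It depends only on key and address, so rewriting an address reuses
    # keystream; a real engine needs a per-write counter or a tweakable mode.
    out, block, skip = bytearray(), addr // 32, addr % 32
    while len(out) < skip + n:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[skip:skip + n])

class CryptoMMU:
    def __init__(self, regions):
        self.regions = regions
        self.external = {}  # address -> byte as stored off-chip
    def _region(self, addr: int, n: int) -> Region:
        for r in self.regions:
            if r.base <= addr and addr + n <= r.base + r.size:
                return r
        raise PermissionError(f"{addr:#x}+{n} is not inside a single region")
    def _apply(self, r: Region, addr: int, data: bytes) -> bytes:
        if r.mode == "passthrough":
            return data
        ks = keystream(KEY_STORE[r.key_ref], addr, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))
    def raw(self, addr: int, n: int) -> bytes:  # what a bus probe would see
        return bytes(self.external.get(addr + i, 0) for i in range(n))
    def write(self, addr: int, data: bytes) -> None:
        r = self._region(addr, len(data))
        for i, b in enumerate(self._apply(r, addr, data)):
            self.external[addr + i] = b
    def read(self, addr: int, n: int) -> bytes:
        return self._apply(self._region(addr, n), addr, self.raw(addr, n))

REGIONS = [Region(0x0000, 0x1000, "stream", "k1"),
           Region(0x1000, 0x1000, "stream", "k2"),
           Region(0x2000, 0x1000, "passthrough", "")]
```

Writing the same plaintext to each region through `CryptoMMU(REGIONS)` leaves different bytes in `raw()` for the two keyed regions and the plaintext itself in the pass-through region, while an access that straddles a region boundary is rejected rather than processed under one region's key.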


According to the foregoing, embodiments provide a method and/or device for encrypting and/or decrypting information to be written to or read from a memory. For example, different memory regions may be encrypted or decrypted using different cryptographic information, thus improving security and/or efficiency. Further, the cryptographic information may be flexibly modified and simply implemented, such as by modifying the MMU to store the cryptographic information for the respective memory regions.

Claims
  • 1. A device comprising: a cryptographic module to store first cryptographic information related to at least one of encrypting and decrypting information to be at least one of written to and read from a first memory region and to store second cryptographic information related to at least one of encrypting and decrypting information to be at least one of written to and read from a second memory region; and an encryptor to, at least one of encrypt and decrypt information to be at least one of read from and written to the first memory region based on the first cryptographic information, and at least one of encrypt and decrypt information to be at least one of read from and written to the second memory region based on the second cryptographic information.
  • 2. The device of claim 1, wherein, the first and second cryptographic information include at least one of algorithm, mode and key information, the algorithm information includes at least one of a symmetric and asymmetric key algorithm, the mode information includes at least one a block and stream cipher mode, and the key information includes at least one of a key value and a reference to a key value.
  • 3. The device of claim 2, wherein, a type of at least one of the algorithm, mode, and key information of at least one of the first and second cryptographic information is based on at least one of a source of the information and a type of a memory associated with at least one of the first and second memory regions, and the type of at least one of the algorithm, mode, and key information of the first cryptographic information is independent from that of the second cryptographic information.
  • 4. The device of claim 3, wherein at least one of the algorithm, mode, and key information of the first cryptographic information related to encrypting the information is different than that of the first cryptographic information related to decrypting the information.
  • 5. The device of claim 1, further comprising: a memory management unit (MMU) storing access information related to controlling access to the first and second memory regions; and a first controller to control access to the first memory region based on the access information, wherein the access information and the first cryptographic information are provided such that the encryptor and the first controller operate simultaneously.
  • 6. The device of claim 5, further comprising: a second controller to control access to the second memory region based on the access information, wherein the access information and at the second cryptographic information are provided such that the encryptor and the second controller operate simultaneously.
  • 7. The device of claim 6, wherein, the encryptor is to transmit information between a processor and at least one of the first and second memory regions, the encryptor is to at least one of receive information from and transmit information to the first memory region via the first controller, and the encryptor is to at least one of receive information from and transmit information to the second memory region via the second controller.
  • 8. The device of claim 7, wherein the first and second memory regions are external to the device, and the MMU includes the cryptographic module, the MMU to receive memory access requests from the processor and to map a physical address received from the processor to a virtual address of at least one of the first and second memory regions.
  • 9. The device of claim 1, wherein, the encryptor is to at least one of decrypt and pass through the information to be read from at least one of the first and second memory regions based on at least one of the first and second cryptographic information, the encryptor is to at least one of encrypt and pass through the information to be written to at least one of the first and second memory regions based on at least one of the first and second cryptographic information, and the encryptor is to operate independently of the processor.
  • 10. A cryptographic method, comprising: receiving a memory access request associated with a first memory region of a plurality of memory regions; accessing first cryptographic information of a plurality of cryptographic information related to at least one of encrypting information to be written to and decrypting information to be read from the first memory region, each of the plurality of cryptographic information associated with one of the plurality of memory regions; and at least one of encrypting information to be written to the first memory region based on the first cryptographic information and decrypting information to be read from the first memory region based on the first cryptographic information.
  • 11. The method of claim 10, further comprising: receiving a memory access request associated with a second memory region of the plurality of memory regions; accessing second cryptographic information of a plurality of cryptographic information related to at least one of encrypting information to be written to and decrypting information to be read from the second memory region; and at least one of encrypting information to be written to the second memory region based on the second cryptographic information and decrypting information to be read from the first memory region based on the second cryptographic information.
  • 12. The method of claim 11, wherein, the first and second cryptographic information include at least one of algorithm, mode and key information, the algorithm information includes at least one of a symmetric and asymmetric key algorithm, the mode information includes at least one a block and stream cipher mode, and the key information includes at least one of a value of and a reference to a key.
  • 13. The method of claim 12, wherein, a type of at least one of the algorithm, mode, and key information of at least one of the first and second cryptographic information is based on at least one of a source of the information and a type of a memory associated with at least one of the first and second memory regions, and the type of at least one of the algorithm, mode, and key information of the first cryptographic information is independent from that of the second cryptographic information.
  • 14. A non-transitory computer-readable storage medium storing instructions that, if executed by a processor of a device, cause the processor to: access at least one of first and second cryptographic information, the first cryptographic information related to at least one of encrypting and decrypting information to be at least one of be read from and written to a first memory region, the second cryptographic information related to at least one of encrypting and decrypting information to be at least one of read from and written to a second memory region; encrypt information to be at least one of written to and read from at least one of the first and second memory regions if at least one of the first and second cryptographic information includes instructions to encrypt the information; and decrypt information to be at least one of written to and read from at least one of the first and second memory regions if at least one of the first and second cryptographic information includes instructions to decrypt the information, wherein at least one of an algorithm, mode and key of the first and second cryptographic information is different.
  • 15. The non-transitory computer-readable storage medium of claim 14, further comprising instructions that, if executed by the processor, cause the processor to: control access to the first and second memory regions based on access information separate from the first and second cryptographic information, wherein the access is controlled to occur simultaneously with at least one of the encryption and decryption of the information, and the first cryptographic information is independent of the second cryptographic information.
PRIORITY INFORMATION

This application claims the benefit of priority on U.S. Provisional Application No. 61/509,078, filed Jul. 18, 2011, the entire contents of which are incorporated herein in their entirety by reference.

PCT Information
Filing Document | Filing Date | Country | Kind | 371c Date
PCT/US2011/066750 | 12/22/2011 | WO | 00 | 1/10/2014

Provisional Applications (1)
Number | Date | Country
61509078 | Jul 2011 | US