The present invention relates to security mechanisms for information systems.
Current and emerging digital rights management (DRM) solutions include multi level key management solutions. Keys used for Encryption/Decryption are derived from various intermediate keys to ultimately determine a title key for a media file. As an example a master key will unlock a device key and, using the device key, a media key is unlocked. Using this media key a title key is discovered. In this process it is important that the decrypted keys are not exposed to users or processes outside the device to be used by a hacker.
Often, conventional approaches used a completely software-based approach in which the decryption keys were protected by software. Other approaches employed hardware assisted methods which exposed the keys. Exposed keys may provide backdoor access for a hacker, allowing the keys to become compromised.
In some embodiments, an apparatus has at least one memory. The at least one memory includes a first memory portion for storing at least one first decryption key. A decryption engine uses the first decryption key to decrypt information. A key processor provides the first decryption key to the decryption engine without allowing a control processor to access the first decryption key.
In some embodiments, a system comprises an input for receiving streaming encrypted payload data. A control processor controls the system to process the encrypted payload data. At least one memory is provided, including a first memory portion for storing at least one first decryption key. A decryption engine uses the first decryption key to decrypt an encrypted second decryption key, and uses the second decryption key to decrypt the encrypted payload data. A key processor provides the first decryption key to the decryption engine for decrypting the second decryption key by the decryption engine without allowing the control processor to access the first decryption key.
In some embodiments, a method includes controlling operation of a media storage system using a control processor. A first decryption key is used to decrypt a second decryption key in a decryption engine of the media storage system. The first decryption key and the decrypted second decryption key are moved between at least one memory device and the decryption engine using direct memory access (DMA), while preventing the control processor from accessing the first decryption key and preventing the control processor from accessing the decrypted second decryption key.
This description of the exemplary embodiments is intended to be read in connection with the accompanying drawings, which are to be considered part of the entire written description.
Current and evolving DRM solutions demand secure key processing, because the keys are used to decrypt the media files, allowing them to be played on home media players. If the keys are left unprotected, or are not protected sufficiently, a hacker could easily compromise the overall digital rights management concept.
A localized key protection mechanism is desired. The examples below provide a hardware-based key management engine, and a subsystem for accelerated encryption/decryption of media content.
(a) a non volatile on-chip memory 112;
(b) On-Chip key memory 110;
(c) On-chip Data memory 108;
(d) Off chip Media content memory 116;
(e) A key transfer/processing engine, such as a direct memory access (DMA) engine 104 (e.g., ARM PrimeCell PL080 by ARM Holdings, plc. of Cambridge, UK). Other key transfer engines may be used;
(f) An encryption/decryption engine 102 (e.g., an Advanced Encryption Standard (AES) core, such as a CS5210-40 core by Conexant Systems, Inc., Newport Beach, Calif.). Other encryption/decryption engines and other encryption/decryption algorithms may be used.
(g) An application Processor (control processor) 106, such as an embedded ARM 926 processor, by ARM Holdings, plc. of Cambridge, UK, or the like; and
(h) An external memory controller 114.
Optionally, an external storage device, such as an external flash memory 118 may be included.
In
An example of a media server apparatus 201 incorporating an example of a key management facility 200 is shown in
In the HNAS system 201, data from multiple sessions can simultaneously be stored to disk array 242, played out to devices on a home network (e.g., via the Ethernet 219), and/or used for control traffic. An efficient queuing structure (using buffer queues 221) efficiently manages all these traffic flows. The traffic management of memory 216 and bandwidth may be performed in hardware, via a traffic manager/arbiter (TMA) 230.
The incoming media streams are stored in a disk array 242, for example, in a 4-channel Serial Advanced Technology Attachment (SATA) hard disk array, by way of a redundant array of inexpensive disks (RAID) decode/encode module 232 and disc controller 234. Other types of storage devices, such as PATA hard disks, optical disks, or the like may be used.
A data memory 208 provides intermediate storage. The intermediate storage may be used by the key management facility for queuing or buffering encrypted payload data to be decrypted or the decrypted payload data.
Although
Operation
The non-volatile memory 212 is used to store a set of one or more master keys. In some embodiments, to enhance security, non-volatile memory 212 can only be written once. These master keys are used to decrypt the keys that are programmed in the flash 218 by the media server manufacturer. The master keys are programmed during the device manufacturing process as well.
In some embodiments, read access to the master keys in non-volatile memory 212 may be limited to the DMA Key Processing Engine 204 (to the exclusion of control processor 206). An arbiter 207 grants bus access to either control processor 206 or DMA Key Processing Engine 204 at any given time, so that processor 206 does not have access to the bus while engine 204 is reading decrypted keys from key memory 210 or the output FIFO 203 of the encryption/decryption engine 202.
Due to the cost associated with the non-volatile (NV) memory 212 and key memory 210, the amount of on-chip memory space may optionally be very limited. By storing encrypted keys in an optional external flash memory 218, the total number of device specific keys that can be stored is extended. The device specific keys are encrypted, and the key (to decrypt the keys stored in flash memory 218) is programmed in the NV memory 212.
When a decryption operation requiring a key is to be performed, the control processor 206 set ups the DMA Key Processing Engine 204 to move a key from either the NV memory 212 or the Key memory 210 to the Encryption/Decryption engine (e.g., AES core) 202. Once this is done, the control processor 206 inputs the data that are to be decrypted to the Encryption/Decryption engine 202. Arbiter 207 then grants DMA Key Processing Engine 204 access to bus 220, to the exclusion of control processor 206. When Encryption/Decryption engine 202 decrypts the data, the decrypted key is moved by the DMA key processing engine 204 to the key memory 210. At this time, access by the control processor 206 to the decrypted key is prohibited. Control processor 206 does not have access to read key memory 210.
In some embodiments, the key memory 210 may be a volatile memory (e.g., random access memory), in which case the decrypted keys are automatically removed from memory when the system 201 is powered down. In other embodiments, key memory 210 is an additional non-volatile memory.
The above process ensures that the master key is secure in NV key memory 212 and will be accessed in a secure manner in order to decrypt any further keys.
The key processing engine 204 may also process the keys by performing pre-determined logical operations (i.e., XOR with another datum, or the like). The operand and the operators are specified by the control processor 206. However, at no time does the control processor 206 have access to the decrypted key. Instead, the control processor 206 is provided a pointer to the decrypted key. When the decrypted key is to be used for decryption, control processor 206 provides the pointer to key processing engine 204, which moves the decrypted key from key memory 210 to the encryption/decryption engine 202.
Although the example of a key processing engine 204 described above is a DMA engine, in other embodiments, key processing engine 204 may be any module that can move data efficiently between NV memory 212, encryption/decryption engine 202, and key memory 210 without making the data available to control processor 106, such as a function built into the TMA 230 itself.
In some embodiments, one of the DMA channels (i.e., CH0) is dedicated to handling internal transfers of keys among the Encryption/Decryption engine (AES core 202), non-volatile memory 212 and the internal key memory 210. When an encrypted key stored in flash 218 is to be decrypted, the control processor 206 programs the DMA CH0 with the following parameters:
Source Addr=the address of the device key in NV memory 212,
Dest Address=the address of the key register 210
When the DMA channel is thus programmed, the DMA engine 204 sets access to the AES output FIFO 203 (shown in
Once the DMA engine 204 completes the transfer of the master key to the AES core 202, the control processor 206 reads the external flash 218 and loads the encrypted device key in the AES Input FIFO 205 (shown in
In data flow 301, one or more packets of data are received (e.g., received from network 219, by way of the upper layer protocol (ULP) protocol accelerator block 238, which optionally offloads routine network, transport and application layer protocol processing from control processor 206), and passed on to the traffic manager/arbitrator (TMA) 230.
In data flow 302, TMA 230 stores the data in intermediate buffers 221 in the DDR memory 216. The packets are re-assembled and, in some embodiments, translated to accommodate the internal bus width of the HNAS system 201.
In data flow 303, the memory 216 outputs the data to be decrypted from the buffers 221 to the DMA engine 204 via the TMA 230.
In data flow 304, the DMA channel moves the master key and an encrypted device key to the Encryption/Decryption engine (AES core) 202, which decrypts the device key using the master key.
In data flow 305, the DMA engine 204 reads the decrypted device key from the AES output FIFO 203.
In data flow 306, the DMA channel 204 delivers the decrypted device key to the internal key memory 210, where it is stored.
In data flow 307, the DMA engine retrieves the decrypted device key from the internal key memory 210.
In data flow 308, the DMA engine 204 delivers the encrypted data to be decrypted into the AES core 202, along with the decrypted device key, and enables the decryption operation to be performed (on the encrypted data content) in the AES core 202 using the decrypted device key.
In data flow 309, the DMA engine 204 reads the decrypted data from the AES output FIFO 203.
In data flow 310, the DMA engine 204 delivers the decrypted data to the TMA 230, which transmits the decrypted data to a buffer queue 221 in memory 216.
In data flow 311, TMA 230 retrieves the decrypted data from the buffer queue 221 at an appropriate rate for forwarding the data to RDE module 232.
In data flow 312, TMA 230 delivers the decrypted data to RDE 232 for storage in disk 242.
At step 400 control processor 206 controls operation of a media storage system 201. For example, control processor 206 controls the DMA processor 204
At step 402, control processor 206 retrieves the encrypted second decrypted key (the device key) from the flash memory 218 or RAM 216 in which the device key is stored.
At step 404, the control processor 206 delivers the encrypted second decrypted key to the decryption engine 202 before the step 408 of using the first decryption key to decrypt the encrypted second decryption key.
At step 406, DMA processor 204 moves the first decryption key from the NV memory 212 to the decryption engine 202 using direct memory access (DMA), while preventing the control processor 206 from accessing the first decryption key.
At step 408, decryption engine 202 of the media storage system 201 uses the first decryption key to decrypt the second decryption key; while preventing the control processor 206 from accessing the decrypted second decryption key.
Step 410, DMA engine 204 moves the second decryption key to the key memory 210 from the decryption engine 202, while preventing the control processor 206 from accessing the decrypted second decryption key.
At step 412, DMA engine 204 moves the second decryption key from key memory 210 to the decryption engine, while preventing the control processor 206 from accessing the decrypted second decryption key.
At step 414, the control processor 206 delivers payload data to the decryption engine 202.
At step 416, decryption engine 416 decrypts the payload data using the second decryption key.
One of ordinary skill in the art understands that the system and data flows described above can be extended to multiple levels of keys. The decrypted device key can be delivered by the DMA engine 204 to the input of the AES core 202 for decrypting an additional key, that is in turn used to decrypt the encrypted payload data.
Although an example is described above in which the decrypted device key is stored in the key memory 210, in other embodiments, the decrypted device key is re-encrypted with a different key (e.g., another master key stored in non-volatile memory 212) by encryption/decryption engine 202, before storing it in key memory 210.
Although the examples described above include an encryption/decryption engine 202 that acts as the decryption engine, for the purpose of performing the decryption operations described above, a standalone decryption engine that provides the decryption functions may alternatively be used.
The exemplary apparatus and method described above provides an efficient data movement mechanism for encryption/decryption, and an efficient key protection strategy including hardware for decryption and storage of decrypted device keys.
The optional inclusion of non-volatile and key memory allows a designer to extend the number of keys supported. Thus, the number of keys supported is variable.
The apparatus provides a multi-level key management and processing engine that supports a master key to unlock device specific keys on a chip.
The master keys may be programmed by the manufacturer of the device at the time of production, so that each vendor can select one or more master keys.
The apparatus may provide hardware acceleration of the key management, encryption and decryption with minimal control processor intervention.
The apparatus may provide the ability to hide the keys from the control processor itself to avoid hackers from modifying the boot up code to access any protected keys.
Although the invention has been described in terms of exemplary embodiments, it is not limited thereto. Rather, the invention should be construed broadly, to include other variants and embodiments of the invention, which may be made by those skilled in the art without departing from the scope and range of equivalents of the invention.
This application is a continuation in part of U.S. patent application Ser. No. 11/226,507, filed Sep. 13, 2005, and is a continuation in part of U.S. patent application Ser. No. 11/273,750, filed Nov. 15, 2005, and is a continuation in part of U.S. patent application Ser. No. 11/364,979, filed Feb. 28, 2006, and is a continuation in Part of U.S. patent application Ser. No. 11/384,975, filed Mar. 20, 2006, and claims the benefit of U.S. provisional patent application Nos. 60/724,692, filed Oct. 7, 2005, 60/724,464, filed Oct. 7, 2005, 60/724,462, filed Oct. 7, 2005, 60/724,463, filed Oct. 7, 2005, 60/724,722, filed Oct. 7, 2005, 60/725,060, filed Oct. 7, 2005, and 60/724,573, filed Oct. 7, 2005, all of which applications are expressly incorporated by reference herein in their entireties.
Number | Date | Country | |
---|---|---|---|
60724692 | Oct 2005 | US | |
60724464 | Oct 2005 | US | |
60724462 | Oct 2005 | US | |
60724463 | Oct 2005 | US | |
60724722 | Oct 2005 | US | |
60725060 | Oct 2005 | US | |
60724573 | Oct 2005 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 11226507 | Sep 2005 | US |
Child | 11539327 | Oct 2006 | US |
Parent | 11273750 | Nov 2005 | US |
Child | 11539327 | Oct 2006 | US |
Parent | 11364979 | Feb 2006 | US |
Child | 11539327 | Oct 2006 | US |
Parent | 11384975 | Mar 2006 | US |
Child | 11539327 | Oct 2006 | US |