US20090034734A1 - Multi-Level Key Manager - Google Patents
Multi-Level Key ManagerDownload PDFInfo
- Publication number
- US20090034734A1 US20090034734A1US12/184,062US18406208AUS2009034734A1US 20090034734 A1US20090034734 A1US 20090034734A1US 18406208 AUS18406208 AUS 18406208AUS 2009034734 A1US2009034734 A1US 2009034734A1
- Authority
- US
- United States
- Prior art keywords
- key
- keys
- classification
- cryptographic
- processing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2113—Multi-level security, e.g. mandatory access control
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
Definitions
- This disclosurerelates in general to secure computing systems and, more specifically to high-assurance access to keys at different classification levels amongst other things.
- Governmentsclassify information at different levels generally according to their sensitivity, for example, SECRET versus TOP SECRET. Users of the information are also classified by what level they are able to get access to. For example, someone with a SECRET clearance is not given access to TOP SECRET information. Procedures are put in place to avoid exposure to persons without the proper classification level.
- physical securityis used to prevent information of different classification levels from bleeding over to a different classification level.
- To process at multiple classification levelsthere may be several devices running in parallel for each classification level. Devices that may be capable of running at multiple classification levels are run at one classification level, cleared out and then run at a different classification level. Intermixing of different classified information is generally taboo in these systems.
- Different keysare required for each classification level to maintain the security of information in each classification level.
- the keysmay be simply different values or could be used with different algorithms. Even if security is breached for one classification level, the unique keys and algorithms can keep information protected in the other classification levels safe.
- a cryptographic device and methodfor processing different levels of classified information.
- a memorycaches keys for use in a cryptographic processor.
- the cryptographic processorrequests a key associated with a particular classification level when processing a packet of the particular classification level.
- the cryptographic deviceconfirms that the key and the packet are of the same classification level in a high-assurance manner. Checking header information of the keys one or more times is performed in one embodiment. Some embodiments authenticate the stored key in a high-assurance manner prior to providing the key to the cryptographic device.
- a cryptographic devicefor processing classified information having a number of different classification levels.
- the cryptographic deviceincludes a memory, a cryptographic processor and a key manager.
- the memoryholds a number of keys outside of an integrated circuit.
- the plurality of keysare for the plurality of different classification levels.
- the cryptographic processoris part of the integrated circuit and uses the plurality of keys to process packets of information that are categorized according to the number of different classification levels.
- the key managercan access a plurality of rules associated with the plurality of different classification levels that regulate interaction with the plurality of keys.
- a first rule of the number of rulesis used by the key manager in a first classification level of the number of different classification levels.
- a second rule of the number of rulesis used by the key manager in a second classification level of the number of different classification levels.
- a method for processing classified information in a high-assurance manneris disclosed.
- a requestis received for a first key by a cryptographic processor.
- a first rule from a number of rulesis applied to a first sterile key retrieved from a memory.
- the first sterile keyis decrypted with a first protection key to produce the first key.
- the first keyis also checked with the first rule.
- the first keyis provided to the cryptographic processor if the checking the first sterile key step and the checking the first key step are completed successfully.
- a requestis received for a second key by the cryptographic processor.
- a second rule from the number of rulesis applied to a second sterile key retrieved from the memory.
- the second sterile keyis decrypted with a second protection key to produce the second key.
- the second keyis also checked with the second rule.
- the second keyis provided to the cryptographic processor if the checking the second sterile key step and the checking the second key step are completed successfully.
- a cryptographic devicefor processing information with a plurality of classification levels.
- the cryptographic deviceincludes a memory, a cryptographic processor and a key manager.
- the memoryholds a number of keys that are used by a cryptographic processor to process packets of information that are correlated to the plurality of classification levels.
- the key managerincludes a rule enforcement circuit and a key decryption circuit.
- the key managerretrieves a first key for a first packet being processed by the cryptographic processor.
- the first packet and the first keyare of a first classification level.
- the rule enforcement circuitchecks that the first key is designated for the first classification level before providing the first key to the cryptographic processor for processing the first packet.
- the key managerretrieves a second key for a second packet being processed by the cryptographic processor.
- the second packet and the second keyare of a second classification level.
- the rule enforcement circuitchecks that the second key is designated for the second classification level before providing the second key to the cryptographic processor for processing the second packet.
- FIG. 1depicts a block diagram of an embodiment of a cryptographic device
- FIG. 2depicts a block diagram of an embodiment of a partitioned key cache
- FIG. 3depicts a block diagram of an embodiment of a key manager
- FIG. 4depicts a diagram of an embodiment of a key unscrambling process
- FIG. 5illustrates a flowchart of an embodiment of a process for operating the cryptographic device.
- FIG. 1a block diagram of an embodiment of a cryptographic device 100 is shown.
- the cryptographic device 100processes information of different classifications. Information in each classification level is kept separate or partitioned from information of other classification levels throughout the cryptographic device 100 . Additionally, each classification level can use different cryptographic algorithms and/or keys.
- Several integrated circuitscould be used to implement the cryptographic device 100 where at least a cryptographic processor 120 is in one integrated circuit and the partitioned key cache 116 is in another. Other embodiments could have the partitioned key cache 116 and cryptographic processor 120 as part of the same integrated circuit.
- a cryptographic processor 120is the circuit that performs encryption, decryption and/or bypass for the information that passes through it.
- Informationmay be a stream or packetized in cryptographic processor 120 .
- the packets or streamsare of different classification levels.
- the cryptographic processor 120can reconfigure itself for the appropriate processing on a packet-by-packet basis. Different processing steps are set up for each classification level in a pipeline fashion by the cryptographic processor 120 .
- the processing stepsperform formatting and cryptographic processing with a number of different algorithms and/or keys. Some of these processing steps can be common to multiple classification levels such that the cryptographic processor 120 can potentially reuse the sub-circuits performing processing steps for the multiple classification levels.
- a system bus 124allows the processor 108 to communicate with a key manager 104 , a partitioned key cache 116 , an input/output (IO) access controller 112 , and other peripherals that are not shown in the figure.
- the processor 108communicates with the key manager 104 , via the IO access controller 112 , to access the partitioned key cache 116 .
- Keysare loaded into the partitioned key cache 116 by the processor 104 in this embodiment and read by the cryptographic processor 120 .
- Other embodimentscould load the keys from an external source, for example.
- the IO access controller 112checks that the processor 108 or anything else using the system bus 124 is operating as expected.
- the processor 108writes a state to the IO access controller 112 .
- Each stateis able to access peripherals defined by addresses or ranges of addresses.
- the IO access controller 112checks that only the designated addresses are accessed by the processor 108 in a given state to assure that the interaction with the key manager 104 and partitioned key cache 116 to write keys is authorized.
- Each address or range of addressescan be designated for read only, write only or read and write accessible.
- the IO access controller 112further understands how states transition through the state machine such that state transitions are also checked when the processor 108 is using the system bus 124 .
- the cryptographic processor 120performs certain key operations in certain states.
- the IO access controller 112checks if an address range of a partitioned key cache 116 has been properly written by the processor based upon the current state.
- Table Igives an example of the states used for various classification levels. Additionally, the algorithm and key address is given in the table. These entries in the table serve as rules. For example, states four, seven and nine operate in a CONFIDENTIAL classification level using a DES cryptographic algorithm and the key at address forty-three in the partitioned key cache.
- the IO access controller 112 in this examplewould make sure the current states were one of states four, seven or nine when the processor 108 writes the key at address forty-three in the partitioned key cache 116 . Where a violation were determined the IO access controller 112 , the key could be zeroized and/or other remedial action could be taken.
- the partitioned key cache 116holds keys in a sterile or encrypted form. Sterilization puts the keys in a form that protects the encapsulated key even if recovered improperly. Various encryption algorithms could be used for sterilizing the keys.
- a key manager 104is capable of deriving the key from the sterilized version.
- the partitioned key cache 116could use dynamic random access memory (DRAM) or static random access memory (SRAM). This embodiment uses volatile RAM for the partitioned key cache 116 that is in a separate integrated circuit, but could be integral with the integrated circuit of the key manager 104 and/or cryptographic processor 120 .
- the partitioned key cache 116could be a segment of a larger memory used for other purposes in other embodiments.
- a key manager 104receives requests from the cryptographic processor 120 for keys used to process the various packets.
- the key manager 104checks the requests, retrieves the sterilized key, reconstitutes the key, performs checks, and returns the key to the cryptographic processor 120 .
- the key manager 104is implemented in logic that is not reprogrammable during normal operation.
- the processor 108interacts with the key manager 104 under the supervision of the IO access controller 112 .
- FIG. 2a block diagram of an embodiment of a partitioned key cache 116 is shown.
- the partitioned key cache 116has a number of partitions 204 defined. Those partitions map to peripherals or address ranges used by the IO access controller 112 .
- a given classification levelstores its keys in one partition 204 and is prevented from accessing other partitions 204 .
- the partitioned key cache 116is a single integrated circuit with a common interface in this embodiment, the partitioning enforces a logical separation in a high-assurance manner.
- Table IIgives an example of the mapping between state, classification and partition 204 . These mappings serve as rules. For example, state one operates at a TOP SECRET classification level and has access to partition B 204 - 2 , which includes addresses eleven through twenty.
- FIG. 3a block diagram of an embodiment of a key manager 104 is shown.
- the key managerenforces logical separation of the partitioned key cache 116 where no physical separation of the interface to the partitioned key cache 116 exists.
- a key request interface 332is coupled to the cryptographic processor 120 to receive requests for one or more particular key located at specified addresses in the partitioned key cache 116 .
- This embodimentincludes a request validator 336 that checks the request to make sure the request is formatted correctly.
- Other embodiments of the request validator 336could check that the classification level of the requesting packet matches the classification level of the partition 204 of the requested key.
- a key memory interface 132couples to the partitioned key cache 116 to retrieve the requested key. The sterile key is returned to a key buffer 308 .
- a rule enforcement circuit 336includes a sterile key validator 304 , a key decoder 324 and a reconstituted key validator 328 . Multiple levels of checks are performed on the key before the key is provided to the cryptographic processor 120 .
- the sterile key validator 304checks the classification level of the sterile key against the classification level of the packet that precipitated the request of the key. Essentially, the sterile key is checked to make sure it matches the type of processing being performed in the cryptographic processor 120 to provide high-assurance. The sterile key validator 304 could also match the algorithm and/or state as further rule checks in some embodiments.
- a CRC, checksum or other validity valueis appended to the sterile key in this embodiment when stored in the partitioned key cache 116 .
- the softwaredetermines the validity value when writing the sterile key into the partitioned key cache 116 .
- a check of the validity valueallows conformation that information stored by the processor 108 was delivered accurately to the sterile key validator 304 .
- a key map database 316holds information to validate the keys in their sterile or reconstituted form.
- the state, classification, address, algorithm, key length, header information, and/or other informationcould be stored in the key map database 316 .
- a look-up tableis used in one embodiment of the key map database 316 . Where several keys are used for a given classification level, the finer granularity of state can confirm that the key is the correct one for a particular situation. For example, there could be a different state for each key. Other embodiments could provide granularity using two or more partitions 204 for a particular classification level.
- a key decoder 324converts the sterilized key from the partitioned key cache 116 into a reconstituted key that is ready for use by the cryptographic processor 120 .
- a payload of the sterilized keyis decrypted to produce a reconstituted key.
- a cache protection key store 320holds a cache protection key for each classification level. Table III shows an example of the information stored in the cache protection key store 320 .
- Other embodimentscould have a different cache protection key for each sterilized key or one cache protection key for all keys.
- a reconstituted key validator 328Within the decrypted payload of the sterilized key is information that is checked by a reconstituted key validator 328 . Additionally, a CRC, checksum or other validity value is embedded in the decrypted payload as a second validity value. The reconstituted key validator 328 also checks the second validity value. This additional check provides a further layer of high-assurance. Should the process pass all of its checks, the decrypted key is provide to the cryptographic processor 120 for use in processing the particular packet that requested the key.
- a sterile key 416includes a sterile key header, a sterile key payload and a sterile key CRC, which serves as a validity value. All this information is stored in the partitioned key cache 116 by the processor 108 .
- the sterile key headerholds the classification level, the applicable encryption algorithm(s), and any additional key identifiers. Some embodiments may also include the memory address of the sterile key.
- the sterile key CRCis a validity value that is calculated on the whole sterile key header and sterile key payload such that any corruption can be discerned.
- the sterile key payloadis exclusive-ORed 324 with a cache protection key 420 from the cache protection key store 320 to decrypt the reconstituted key header, reconstituted key payload and reconstituted key CRC. Those items along with the sterile key header and sterile key CRC form the reconstituted key 404 .
- the reconstituted key payloadis the actual key that will be used by the cryptographic processor 120 .
- the reconstituted key CRCis a validity value that allows checking that the fields of the reconstituted key 404 has not changed.
- the exclusive-OR key decoder 324is just one example of a simple decryption function. Other embodiments may use any type of decryption function(s).
- FIG. 5a flowchart of an embodiment of a process 500 for operating the cryptographic device 100 is shown.
- the depicted portion of the processis initiated in block 504 where the cryptographic processor 120 has a packet that uses a particular key, which is requested from the key manager 104 . Some embodiments check the key request. In any event, the key is requested from the partitioned key cache 116 by the key manager 104 . The address of the key requested falls within a particular partition 204 .
- the sterile key 416is retrieved in block 516 from the partitioned key cache 116 in block 516 .
- the sterile key headeris checked in block 520 to determine if the classification matches the classification of the packet requesting the key. Additional checks are possible, for example, the sterile key CRC or validity value could be checked. Presuming the check in block 520 is successful, processing continues to block 524 where the sterile key payload is decrypted.
- the reconstituted key headeris checked in block 528 .
- the reconstituted key headerwas scrambled. Additionally, a reconstituted key CRC or validity value can be checked in some embodiments. If the check in block 528 passes, processing continues to block 532 where the key is returned the cryptographic processor 120 .
- the partitioned key cache 116is erased and/or the cache protection key store 320 in block 536 . Without the cache protection keys, the keys remain in a sterile form. Erasure of the cache protection keys can typically be performed much more quickly than the partitioned key cache 116 . Further remedial action can be taken in block 540 .
- classification levelscould be government classification levels, but need not be necessarily so.
- a classification levelis just a logical partition in the information passed. Any information that needs to be kept separate from other information could be in a separate classification level or logical partition.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- This application claims the benefit of and is a non-provisional of co-pending: U.S. Provisional Application Ser. No. 60/962,848 filed on Jul. 31, 2007; U.S. Provisional Application Ser. No. 61/026,438 filed on Feb. 5, 2008; U.S. Provisional Application Ser. No. 60/962,821 filed on Jul. 31, 2007; and U.S. Provisional Application Ser. No. 60/962,822 filed on Jul. 31, 2007; which are all hereby expressly incorporated by reference in their entirety for all purposes.
- This application expressly incorporates by reference: U.S. Application Ser. No. ______, filed on an even day herewith, entitled “INPUT OUTPUT ACCESS CONTROLLER” (temporarily referenced by Attorney Docket No. 017018-017210US/VS-0245); and, U.S. Application Ser. No. ______, filed on an even day herewith, entitled “TRUSTED LABELER” (temporarily referenced by Attorney Docket No. 017018-014610US/VS-0246); in their entirety for all purposes.
- This disclosure relates in general to secure computing systems and, more specifically to high-assurance access to keys at different classification levels amongst other things.
- Governments classify information at different levels generally according to their sensitivity, for example, SECRET versus TOP SECRET. Users of the information are also classified by what level they are able to get access to. For example, someone with a SECRET clearance is not given access to TOP SECRET information. Procedures are put in place to avoid exposure to persons without the proper classification level.
- In processing systems, physical security is used to prevent information of different classification levels from bleeding over to a different classification level. To process at multiple classification levels, there may be several devices running in parallel for each classification level. Devices that may be capable of running at multiple classification levels are run at one classification level, cleared out and then run at a different classification level. Intermixing of different classified information is generally taboo in these systems.
- There are situations that require smaller cryptographic devices that can process different classification levels. Switching between classification levels takes time and slows down processing. Some have proposed trusted operating systems that can process information with more flexibility, but these solutions are avoided due to a lack of trust.
- Different keys are required for each classification level to maintain the security of information in each classification level. The keys may be simply different values or could be used with different algorithms. Even if security is breached for one classification level, the unique keys and algorithms can keep information protected in the other classification levels safe.
- In an embodiment, a cryptographic device and method are disclosed for processing different levels of classified information. A memory caches keys for use in a cryptographic processor. The cryptographic processor requests a key associated with a particular classification level when processing a packet of the particular classification level. The cryptographic device confirms that the key and the packet are of the same classification level in a high-assurance manner. Checking header information of the keys one or more times is performed in one embodiment. Some embodiments authenticate the stored key in a high-assurance manner prior to providing the key to the cryptographic device.
- In one embodiment, a cryptographic device for processing classified information having a number of different classification levels is disclosed. The cryptographic device includes a memory, a cryptographic processor and a key manager. The memory holds a number of keys outside of an integrated circuit. The plurality of keys are for the plurality of different classification levels. The cryptographic processor is part of the integrated circuit and uses the plurality of keys to process packets of information that are categorized according to the number of different classification levels. The key manager can access a plurality of rules associated with the plurality of different classification levels that regulate interaction with the plurality of keys. A first rule of the number of rules is used by the key manager in a first classification level of the number of different classification levels. A second rule of the number of rules is used by the key manager in a second classification level of the number of different classification levels.
- In another embodiment, a method for processing classified information in a high-assurance manner is disclosed. In one step, a request is received for a first key by a cryptographic processor. A first rule from a number of rules is applied to a first sterile key retrieved from a memory. The first sterile key is decrypted with a first protection key to produce the first key. The first key is also checked with the first rule. The first key is provided to the cryptographic processor if the checking the first sterile key step and the checking the first key step are completed successfully. A request is received for a second key by the cryptographic processor. A second rule from the number of rules is applied to a second sterile key retrieved from the memory. The second sterile key is decrypted with a second protection key to produce the second key. The second key is also checked with the second rule. The second key is provided to the cryptographic processor if the checking the second sterile key step and the checking the second key step are completed successfully.
- In yet another embodiment, a cryptographic device for processing information with a plurality of classification levels is disclosed. The cryptographic device includes a memory, a cryptographic processor and a key manager. The memory holds a number of keys that are used by a cryptographic processor to process packets of information that are correlated to the plurality of classification levels. The key manager includes a rule enforcement circuit and a key decryption circuit. The key manager retrieves a first key for a first packet being processed by the cryptographic processor. The first packet and the first key are of a first classification level. The rule enforcement circuit checks that the first key is designated for the first classification level before providing the first key to the cryptographic processor for processing the first packet. The key manager retrieves a second key for a second packet being processed by the cryptographic processor. The second packet and the second key are of a second classification level. The rule enforcement circuit checks that the second key is designated for the second classification level before providing the second key to the cryptographic processor for processing the second packet.
- Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description and specific examples, while indicating various embodiments, are intended for purposes of illustration only and are not intended to necessarily limit the scope of the disclosure.
- The present disclosure is described in conjunction with the appended figures:
FIG. 1 depicts a block diagram of an embodiment of a cryptographic device;FIG. 2 depicts a block diagram of an embodiment of a partitioned key cache;FIG. 3 depicts a block diagram of an embodiment of a key manager;FIG. 4 depicts a diagram of an embodiment of a key unscrambling process; andFIG. 5 illustrates a flowchart of an embodiment of a process for operating the cryptographic device.- In the appended figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label by a dash and a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.
- The ensuing description provides preferred exemplary embodiment(s) only, and is not intended to limit the scope, applicability or configuration of the disclosure. Rather, the ensuing description of the preferred exemplary embodiment(s) will provide those skilled in the art with an enabling description for implementing a preferred exemplary embodiment. It being understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope as set forth in the appended claims.
- Referring first to
FIG. 1 , a block diagram of an embodiment of acryptographic device 100 is shown. Thecryptographic device 100 processes information of different classifications. Information in each classification level is kept separate or partitioned from information of other classification levels throughout thecryptographic device 100. Additionally, each classification level can use different cryptographic algorithms and/or keys. Several integrated circuits could be used to implement thecryptographic device 100 where at least acryptographic processor 120 is in one integrated circuit and the partitionedkey cache 116 is in another. Other embodiments could have the partitionedkey cache 116 andcryptographic processor 120 as part of the same integrated circuit. - A
cryptographic processor 120 is the circuit that performs encryption, decryption and/or bypass for the information that passes through it. Information may be a stream or packetized incryptographic processor 120. The packets or streams are of different classification levels. Thecryptographic processor 120 can reconfigure itself for the appropriate processing on a packet-by-packet basis. Different processing steps are set up for each classification level in a pipeline fashion by thecryptographic processor 120. The processing steps perform formatting and cryptographic processing with a number of different algorithms and/or keys. Some of these processing steps can be common to multiple classification levels such that thecryptographic processor 120 can potentially reuse the sub-circuits performing processing steps for the multiple classification levels. - A
system bus 124 allows theprocessor 108 to communicate with akey manager 104, a partitionedkey cache 116, an input/output (IO)access controller 112, and other peripherals that are not shown in the figure. Theprocessor 108 communicates with thekey manager 104, via theIO access controller 112, to access the partitionedkey cache 116. Keys are loaded into the partitionedkey cache 116 by theprocessor 104 in this embodiment and read by thecryptographic processor 120. Other embodiments could load the keys from an external source, for example. - The
IO access controller 112 checks that theprocessor 108 or anything else using thesystem bus 124 is operating as expected. Theprocessor 108 writes a state to theIO access controller 112. Each state is able to access peripherals defined by addresses or ranges of addresses. TheIO access controller 112 checks that only the designated addresses are accessed by theprocessor 108 in a given state to assure that the interaction with thekey manager 104 and partitionedkey cache 116 to write keys is authorized. Each address or range of addresses can be designated for read only, write only or read and write accessible. TheIO access controller 112 further understands how states transition through the state machine such that state transitions are also checked when theprocessor 108 is using thesystem bus 124. - There are states defined exclusive to the various classification levels. The
cryptographic processor 120 performs certain key operations in certain states. TheIO access controller 112 checks if an address range of a partitionedkey cache 116 has been properly written by the processor based upon the current state. Table I gives an example of the states used for various classification levels. Additionally, the algorithm and key address is given in the table. These entries in the table serve as rules. For example, states four, seven and nine operate in a CONFIDENTIAL classification level using a DES cryptographic algorithm and the key at address forty-three in the partitioned key cache. TheIO access controller 112 in this example would make sure the current states were one of states four, seven or nine when theprocessor 108 writes the key at address forty-three in the partitionedkey cache 116. Where a violation were determined theIO access controller 112, the key could be zeroized and/or other remedial action could be taken. TABLE I State Enforcement Rules State(s) Classification Algorithm Key Address 1 TS AES 256 11 2, 19 S AES 196 5 3, 21 NC Triple DES 21 4, 7, 9 C DES 43 - As a packet passes through the
cryptographic processor 120 certain algorithms use keys to perform the desired processing for that packet. The partitionedkey cache 116 holds keys in a sterile or encrypted form. Sterilization puts the keys in a form that protects the encapsulated key even if recovered improperly. Various encryption algorithms could be used for sterilizing the keys. Akey manager 104 is capable of deriving the key from the sterilized version. The partitionedkey cache 116 could use dynamic random access memory (DRAM) or static random access memory (SRAM). This embodiment uses volatile RAM for the partitionedkey cache 116 that is in a separate integrated circuit, but could be integral with the integrated circuit of thekey manager 104 and/orcryptographic processor 120. The partitionedkey cache 116 could be a segment of a larger memory used for other purposes in other embodiments. - A
key manager 104 receives requests from thecryptographic processor 120 for keys used to process the various packets. Thekey manager 104 checks the requests, retrieves the sterilized key, reconstitutes the key, performs checks, and returns the key to thecryptographic processor 120. Thekey manager 104 is implemented in logic that is not reprogrammable during normal operation. To load keys into the partitionkey cache 116, theprocessor 108 interacts with thekey manager 104 under the supervision of theIO access controller 112. - With reference to
FIG. 2 , a block diagram of an embodiment of a partitionedkey cache 116 is shown. The partitionedkey cache 116 has a number of partitions204 defined. Those partitions map to peripherals or address ranges used by theIO access controller 112. A given classification level stores its keys in one partition204 and is prevented from accessing other partitions204. Although the partitionedkey cache 116 is a single integrated circuit with a common interface in this embodiment, the partitioning enforces a logical separation in a high-assurance manner. Table II gives an example of the mapping between state, classification and partition204. These mappings serve as rules. For example, state one operates at a TOP SECRET classification level and has access to partition B204-2, which includes addresses eleven through twenty. TABLE II State to Partition Mapping State(s) Classification Partition Addresses 1 TS 11-20 2, 19 S 1-10 3, 21 NC 21-30 4, 7, 9 C 31-45 - Referring next to
FIG. 3 , a block diagram of an embodiment of akey manager 104 is shown. In a high-assurance manner, the key manager enforces logical separation of the partitionedkey cache 116 where no physical separation of the interface to the partitionedkey cache 116 exists. Akey request interface 332 is coupled to thecryptographic processor 120 to receive requests for one or more particular key located at specified addresses in the partitionedkey cache 116. - This embodiment includes a
request validator 336 that checks the request to make sure the request is formatted correctly. Other embodiments of therequest validator 336 could check that the classification level of the requesting packet matches the classification level of the partition204 of the requested key. With a specified key location, a key memory interface132 couples to the partitionedkey cache 116 to retrieve the requested key. The sterile key is returned to akey buffer 308. - A
rule enforcement circuit 336 includes a sterilekey validator 304, akey decoder 324 and a reconstitutedkey validator 328. Multiple levels of checks are performed on the key before the key is provided to thecryptographic processor 120. - The sterile
key validator 304 checks the classification level of the sterile key against the classification level of the packet that precipitated the request of the key. Essentially, the sterile key is checked to make sure it matches the type of processing being performed in thecryptographic processor 120 to provide high-assurance. The sterilekey validator 304 could also match the algorithm and/or state as further rule checks in some embodiments. - A CRC, checksum or other validity value is appended to the sterile key in this embodiment when stored in the partitioned
key cache 116. The software determines the validity value when writing the sterile key into the partitionedkey cache 116. A check of the validity value allows conformation that information stored by theprocessor 108 was delivered accurately to the sterilekey validator 304. - A
key map database 316 holds information to validate the keys in their sterile or reconstituted form. The state, classification, address, algorithm, key length, header information, and/or other information could be stored in thekey map database 316. A look-up table is used in one embodiment of thekey map database 316. Where several keys are used for a given classification level, the finer granularity of state can confirm that the key is the correct one for a particular situation. For example, there could be a different state for each key. Other embodiments could provide granularity using two or more partitions204 for a particular classification level. - A
key decoder 324 converts the sterilized key from the partitionedkey cache 116 into a reconstituted key that is ready for use by thecryptographic processor 120. A payload of the sterilized key is decrypted to produce a reconstituted key. A cache protectionkey store 320 holds a cache protection key for each classification level. Table III shows an example of the information stored in the cache protectionkey store 320. Other embodiments could have a different cache protection key for each sterilized key or one cache protection key for all keys. TABLE III Cache Protection Keys State(s) Classification Random Key 1 TS 19A5E9F45609DC90h 2, 19 S AA5119A456870190h 3, 21 N 78A5E49B56A093D0h 4, 7, 9 C 15E456894309AE9F0h - Within the decrypted payload of the sterilized key is information that is checked by a reconstituted
key validator 328. Additionally, a CRC, checksum or other validity value is embedded in the decrypted payload as a second validity value. The reconstitutedkey validator 328 also checks the second validity value. This additional check provides a further layer of high-assurance. Should the process pass all of its checks, the decrypted key is provide to thecryptographic processor 120 for use in processing the particular packet that requested the key. - With reference to
FIG. 4 , a diagram demonstrating an embodiment of akey unscrambling process 400 is shown. Asterile key 416 includes a sterile key header, a sterile key payload and a sterile key CRC, which serves as a validity value. All this information is stored in the partitionedkey cache 116 by theprocessor 108. The sterile key header holds the classification level, the applicable encryption algorithm(s), and any additional key identifiers. Some embodiments may also include the memory address of the sterile key. The sterile key CRC is a validity value that is calculated on the whole sterile key header and sterile key payload such that any corruption can be discerned. - The sterile key payload is exclusive-
ORed 324 with a cache protection key420 from the cache protectionkey store 320 to decrypt the reconstituted key header, reconstituted key payload and reconstituted key CRC. Those items along with the sterile key header and sterile key CRC form thereconstituted key 404. The reconstituted key payload is the actual key that will be used by thecryptographic processor 120. The reconstituted key CRC is a validity value that allows checking that the fields of thereconstituted key 404 has not changed. The exclusive-ORkey decoder 324 is just one example of a simple decryption function. Other embodiments may use any type of decryption function(s). - Referring next to
FIG. 5 , a flowchart of an embodiment of aprocess 500 for operating thecryptographic device 100 is shown. The depicted portion of the process is initiated inblock 504 where thecryptographic processor 120 has a packet that uses a particular key, which is requested from thekey manager 104. Some embodiments check the key request. In any event, the key is requested from the partitionedkey cache 116 by thekey manager 104. The address of the key requested falls within a particular partition204. - The
sterile key 416 is retrieved inblock 516 from the partitionedkey cache 116 inblock 516. The sterile key header is checked inblock 520 to determine if the classification matches the classification of the packet requesting the key. Additional checks are possible, for example, the sterile key CRC or validity value could be checked. Presuming the check inblock 520 is successful, processing continues to block524 where the sterile key payload is decrypted. - In the
reconstituted key 404, the reconstituted key header is checked inblock 528. Prior to thedecoding block 524, the reconstituted key header was scrambled. Additionally, a reconstituted key CRC or validity value can be checked in some embodiments. If the check inblock 528 passes, processing continues to block532 where the key is returned thecryptographic processor 120. - Should any of the checks fail in
blocks key cache 116 is erased and/or the cache protectionkey store 320 inblock 536. Without the cache protection keys, the keys remain in a sterile form. Erasure of the cache protection keys can typically be performed much more quickly than the partitionedkey cache 116. Further remedial action can be taken inblock 540. - The above embodiments discuss processing at different classification levels. These classification levels could be government classification levels, but need not be necessarily so. A classification level is just a logical partition in the information passed. Any information that needs to be kept separate from other information could be in a separate classification level or logical partition.
- While the principles of the disclosure have been described above in connection with specific apparatuses and methods, it is to be clearly understood that this description is made only by way of example and not as limitation on the scope of the disclosure.
Claims (20)
1. A cryptographic device for processing classified information having a plurality of different classification levels, the cryptographic device comprising:
a memory holding a plurality of keys outside of an integrated circuit, wherein the plurality of keys are for the plurality of different classification levels;
a cryptographic processor that is part of the integrated circuit, wherein the cryptographic processor uses the plurality of keys to process packets of information that are categorized according to the plurality of different classification levels; and
a key manager, wherein:
the key manager can access a plurality of rules associated with the plurality of different classification levels,
the plurality of rules regulate interaction with the plurality of keys,
a first rule of the plurality of rules is used by the key manager in a first classification level of the plurality of different classification levels, and
a second rule of the plurality of rules is used by the key manager in a second classification level of the plurality of different classification levels.
2. The cryptographic device for processing classified information having the plurality of different classification levels as recited inclaim 1 , wherein:
a first key accessed in the first classification level includes a header that is checked against the first rule, and
the first key includes a coded header that is checked against the first rule.
3. The cryptographic device for processing classified information having the plurality of different classification levels as recited inclaim 1 , wherein the first and second keys are encrypted in the memory.
4. The cryptographic device for processing classified information having the plurality of different classification levels as recited inclaim 1 , wherein the plurality of keys are stored in an encrypted state.
5. The cryptographic device for processing classified information having the plurality of different classification levels as recited inclaim 1 , wherein the key manager further comprises a key decoder, which decrypts the plurality of keys before passing them to the cryptographic processor.
6. The cryptographic device for processing classified information having the plurality of different classification levels as recited inclaim 1 , further comprising an access controller, wherein the access controller checks that a predetermined state of operation is active while writing the first key to a partition of the memory.
7. A method for processing classified information in a high-assurance manner, the method comprising steps of:
receiving a request for a first key by a cryptographic processor;
choosing a first rule from a plurality of rules;
retrieving a first sterile key from a memory;
checking the first sterile key with the first rule;
decrypting the first sterile key with a first protection key to produce the first key;
checking the first key with the first rule;
providing the first key to the cryptographic processor if the checking the first sterile key step and the checking the first key step are completed successfully;
receiving a request for a second key by a cryptographic processor;
choosing a second rule from the plurality of rules;
retrieving the second sterile key from the memory;
checking the second sterile key with the second rule;
decrypting the second sterile key with a second protection key to produce a second key;
checking the second key with the second rule; and
providing the second key to the cryptographic processor if the checking the second sterile key step and the checking the second key step are completed successfully.
8. The method for processing classified information in the high-assurance manner as recited inclaim 7 , further comprising a step of erasing the first and second protection keys to zeroize utility of the first and second keys.
9. The method for processing classified information in the high-assurance manner as recited inclaim 7 , wherein the cryptographic processor is capable of processing multiple classification levels simultaneously in different packets.
10. The method for processing classified information in the high-assurance manner as recited inclaim 7 , wherein the first rule requires a classification level of a packet being processed with the cryptographic processor to match the classification level of the first key.
11. The method for processing classified information in the high-assurance manner as recited inclaim 7 , wherein:
the first and second sterile keys are stored in a second integrated circuit, and
the decrypting steps are performed in a first integrated circuit.
12. A cryptographic device for processing information with a plurality of classification levels, the cryptographic device comprising:
a memory holding a plurality of keys;
a cryptographic processor that uses the plurality of keys to process packets of information that are correlated to the plurality of classification levels; and
a key manager that comprises a rule enforcement circuit and a key decryption circuit, wherein:
the key manager retrieves a first key for a first packet being processed by the cryptographic processor,
the first packet is of a first classification level,
the first key is associated with the first classification level,
the rule enforcement circuit checks that the first key is designated for the first classification level before providing the first key to the cryptographic processor for processing the first packet,
the key manager retrieves a second key for a second packet being processed by the cryptographic processor,
the second packet is of a second classification level,
the second key is associated with the second classification level, and
the rule enforcement circuit checks that the second key is designated for the second classification level before providing the second key to the cryptographic processor for processing the second packet.
13. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein at least one of the first and second keys are stored in the memory in an unusable form.
14. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein the key manager further comprises a key decoder that descrambles the first key before providing the first key to the cryptographic processor.
15. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein the memory and the cryptographic processor are in different integrated circuit.
16. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein:
the plurality of keys are divided among a plurality of partitions in the memory, and
each classification level has a different partition to logically separate keys of different classification levels.
17. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein the plurality of classification levels includes a plurality of protection values that are each used to descramble the plurality of keys.
18. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein the rule enforcement circuit checks the first key twice to confirm that the first classification level of the key matches the first classification level of the packet.
19. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein the first and second keys are decrypted in the key manager.
20. The cryptographic device for processing information with the plurality of classification levels as recited inclaim 12 , wherein a header is used to designate the first key for the first classification level.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US12/184,062US20090034734A1 (en) | 2007-07-31 | 2008-07-31 | Multi-Level Key Manager |
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US96282107P | 2007-07-31 | 2007-07-31 | |
| US96284807P | 2007-07-31 | 2007-07-31 | |
| US96282207P | 2007-07-31 | 2007-07-31 | |
| US2643808P | 2008-02-05 | 2008-02-05 | |
| US12/184,062US20090034734A1 (en) | 2007-07-31 | 2008-07-31 | Multi-Level Key Manager |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| US20090034734A1true US20090034734A1 (en) | 2009-02-05 |
Family
ID=39832694
Family Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US12/184,079Active2031-01-15US8312292B2 (en) | 2007-07-31 | 2008-07-31 | Input output access controller |
| US12/184,062AbandonedUS20090034734A1 (en) | 2007-07-31 | 2008-07-31 | Multi-Level Key Manager |
| US12/184,048Active2031-01-25US8392983B2 (en) | 2007-07-31 | 2008-07-31 | Trusted labeler |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US12/184,079Active2031-01-15US8312292B2 (en) | 2007-07-31 | 2008-07-31 | Input output access controller |
Family Applications After (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US12/184,048Active2031-01-25US8392983B2 (en) | 2007-07-31 | 2008-07-31 | Trusted labeler |
Country Status (2)
| Country | Link |
|---|---|
| US (3) | US8312292B2 (en) |
| WO (3) | WO2009018481A1 (en) |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090158050A1 (en)* | 2007-07-31 | 2009-06-18 | Viasat, Inc. | Trusted Labeler |
| US20120066509A1 (en)* | 2010-09-10 | 2012-03-15 | Douglas Edward Lapp | Multi-level security software architecture |
| US20120069995A1 (en)* | 2010-09-22 | 2012-03-22 | Seagate Technology Llc | Controller chip with zeroizable root key |
| US20120170750A1 (en)* | 2007-09-14 | 2012-07-05 | Security First Corp. | Systems and methods for managing cryptographic keys |
| US8494168B1 (en)* | 2008-04-28 | 2013-07-23 | Netapp, Inc. | Locating cryptographic keys stored in a cache |
| US9449180B2 (en) | 1999-09-20 | 2016-09-20 | Security First Corp. | Secure data parser method and system |
| US20170041138A1 (en)* | 2015-08-04 | 2017-02-09 | Ge Aviation Systems Llc | Cryptographic key server embedded in data transfer system |
| US20170075821A1 (en)* | 2013-04-01 | 2017-03-16 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US9798899B1 (en) | 2013-03-29 | 2017-10-24 | Secturion Systems, Inc. | Replaceable or removable physical interface input/output module |
| US9858442B1 (en) | 2013-03-29 | 2018-01-02 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US10013580B2 (en) | 2013-03-29 | 2018-07-03 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| CN110233723A (en)* | 2019-04-28 | 2019-09-13 | 新大陆(福建)公共服务有限公司 | A kind of secondary key management method and safety chip |
| US10708236B2 (en) | 2015-10-26 | 2020-07-07 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
| US11063914B1 (en) | 2013-03-29 | 2021-07-13 | Secturion Systems, Inc. | Secure end-to-end communication system |
| US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
| US20220209947A1 (en)* | 2020-12-28 | 2022-06-30 | Stmicroelectronics (Rousset) Sas | Electronic system comprising a plurality of microprocessors |
| US20220286439A1 (en)* | 2020-10-23 | 2022-09-08 | Secturion Systems, Inc. | Multi-independent level security for high performance computing and data storage systems |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100132047A1 (en)* | 2008-11-24 | 2010-05-27 | Honeywell International Inc. | Systems and methods for tamper resistant memory devices |
| US8275996B1 (en) | 2010-04-12 | 2012-09-25 | Stephen Waller Melvin | Incremental encryption of stored information |
| US8812875B1 (en)* | 2010-04-12 | 2014-08-19 | Stephen Melvin | Virtual self-destruction of stored information |
| WO2013055872A2 (en)* | 2011-10-12 | 2013-04-18 | Raytheon Company | An integrated circuit for cyber security processing |
| DE102017202787A1 (en)* | 2017-02-21 | 2018-08-23 | Siemens Aktiengesellschaft | Method and validation unit for controlling the loading of cryptographic keys that can be used in IT systems, in particular embedded systems, in particular "key blobs" |
| US11310198B2 (en) | 2017-05-31 | 2022-04-19 | Crypto4A Technologies Inc. | Integrated multi-level or cross-domain network security management appliance, platform and system, and remote management method and system therefor |
| US11321493B2 (en)* | 2017-05-31 | 2022-05-03 | Crypto4A Technologies Inc. | Hardware security module, and trusted hardware network interconnection device and resources |
| US11288404B2 (en)* | 2019-06-14 | 2022-03-29 | Infineon Technologies Ag | Resource protection |
Citations (59)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4442484A (en)* | 1980-10-14 | 1984-04-10 | Intel Corporation | Microprocessor memory management and protection mechanism |
| US4683532A (en)* | 1984-12-03 | 1987-07-28 | Honeywell Inc. | Real-time software monitor and write protect controller |
| US5495533A (en)* | 1994-04-29 | 1996-02-27 | International Business Machines Corporation | Personal key archive |
| US5905725A (en)* | 1996-12-16 | 1999-05-18 | Juniper Networks | High speed switching device |
| US5991519A (en)* | 1997-10-03 | 1999-11-23 | Atmel Corporation | Secure memory having multiple security levels |
| US6408001B1 (en)* | 1998-10-21 | 2002-06-18 | Lucent Technologies Inc. | Method for determining label assignments for a router |
| US20030084309A1 (en)* | 2001-10-22 | 2003-05-01 | Sun Microsystems, Inc. | Stream processor with cryptographic co-processor |
| US6604147B1 (en)* | 2000-05-09 | 2003-08-05 | Lucent Technologies Inc. | Scalable IP edge router |
| US20040008685A1 (en)* | 2002-07-03 | 2004-01-15 | Nec Corporation | Multi-protocol label switching device and multi-protocol switching method |
| US6704871B1 (en)* | 1997-09-16 | 2004-03-09 | Safenet, Inc. | Cryptographic co-processor |
| US20040066781A1 (en)* | 2002-10-07 | 2004-04-08 | Broadcom Corporation | Fast-path implementation for an uplink double tagging engine |
| US6751729B1 (en)* | 1998-07-24 | 2004-06-15 | Spatial Adventures, Inc. | Automated operation and security system for virtual private networks |
| US20040258062A1 (en)* | 2003-01-27 | 2004-12-23 | Paolo Narvaez | Method and device for the classification and redirection of data packets in a heterogeneous network |
| US6836548B1 (en)* | 1991-10-29 | 2004-12-28 | The Commonwealth Of Australia | Communications security and trusted path method and means |
| US6854061B2 (en)* | 1999-12-31 | 2005-02-08 | International Business Machines Corporation | Installing and controlling trial software |
| US20050031119A1 (en)* | 2003-08-04 | 2005-02-10 | Yuying Ding | Method and communications device for secure group communication |
| US20050044252A1 (en)* | 2002-12-19 | 2005-02-24 | Floyd Geoffrey E. | Packet classifier |
| US20050094643A1 (en)* | 2003-11-05 | 2005-05-05 | Xiaolin Wang | Method of and apparatus for variable length data packet transmission with configurable adaptive output scheduling enabling transmission on the same transmission link(s) of differentiated services for various traffic types |
| US20050102546A1 (en)* | 2003-11-07 | 2005-05-12 | Patchen Paul J. | System and method for handling state change conditions by a program status register |
| US20050198412A1 (en)* | 2003-08-19 | 2005-09-08 | General Dynamics Advanced Information Systems, Inc. | Trusted interface unit (TIU) and method of making and using the same |
| US20060039335A1 (en)* | 2004-08-20 | 2006-02-23 | Fujitsu Limited | Communication device simultaneously using plurality of routes corresponding to application characteristics |
| US20060075311A1 (en)* | 2004-09-23 | 2006-04-06 | Prashant Ranjan | Techniques to perform error detection |
| US7055029B2 (en)* | 1998-02-03 | 2006-05-30 | Hewlett-Packard Development Company, L.P. | Cryptographic system enabling ownership of a secure process |
| US20060114914A1 (en)* | 2004-11-30 | 2006-06-01 | Broadcom Corporation | Pipeline architecture of a network device |
| US20060146706A1 (en)* | 2005-01-06 | 2006-07-06 | Enigma Semiconductor | Method and apparatus for scheduling packets and/or cells |
| US20060190987A1 (en)* | 2005-02-04 | 2006-08-24 | Ntt Docomo, Inc. | Client apparatus, device verification apparatus, and verification method |
| US20060251078A1 (en)* | 2005-04-12 | 2006-11-09 | Samsung Electronics Co., Ltd. | Message transmission method and device in mixture of private network and public network |
| US20060294596A1 (en)* | 2005-06-27 | 2006-12-28 | Priya Govindarajan | Methods, systems, and apparatus to detect unauthorized resource accesses |
| US20070014399A1 (en)* | 2005-07-15 | 2007-01-18 | Scheidt Edward M | High assurance key management overlay |
| US20070067826A1 (en)* | 2005-09-19 | 2007-03-22 | Texas Instruments Incorporated | Method and system for preventing unsecure memory accesses |
| US7213147B2 (en)* | 2000-05-12 | 2007-05-01 | Microsoft Corporation | Methods and apparatus for managing secure collaborative transactions |
| US20070101142A1 (en)* | 2003-02-03 | 2007-05-03 | Sony Corporation | Wireless adhoc communication system, terminal, authentication method for use in terminal, encryption method, terminal management method, and program for enabling terminal to perform those methods |
| US20070110069A1 (en)* | 2005-11-12 | 2007-05-17 | Electronics And Telecommunications Research Institute | Method of blocking network attacks using packet information and apparatus thereof |
| US20070130458A1 (en)* | 2002-06-17 | 2007-06-07 | Digitalnet Government Solutions, Llc | Trusted computer system |
| US20070157287A1 (en)* | 2005-12-29 | 2007-07-05 | Blue Jungle | Techniques and System for Specifying Policies Using Abstractions |
| US20070156999A1 (en)* | 2005-12-30 | 2007-07-05 | David Durham | Identifier associated with memory locations for managing memory accesses |
| US20070156987A1 (en)* | 2006-01-05 | 2007-07-05 | Chen Iue-Shuenn I | System and method for partitioning multiple logical memory regions with access control by a central control agent |
| US20070220500A1 (en)* | 2006-03-20 | 2007-09-20 | Louisa Saunier | Computer security method and computer system |
| US7274696B1 (en)* | 2002-10-21 | 2007-09-25 | Force10 Networks, Inc. | Scalable redundant switch fabric architecture |
| US20070226795A1 (en)* | 2006-02-09 | 2007-09-27 | Texas Instruments Incorporated | Virtual cores and hardware-supported hypervisor integrated circuits, systems, methods and processes of manufacture |
| US20070250904A1 (en)* | 2006-04-19 | 2007-10-25 | Thales Holdings Uk Plc | Privacy protection system |
| US7322043B2 (en)* | 2002-06-20 | 2008-01-22 | Hewlett-Packard Development Company, L.P. | Allowing an electronic device accessing a service to be authenticated |
| US20080019358A1 (en)* | 2005-10-12 | 2008-01-24 | Juniper Networks, Inc. | Spoof checking within a label switching computer network |
| US20080077794A1 (en)* | 2006-09-22 | 2008-03-27 | International Business Machines Corporation | Method for controlling security function execution with a flexible, entendable, and non-forgable block |
| US7356147B2 (en)* | 2002-04-18 | 2008-04-08 | International Business Machines Corporation | Method, system and program product for attaching a title key to encrypted content for synchronized transmission to a recipient |
| US20080130534A1 (en)* | 2006-11-30 | 2008-06-05 | Kabushiki Kaisha Toshiba | Data transmitting apparatus, data receiving apparatus, and data communication system |
| US20080215897A1 (en)* | 2003-07-31 | 2008-09-04 | International Business Machines Corporation | Security Containers for Document Components |
| US7441262B2 (en)* | 2002-07-11 | 2008-10-21 | Seaway Networks Inc. | Integrated VPN/firewall system |
| US20090037631A1 (en)* | 2007-07-31 | 2009-02-05 | Viasat, Inc. | Input Output Access Controller |
| US20090214044A1 (en)* | 2008-02-21 | 2009-08-27 | Hitachi, Ltd. | Data archiving technique for encrypted data |
| US20090249080A1 (en)* | 2008-03-27 | 2009-10-01 | General Instrument Corporation | Methods, apparatus and system for authenticating a programmable hardware device and for authenticating commands received in the programmable hardware device from a secure processor |
| US20090282263A1 (en)* | 2003-12-11 | 2009-11-12 | Khan Moinul H | Method and apparatus for a trust processor |
| US7636858B2 (en)* | 2003-12-11 | 2009-12-22 | Intel Corporation | Management of a trusted cryptographic processor |
| US20100008499A1 (en)* | 2007-04-06 | 2010-01-14 | Lee Adam Y | Method and apparatus for generating random data-encryption keys |
| US7660986B1 (en)* | 1999-06-08 | 2010-02-09 | General Instrument Corporation | Secure control of security mode |
| US7715565B2 (en)* | 2004-07-29 | 2010-05-11 | Infoassure, Inc. | Information-centric security |
| US7764672B2 (en)* | 2003-03-19 | 2010-07-27 | Hitachi, Ltd. | Packet communication device |
| US7773754B2 (en)* | 2002-07-08 | 2010-08-10 | Broadcom Corporation | Key management system and method |
| US7774619B2 (en)* | 2004-11-17 | 2010-08-10 | Broadcom Corporation | Secure code execution using external memory |
Family Cites Families (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6101255A (en)* | 1997-04-30 | 2000-08-08 | Motorola, Inc. | Programmable cryptographic processing system and method |
| JP4522548B2 (en)* | 2000-03-10 | 2010-08-11 | 富士通フロンテック株式会社 | Access monitoring device and access monitoring method |
| US6615329B2 (en)* | 2001-07-11 | 2003-09-02 | Intel Corporation | Memory access control system, apparatus, and method |
| US7178033B1 (en) | 2001-12-12 | 2007-02-13 | Pss Systems, Inc. | Method and apparatus for securing digital assets |
| US7089419B2 (en)* | 2002-04-18 | 2006-08-08 | International Business Machines Corporation | Control function with multiple security states for facilitating secure operation of an integrated system |
| US7322042B2 (en)* | 2003-02-07 | 2008-01-22 | Broadon Communications Corp. | Secure and backward-compatible processor and secure software execution thereon |
| JP4130799B2 (en)* | 2003-12-24 | 2008-08-06 | 三星電子株式会社 | Multi-beam semiconductor laser |
| US7542567B2 (en)* | 2004-06-10 | 2009-06-02 | Freescale Semiconductor, Inc. | Method and apparatus for providing security in a data processing system |
| US7681226B2 (en)* | 2005-01-28 | 2010-03-16 | Cisco Technology, Inc. | Methods and apparatus providing security for multiple operational states of a computerized device |
| US20070245413A1 (en) | 2005-07-05 | 2007-10-18 | Viasat, Inc. | Trusted Cryptographic Switch |
| US8190877B2 (en)* | 2005-07-05 | 2012-05-29 | Viasat, Inc. | Trusted cryptographic processor |
| DE112006001751B4 (en) | 2005-07-06 | 2010-04-08 | International Rectifier Corporation, El Segundo | Power semiconductor device and method for manufacturing a semiconductor device |
| US8041947B2 (en)* | 2006-03-23 | 2011-10-18 | Harris Corporation | Computer architecture for an electronic device providing SLS access to MLS file system with trusted loading and protection of program execution memory |
- 2008
- 2008-07-31USUS12/184,079patent/US8312292B2/enactiveActive
- 2008-07-31WOPCT/US2008/071821patent/WO2009018481A1/enactiveApplication Filing
- 2008-07-31WOPCT/US2008/071823patent/WO2009018483A1/enactiveApplication Filing
- 2008-07-31USUS12/184,062patent/US20090034734A1/ennot_activeAbandoned
- 2008-07-31WOPCT/US2008/071818patent/WO2009018479A1/enactiveApplication Filing
- 2008-07-31USUS12/184,048patent/US8392983B2/enactiveActive
Patent Citations (60)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4442484A (en)* | 1980-10-14 | 1984-04-10 | Intel Corporation | Microprocessor memory management and protection mechanism |
| US4683532A (en)* | 1984-12-03 | 1987-07-28 | Honeywell Inc. | Real-time software monitor and write protect controller |
| US6836548B1 (en)* | 1991-10-29 | 2004-12-28 | The Commonwealth Of Australia | Communications security and trusted path method and means |
| US5495533A (en)* | 1994-04-29 | 1996-02-27 | International Business Machines Corporation | Personal key archive |
| US5905725A (en)* | 1996-12-16 | 1999-05-18 | Juniper Networks | High speed switching device |
| US6704871B1 (en)* | 1997-09-16 | 2004-03-09 | Safenet, Inc. | Cryptographic co-processor |
| US5991519A (en)* | 1997-10-03 | 1999-11-23 | Atmel Corporation | Secure memory having multiple security levels |
| US7055029B2 (en)* | 1998-02-03 | 2006-05-30 | Hewlett-Packard Development Company, L.P. | Cryptographic system enabling ownership of a secure process |
| US6751729B1 (en)* | 1998-07-24 | 2004-06-15 | Spatial Adventures, Inc. | Automated operation and security system for virtual private networks |
| US6408001B1 (en)* | 1998-10-21 | 2002-06-18 | Lucent Technologies Inc. | Method for determining label assignments for a router |
| US7660986B1 (en)* | 1999-06-08 | 2010-02-09 | General Instrument Corporation | Secure control of security mode |
| US6854061B2 (en)* | 1999-12-31 | 2005-02-08 | International Business Machines Corporation | Installing and controlling trial software |
| US6604147B1 (en)* | 2000-05-09 | 2003-08-05 | Lucent Technologies Inc. | Scalable IP edge router |
| US7213147B2 (en)* | 2000-05-12 | 2007-05-01 | Microsoft Corporation | Methods and apparatus for managing secure collaborative transactions |
| US20030084309A1 (en)* | 2001-10-22 | 2003-05-01 | Sun Microsystems, Inc. | Stream processor with cryptographic co-processor |
| US7356147B2 (en)* | 2002-04-18 | 2008-04-08 | International Business Machines Corporation | Method, system and program product for attaching a title key to encrypted content for synchronized transmission to a recipient |
| US20070130458A1 (en)* | 2002-06-17 | 2007-06-07 | Digitalnet Government Solutions, Llc | Trusted computer system |
| US7322043B2 (en)* | 2002-06-20 | 2008-01-22 | Hewlett-Packard Development Company, L.P. | Allowing an electronic device accessing a service to be authenticated |
| US20040008685A1 (en)* | 2002-07-03 | 2004-01-15 | Nec Corporation | Multi-protocol label switching device and multi-protocol switching method |
| US7773754B2 (en)* | 2002-07-08 | 2010-08-10 | Broadcom Corporation | Key management system and method |
| US7441262B2 (en)* | 2002-07-11 | 2008-10-21 | Seaway Networks Inc. | Integrated VPN/firewall system |
| US20040066781A1 (en)* | 2002-10-07 | 2004-04-08 | Broadcom Corporation | Fast-path implementation for an uplink double tagging engine |
| US7274696B1 (en)* | 2002-10-21 | 2007-09-25 | Force10 Networks, Inc. | Scalable redundant switch fabric architecture |
| US20050044252A1 (en)* | 2002-12-19 | 2005-02-24 | Floyd Geoffrey E. | Packet classifier |
| US20040258062A1 (en)* | 2003-01-27 | 2004-12-23 | Paolo Narvaez | Method and device for the classification and redirection of data packets in a heterogeneous network |
| US20070101142A1 (en)* | 2003-02-03 | 2007-05-03 | Sony Corporation | Wireless adhoc communication system, terminal, authentication method for use in terminal, encryption method, terminal management method, and program for enabling terminal to perform those methods |
| US7764672B2 (en)* | 2003-03-19 | 2010-07-27 | Hitachi, Ltd. | Packet communication device |
| US20080215897A1 (en)* | 2003-07-31 | 2008-09-04 | International Business Machines Corporation | Security Containers for Document Components |
| US20050031119A1 (en)* | 2003-08-04 | 2005-02-10 | Yuying Ding | Method and communications device for secure group communication |
| US20050198412A1 (en)* | 2003-08-19 | 2005-09-08 | General Dynamics Advanced Information Systems, Inc. | Trusted interface unit (TIU) and method of making and using the same |
| US20050094643A1 (en)* | 2003-11-05 | 2005-05-05 | Xiaolin Wang | Method of and apparatus for variable length data packet transmission with configurable adaptive output scheduling enabling transmission on the same transmission link(s) of differentiated services for various traffic types |
| US20050102546A1 (en)* | 2003-11-07 | 2005-05-12 | Patchen Paul J. | System and method for handling state change conditions by a program status register |
| US20090282263A1 (en)* | 2003-12-11 | 2009-11-12 | Khan Moinul H | Method and apparatus for a trust processor |
| US7636858B2 (en)* | 2003-12-11 | 2009-12-22 | Intel Corporation | Management of a trusted cryptographic processor |
| US7715565B2 (en)* | 2004-07-29 | 2010-05-11 | Infoassure, Inc. | Information-centric security |
| US20060039335A1 (en)* | 2004-08-20 | 2006-02-23 | Fujitsu Limited | Communication device simultaneously using plurality of routes corresponding to application characteristics |
| US20060075311A1 (en)* | 2004-09-23 | 2006-04-06 | Prashant Ranjan | Techniques to perform error detection |
| US7774619B2 (en)* | 2004-11-17 | 2010-08-10 | Broadcom Corporation | Secure code execution using external memory |
| US20060114914A1 (en)* | 2004-11-30 | 2006-06-01 | Broadcom Corporation | Pipeline architecture of a network device |
| US20060146706A1 (en)* | 2005-01-06 | 2006-07-06 | Enigma Semiconductor | Method and apparatus for scheduling packets and/or cells |
| US20060190987A1 (en)* | 2005-02-04 | 2006-08-24 | Ntt Docomo, Inc. | Client apparatus, device verification apparatus, and verification method |
| US20060251078A1 (en)* | 2005-04-12 | 2006-11-09 | Samsung Electronics Co., Ltd. | Message transmission method and device in mixture of private network and public network |
| US20060294596A1 (en)* | 2005-06-27 | 2006-12-28 | Priya Govindarajan | Methods, systems, and apparatus to detect unauthorized resource accesses |
| US20070014399A1 (en)* | 2005-07-15 | 2007-01-18 | Scheidt Edward M | High assurance key management overlay |
| US20070067826A1 (en)* | 2005-09-19 | 2007-03-22 | Texas Instruments Incorporated | Method and system for preventing unsecure memory accesses |
| US20080019358A1 (en)* | 2005-10-12 | 2008-01-24 | Juniper Networks, Inc. | Spoof checking within a label switching computer network |
| US20070110069A1 (en)* | 2005-11-12 | 2007-05-17 | Electronics And Telecommunications Research Institute | Method of blocking network attacks using packet information and apparatus thereof |
| US20070157287A1 (en)* | 2005-12-29 | 2007-07-05 | Blue Jungle | Techniques and System for Specifying Policies Using Abstractions |
| US20070156999A1 (en)* | 2005-12-30 | 2007-07-05 | David Durham | Identifier associated with memory locations for managing memory accesses |
| US20070156987A1 (en)* | 2006-01-05 | 2007-07-05 | Chen Iue-Shuenn I | System and method for partitioning multiple logical memory regions with access control by a central control agent |
| US20070226795A1 (en)* | 2006-02-09 | 2007-09-27 | Texas Instruments Incorporated | Virtual cores and hardware-supported hypervisor integrated circuits, systems, methods and processes of manufacture |
| US20070220500A1 (en)* | 2006-03-20 | 2007-09-20 | Louisa Saunier | Computer security method and computer system |
| US20070250904A1 (en)* | 2006-04-19 | 2007-10-25 | Thales Holdings Uk Plc | Privacy protection system |
| US20080077794A1 (en)* | 2006-09-22 | 2008-03-27 | International Business Machines Corporation | Method for controlling security function execution with a flexible, entendable, and non-forgable block |
| US20080130534A1 (en)* | 2006-11-30 | 2008-06-05 | Kabushiki Kaisha Toshiba | Data transmitting apparatus, data receiving apparatus, and data communication system |
| US20100008499A1 (en)* | 2007-04-06 | 2010-01-14 | Lee Adam Y | Method and apparatus for generating random data-encryption keys |
| US20090037631A1 (en)* | 2007-07-31 | 2009-02-05 | Viasat, Inc. | Input Output Access Controller |
| US20090158050A1 (en)* | 2007-07-31 | 2009-06-18 | Viasat, Inc. | Trusted Labeler |
| US20090214044A1 (en)* | 2008-02-21 | 2009-08-27 | Hitachi, Ltd. | Data archiving technique for encrypted data |
| US20090249080A1 (en)* | 2008-03-27 | 2009-10-01 | General Instrument Corporation | Methods, apparatus and system for authenticating a programmable hardware device and for authenticating commands received in the programmable hardware device from a secure processor |
Cited By (38)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9449180B2 (en) | 1999-09-20 | 2016-09-20 | Security First Corp. | Secure data parser method and system |
| US9613220B2 (en) | 1999-09-20 | 2017-04-04 | Security First Corp. | Secure data parser method and system |
| US20090158050A1 (en)* | 2007-07-31 | 2009-06-18 | Viasat, Inc. | Trusted Labeler |
| US8312292B2 (en) | 2007-07-31 | 2012-11-13 | Viasat, Inc. | Input output access controller |
| US8392983B2 (en) | 2007-07-31 | 2013-03-05 | Viasat, Inc. | Trusted labeler |
| US9397827B2 (en)* | 2007-09-14 | 2016-07-19 | Security First Corp. | Systems and methods for managing cryptographic keys |
| US20120170750A1 (en)* | 2007-09-14 | 2012-07-05 | Security First Corp. | Systems and methods for managing cryptographic keys |
| US8494168B1 (en)* | 2008-04-28 | 2013-07-23 | Netapp, Inc. | Locating cryptographic keys stored in a cache |
| US9129121B2 (en) | 2008-04-28 | 2015-09-08 | Netapp, Inc. | Locating cryptographic keys stored in a cache |
| US9430659B2 (en) | 2008-04-28 | 2016-08-30 | Netapp, Inc. | Locating cryptographic keys stored in a cache |
| US8478997B2 (en)* | 2010-09-10 | 2013-07-02 | Raytheon Company | Multi-level security software architecture |
| EP2428910A3 (en)* | 2010-09-10 | 2016-06-08 | Raytheon Cyber Products, LLC | Multi-level security data processing architecture |
| US20120066509A1 (en)* | 2010-09-10 | 2012-03-15 | Douglas Edward Lapp | Multi-level security software architecture |
| US20120069995A1 (en)* | 2010-09-22 | 2012-03-22 | Seagate Technology Llc | Controller chip with zeroizable root key |
| US11288402B2 (en) | 2013-03-29 | 2022-03-29 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| US10902155B2 (en) | 2013-03-29 | 2021-01-26 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US9798899B1 (en) | 2013-03-29 | 2017-10-24 | Secturion Systems, Inc. | Replaceable or removable physical interface input/output module |
| US9858442B1 (en) | 2013-03-29 | 2018-01-02 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US11921906B2 (en) | 2013-03-29 | 2024-03-05 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| US10013580B2 (en) | 2013-03-29 | 2018-07-03 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
| US11783089B2 (en) | 2013-03-29 | 2023-10-10 | Secturion Systems, Inc. | Multi-tenancy architecture |
| US11063914B1 (en) | 2013-03-29 | 2021-07-13 | Secturion Systems, Inc. | Secure end-to-end communication system |
| US10114766B2 (en)* | 2013-04-01 | 2018-10-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US11429540B2 (en)* | 2013-04-01 | 2022-08-30 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US20190050348A1 (en)* | 2013-04-01 | 2019-02-14 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US20170075821A1 (en)* | 2013-04-01 | 2017-03-16 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US20230049021A1 (en)* | 2013-04-01 | 2023-02-16 | Secturion Systems, Inc. | Multi-level independent security architecture |
| US9990503B2 (en)* | 2015-08-04 | 2018-06-05 | Ge Aviation Systems, Llc | Cryptographic key server embedded in data transfer system |
| US20170041138A1 (en)* | 2015-08-04 | 2017-02-09 | Ge Aviation Systems Llc | Cryptographic key server embedded in data transfer system |
| US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
| US11792169B2 (en) | 2015-09-17 | 2023-10-17 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
| US11750571B2 (en) | 2015-10-26 | 2023-09-05 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
| US10708236B2 (en) | 2015-10-26 | 2020-07-07 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
| CN110233723A (en)* | 2019-04-28 | 2019-09-13 | 新大陆(福建)公共服务有限公司 | A kind of secondary key management method and safety chip |
| US20220286439A1 (en)* | 2020-10-23 | 2022-09-08 | Secturion Systems, Inc. | Multi-independent level security for high performance computing and data storage systems |
| US11968187B2 (en)* | 2020-10-23 | 2024-04-23 | Secturion Systems, Inc. | Multi-independent level security for high performance computing and data storage systems |
| US20220209947A1 (en)* | 2020-12-28 | 2022-06-30 | Stmicroelectronics (Rousset) Sas | Electronic system comprising a plurality of microprocessors |
| US12058255B2 (en)* | 2020-12-28 | 2024-08-06 | STMicroelectro cs (Rousset) SAS | Electronic system comprising a plurality of microprocessors |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2009018481A1 (en) | 2009-02-05 |
| US8392983B2 (en) | 2013-03-05 |
| WO2009018479A1 (en) | 2009-02-05 |
| WO2009018483A1 (en) | 2009-02-05 |
| US8312292B2 (en) | 2012-11-13 |
| US20090037631A1 (en) | 2009-02-05 |
| US20090158050A1 (en) | 2009-06-18 |
| WO2009018479A4 (en) | 2009-04-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20090034734A1 (en) | Multi-Level Key Manager | |
| US9483664B2 (en) | Address dependent data encryption | |
| US8839001B2 (en) | Infinite key memory transaction unit | |
| CN101673251B (en) | Device with privileged memory and applications thereof | |
| CN102117387B (en) | Safe key access Apparatus and method for | |
| US5224166A (en) | System for seamless processing of encrypted and non-encrypted data and instructions | |
| US11658808B2 (en) | Re-encryption following an OTP update event | |
| US7774622B2 (en) | CRPTO envelope around a CPU with DRAM for image protection | |
| US8127145B2 (en) | Computer architecture for an electronic device providing a secure file system | |
| CN106383790A (en) | Bus management unit and high safety system on chip | |
| KR20080100673A (en) | Encryption-based processor security method and device | |
| US9152576B2 (en) | Mode-based secure microcontroller | |
| US11019098B2 (en) | Replay protection for memory based on key refresh | |
| EP2228988B1 (en) | Circuit for restricting data access | |
| TW201933169A (en) | Managing a set of cryptographic keys in an encrypted system | |
| EP2990953B1 (en) | Periodic memory refresh in a secure computing system | |
| US8612774B2 (en) | Secure OTP using external memory | |
| JP2017526220A (en) | Inferential cryptographic processing for out-of-order data | |
| US20210011994A1 (en) | Device and method for managing an encrypted software application | |
| US20240080193A1 (en) | Counter integrity tree | |
| US20240333473A1 (en) | Memory controller cryptographic data quantization using a cache | |
| US12248409B2 (en) | Apparatus and method of controlling access to data stored in a non-trusted memory | |
| US20230418603A1 (en) | System and Method for Securing Nonvolatile Memory for Execute-in-Place | |
| US20120148047A1 (en) | Detecting key corruption | |
| CN114237492A (en) | Non-volatile memory protection method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment | Owner name:VIASAT, INC., CALIFORNIA Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:OWENS, JOHN R.;ANDOLINA, JOHN C.;SHANKEN, STUART N.;AND OTHERS;REEL/FRAME:021499/0783;SIGNING DATES FROM 20080813 TO 20080828 | |
| STCB | Information on status: application discontinuation | Free format text:ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |