Abstract: Disclosed are methods for encrypting communications with a remote endpoint via a memory device. In one embodiment, a memory device is configured to receive, from the application, a request to establish a communications session with a remote computing device, establish a shared symmetric key, the shared symmetric key shared between the memory device and the remote computing device, receive a message from the application, the message including an identifier of the remote computing device and a payload, generate a ciphertext using the symmetric key and the payload, and return the ciphertext to the application.

Abstract: Methods, systems, and devices for techniques for generating a shared secret for an electronic system are described. A memory system may identify an initial key pair and exchange a public key of the key pair with a public key associated with a server. The memory system and the server may each generate a shared secret. In some cases, the memory system and the server may use the shared secret to generate a device identifier for the memory system, for example by incorporating the device identifier into a cryptographic representation of a software layer of the memory system. The memory system and the server may use the device identifier to generate one or more asymmetric key pairs, which may be used by the server to authenticate the memory system.

Abstract: Methods, systems, and devices for a measurement command for memory systems are described. A memory system and a host system may support a measure command to calculate a cryptographic value of data stored in a region of the memory system. In some cases, a region indicated by the measure command may correspond to a protected region of the memory system. In such cases, the measure command may include a cryptographic signature from the host system. Upon receiving the measure command, the memory system may perform a hashing operation on the data to generate the cryptographic value. In some cases, the memory system may transmit the digest to the host. Additionally or alternatively, the memory system may extend the digest into a register indicated by the command. Further, the measure command may be used to generate a key pair associated with the memory system.

Abstract: A system, method and apparatus to control memory devices over computer networks. For example, a server system establishes a secure authenticated connection with a client computer system to receive a request having a batch identification that is configured in the server system to identify a batch of multiple memory devices. After determining that the client computer system is eligible to control the multiple memory devices in the batch, the server system transmits to the client computer system a response. The response contains control data for each respective memory device in the batch. The control data is based on at least a cryptographic key stored in the server system in association with the respective memory device. Using the control data the client computer system submits a command with a digital signature to the respective memory device, which validates the digital signature prior to execution of the command.

Abstract: Methods, systems, and devices for memory recovery partitions are described. A memory system may include a memory array configured with one or more logical partitions. In some examples, a primary boot image may be stored to a first logical partition and a recovery boot image may be stored to a second logical partition. During a boot operation, the memory system may determine whether the primary boot image includes one or more errors. If the primary boot image includes relatively few (or no) errors, the memory system may boot using the primary boot image. If the primary boot image includes a relatively high quantity of errors (e.g., higher than a threshold quantity of errors), the memory system may autonomously load a recovery boot image stored to the second logical partition.

Abstract: Methods, systems, and devices for partitioned cryptographic protection for a memory system are described. The method may include a host system generating a command to update a protection attribute of a first set of memory cells of the memory system, where the memory system includes multiple sets of memory cells, each set associated with a respective set of one or more first keys. The method may further include encrypting the command based on a second key corresponding to a first key within the respective set of one or more first keys, and transmitting, after encrypting the command, the command to the memory system to update the protection attribute of the first set of memory cells.

Abstract: Devices and techniques for authenticated modification of a storage device are described herein. A data transmission, received at an interface of the storage device, can be decoded to obtain a command, a set of input identifications, and a first signature corresponding to data identified by the input identifications. Members of the set of input identifications can be marshalled to produce an input set. A cryptographic engine of the storage device can be invoked on the input set to produce a second signature from the input set. The first signature is and the second signature are compared to determine a match. In response to the match, the input set can be written to a secure portion of the storage device.

Abstract: The disclosed embodiments are related to securely updating a semiconductor device. In one embodiment, a method comprises receiving a command; generating, by the semiconductor device, a response code in response to the command; returning the response code to a processing device; receiving a command to replace a storage root key of the device; generating a replacement key based on the response code; and replacing an existing key with the replacement key.

Abstract: Various examples are directed to systems and methods for providing a digital fingerprint of a selected portion of a memory device to a host device. A host device executing at a host device may send a to a driver a command to produce digital fingerprint data. The command may include an output pointer indicating a memory location of the local memory. The driver may generate a modified command that does not include the output pointer. The driver may send the modified command to a memory device. The driver may receive a reply comprising the digital fingerprint data and write the digital fingerprint data to a location at the memory location of local memory of the host device indicated by the output pointer.

Abstract: The disclosed embodiments are related to securely updating a semiconductor device and in particular to a key management system. In one embodiment, a method is disclosed comprising receiving a request for an activation code database from a remote computing device, the request including at least one parameter; retrieving at least one pair based on the at least one parameter, the pair including a unique ID (UID) and secret key; generating an activation code for the UID; and returning the activation code to the remote computing device.

Abstract: Methods, systems, and devices for security techniques for low power state of memory device are described. A host device may initiate a low power state of a memory device. The host device may store a first value of a counter associated with the memory device operating in the low power state and transmit a command to the memory device to enter the low power state. The memory device may increment the counter based on receiving the command and increment the counter to a second value. The host device may validate the memory device based on a difference between the first value of the counter stored by the host device and the second value of the counter.

Abstract: A security server to validate identity data of computing devices having secure memory devices and track activities of components in the computing devices. The server system is configured to store data representative of a unique device secret sealed in the memory device. The server system can generate a first cryptographic key independently from the memory device generating a second cryptographic key. The memory device uses the second cryptographic key to generate identity data including a message and a verification code generated via cryptographic operations combining the message and the second cryptographic key. The server system can use the first cryptographic key to determine whether the verification code is valid for the message. If so, the security server can generate an activity record associating the activity of the computing device with identifications of respective components of the computing device confirmed via validation of the identity data.

Abstract: Methods, systems, and devices for performing cryptographic functions at a memory system are described to support integration of cryptographic primitives at a memory system to perform one or more cryptographic operations at the memory system. A host system may indicate, to a memory system, to perform one or more cryptographic operations, such as by sending a command to the memory system. In some cases, the indication may also include information associated with the cryptographic operation(s), an indication of an action to perform with a result of the cryptographic operation(s), or both. In response to the indication, the memory system may perform the indicated cryptographic operation(s) and may return, to the host system, an output associated with the cryptographic operation(s). The output may include a cryptographic value or data, an indication of a result of the cryptographic operation(s), an indication that the cryptographic operation(s) have been completed, or a combination thereof.

Abstract: An online service store to configure services for endpoints in connection with validating authenticity of the endpoints. For example, a service can be ordered for an endpoint prior to the use of the endpoint. After receiving a request having identity data generated by a memory device configured in the endpoint, a server system can determine, based on a secret of the memory device and other data stored about the endpoint, the validity of the identity data and thus the authenticity of the endpoint. Based on the service ordered for the endpoint, the server system causes the endpoint to be connected to a client server to receive the service. The server system can cause the firmware of the endpoint to be updated to enable the endpoint to receive the service from the client server.

Abstract: Methods, systems, and devices for remote provisioning of certificates for memory system provenance are described. The method may include a server receiving a first certificate that includes a first public key, a first signature generated using a first private key of a memory system, and an indication of a characteristic associated with the memory system. The server may verify the first signature and that the characteristic associated with the memory system is a valid characteristic for the memory system to have. The server may generate a second certificate that includes the first public key and a second signature generated using a second private key. The server may provide the second certificate to a host system such that the host may verify the provenance of the memory system.

Abstract: The disclosed embodiments are related to the generation of a personal identifier within a memory device. In one embodiment, a method is disclosed comprising generating an asymmetric key pair from a physically unclonable function (PUF), the asymmetric key pair including a public key and a private key; generating a certificate signing request (CSR) for the public key, the CSR including a user identifier and a customer public key; requesting a digital certificate of the public key from a certificate authority (CA), the certificate authority storing a mapping between the customer public key and the user identifier; receiving a message from a host device; signing the message using the private key; and transmitting the signed message and the digital certificate to a computing device.

Abstract: A storage device includes a memory storage region and a controller having a processor. The processor retrieves user data from the memory storage region using a physical block address corresponding to a logical block address (LBA), in response to a read command. The retrieved user data includes a first hash received through a host interface in a prior host data transmission. The processor further performs error correction on the user data to generate error-corrected user data. The processor further causes a cryptographic engine to produce a second hash of the error-corrected user data. The first hash is compared to the second hash associated with the error-corrected user data to determine a match result. A notification is generated in response to the match result.

Abstract: The disclosed embodiments are related to securely updating a semiconductor device and in particular to a key management system. In one embodiment, a method is disclosed comprising receiving a request for an activation code database from a remote computing device, the request including at least one parameter; retrieving at least one pair based on the at least one parameter, the pair including a unique ID (UID) and secret key; generating an activation code for the UID; and returning the activation code to the remote computing device.

Abstract: A storage device includes a memory storage region and a controller having a processor. The processor retrieves user data from the memory storage region using a physical block address corresponding to a logical block address (LBA), in response to a read command. The retrieved user data includes a first hash received through a host interface in a prior host data transmission. The processor further performs error correction on the user data to generate error-corrected user data. The processor further causes a cryptographic engine to produce a second hash of the error-corrected user data. The first hash is compared to the second hash associated with the error-corrected user data to determine a match result. A notification is generated in response to the match result.

Abstract: Disclosed are methods for utilizing a memory device as a security token. In one embodiment, a method includes receiving a request to perform an operation; transmitting a nonce to a memory device; receiving a second nonce from the memory device, the second nonce encrypted using a private key of the memory device; verifying the second nonce using a public key of the device, held by the host system; and executing the operation upon successfully verifying the second nonce.