Patents by Inventor Paul C. Kocher
Paul C. Kocher has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11895109Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.Type: GrantFiled: April 15, 2022Date of Patent: February 6, 2024Assignee: Cryptography Research, Inc.Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Patent number: 11797683Abstract: A method for performing a security chip protocol comprises receiving, by processing hardware of a security chip, a message from a first device as part of performing the security chip protocol. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware determines a path through a key tree based at least in part on the message. The processing hardware derives a validator at least in part from the secret value using a sequence of entropy redistribution operations associated with the path through the key tree. The processing hardware exchanges the validator between the security chip and the first device as part of the security chip protocol in order to authenticate at least one of the security chip or the first device.Type: GrantFiled: July 21, 2021Date of Patent: October 24, 2023Assignee: Cryptography Research, Inc.Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
-
Publication number: 20220329587Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.Type: ApplicationFiled: April 15, 2022Publication date: October 13, 2022Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Patent number: 11310227Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.Type: GrantFiled: February 28, 2020Date of Patent: April 19, 2022Assignee: Cryptography Research, Inc.Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Publication number: 20220083665Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.Type: ApplicationFiled: July 21, 2021Publication date: March 17, 2022Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
-
Patent number: 11074349Abstract: A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree. The first device then sends the validator to the second device.Type: GrantFiled: January 4, 2019Date of Patent: July 27, 2021Assignee: CRYPTOGRAPHY RESEARCH, INC.Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
-
Patent number: 10902096Abstract: A media storage device includes a media security controller circuit and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller circuit sends a message to the rendering device that causes the rendering device to obtain a portion of data from memory of the media storage device and provide it to the media security controller circuit. The portion is received and transformed by the media security controller circuit. The media security controller circuit sends the transformed portion to the rendering device.Type: GrantFiled: October 28, 2019Date of Patent: January 26, 2021Assignee: Cryptography Research, Inc.Inventors: Paul C. Kocher, Helena Handschuh
-
Publication number: 20200267142Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.Type: ApplicationFiled: February 28, 2020Publication date: August 20, 2020Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Publication number: 20200125697Abstract: A media storage device includes a media security controller circuit and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller circuit sends a message to the rendering device that causes the rendering device to obtain a portion of data from memory of the media storage device and provide it to the media security controller circuit. The portion is received and transformed by the media security controller circuit. The media security controller circuit sends the transformed portion to the rendering device.Type: ApplicationFiled: October 28, 2019Publication date: April 23, 2020Inventors: Paul C. Kocher, Helena Handschuh
-
Patent number: 10581838Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command. The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.Type: GrantFiled: June 11, 2018Date of Patent: March 3, 2020Assignee: Cryptography Research, Inc.Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Publication number: 20190377879Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.Type: ApplicationFiled: January 4, 2019Publication date: December 12, 2019Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
-
Patent number: 10460084Abstract: A media storage device includes a media security controller circuit and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller circuit sends a message to the rendering device that causes the rendering device to obtain a portion of data from memory of the media storage device and provide it to the media security controller circuit. The portion is received and transformed by the media security controller circuit. The media security controller circuit sends the transformed portion to the rendering device.Type: GrantFiled: September 5, 2018Date of Patent: October 29, 2019Assignee: Cryptography Research, Inc.Inventors: Paul C. Kocher, Helena Handschuh
-
Patent number: 10262141Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.Type: GrantFiled: December 30, 2016Date of Patent: April 16, 2019Assignee: Cryptography Research, Inc.Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
-
Publication number: 20190018934Abstract: A media storage device includes a media security controller circuit and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller circuit sends a message to the rendering device that causes the rendering device to obtain a portion of data from memory of the media storage device and provide it to the media security controller circuit. The portion is received and transformed by the media security controller circuit. The media security controller circuit sends the transformed portion to the rendering device.Type: ApplicationFiled: September 5, 2018Publication date: January 17, 2019Inventors: Paul C. Kocher, Helena Handschuh
-
Patent number: 10120985Abstract: A media storage device includes a media security controller and a memory to store data that relates to a media item to be rendered by a rendering device. The media security controller sends a message in response to the rendering device reading an authorization file. The message being for the rendering device to read a portion of data from the memory and to provide the portion of data to the media security controller. The media security controller receives the portion of the data from the rendering device, trans forms the portion of the data, and sends the transformed portion of the data to the rendering device.Type: GrantFiled: July 17, 2013Date of Patent: November 6, 2018Assignee: Cryptography Research, Inc.Inventors: Paul C. Kocher, Helena Handschuh
-
Publication number: 20180295127Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to create a Module and executes a Module Template to generate the Module in response to the first command The RA device receives a second command to create a deployment authorization message. The Module and the deployment authorization message are deployed to an Appliance device. A set of instructions of the Module, when permitted by the deployment authorization message and executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device.Type: ApplicationFiled: June 11, 2018Publication date: October 11, 2018Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Patent number: 10015164Abstract: The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a command to create a Module and executes a Module Template to generate the Module in response to the command. The Module is deployed to an Appliance device. A set of instructions of the Module, when executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device. The Appliance device is configured to distribute the data asset to a cryptographic manager (CM) core of the target device.Type: GrantFiled: November 6, 2014Date of Patent: July 3, 2018Assignee: Cryptography Research, Inc.Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Patent number: 9940772Abstract: Chip cards are used to secure credit and debit payment transactions. To prevent fraudulent transactions, the card must protect cryptographic keys used to authenticate transactions. In particular, cards should resist differential power analysis and/or other attacks. To address security risks posed by leakage of partial information about keys during cryptographic transactions, cards may be configured to perform periodic cryptographic key update operations. The key update transformation prevents adversaries from exploiting partial information that may have been leaked about the card's keys. Update operations based on a hierarchical structure can enable efficient transaction verification by allowing a verifying party (e.g., an issuer) to derive a card's current state from a transaction counter and its initial state by performing one operation per level in the hierarchy, instead of progressing through all update operations performed by the card.Type: GrantFiled: October 24, 2007Date of Patent: April 10, 2018Assignee: CRYPTOGRAPHY RESEARCH, INC.Inventor: Paul C. Kocher
-
Patent number: 9923890Abstract: The embodiments described herein describe technologies for pre-computed data (PCD) asset generation and secure deployment of the PCD asset to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a first command to generate a unique PCD asset for a target device. In response, the RA device generates the PCD asset and packages the PCD asset for secure deployment of the PCD asset to the target device and to be used exclusively by the target device. The RA device deploys the packaged PCD asset in a CM system for identification and tracking of the target device.Type: GrantFiled: November 6, 2014Date of Patent: March 20, 2018Assignee: Cryptography Research, Inc.Inventors: Michael Hamburg, Benjamin Che-Ming Jun, Paul C. Kocher, Daniel O'Loughlin, Denis Alexandrovich Pochuev
-
Patent number: 9852572Abstract: Methods and apparatuses for increasing the leak-resistance of cryptographic systems are disclosed. A cryptographic token maintains secret key data based on a top-level key. The token can produce updated secret key data using an update process that makes partial information that might have previously leaked to attackers about the secret key data no longer usefully describe the new updated secret key data. By repeatedly applying the update process, information leaking during cryptographic operations that is collected by attackers rapidly becomes obsolete. Thus, such a system can remain secure against attacks involving analysis of measurements of the device's power consumption, electromagnetic characteristics, or other information leaked during transactions. Transactions with a server can be secured with the token.Type: GrantFiled: September 26, 2011Date of Patent: December 26, 2017Assignee: CRYPTOGRAPHY RESEARCH, INC.Inventor: Paul C. Kocher