US-12619791-B2 - Encrypted key management

Abstract

Examples of systems and methods described herein provide for erasing an encrypted key used for data access to a non-volatile memory device. A memory controller may generate an encrypted key for data access to non-volatile memory devices; and, to provide security of data stored on the non-volatile memory devices, the memory controller may store the encrypted key in a local cache of the memory controller. The encrypted key may be erased responsive to losing power or powering down of the memory controller. Advantageously, the data stored at the non-volatile memory device may not be accessed when the memory controller (or a computing device implementing the memory controller) loses power. Accordingly, if a malicious actor were to physically remove (or steal) a computing device implementing the memory controller (e.g., a laptop computer), in an attempt to acquire the data, the data stored on the non-volatile memory devices could not be accessed.

Inventors

  • DAVID HULTON
  • Jeremy Chritz

Assignees

  • MICRON TECHNOLOGY, INC.

Dates

Publication Date: 20260505
Application Date: 20210111

Claims (20)

  1. A method comprising: writing, to a cache coupled to a volatile memory device and a memory controller, an encrypted key to provide authenticated access to encrypted data stored at a plurality of non-volatile memory devices coupled to the volatile memory device and the memory controller, wherein the encrypted data is accessible at a host coupled to the plurality of non-volatile memory devices using the memory controller, wherein the encrypted key is specific to data associated with a memory address of a memory access request, and wherein the memory address of the memory access request corresponds to a memory address of at least one of the plurality of non-volatile memory devices; detecting, by the memory controller a loss of power by comparing a received voltage to a threshold operating voltage; determining, by the memory controller and using a timing circuit, that a duration of the loss of power exceeds a threshold amount of time; and responsive to the determination that the duration of the loss of power exceeds the threshold amount of time, erasing the stored encrypted key for the plurality of non-volatile memory devices.
  2. The method of claim 1, further comprising: receiving a power down indication for the volatile memory device that is electrically connected to at least one non-volatile memory device of the plurality of non-volatile memory devices.
  3. The method of claim 2, wherein the volatile memory device that is electrically connected to the at least one non-volatile memory device is powered by a computing device electrically connected to a power source.
  4. The method of claim 3, wherein the computing device electrically connected to the power source is the memory controller.
  5. The method of claim 1, wherein the plurality of non-volatile memory devices comprise at least one of a NAND memory device or a 3D XPoint memory device.
  6. The method of claim 1, further comprising: receiving a pseudorandom value from a pseudorandom number generator; encrypting a key for at least one non-volatile memory device of the plurality of non-volatile memory devices based partly on the pseudorandom value; and providing the encrypted key for the at least one non-volatile memory device to the at least one non-volatile memory device.
  7. The method of claim 6, wherein encrypting the key for the at least one non-volatile memory device based partly on the pseudorandom value comprises using an authenticated stream cipher to generate the key.
  8. The method of claim 7, wherein the authenticated stream cipher comprises an advanced encryption standard (AES) cipher that uses the pseudorandom value as an initialization vector.
  9. The method of claim 1, wherein the threshold amount of time is set by a user, or wherein the threshold amount of time is based on a flicker metric.
  10. The method of claim 1, wherein erasing the stored encrypted key includes terminating, by the memory controller, a connection between the cache and a power supply.
  11. A method comprising: receiving, from a host computing device coupled to a plurality of non-volatile memory devices, a memory access request for a non-volatile memory device of the plurality of non-volatile memory devices; responsive to the memory access request, encrypting, at encryption logic comprising an advanced encryption standard (AES) cipher, a key for data associated with the memory access request, wherein the key is to provide authenticated access, by the host computing device, to encrypted data stored at the plurality of non-volatile memory devices, wherein the encrypted key is specific to data associated with a memory address of the memory access request, and wherein the memory address of the memory access request corresponds to a memory address of at least one of the plurality of non-volatile memory devices; writing, to a cache of a memory controller, the key for the plurality of non-volatile memory devices; providing, to at least one non-volatile memory device, the key for accessing, by the host computing device, data associated with the memory access request; detecting, by the memory controller, a loss of power by comparing a received voltage to a threshold operating voltage; determining, by the memory controller and using a timing circuit, that a duration of the loss of power exceeds a threshold amount of time; and erasing, by the memory controller, the key when the duration of the loss of power exceeds the threshold amount of time.
  12. The method of claim 11, further comprising: powering down the memory controller.
  13. The method of claim 11, further comprising: receiving a power down indication for the memory controller; and disconnecting an electrical connection to the memory controller.
  14. The method of claim 13, wherein the host computing device comprises the memory controller, and wherein disconnecting the electrical connection to the memory controller comprises disconnecting an electrical connection of host computing device.
  15. The method of claim 11, wherein writing, to the cache of a memory controller, the key for the at least one non-volatile memory device comprises configuring the cache of the memory controller to be associated with the AES cipher.
  16. The method of claim 11, further comprising: providing/retrieving, to/from the at least one non-volatile memory device, the data associated with the memory access request using the key.
  17. The method of claim 16, when retrieving from the at least one non-volatile memory device the data associated with the memory access request, the method further comprising: decrypting the data associated with the memory request using the key.
  18. An apparatus comprising: encryption logic configured to encrypt a key configured to provide authenticated access, by a host, to encrypted data stored at a plurality of non-volatile memory devices coupled to the host, wherein the encrypted key is specific to data associated with a memory address of a memory access request and wherein the memory address of the memory access request corresponds to a memory address of at least one of the plurality of non-volatile memory devices; a cache of a volatile memory configured to store the key; a memory bus coupled to the plurality of non-volatile memory devices, the encryption logic further configured to provide, via the memory bus, the key to at least one non-volatile memory device of the plurality of non-volatile memory devices coupled to the host; and a memory controller configured to detect a loss of power by comparing a received voltage to a threshold operating voltage and to erase the key from the cache when a duration of the loss of power exceeds a threshold amount of time.
  19. The apparatus of claim 18, wherein the at least one non-volatile memory device comprises a NAND memory device and the memory bus comprises an NVDIMM bus.
  20. The apparatus of claim 18, wherein the encryption logic is further configured to receive the memory access request from the host via a PCIe bus and to provide the key with the memory access request.
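
The power-loss logic recited in claims 1, 11 and 18 (compare the received voltage to a threshold, time the loss, erase the key only when the loss outlasts the time threshold) can be modelled as follows. This is an added example, not code from the patent or from Micron; the struct and function names, the 3000 mV threshold, the 3-tick limit and the tick-based software timer standing in for the timing circuit are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 32

/* Hypothetical controller state; field names and values are assumptions. */
struct key_guard {
    volatile uint8_t key_cache[KEY_LEN]; /* key held in the volatile cache */
    uint32_t threshold_mv;   /* threshold operating voltage */
    uint32_t max_loss_ticks; /* threshold amount of time, in timer ticks */
    uint32_t loss_ticks;     /* timing circuit: consecutive ticks below threshold */
    bool key_valid;
};

/* Called once per timer tick with the sampled supply voltage.
 * Returns true when this tick caused the key to be erased. */
bool key_guard_tick(struct key_guard *g, uint32_t supply_mv) {
    if (supply_mv >= g->threshold_mv) {
        g->loss_ticks = 0;   /* power restored: a short flicker is tolerated */
        return false;
    }
    if (++g->loss_ticks <= g->max_loss_ticks || !g->key_valid)
        return false;
    for (size_t i = 0; i < KEY_LEN; i++)
        g->key_cache[i] = 0; /* volatile stores are not optimized away */
    g->key_valid = false;
    return true;
}

/* Runs a trace against a fresh guard (3000 mV, 3 ticks). Returns the tick
 * index at which the key was erased, or -1 if it was never erased. */
int run_trace(const uint32_t *mv, size_t n) {
    struct key_guard g = { .threshold_mv = 3000, .max_loss_ticks = 3, .key_valid = true };
    for (size_t i = 0; i < KEY_LEN; i++) g.key_cache[i] = 0xA5; /* constructed key */
    for (size_t t = 0; t < n; t++)
        if (key_guard_tick(&g, mv[t])) return (int)t;
    return -1;
}

/* Constructed supply-voltage traces in millivolts, one sample per tick. */
const uint32_t FLICKER[] = {3300, 3300, 2100, 1800, 3300, 3300, 2500, 3300};
const uint32_t OUTAGE[]  = {3300, 2900, 2000, 900, 0, 0, 0};

int main(void) {
    printf("flicker: %d\n", run_trace(FLICKER, 8));
    printf("outage:  %d\n", run_trace(OUTAGE, 7));
    return 0;
}
```

The flicker trace dips below the threshold for at most two ticks and keeps the key, while the outage trace erases it on the fourth consecutive low sample.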

Description

TECHNICAL FIELD

Embodiments of the disclosure relate generally to memory, and more particularly, in one or more of the illustrated embodiments, to erasing an encrypted key used for data access to a non-volatile memory device.

BACKGROUND

Emerging memory architectures are designed to handle a range of memory access requests and may include memories with different characteristics. For example, memory may include dynamic random-access memory (DRAM) and phase-change memory (PCM). Non-volatile memories may be highly non-uniform. For example, certain NAND flash memories (e.g., based on page type) may be faster to read or write than others, with latencies changing as they wear out, or with different levels of cell (e.g., multi-level-cells (MLC)), among different NAND flash memories. Emerging memory architectures may also utilize non-volatile dual in-line memory modules (NVDIMMs), such as NVDIMM-P or NVDIMM/M-F. NVDIMMs generally include both a non-volatile and a volatile memory device. Non-volatile memory generally retains its contents even when power is temporarily or permanently removed, such as NAND memory. Volatile memory generally would lose its contents when power is permanently, or in some cases temporarily, removed from the device. However, volatile memory may have some improved characteristics over non-volatile memory (e.g., volatile memory may be faster).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustration of a memory system interacting in accordance with examples described herein.
FIG. 2 is a schematic illustration of a memory system interacting in accordance with examples described herein.
FIG. 3 is a schematic illustration of a method in accordance with examples described herein.
FIG. 4 is a schematic illustration of a method in accordance with examples described herein.

DETAILED DESCRIPTION

Cryptographic methods may use block ciphers to provide security for data, e.g., to authenticate data using a cryptographic key. For example, a cryptographic key may transform data from plaintext to ciphertext when encrypting; and vice-versa when decrypting. A block cipher provides a block transformation of information bits to encrypt (or conversely, to decrypt) data. For example, the Advanced Encryption Standard (AES) is a type of block cipher. Additionally, a block cipher may operate in different modes within a cryptographic device/method, e.g., as a “stream cipher” in which a counter is used. For example, the counter may be used as a basis to alter the underlying cryptographic key used by the block cipher, such that the cryptographic key changes over time; to, in turn, alter data in an encrypted stream of data. For example, Galois/Counter Mode (GCM) is a type of stream cipher.

It may be complex and cumbersome to secure NVDIMM devices. Examples of systems and methods described herein provide for erasing an encrypted key used for data access to a non-volatile memory device.

Computing devices that regularly access memory devices may do so through a memory controller. For example, a host computing device may generate memory access requests which are routed through a memory controller that controls access to various coupled memory devices, which may be non-volatile memory devices. Generally, a memory access request can be or include a command and an address, for example, a memory command and a memory address. In various implementations, the memory access request may be or include a command and an address for a read operation, a write operation, an activate operation, or a refresh operation at coupled non-volatile memory devices. Generally, a received command and address may facilitate the performance of memory access operations at coupled memory devices, such as read operations, write operations, activate operations, and/or refresh operations for the coupled memory devices.

Using the systems and methods described herein, a memory controller may generate an encrypted key that may be used to access data stored in one or more non-volatile memory devices. For example, the encrypted key may be written to a cache coupled to a volatile memory device or a cache that is a volatile memory device. To provide security of data stored on the non-volatile memory devices, the memory controller may store the encrypted key in a local cache of the memory controller. For example, the local cache at the memory controller may be a volatile memory device. In the example, because the encrypted key is stored in a volatile memory device of the memory controller, the encrypted key is erased when the memory controller loses electrical connection to a power source or is powered down. For example, the encrypted key may be erased responsive to the powering down (e.g., a power down indication received), or by virtue of the volatile memory device having lost power. Accordingly, the data stored at the non-volatile memory device may not be accessed when the memory controller (or a computing device implementing the memory controller) l