US-12621167-B2 - Method of updating device certificate and device for driving the method

Abstract

A device may include processing circuitry configured to, generate a device identifier associated with the device, and generate a unique endorsement identity (ID) associated with the device identifier, a first layer sub-circuit configured to, receive the device identifier, and generate a first certificate and a second certificate based on the device identifier and the unique endorsement ID, the first certificate and the second certificate including information to authenticate the device, and the processing circuitry is further configured to, receive the first certificate and the second certificate, and verify whether the device has been modified based on the first certificate and the second certificate, wherein, in response to the first layer sub-circuit being modified, the first layer sub-circuit is further configured to, generate an endorsement key based on a new unique endorsement ID, and generate a certificate signing request for the new unique endorsement ID based on the endorsement key.

Inventors

  • Younsung CHU

Assignees

  • SAMSUNG ELECTRONICS CO., LTD.

Dates

Publication Date
20260505
Application Date
20230829
Priority Date
20220831

Claims (18)

  1. A device comprising: processing circuitry configured to, generate a device identifier associated with the device, and generate a unique endorsement identity associated with the device identifier; a first layer sub-circuit configured to, receive the device identifier, and generate a first certificate and a second certificate based on the device identifier and the unique endorsement identity, the first certificate and the second certificate including information to authenticate the device; and the processing circuitry is further configured to, receive the first certificate and the second certificate, and verify whether the device has been modified based on the first certificate and the second certificate, wherein, in response to the first layer sub-circuit being modified, the first layer sub-circuit is further configured to, generate an endorsement key based on a new unique endorsement identity, and generate a certificate signing request for the new unique endorsement identity based on the endorsement key.
  2. The device of claim 1, wherein the processing circuitry is further configured to generate the device identifier by inputting unique device secret data into a first function.
  3. The device of claim 2, wherein the processing circuitry is further configured to generate the unique endorsement identity by inputting the unique device secret data into a second function.
  4. The device of claim 1, wherein the first layer sub-circuit is further configured to generate an endorsement private key and an endorsement public key.
  5. The device of claim 4, wherein the first layer sub-circuit is further configured to generate an endorsement certificate signing request based on the endorsement private key and the endorsement public key.
  6. The device of claim 1, wherein the processing circuitry is further configured to verify whether the first layer sub-circuit has been modified based on the second certificate and the certificate signing request.
  7. The device of claim 6, wherein the first layer sub-circuit is further configured to: determine whether the first layer sub-circuit has been modified; and update a certificate chain based on the certificate signing request and results of the determination.
  8. A method of updating a device certificate, the method comprising: generating a device identifier associated with a desired device; generating a unique endorsement identity associated with the device identifier; transmitting the device identifier to a first layer sub-circuit, the transmitting causing the first layer sub-circuit to, generate a first certificate and a second certificate based on the device identifier and the unique endorsement identity, the first certificate and the second certificate including information to authenticate the desired device; receiving the first certificate and the second certificate; and verifying whether the desired device has been modified based on the first certificate and the second certificate, wherein, in response to the first layer sub-circuit being modified, the first layer sub-circuit is further caused to generate the first certificate and the second certificate by generating an endorsement key based on a new unique endorsement identity, and generating a certificate signing request for the new unique endorsement identity based on the endorsement key.
  9. The method of claim 8, wherein the generating the device identifier further comprises generating the device identifier by inputting unique device secret data into a first function.
  10. The method of claim 9, wherein the generating the unique endorsement identity further comprises generating the unique endorsement identity by inputting the unique device secret data into a second function.
  11. The method of claim 8, wherein the generating the endorsement key further comprises generating an endorsement private key and an endorsement public key.
  12. The method of claim 11, wherein the generating the first certificate and the second certificate: further comprises generating an endorsement certificate signing request based on the endorsement private key and the endorsement public key.
  13. The method of claim 8, wherein the verifying whether the desired device has been modified further comprises determining whether the first layer sub-circuit has been modified based on the first certificate, the second certificate, and the certificate signing request.
  14. The method of claim 13, wherein the verifying whether the desired device has been modified further comprises updating a certificate chain of the desired device based on the certificate signing request and results of determining whether the first layer sub-circuit has been modified.
  15. A method comprising: verifying an intermediate certificate based on a root certificate combined with the intermediate certificate to form a root certificate chain; determining whether a bootloader of a device has been modified by verifying a device certificate based on the intermediate certificate combined with the device certificate to form a device certificate chain; and updating the device certificate chain based on a device certificate signing request, the device certificate signing request generated based on a unique endorsement identity associated with a device identifier associated with the device, and results of the determining whether the bootloader of the device has been modified, wherein the updating the device certificate chain includes, combining a new device certificate and the intermediate certificate, verifying a modification of the bootloader included in the device based on the root certificate, the intermediate certificate, and the device certificate signing request, and updating the device certificate chain based on the device certificate signing request in response to results of determining whether the bootloader has been modified.
  16. The method of claim 15, further comprising: generating the device identifier associated with the device; and generating the unique endorsement identity associated with the device identifier by inputting unique device secret data into a first function and a second function, respectively.
  17. The method of claim 15, wherein the updating of the device certificate chain comprises: generating an endorsement private key and an endorsement public key; and generating an endorsement key based on the endorsement private key and the endorsement public key.
  18. The method of claim 17, wherein the updating of the device certificate chain further comprises: generating an endorsement certificate signing request based on the endorsement private key and the endorsement public key.
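
The derivation in claims 2 to 5 and the modification check in claim 6 can be sketched as follows. This is an added example, not code from the patent or the assignee. Assumptions: HMAC-SHA-256 stands in for the unnamed first and second functions, Ed25519 for the endorsement key, a hash of the first-layer image is mixed into the endorsement identity (in the style of DICE-like derivations) so that a modified layer yields a new identity, and all function names and labels are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// derive stands in for the claims' first/second function (assumed: HMAC-SHA-256 keyed with the device secret).
func derive(uds []byte, label string, extra []byte) []byte {
	m := hmac.New(sha256.New, uds)
	m.Write(append([]byte(label), extra...))
	return m.Sum(nil)
}

// DeviceID depends on the unique device secret only, so it survives a first-layer update.
func DeviceID(uds []byte) []byte { return derive(uds, "device-id", nil) }

// EndorsementID also mixes in a hash of the first-layer image (assumption, not stated in the claims).
func EndorsementID(uds, layer []byte) []byte {
	h := sha256.Sum256(layer)
	return derive(uds, "endorsement-id", h[:])
}

// EndorsementCSR derives the endorsement key pair from the endorsement ID and signs a CSR with it.
func EndorsementCSR(uds, layer []byte) ([]byte, error) {
	priv := ed25519.NewKeyFromSeed(EndorsementID(uds, layer)) // 32-byte seed
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: fmt.Sprintf("%x", DeviceID(uds))}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

// LayerModified checks the CSR's self-signature, then reports whether its key differs from the enrolled one.
func LayerModified(enrolled ed25519.PublicKey, csrDER []byte) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return false, fmt.Errorf("CSR unparsable or badly signed (parse error: %v)", err)
	}
	return !enrolled.Equal(csr.PublicKey), nil
}

func main() {
	uds := []byte("constructed-device-secret") // constructed sample value
	enrolled := ed25519.NewKeyFromSeed(EndorsementID(uds, []byte("bootloader v1"))).Public().(ed25519.PublicKey)
	csr, _ := EndorsementCSR(uds, []byte("bootloader v2"))
	fmt.Println(LayerModified(enrolled, csr))
}
```

A verifier that sees a validly signed CSR with an unfamiliar endorsement key still has to decide, out of band, whether the new first layer is authorized before issuing the replacement device certificate.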

Description

CROSS-REFERENCE TO RELATED APPLICATION

This U.S. non-provisional application is based on and claims the benefit of priority under 35 U.S.C. § 119 to Korean Patent Application No. 10-2022-0110324, filed on Aug. 31, 2022, in the Korean Intellectual Property Office, the disclosure of which is incorporated by reference herein in its entirety.

BACKGROUND

Various example embodiments of the inventive concepts relate to a method of updating a device certificate, a non-transitory computer readable medium including computer readable instructions for performing the method, and/or a device for performing the method, etc., and more particularly, to a method of verifying a certificate for identification of a device and updating a certificate chain when a device is changed, updated, and/or modified, etc.

Generally, in a public key infrastructure (PKI), a digital signature is generated between devices by using a private key, and the digital signature is verified by using a public key. In the PKI, a certificate authority issues a certificate to endorse the public key, and verify whether a public key issued by the certificate authority is correct through chain verification of the certificate to verify the public key of a device. When a manufacturing subject of a device is changed, the certification authority issues a new certificate. In this case, a secure protocol and data model (SPDM) is used.

SUMMARY

According to at least one example embodiment, a device generating a security signal associated with a secure protocol and data model (SPDM) may include read-only memory (ROM), a device identify certificate engine, a bootloader, and/or firmware, etc., and in response to the bootloader being updated by the subject of usage of the device, an error may occur while the device is driven.

Various example embodiments of the inventive concepts provide a method of updating a certificate, wherein the method enables a normal operation of a device even when a bootloader is changed.

According to at least one example embodiment of the inventive concepts, there is provided a device including processing circuitry configured to, generate a device identifier associated with the device, and generate a unique endorsement identity (ID) associated with the device identifier, a first layer sub-circuit configured to, receive the device identifier, and generate a first certificate and a second certificate based on the device identifier and the unique endorsement ID, the first certificate and the second certificate including information to authenticate the device, and the processing circuitry is further configured to, receive the first certificate and the second certificate, and verify whether the device has been modified based on the first certificate and the second certificate, wherein, in response to the first layer sub-circuit being modified, the first layer sub-circuit is further configured to, generate an endorsement key based on a new unique endorsement ID, and generate a certificate signing request for the new unique endorsement ID based on the endorsement key. 

According to at least one example embodiment of the inventive concepts, there is provided a method of updating a device certificate, the method including generating a device identifier associated with a desired device, generating a unique endorsement identity (ID) associated with the device identifier, transmitting the device identifier to a first layer sub-circuit, the transmitting causing the first layer sub-circuit to, generate a first certificate and a second certificate based on the device identifier and the unique endorsement ID, the first certificate and the second certificate including information to authenticate the desired device, receiving the first certificate and the second certificate, and verifying whether the desired device has been modified based on the first certificate and the second certificate, wherein, in response to the first layer being modified, the first layer sub-circuit is further caused to generate the first certificate and the second certificate by generating an endorsement key based on a new unique endorsement ID, and generating a certificate signing request for the new unique endorsement ID based on the endorsement key.

According to at least one example embodiment of the inventive concepts, there is provided a method of updating a certificate of a device, the method including, verifying an intermediate certificate based on a first certificate chain of a root certificate, verifying whether a bootloader of the device has been modified based on a second certificate chain of the intermediate certificate, and updating a device certificate chain to the intermediate certificate based on a device certificate signing request and results of the verifying whether the bootloader of the device has been modified.

BRIEF DESCRIPTION OF THE DRAWINGS

Various example embodiments of the inventive concepts will be more clearly understood from the following detailed description