US-20260127299-A1 - DATA ENCRYPTION USING A HARDWARE-BASED ENCRYPTION KEY

Abstract

Embodiments of the present disclosure relate to a method of encrypting a secret storage structure. The method may include storing a secret in a secret storage structure. The secret storage structure may be encrypted by encrypting the secret using a wrap key that is generated based at least on a hardware-based root key and a first context. The secret storage structure may additionally be encrypted by encrypting the secret storage structure using an authentication key that is generated based at least on the hardware-based root key and a second context.

Inventors

  • Taek RYOO
  • Stephen Wolfe
  • Akshay SHARAN
  • Mihir Joshi
  • Mustafa Bilgen
  • Mahesh LAGADAPATI
  • Tao Ye
  • Santosh KATVATE
  • Arun GONA

Assignees

  • NVIDIA CORPORATION

Dates

  • Publication Date: 20260507
  • Application Date: 20251230
  • Priority Date: 20230628

Claims (20)

  1. A machine comprising: at least one central processing unit (CPU); at least one graphics processing unit (GPU); at least one digital signal processor (DSP); at least one memory device; at least one radio frequency integrated circuit (RFIC); at least one network interface device (NID); a plurality of perception sensors of a plurality of sensor modalities; at least one display unit; and at least one communication bus allowing for communication between components of the machine, wherein the machine is to perform one or more encryption operations comprising: encrypting a dataset stored in a storage structure of the at least one memory device using a first key generated based at least on a hardware-based root key; and encrypting the storage structure using a second key generated based at least on the hardware-based root key used to generate the first key.
  2. The machine of claim 1, wherein one or more of the first key or the second key is further based at least on a context.
  3. The machine of claim 2, wherein the context corresponds to information unique to the machine.
  4. The machine of claim 2, wherein the context is the same for the first key and the second key.
  5. The machine of claim 2, wherein the context differs between the first key and the second key.
  6. The machine of claim 1, wherein the first key includes a wrap key and the second key includes an authentication key.
  7. The machine of claim 1, wherein the hardware-based root key is embedded in hardware of the machine.
  8. The machine of claim 1, wherein the dataset includes one or more of: an encryption key; personal data; or sensor data.
  9. A system comprising: at least one central processing unit (CPU); at least one graphics processing unit (GPU); at least one memory device; a plurality of perception sensors of a plurality of sensor modalities; at least one display unit; and at least one communication bus allowing for communication between components of the system, wherein the system is to perform one or more authentication operations comprising: authenticating a storage structure of the at least one memory device, at least, by decrypting the storage structure using an authentication key that is based at least on a hardware-based root key; and decrypting a secret stored in the storage structure using a wrap key that is based on the hardware-based root key.
  10. The system of claim 9, wherein: the authentication key is further based at least on a first context; and the wrap key is further based at least on a second context.
  11. The system of claim 10, wherein the first context and the second context are the same.
  12. The system of claim 10, wherein one or more of the first context or the second context corresponds to information unique to the system.
  13. The system of claim 9, wherein the authenticating of the storage structure further includes verifying a unique identifier of the storage structure.
  14. The system of claim 9, wherein the hardware-based root key is embedded in hardware of the system.
  15. The system of claim 9, wherein the system is included in an autonomous or semi-autonomous machine.
  16. One or more processors comprising processing circuitry to perform operations comprising: storing a secret in a secret storage structure; encrypting the secret using a wrap key that is based at least on a hardware-based root key; and encrypting the secret storage structure using an authentication key that is based at least on the hardware-based root key.
  17. The one or more processors of claim 16, wherein one or more of the wrap key or the authentication key is further based at least on a context.
  18. The one or more processors of claim 17, wherein the context corresponds to information unique to a machine.
  19. The one or more processors of claim 17, wherein the context is the same for the wrap key and the authentication key.
  20. The one or more processors of claim 17, wherein the context differs between the wrap key and the authentication key.
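
The two-layer scheme of claims 9 to 20, sketched as an added example (not code from the patent or its assignee). HKDF-SHA256 and AES-256-GCM are assumptions, since the page names no algorithms; `ROOT_KEY`, the `wrap:`/`auth:` context labels, the device and structure identifiers, and the plain identifier comparison are hypothetical.

```javascript
// Added example: two-layer protection of a secret storage structure.
// ROOT_KEY is a constructed stand-in for the fuse-burned hardware root key.
const { hkdfSync, createCipheriv, createDecipheriv, randomBytes } = require("node:crypto");

const ROOT_KEY = Buffer.alloc(32, 0x42); // constructed sample value, not a real key

// Derive a 256-bit key from the root key and a context string (HKDF-SHA256, assumed KDF).
function deriveKey(rootKey, context) {
  return Buffer.from(hkdfSync("sha256", rootKey, Buffer.alloc(0), context, 32));
}

// AES-256-GCM seal: returns nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// AES-256-GCM open: throws if the key is wrong or the blob was modified.
function open(key, blob) {
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Inner layer: the wrap key encrypts the secret. Outer layer: the authentication
// key encrypts the whole structure (identifier + wrapped secret).
function protect(rootKey, deviceId, structId, secret) {
  const wrapKey = deriveKey(rootKey, `wrap:${deviceId}`);
  const authKey = deriveKey(rootKey, `auth:${deviceId}`);
  const wrapped = seal(wrapKey, Buffer.from(secret));
  const structure = JSON.stringify({ id: structId, secret: wrapped.toString("base64") });
  return seal(authKey, Buffer.from(structure));
}

// Authenticate first (outer decrypt + identifier check), then unwrap the secret.
function recover(rootKey, deviceId, structId, blob) {
  const authKey = deriveKey(rootKey, `auth:${deviceId}`);
  const structure = JSON.parse(open(authKey, blob).toString());
  if (structure.id !== structId) throw new Error("unexpected structure identifier");
  const wrapKey = deriveKey(rootKey, `wrap:${deviceId}`);
  return open(wrapKey, Buffer.from(structure.secret, "base64")).toString();
}
```

In this sketch a structure opened under a different device context, or with any byte altered, is rejected at the outer layer before the wrap key is derived.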

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 18/353,727 filed on Jul. 17, 2023, the entire disclosure of which is hereby incorporated in this document by this reference.

BACKGROUND

Many systems may be configured to protect at least a subset of data as secret, such as, for example, sensor data, encryption keys, video streams, medical data, client-specific data, device secrets, and/or other sensitive information that may be designated for protection from disclosure, substitution, and/or compromise. Some systems may be configured to protect data as secret using a variety of cryptographic encryption and/or authentication techniques. For example, secrets may be encrypted using various applications of symmetric and asymmetric encryption, where encryption and subsequent decryption may be facilitated through one or more generated keys.

In some instances, these systems may use these secrets to perform one or more tasks. For example, a system may correspond to a system of an ego-machine—such as autonomous vehicles, semi-autonomous vehicles, drones, robots, etc.—that may use data protected as secret to perform one or more control operations (e.g., controlling the ego-machine from point A to point B). By way of example and not limitation, in the context of an autonomous vehicle, the vehicle may use substantially real-time video, location data, and/or user information to properly control the vehicle from point A to point B. Continuing the example, the substantially real-time video, location data, and/or user information may be sensitive such that protection from hackers and outside entities attempting to collect and use that information may be useful or required—e.g., to ensure safety of the system and/or to protect personal information. In some instances, one or more secrets may be protected because of the preference of the user. Additionally or alternatively, some industries, companies, and/or standards—such as ISO 26262 related to functional safety of road vehicles—may require that certain types of data or information are protected as secret.

Some approaches to securely storing information include embedding the sensitive information into hardware of a system (e.g., one or more fuses included in the hardware). One limitation of storing sensitive information on hardware associated with the system is the limited storage space. For example, a system may include a finite number of fuses where information may be embedded. Furthermore, sensitive information stored by embedding the information into one or more fuses may not be easily accessible and may not be easily shared with other users, systems, devices, and/or entities that may need access to the sensitive information. As such, storing all sensitive information on hardware may not be feasible.

Other techniques for encrypting sensitive information may use one or more encryption techniques only associated with the software package storing the sensitive information. However, such an approach may not be secure enough and may be prone to leaking information, access by hackers, and/or may not be tied to a structure, hardware, and/or embedded platform. Such problems are exacerbated in product lines where manufacturing and development processes may include multiple parties exchanging parts and information.

SUMMARY

According to one or more embodiments of the present disclosure, a secret storage structure may be implemented, and associated secret data stored within the secret storage structure may be encrypted and authenticated. In particular, the data stored within the secret storage structure may correspond to one or more secrets, and both the secrets and the secret storage structure may be encrypted.

In some embodiments, the secrets may be encrypted using an encryption key (a “wrap key”) and/or the secret storage structure itself may be encrypted with a second encryption key (an “authentication key”). In some embodiments, the wrap key and the authentication key may be derived from a hardware-based root encryption key where the wrap key is derived using a first context (a “wrap context”) and the authentication key may be derived using a second context (an “authentication context”). In some embodiments, the secret storage structure may be authenticated by decrypting the secret storage structure using the authentication key and subsequently verifying the unique identifier using a cryptographic algorithm. Additionally or alternatively, the one or more secrets may be accessed by decrypting the one or more secrets in the secret storage structure using the wrap key.

In some embodiments, the hardware-based root key may be embedded in hardware of a system associated with the one or more secrets and/or the secret storage structure. For example, the hardware-based root key may be burned into one or more fuses of the system. Additionally or alternatively, the authentication key and the wrap key may be derived from the hardw