Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-01-27
2001-03-13
Swann, Tod R. (Department: 2767)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
Reexamination Certificate
active
06202152
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates generally to access of encrypted memory. More particularly, this invention relates to a system and method for reducing the number of memory access requests to encrypted memory where the encrypted information is decrypted in fixed-size, multiple-byte blocks.
BACKGROUND OF THE INVENTION
Cryptography, the science of keeping data secure, has expanded significantly in the private sector over the last decade. What was once almost exclusively the domain of the military is now practiced by private citizens and business entities worldwide to ensure secrecy of information and messages. Rights of privacy, business and political strategies are just a few of the many reasons why data encryption may be desired. The proliferation of computer use and global computer networks has caused the demand for secure computer practices to increase dramatically.
Various encryption techniques have resulted from the great demand for information security. Other encryption techniques have existed for quite some time, and although were originally conceived for use by the military, are used extensively by the public. Once such encryption technique is the data encryption standard (DES) which has been a worldwide standard for over 20 years. DES inputs a 64-bit block of plaintext, and outputs a 64-bit block of encrypted data using a digital key. The same algorithm that is used to encrypt the information is also used to decrypt information that was DES encrypted.
Many encryption techniques, such as DES, work as block ciphers which encrypt and decrypt data in blocks of a predetermined number of bits. For example, DES encrypts and decrypts data in 64-bit blocks which therefore requires a 64-bit input. However, there are many situations where a smaller data segment is being used. For example, where a 16-bit data segment is to be read from an encrypted memory, 64-bits are read into the DES engine to perform the decryption. This results in inefficiencies which directly affect the speed of the system.
It would be desirable for users to be able to use known encryption standards such as DES without accepting an efficiency penalty. Some prior art systems have simply accepted this penalty in accessing information of lesser byte counts than the encryption block supports. Other prior art systems have incorporated cache memories to store blocks of decrypted data. However, cache memory is complex and expensive.
The problem of fixed-size encryption/decryption algorithms is particularly evident in the context of computer power up and initialization. In less sophisticated computer systems of the past, information stored in boot ROMs (read-only memories) may have been held to a minimum. In today's computer systems, the boot ROM may involve very complicated algorithms in which information security may be desired. Encrypting the information stored in the boot ROM can provide this security, but at a cost. Because many computer systems access boot ROM information in segments much less than the 8-byte input required in decryption engines such as DES, each data segment requested results in eight bytes being fetched from the boot ROM to the decryption engine. This is very inefficient, particularly where only one or two bytes were requested at a time. If each successive boot ROM request of one or two bytes requires fetching eight bytes, the resulting inefficiency can cause significant delay during the bootstrap process.
Accordingly, there is a need for a system and method to allow utilization of encryption/decryption techniques that operate on data widths larger than the data width of the requested data, without suffering the aforementioned efficiency penalties. The present invention provides a solution to this and other shortcomings of the prior art, and offers other advantages over the prior art.
SUMMARY OF THE INVENTION
The present invention is directed to a system and method for reducing the number of memory access requests to encrypted memory where the encrypted information is decrypted in fixed-size, multiple-byte blocks having a greater number of bytes than the number of information bytes requested by each memory access request.
In accordance with one embodiment of the invention, a method for accelerating information transfers from an encrypted memory to a requesting device in a system utilizing a decryption engine is provided. The decryption engine fetches and decrypts a first information block, which is a block of information having a greater byte count than the number of bytes of requested information. A current address, which corresponds to a storage device address of the decrypted first information block residing at the output of the decryption engine, is compared to a requested address. The requested address corresponds to a storage device address of a second information block of which the requested information is a subset thereof. The second information block has a byte count equivalent to the byte count of the first information block which was decrypted by the decryption engine. A new block fetch of encrypted information from the encrypted storage device is initiated when the current address and the requested address are unequal. When the current address and requested address are equal, the requested information is accessed from the first information block currently available at the decryption engine output, which allows a new block fetch of encrypted information to obtain the requested information to be averted.
In accordance with another embodiment of the invention, a method for minimizing redundant data fetches initiated by a requesting unit to an encrypted memory is provided. The method utilizes extraneous data provided at the output of a decryption unit which operates on a fixed-byte basis. The decryption unit fetches, decrypts, and outputs fixed-byte blocks of encrypted information, where the fixed-byte blocks have a greater byte count than the byte count of the requested information. A first memory access request is issued for first requested information in response to the requesting unit. A first block of encrypted information is fetched from the encrypted memory in response to the first memory access request. The first block of encrypted information will include the first requested information and extraneous information. The extraneous information is the superfluous data which is not part of the requested data, and is provided as a result of the decryption unit operating on a fixed-byte basis which is larger than the byte size of the requested information. The first requested and the extraneous information are decrypted to provide decrypted requested information and decrypted extraneous information at the output of the decryption unit. The decrypted requested information is provided to the requesting unit. A second memory access request is issued in response to a request for second requested information from the requesting unit. At least a portion of the decrypted extraneous information—the portion that corresponds to the second requested information—is provided to the requesting unit when the second requested information is included within the decrypted extraneous information.
In accordance with another embodiment of the invention, a system for accelerating instruction execution from an encrypted memory is provided. A processor generates read requests for requested data bytes. A block decipher, i.e., decryption module, is coupled to the encrypted memory to receive the requested data bytes. The block decipher decrypts a predetermined number of input bytes to provide a decrypted data block, where the predetermined number is greater than the number of the requested data bytes. The system includes an address comparator to compare a requested address of a subsequent data byte request to a data block address corresponding to the predetermined number of input bytes which were decrypted by the block decipher. The address comparator provides a signal to enable the portion of the decrypted data block corresponding to the subsequently requested data bytes to be drive
Evoy David
Takahashi Richard
Yuenyongsgool Yongyut
Philips Semiconductors Inc.
Smithers Matthew
Swann Tod R.
LandOfFree
System and method for accessing information decrypted in... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with System and method for accessing information decrypted in..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and System and method for accessing information decrypted in... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2510680