| CPC H04L 9/0877 (2013.01) [G06F 13/4282 (2013.01); H04L 9/0631 (2013.01); H04L 9/3239 (2013.01); G06F 2213/0026 (2013.01)] | 10 Claims |

|
1. An electronic hardware sub-system within a Hardware Security Module (HSM) suitable for use in securely servicing cryptographic requests from multiple tenant applications thereon to preserve end-to-end privacy, the electronic hardware sub-system comprising:
a hardware Main Processor (MP) incorporating more than one Virtual Functions (VFs) providing cryptographic services over more than one Peripheral Component Interconnect Express (PCIe) Physical Function (PF); and
a hardware Security Processor (SP) responsive and supportive to the cryptographic services over a PCIe communication channel by way of one or more Crypto Units (CU) thereon communicatively coupled to the more than one Peripheral Component Interconnect Express (PCIe) Physical Function (FP);
wherein the MP includes its own Key Diversification Function (KDF) to produce VF Keys specific to each particular VF thereon, and the SP includes its own KDF to produce same VF Keys specific to a corresponding designated CU thereon for establishing a secure PCIe communication channel there between;
whereby the KDF produces a VF Key that logically isolates a particular VF from other VFs that all share the corresponding designated CU of the one or more CUs via end-to-end encryption of data lines terminating on a respective cryptographic block of the particular VF and the designated CU,
the KDF receiving as input: a Session Key, a Virtual Function (VF) Identifier (ID), a Nonce, and an optional Initialization Vector (IV),
wherein the MP executes its own Key Diversification Function and mixes sensitive data, encrypted by the VF Key, with non-sensitive data, encrypted by the Session Key, for both the particular VF and the other VFs in a same packet, and
sends the packet to the SP with a packet header that logically isolates the particular VF from the other VFs;
wherein the SP executes its own Key Diversification Function and identifies the designated CU from a VF Number and an encoding flag in the packet header;
wherein the designated CU:
checks in its VF Key Cache indexed by the Nonce and the VF Number recovered from the packet header if the VF Key is available for that designated CU to use, otherwise,
generates the VF Key by way of the KDF with the inputs;
wherein the SP decrypts from the same packet, the sensitive data using the VF Key according to the encoding flag;
wherein a request comprises a mix of secure and non-secure data, and the packet header for the request indicates which data are encrypted and not encrypted so that the designated Crypto Unit will respectively decrypt and not decrypt the data received;
whereby the KDF provides a Link Encryption and Key Diversification interoperability between the MP and the SP providing cryptographic and logical isolation between each particular VF of the MP and the corresponding CU of the SP over the secure PCIe communication channel for multiple tenant applications hosted by the MP on the HSM individually using and sharing the more than one PCIe PF over the more than one Virtual Function (VF) to the one or more Crypto Units (CU) for satisfying the request of the cryptographic services.
|