Method and device for secure processing of encrypted data

Abstract

A method for secure processing of encrypted data within a receiver includes receiving a packet of encrypted compressed data and allocating a region of memory for storing a decrypted version of the packet of encrypted compressed data. The allocation is in response to, and after, reception of the encrypted compressed data. A size of the region of the memory allocated is equal to a size of the packet of encrypted compressed data that is received. The method further includes modifying a configuration of an access authorization filter for defining access rights to the allocated region, decrypting the packet of encrypted compressed data, and storing, in the allocated region, the decrypted compressed data of the packet. The aforementioned allocation, modification, decryption, and storage steps are repeated in response to each new reception of a packet of encrypted compressed data so as to dynamically modify the configuration of the access authorization filter.

Claims

1. A method, comprising: receiving a data packet comprising encrypted compressed data; allocating a region of a memory for storing a decrypted version of the encrypted compressed data, wherein allocating the region of the memory is performed in response to, and after, reception of the data packet; first defining access rights to the region of the memory by modifying a parameter of a configurable access authorization filter coupled to the memory; decrypting the encrypted compressed data of the data packet to form the decrypted version of the encrypted compressed data; storing the decrypted version of the encrypted compressed data in the region of the memory; and repeating the allocating, the first defining, the decrypting, and the storing at least once in response to each new reception of subsequent data packets comprising further encrypted compressed data so as to dynamically modify the parameter of the configurable access authorization filter with each new reception of the subsequent data packets.

2. The method of claim 1, wherein the decrypted version of the encrypted compressed data comprises decrypted and compressed data.

3. The method of claim 1, wherein a size of the region of the memory allocated for storing the decrypted version of the encrypted compressed data is equal to a size of the encrypted compressed data that is received.

4. The method of claim 1, wherein first defining access rights to the region of the memory by modifying the parameter of the configurable access authorization filter comprises modifying at least one parameter of a graph modelling memory storage regions of the memory.

5. The method of claim 1, further comprising disabling an allocation of any region of the memory to store the decrypted version of the encrypted compressed data at a power-up of an electronic device comprising the memory.

6. A method comprising: receiving a data packet comprising encrypted compressed data; allocating a region of a memory for storing a decrypted version of the encrypted compressed data, wherein allocating the region of the memory is performed in response to, and after, reception of the data packet; first defining access rights to the region of the memory by modifying a parameter of a configurable access authorization filter coupled to the memory; decrypting the encrypted compressed data of the data packet to form the decrypted version of the encrypted compressed data; storing the decrypted version of the encrypted compressed data in the region of the memory; and repeating the allocating, the first defining, the decrypting, and the storing at least once in response to each new reception of subsequent data packets comprising further encrypted compressed data so as to dynamically modify the parameter of the configurable access authorization filter with each new reception of the subsequent data packets, wherein first defining access rights to the region of the memory by modifying the parameter of the configurable access authorization filter comprises identifying one or more first electronic circuits authorized to access the region of the memory storing the decrypted version of the encrypted compressed data.

7. The method of claim 6, further comprising second defining access rights of one or more second electronic circuits in communication with the one or more first electronic circuits authorized to access the region of the memory storing the decrypted version of the encrypted compressed data.

8. The method of claim 7, further comprising repeating the second defining with the allocating, the first defining, the decrypting, and the storing at least once in response to each new reception of the subsequent data packets.

9. The method of claim 7, wherein second defining access rights of one or more second electronic circuits in communication with the one or more first electronic circuits comprises identifying the one or more second electronic circuits authorized to communicate with the one or more first electronic circuits.

10. The method of claim 7, wherein identifying the one or more first electronic circuits authorized to access the region of the memory storing the decrypted version of the encrypted compressed data comprises identifying the one or more first electronic circuits authorized to read from or write to the region of the memory storing the decrypted version of the encrypted compressed data.

11. A device, comprising: an input terminal configured to receive a data packet comprising encrypted compressed data; a decryption circuit configured to decrypt the encrypted compressed data of the data packet to form a decrypted version of the encrypted compressed data; a memory comprising a region for storing the decrypted version of the encrypted compressed data; and a processor coupled to the memory and configured to: allocate the region of a memory for storing the decrypted version of the encrypted compressed data, wherein allocating the region of the memory is performed in response to, and after, reception of the data packet at the input terminal; first define access rights to the region of the memory by modifying a configurable access authorization filter parameter; store the decrypted version of the encrypted compressed data in the region of the memory; and repeat the allocating, the first defining, the decrypting, and the storing at least once in response to each new reception of subsequent data packets comprising further encrypted compressed data so as to dynamically modify the configurable access authorization filter parameter with each new reception of the subsequent data packets.

12. The device of claim 11, wherein the decrypted version of the encrypted compressed data comprises decrypted and compressed data.

13. The device of claim 11, wherein a size of the region of the memory allocated for storing the decrypted version of the encrypted compressed data is equal to a size of the encrypted compressed data that is received.

14. The device of claim 11, wherein the processor is further configured to disable an allocation of any region of the memory to store the decrypted version of the encrypted compressed data at a power-up of the device.

15. The device of claim 11, wherein the processor is configured to first define access rights to the region of the memory by modifying the configurable access authorization filter parameter by modifying at least one parameter of a graph modelling memory storage regions of the memory.

16. The device of claim 11, wherein the processor is configured to first define access rights to the region of the memory by modifying the configurable access authorization filter parameter by identifying one or more first electronic circuits authorized to access the region of the memory storing the decrypted version of the encrypted compressed data.

17. The device of claim 16, wherein the processor is further configured to second define access rights of one or more second electronic circuits in communication with the one or more first electronic circuits authorized to access the region of the memory storing the decrypted version of the encrypted compressed data.

18. The device of claim 17, wherein the processor is further configured to repeat the second defining with the allocating, the first defining, the decrypting, and the storing at least once in response to each new reception of the subsequent data packets.

19. The device of claim 17, wherein the processor is configured to second define access rights of one or more second electronic circuits in communication with the one or more first electronic circuits by identifying the one or more second electronic circuits authorized to communicate with the one or more first electronic circuits.

20. The device of claim 17, wherein identifying the one or more first electronic circuits authorized to access the region of the memory storing the decrypted version of the encrypted compressed data comprises identifying the one or more first electronic circuits authorized to read from or write to the region of the memory storing the decrypted version of the encrypted compressed data.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Other advantages and features of the invention will become apparent upon examining the detailed description of one non-limiting embodiment and the appended drawings, in which:

(2) FIG. 1 shows schematically a flow diagram of a method for secure processing of encrypted data within a receiver according to one embodiment of the invention; and

(3) FIG. 2 shows schematically a processing device capable of implementing the method in FIG. 1.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

(4) FIG. 1 shows schematically a flow diagram of a method for secure processing of encrypted data within a receiver according to one embodiment of the invention.

(5) The method is implemented in a global data processing system receiving a plurality of data packets, the packets containing encrypted compressed data or else unencrypted compressed data.

(6) In a first step 100 of the method, a group of packets of encrypted compressed data is received.

(7) In a step 110, a memory storage region is created in a memory of the system implementing the processing method. The memory storage region has a size allowing the decrypted compressed data of the packets of data of the group of received packets to be stored.

(8) In a step 120, a group of electronic systems considered as reliable is defined and the parameters of the part of the access authorization filter (CAF) of the system relating to the memory storage region created is modified. The parameters of the CAF are modified in such a manner as to define authorizations for access to the memory storage region created in step 120.

(9) In a following step 130, the encrypted compressed data of each packet received is decrypted by a reliable electronic system.

(10) In a step 140, the decrypted compressed data of the packets of the received group is recorded in the memory storage region defined in step 120.

(11) The parameters of the parts of the CAF relating to the electronic means or circuitry in direct or indirect communication with the decrypted decompressed data stored in the memory storage region are also modified. Indirect communication is understood to mean an exchange of information with electronic means or circuitry of communication having processed decrypted decompressed data or having the right to access an electronic means in communication with an electronic means in direct or indirect communication with decrypted decompressed data.

(12) The CAF comprises the identifiers of the electronic modules authorized to access other electronic modules and notably certain memory spaces. When the parameters of a part of the CAF are modified, the parameters of the graph modelling the memory storage regions are modified, and the identifiers of the electronic means authorized to access the memory storage region on the one hand, together with the identifiers authorized to access the electronic means in direct or indirect communication with the data recorded in this memory storage region, are reported.

(13) In a following step 150, one or more processing operation(s) on the decrypted compressed data are carried out while again recording the decrypted compressed data in the same memory storage region after each processing operation.

(14) In a following step 160, a decompression of the decrypted compressed data is carried out. The decompression allows the video data to be displayed in the case of a video data stream. Once decompressed, the decompressed decrypted data occupies a much larger storage space and is then no longer stored in the memory storage region created in the step 120. It is stored in another memory unsecured storage region and the memory storage region created in step 120 is once again free to be used for the processing of other encrypted or non-encrypted compressed data.

(15) FIG. 2 shows an electronic device capable of implementing the method in FIG. 1.

(16) The electronic device 1 for processing encrypted data comprises memory means 2 and a filter 3 for authorizing access to these memory means 2.

(17) The device 1 comprises at the input means 4 for receiving packets of encrypted compressed data coupled at the output to means 5 of decrypting received encrypted compressed data.

(18) The decryption means 5 are coupled to allocation means 6 determining the size of the packets to be recorded in the same memory storage region and are capable of defining, in operation, a memory storage region based on the memory available for recording the packets of compressed data decrypted by the decryption means 5. The allocation means 6 are coupled to the memory means 2 for defining and assigning the memory storage region.

(19) The device 1 furthermore comprises control means 7 designed to control the recording of the decrypted compressed data in the allocated region of the memory 2. The control means 7 are coupled to the allocation means 6 in order to be informed of the memory storage region allocated, to the decryption means 5 and for controlling the recording of the decrypted compressed data to the memory means 2.

(20) The device 1 also comprises adjustment means 8 designed to configure the filter 3 for authorizing access to the data for defining the access rights to at least a part of the memory means 2 after the reception of the data. The adjustment means 8 are designed to reset at least a part of the filter 3 for authorizing access with new parameters at each new reception of at least one data packet.

(21) The adjustment means 8 receive at the input the information relating to the memory spaces created by the allocation means 6.

(22) The device 1 furthermore comprises a means 9 for processing the encrypted data such as a video stream decoder, or an audio stream decoder.

(23) Each modification of the parameters of the access authorization filter 3 is carried out by the adjustment means 8 in such a manner as to, on the one hand, prohibit, to an unreliable electronic system, any read access to a memory storage region of the memory means 2 comprising decrypted compressed data, and on the other hand, to prohibit, to a computer operating system, any read and/or write access to any electronic processing means 9 receiving decrypted compressed data.

(24) The method for secure processing of encrypted data allows the access to the critical data once decrypted to be preserved before it is decompressed by virtue of a dynamic management of the access to the critical data, while at the same time optimizing at all times the memory space used for the critical data and for the initially non-encrypted data.

(25) The various means of the device 1 for processing encrypted data may be formed by software means within a microprocessor and/or by specific logic circuits.

(26) The method and the device presented in FIGS. 1 and 2 are applied to the protection of data that is encrypted then decoded. The invention is not limited to these exemplary embodiments. The invention allows any data recorded in memory and judged to be sensitive to be protected such as, for example, an application or service executable code which must not be altered, or again an isolation of personal data with respect to type open source applications.