During manufacture, keys are provisioned to and stored in the integrated circuit or processor. The keys may be stored in fuses of the integrated circuits or processors and may be unique per type of integrated circuit or processor. The keys may be fed into and consumed by various security engines or co-processors.
Typically, the keys may be categorized as class 1 or class 2 keys. Class 1 keys include random secret keys that are shared with at least one entity such as a key generator. During manufacture of an integrated circuit or processor, the class 1 keys can be either auto-generated, by the integrated circuit or processor, stored therein, and revealed to at least one other entity or the class 1 keys may be externally generated, by a key generating entity, and stored in the integrated circuit or processor. Non-limiting examples of class 1 keys include provisioning keys, customer keys, and conditional access keys. Class 2 keys include secret keys derived from a master secret, which is unknown to the integrated circuit or processor but which is known to at least one entity such as a key generating entity. Unlike class 1 keys, class 2 keys cannot be auto-generated. Class 2 keys are generated, by a key generating entity, and stored, during manufacture, in the integrated circuit or processor. Non-limiting examples of class 2 keys include High-bandwidth Digital Content Protection (HDCP) keys, Enhanced Privacy Identifier (MD) keys, and Advanced Access Content System (AACS) keys.
Keys may be stored in non-volatile memory—having a special type of security fuses. Security fuses may have a number of security countermeasures in place that make them less susceptible than regular fuses to physical attacks. However, these security countermeasures make the security fuses more costly, in terms of die area, than regular fuses such as general-purpose high-density fuses.