Castles Technology Co., Ltd.
Confidential • All Right Reserved.
Pg.
31
updating, the kernel CAP files must be “signed” via ULD User Key to get
the user permission. For simple expression, we call the kernel CAP files
generated by the manufacturer as “unsigned kernel CAP(s)” and call the
kernel CAP files “signed” by the user later as “signed kennel CAP(s)”.
Notes:
1. The kernel modules are encrypted by a random-generated 3DES
key, which is retrieved from the Key Encryption Block of the CAP by
ULD Manufacturer Key Encryption Key, not directly encrypted by ULD
RSA Key.
2. The “sign” action via ULD User Keys actually is done by” the second
encryption”. “The second encryption” is done by using the random-
generated 3DES key, which is encrypted by ULD User Key Encryption
Key, to perform Triple DES encryption again on the cipher data segment
of the kernel CAP files. This ensures that the system cannot retrieve the
correct data from the kernel CAPs without the user permission.