CN1322431C - Encryption retention and data retrieve based on symmetric cipher key - Google Patents

Info

Publication number: CN1322431C
Authority: CN (China)
Prior art keywords: data, key, program, calling program, ciphertext
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CNB031307744A
Other languages: Chinese (zh)
Other versions: CN1493996A
Inventors: P·英格兰 (P. England), M·佩纳达 (M. Peinado)
Current assignee: Microsoft Technology Licensing LLC (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Microsoft Corp
Events: application filed by Microsoft Corp; publication of CN1493996A; application granted; publication of CN1322431C; anticipated expiration; current legal status Expired - Fee Related

Abstract

In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using a symmetric cipher, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with other aspects, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The integrity of the data is also verified, and the data is decrypted using a symmetric key. The data is returned to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.

Description

Saving and retrieving data based on symmetric key encryption
Related application
This application is based on and claims priority from U.S. provisional application No. 60/373,505, entitled "Secure Store Processor", filed April 17, 2002 by Paul England, Marcus Peinado and Bryan M. Willman, the entire contents of which are incorporated herein by reference.
A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
Technical field
This invention relates to saving and retrieving data, and particularly to saving and retrieving data based on symmetric key encryption.
Background technology
Protecting data on a computer so that it is disclosed only to the proper parties has become important to users. The kinds of data users want to protect vary widely: work-related or personal confidential documents, bank account numbers, credit card numbers, social security numbers, and so on. Protecting the data on a user's computer from improper use or access is also important to some third parties. For example, a credit card issuer wants credit card numbers protected so that they are not disclosed to a rogue program or party loaded onto the computer; a music company wants songs protected so that they cannot be copied; a film studio wants movies protected so that they cannot be copied; and so on.
One approach to protecting data on computers is to abandon general-purpose computing devices and instead use special-purpose tamper-resistant boxes to deliver, store and display the protected content. This solution is undesirable, however, because it prevents users from extending their computers (for example, the user cannot install additional software components and/or hardware components on such a tamper-resistant box). It would therefore be beneficial to provide a way to protect data on general-purpose computing devices.
Summary of the invention
Saving and retrieving data based on symmetric key encryption is described herein.
According to one aspect, data is received from a calling program. Ciphertext that includes the data is generated using a symmetric cipher, in a manner that allows only one or more target programs to obtain the data from the ciphertext.
According to another aspect, a bit string is received from a calling program. The identifier of the calling program is checked to determine whether the calling program is allowed to access the data encrypted in the ciphertext of the bit string. The integrity of the data is also verified, and the data is decrypted using a symmetric key. The data is returned to the calling program only if the calling program is allowed to access the data and the integrity of the data is successfully verified.
The present invention can be implemented as follows:
A method implemented in a computing device, the method comprising: receiving data from a calling program; and generating ciphertext using a symmetric cipher by encrypting the data together with one or more conditions that must be satisfied for the data to be revealed, wherein the ciphertext is generated in a manner that allows only one or more target programs to obtain the data from the ciphertext, and wherein generating the ciphertext comprises: generating a bit string that is a combination of the data, an identifier of the calling program and identifiers of the one or more target programs; and encrypting the bit string.
A method implemented in a computing device, the method comprising: receiving a bit string from a calling program; checking an identifier of the calling program to determine whether the calling program is allowed to access the data encrypted in the ciphertext of the bit string; verifying the integrity of the data; decrypting the data using a symmetric key; and returning the data to the calling program only if the calling program is allowed to access the data and the integrity of the data is successfully verified.
A method comprising: receiving data from a calling program; generating ciphertext that includes the data using a symmetric cipher, wherein the ciphertext is generated in a manner that allows only one or more target programs to obtain the data from the ciphertext; after generating the ciphertext, receiving a bit string from another calling program; checking an identifier of the other calling program to determine whether the other calling program is allowed to access the data encrypted in the ciphertext of the bit string; verifying the integrity of the data; decrypting the data using a symmetric key; and returning the data to the other calling program only if the other calling program is allowed to access the data and the integrity of the data is successfully verified.
A system comprising: means for receiving data from a calling program; and means for generating ciphertext using a symmetric key by encrypting the data together with one or more conditions that must be satisfied for the data to be revealed, wherein the ciphertext is generated in a manner that allows only one or more target programs to obtain the data from the ciphertext, and wherein the means for generating ciphertext using the symmetric key comprises: means for generating a bit string that is a combination of the data, an identifier of the calling program and identifiers of the one or more target programs; and means for encrypting the bit string.
A system comprising: means for receiving a bit string from a calling program; means for checking an identifier of the calling program to determine whether the calling program is allowed to access the data encrypted in the ciphertext of the bit string; means for verifying the integrity of the data; means for decrypting the data using a symmetric key; and means for returning the data to the calling program only if the calling program is allowed to access the data and the integrity of the data is successfully verified.
Description of drawings
The same numerals are used throughout the document to denote similar elements and/or features.
Fig. 1 illustrates an exemplary access control model.
Fig. 2 shows an example access control environment using four different layers.
Fig. 3 is a flowchart illustrating an exemplary process for implementing the Seal operation.
Fig. 4 is a flowchart illustrating an exemplary process for implementing the UnSeal operation.
Fig. 5 is a flowchart illustrating an exemplary process for implementing the Store operation.
Fig. 6 is a flowchart illustrating an exemplary process for implementing the Seal operation.
Fig. 7 is a flowchart illustrating an exemplary process for implementing the Quote operation.
Fig. 8 is a flowchart illustrating an exemplary process for implementing the Verify operation.
Fig. 9 is a flowchart illustrating an exemplary process for implementing the Seal operation.
Fig. 10 is a flowchart illustrating an exemplary process for implementing the PKSeal operation.
Fig. 11 is a flowchart illustrating an exemplary process for implementing the GenSeal operation.
Fig. 12 illustrates a general-purpose computer environment that can be used to implement the techniques described herein.
Embodiment
Fig. 1 illustrates an exemplary access control model 100. A principal 102 can request access to a protected resource. The request is received by a guard 104, which is the component that controls access to resource 106. Guard 104 examines the request and, based on the access policy for the resource and other information, such as the identity of the principal 102 that issued the request, decides whether to grant it. For ease of explanation, a single principal 102, guard 104 and resource 106 are shown in Fig. 1. It should be noted, however, that access control model 100 may include multiple principals 102, multiple guards 104 and/or multiple resources 106.
Principal 102 refers to a component or module that requests access to protected data. The request may be a request to retrieve the protected data (for example, a request to retrieve an encryption key), or a request to perform an operation using the protected data (for example, the protected data may be an encryption key, and the request may be to encrypt or decrypt particular data with that key). Principal 102 may be implemented as a component or module in hardware, software or firmware, or a combination of hardware, software and/or firmware.
Guard 104 refers to a component or module that controls access to protected data. Guard 104 uses the access policy associated with the protected data, together with other information (such as the identity of the principal requesting access to the protected content), to determine whether to allow the principal to access the protected data. If guard 104 decides to allow the requesting principal access, it responds to the request appropriately (for example, if the request is for the protected data itself, the protected data is returned to the principal; or, if the request is to encrypt particular data using the protected data, guard 104 encrypts that data with the protected data and returns the ciphertext (the encrypted data) to the principal). It should be noted that guard 104 may also restrict a principal based on the nature of the request. For example, guard 104 may allow a particular principal to have particular data signed with the protected data, but not allow the protected data to be returned to that principal.
Guard 104 may also be characterized as a disclosure guard and/or a service guard. A service guard performs certain operations (for example, encryption, decryption, digital signing, etc.) with the protected data (for example, an encryption key) at the request of a principal, without disclosing the protected data. A disclosure guard, on the other hand, discloses the protected data to an authorized requestor. It should be noted that a particular guard 104 may be both a disclosure guard and a service guard.
Resource 106 may be any kind of data to which access is to be restricted. Examples of resource 106 include encryption keys, bank account numbers, credit card numbers, personal information such as social security numbers, passwords, and so on. Resource 106 may also be other things in a computing device. For example, resource 106 may be physical memory (for example, RAM or ROM), an optical or magnetic disk or disk drive, a video card, a sound card, a smart card, etc. As another example, resource 106 may be an operating system abstraction, such as a process, file, thread, semaphore, or the like.
Access control model 100 is described herein mainly as implemented on a single computing device. It should be appreciated, however, that different parts of the model may be implemented on different computing devices. For example, principal 102 may be on one computing device while guard 104 and resource 106 are on another.
The principals and guards on a computing device can be categorized into any number n of layers l_1, ..., l_n. Fig. 2 shows an example access control environment using four different layers. In one implementation, layer l_1 is a hardware or security kernel layer, layer l_2 is a basic input/output system (BIOS) layer, layer l_3 is an operating system (OS) layer, and layer l_4 is an application layer.
In the example environment of Fig. 2, the lowest layer (layer l_1) protects the root resources. Programs in the intermediate layers (layers l_2 and l_3) act as principals that can request access from the next lower layer, and at the same time act as guards that protect the principals in the next higher layer. The intermediate layers can thus add functionality for the principals in higher layers.
For example, suppose program 120 wishes to retrieve root resource 128, which is protected by guard 126. Program 120 acts as a principal requesting access to root resource 128 from module 122, which acts as a resource guard. If module 122 has a copy of resource 128 (for example, obtained earlier from guard 126 in response to a previous request for the resource from program 120 or another program in layer l_4, or obtained when module 122 was initialized and loaded in the computing device), then module 122 checks whether program 120 is allowed to retrieve the resource. If program 120 is allowed to retrieve the resource, module 122 returns the resource to program 120.
If, however, module 122 does not have a copy of resource 128, module 122 acts as a principal requesting access to the root resource from module 124, which acts as the guard for the resource. If module 124 has a copy of resource 128 (for example, obtained earlier from guard 126 in response to a previous request for the resource from module 122 or another module in layer l_3, or obtained when module 124 was initialized and loaded in the computing device), then module 124 checks whether module 122 is allowed to retrieve the resource. If module 122 is allowed to retrieve the resource, module 124 returns the resource to module 122. If program 120 is allowed to retrieve the resource, module 122 returns the resource to program 120.
If, however, module 124 does not have a copy of resource 128, module 124 acts as a principal requesting access to the root resource from guard 126. Guard 126 checks whether module 124 is allowed to retrieve the resource and, if so, returns the resource to module 124. If module 122 is allowed to retrieve the resource, module 124 returns the resource to module 122, and if program 120 is allowed to retrieve the resource, module 122 returns the resource to program 120.
The discussion herein presents access control model 100 of Fig. 1 in the context of authenticated operation of software. In authenticated operation of software, the protected resource is usually an encryption key. It should be appreciated, however, that authenticated operation of software is only one example of the use of access control model 100.
Another example of the use of access control model 100 is authenticating a user to a computer. Most modern computers have an access control system. The user logs in to the computer so that the computer knows who the user is. After logging in, the user typically runs programs that need access to system resources (for example, to read a file, to write to a window on the screen, etc.). Typically, the access control system in the computer is consulted (for example, "can user x perform operation y on resource z?"). If the answer is "no", the program cannot access the resource.
Another example of the use of access control model 100 is authenticating a user to a remote service. A remote service such as a website (for example, an online broker or a bank) can be considered to have an access control system. The resources are people's bank accounts, their money and their stocks. After the user logs in to the website, the access control system determines whether the user is authorized to perform the access the user has requested, such as "read" access to the resource "bank account data" (to retrieve the latest bank statement) or a "transfer" of the resource "$1000 in bank account 12345".
Yet another example of the use of access control model 100 is restricting physical access to a particular building or area. For example, when a user arrives at the workplace in the morning, the user presents his or her badge and requests an "open" operation on the resource "front door". Some electronic system (the guard) determines, based on the information stored on the badge, whether the user is allowed to enter the building, and opens the door accordingly.
A computing device enables authenticated operation of programs (software) if it is possible for a program to obtain protected access (from a disclosure guard or from a service guard) to at least one cryptographic resource. In certain embodiments, as described below, a computing device enables authenticated operation by providing authentication and isolation.
A program C is said to be isolated from another program D if the following two conditions hold: (1) there is memory that can be accessed by program C but not by program D; and (2) program D cannot initiate execution of program C (except possibly at entry points determined by program C). A program is given by its transition rules (its executable code) and its initial state (the initial value of the entry point or instruction pointer IP). Since data can be stored in memory that cannot be accessed by program D, the first condition guarantees the integrity of program C's code and state information even in the presence of adversarial behavior by program D. This also allows program C to protect confidential data (for example, encryption keys) from observation by program D. The second condition guarantees that D cannot subvert the behavior of C by adversarially choosing entry points.
Further, program C can be said to authenticate program D if program C can identify the transition rules (program code) and the initial state of program D. The computing device allows any program C to be isolated from any other program D except for a single program E_j in each layer j less than i, where i is the layer of program C. This protects program C from observation and interference by any program other than the sequence E_1, E_2, ..., E_{i-1} of guards through which program C requests access to its resources. In addition, at any layer i, the computing device allows a program executing in layer i to authenticate at least some programs in layer i+1. This requirement allows a program to act as a guard for requests from principals in the next layer. These two observations lead to the conclusion that a program in any layer can act as a resource guard: it requests resources from the layer below it, protects its own integrity and the resources through isolation, and authenticates requests from principals in the layer above it.
Isolation can be achieved by using physical memory protection. This approach is referred to as "isolation in space" or "space isolation". For example, the rings and virtual memory found in many modern microprocessors are sufficient to implement isolation in space. An operating system kernel running in privileged mode (layer i) can provide page tables for application programs (layer i+1) so that any application program can access only those parts of physical memory that the kernel has chosen to map into the application's virtual address space. Furthermore, the kernel restricts the privileges of application programs so that they cannot change the memory mapping, and ensures that application programs can initiate execution of kernel code only at well-defined entry points (system calls).
Another way to achieve isolation between two layers is to separate their execution in time. This approach is referred to as "isolation in time" or "time isolation". The program in the first layer i executes and completes, makes certain resources unavailable, and then terminates. Control is subsequently transferred to the next layer i+1.
Authentication takes place between subsequent layers (j = i+1). Program C authenticates the program (transition rules) and the initial-state configuration of layer j. Authenticating the program can be done by letting program C inspect the program in layer j. That is, typically, program C reads the memory containing the program for layer j and computes a cryptographic digest over that memory region. It should be noted that at this point the purpose is only to determine the identity of the code, not to evaluate statements about that code made by other principals. Certificates are therefore not needed at this point.
The second task of program C is to identify the initial state of program D. In general, determining the initial state of a program at an arbitrary stage of its execution is difficult. Therefore, program C controls the initial state of program D. In practice, this means that program C can only determine the initial state σ of program D if program C itself started the execution of program D at σ.
In summary, to authenticate program D, program C inspects the memory contents it considers relevant (the program, and possibly data) and computes a cryptographic digest. After that, program C transfers execution to a well-defined entry point of program D.
In the case where the resource is an encryption key, authenticated operation allows each operating system and application program to have exclusive access to one or more secrets. The isolation discussed above protects each secret from attack by adversarial code. The program authentication discussed above allows programs to be identified, so that each secret is disclosed only to the program that owns it.
In general, given a request from a program (principal 102 in Fig. 1), guard 104 determines the identity of the program (that is, guard 104 authenticates the program). If the program is not the owner of the requested secret (resource 106), guard 104 rejects the request. Otherwise, guard 104 computes some function of the secret (which may be the secret itself) and, possibly, of information provided by the program, and returns the result. Alternatively, rather than explicitly accepting or rejecting the request, guard 104 may service the request while binding the identity of the caller into the result. This alternative is appropriate, for example, if the result returned by the guard does not contain confidential information (for example, a request to produce a digital signature using the secret). The term gating function is used herein to denote both cases.
In either case, guard 104 authenticates the caller (principal 102). Authenticating principal 102 is also referred to herein as the function ID(), which returns the digest of the calling program (the program calling the gating function of guard 104). The digest can be generated in any of a variety of conventional ways, such as using one or more cryptographic hash functions (also called one-way hash functions) such as SHA1 (Secure Hash Algorithm 1), MD5 (Message Digest 5), MD2 (Message Digest 2), etc.; using a keyed MAC (Message Authentication Code); and so forth.
One class of gating functions described herein implements sealed storage. The purpose of sealed storage is to allow a program to store a secret so that only one or more programs of a particular set (defined by the program storing the secret) can retrieve that secret. In one implementation, only the program that originally saved (sealed) the secret can recover (unseal) it. Typically, this restriction on the use of the secret extends beyond an individual execution of the program. A secret used during a single execution of a program can be saved (sealed); alternatively, isolation and a random number generator also allow a program to keep a secret during a single execution. Sealed storage additionally allows a program to keep a secret across different executions that do not overlap in time. Layer l_i exposes sealed storage to the next layer l_{i+1} by means of the following interfaces (for example, using the "Seal" and "UnSeal" operations and/or the PKSeal and PKUnseal operations).
The discussion of sealed storage herein refers to encryption keys used to encrypt and decrypt data. These encryption keys are the keys associated with the guard (for example, guard 104 in Fig. 1) that protects access to the resource.
The discussion herein also refers to identifiers of programs (for example, the identifier of a program that calls or invokes an operation, or the identifier of a target program that is allowed to access a resource). These identifiers are commonly referred to herein as digests. It should be appreciated, however, that a digest is only one example of a program identifier. Other types of identifiers that are a measure or other representation of the program and that allow any change to the program to be detected can also be used. If the program has been changed in any way (for example, one or more instructions changed by an adversary attempting to maliciously access and use the protected data), the identifier of the program should reflect that change (for example, the identifier of the unaltered program will differ from the identifier of the altered program).
The Seal operation receives as input the data (for example, a secret) to be sealed. The Seal operation also optionally receives as input a condition identifying when and/or to whom the secret may be disclosed (unsealed). In one implementation, this condition is the digest of a target program that is allowed to retrieve (unseal) the data. Alternatively, the program that is allowed to retrieve (unseal) the data may be identified in other ways. For example, a program may be identified by a public key that verifies one or more certificates, each certificate being associated with one or more programs.
Alternatively, other conditions may be used in addition to, or instead of, the identifier of a target program. For example, the condition may include a particular time restriction on when the data can be disclosed (unsealed), such as particular times of day during which the secret can be disclosed, or particular days of the week. As another example, the condition may include a password or an identifier of other data that must be supplied in order for the secret to be revealed (unsealed); for example, the secret can only be unsealed by a program that knows the password.
As yet another example, the condition may be a logical formula (for example, any statement written in first-order logic, any statement written in predicate logic, etc.). The logical formula is evaluated (for example, by the guard), and the secret is disclosed (unsealed) only if the evaluation returns an indication of true.
As yet another example, the condition may be an executable program in some language (for example, Java, C*, JavaScript, VBScript, etc.). The program is executed (for example, by the guard), and the secret is disclosed (unsealed) only if the program returns some indication of "true" or "satisfied".
In the case where the condition is the digest of a target program but no target program digest is provided, the Seal operation may use the digest of the program calling the Seal operation (thereby implicitly inputting the digest of the target program). In addition, the digests of multiple target programs may be input to the Seal operation, thereby allowing multiple target programs to retrieve (unseal) the data.
The Seal operation encrypts its inputs (the data and the conditions permitting retrieval (unsealing) of the data) together with the identifier of the caller. The Seal operation returns the input data in encrypted form (as ciphertext). The Seal operation also returns a value (for example, a Message Authentication Code (MAC) value) that can be used to verify the integrity of the sealed data. The returned data allow the stored data to be referenced in a subsequent UnSeal operation, as discussed in more detail below.
In the Table I illustrated be used for the false code of Seal operation.In the false code of Table I, ID () is ID discussed above () function, e be return to caller value (for example, bit string or bit sequence), data are with sealed data, and [t1 ..., tm] be the summary that is allowed to one or more (m) target program of retrieval (unpacking) data (perhaps one or more other condition).
Table I
d=ID() e=store(data,[t 1,...,t m],d) return?e
Fig. 3 is one a process flow diagram that is used to realize the exemplary process 200 of Seal operation has been described.Processing procedure 200 is carried out by the protective device among Fig. 1 104, and can realize with hardware, software, firmware or their combination.
Initially, the secret to be sealed is received from the caller (act 202). The secret is encrypted so that it can be retrieved only by a specific target program, or only if one or more specified conditions are satisfied (act 204). The ciphertext that includes the encrypted secret is then returned to the caller (act 206). Additional information, such as the digest of the caller and/or the digest of the target program, can also be returned to the caller (as part of the ciphertext or separately from it).
When the calling program later wishes to retrieve sealed data (for example, an encryption key), the UnSeal operation receives as input the bit string returned by the Seal operation. The UnSeal operation obtains the conditions for disclosing the data and checks whether those conditions are satisfied. For example, if the conditions include the digests of one or more target programs allowed to retrieve (unseal) the data, the UnSeal operation obtains those digests and checks whether the calling program is one of the target programs. If the calling program is not one of the target programs, the UnSeal operation fails and the requested data is not returned to the caller. If the calling program is one of the target programs, the UnSeal operation succeeds and the requested data is returned to the caller. The UnSeal operation optionally also returns the digest of the program that sealed the data.
Table II illustrates pseudocode for the UnSeal operation. In the pseudocode of Table II, data is the requested data (the previously sealed data), [t1, ..., tm] are the digests of the one or more (m) target programs allowed to retrieve (unseal) the data (or one or more other conditions), e is the input to the UnSeal operation (normally the output of a previous Seal operation), and d is the digest of the program that sealed the data.
Table II
    (data, [t1, ..., tm], d) = retrieve(e)
    if ID() is in [t1, ..., tm] then return (data, d)
    else fail
Fig. 4 is a flow diagram illustrating an exemplary process 220 for implementing the UnSeal operation. Process 220 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, ciphertext containing the encrypted data that the caller wishes to retrieve is received (act 222). A check is made as to whether the caller is allowed to retrieve the data (act 224), and processing continues based on whether the caller is allowed to retrieve the data. If the caller is allowed to retrieve the data, the (decrypted) data is returned to the caller (act 228). If the caller is not allowed to retrieve the data, the process fails (act 230) and the data is not returned to the caller.
Sealed storage can be implemented in different ways. In one implementation, sealed storage is implemented using physically protected non-volatile memory. In this implementation, the computing device associates different protective devices with different portions of the protected non-volatile memory, and allows each protective device to access only the portions associated with it. In this implementation, the Store and Retrieve operations referenced in the Seal and UnSeal operations are calls that cause the computing device to store data in, and retrieve data from, the protected non-volatile memory associated with the protective device.
For example, a storage device (such as a hard disk drive) can implement a protective device. Rather than simply executing read and write commands unconditionally, the storage device identifies the client attempting to access it (for example, based on the client's digest) and allows only a specific client to access the storage device. Alternatively, different clients can be restricted to accessing only specific portions of the storage device (for example, particular sectors or address ranges).
In another implementation, sealed storage is implemented using cryptography. An exemplary cryptographic implementation of sealed storage is described below.
When sealed storage is implemented cryptographically, the resource is a key K rather than physically protected memory. The Store operation does not physically store its input. Instead, the Store operation produces a cryptographically protected output c, which is the input to the Store operation in encrypted and integrity-protected form. The encryption results from applying a symmetric cipher to the input. The integrity protection results from applying a message authentication code (MAC) to the input (before or after encrypting it).
Table III illustrates pseudocode for the Store operation. In the pseudocode of Table III, b is the bit string input to the Store operation, c is the bit string output by the Store operation, K1 is the first portion of key K, and K2 is the second portion of key K. Key K is the symmetric key of the protective device that implements the Seal and Store operations.
Table III
    m = MAC_K1(b)
    c = (m, Encrypt_K2(b))
    return c
Thus, as seen in Table III, a value (m) is produced by applying the MAC to the bit string input to the Store operation. The MAC is keyed with a portion (K1) of key K. The bit string input to the Store operation is also encrypted using the second portion (K2) of key K. The value produced by applying the MAC to the input bit string and the value produced by encrypting the input bit string are then returned to the caller of the Store operation.
Key K is divided into two independent keys K1 and K2 so that the MAC and the cipher do not use the same key. This division can be accomplished in any of a variety of ways. The division can use different bits of key K, or can use one or more of the same bits. For example, if key K is 1024 bits, the low 512 bits can be used as key K1 and the high 512 bits as key K2; the even bits (bits 0, 2, 4, 6, 8, 10, ..., 1022) can be used as key K1 and the odd bits (bits 1, 3, 5, 7, 9, 11, ..., 1023) as key K2; the low 650 bits can be used as key K1 and the high 650 bits as key K2 (so that some bits are used in both K1 and K2); and so on. Alternatively, the same key K can be used for both the MAC and the cipher.
The pseudocode in Table III implements the Store operation by computing the MAC over the data, encrypting the data, and outputting the MAC and the ciphertext. Alternatively, the Store operation can be implemented in different ways. For example, the Store operation may first encrypt the data, then compute the MAC over the ciphertext, and output the ciphertext and the MAC. As another example, the Store operation may compute the MAC over the data, then encrypt the data together with the MAC, and output the ciphertext.
The encryption performed by the cipher of the Store operation can be implemented using any of a variety of symmetric encryption algorithms. Generally, symmetric encryption algorithms use the same key for encryption and decryption. Examples of such algorithms include triple DES (Data Encryption Standard), AES (Advanced Encryption Standard), and so forth.
Similarly, the MAC can be any of a variety of message authentication codes, such as the MAC described by M. Bellare, R. Canetti, and H. Krawczyk in "Keying hash functions for message authentication", Advances in Cryptology - Crypto '96, Lecture Notes in Computer Science No. 1109, 1996. Alternatively, integrity can be protected by replacing the MAC with a public key digital signature.
Fig. 5 is a flow diagram illustrating an exemplary process 250 for implementing the Store operation. Process 250 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, the data to be stored is received (act 252). A symmetric cipher is applied to the data (act 254) and a message authentication code (MAC) is applied to the data (act 256). The encrypted data produced in act 254 and the MAC value produced in act 256 are then returned to the caller (act 258).
The Retrieve operation receives an input bit string that includes a MAC value and ciphertext. It decrypts the ciphertext to produce plaintext and generates a MAC value for that plaintext. If the MAC value generated for the plaintext is identical to the MAC value received as part of the input bit string, the plaintext is returned to the caller. If the MAC value generated for the plaintext differs from the MAC value received as part of the input bit string, the Retrieve operation fails and the plaintext is not returned to the caller. It should be understood that the particular manner in which the Retrieve operation obtains the MAC and the plaintext from the input bit string depends on the manner in which the Store operation is implemented.
Table IV illustrates pseudocode for the Retrieve operation. In the pseudocode of Table IV, c is the bit string input to the Retrieve operation, b is the bit string output by the Retrieve operation, m is the MAC value portion of the bit string input to the Retrieve operation, d is the ciphertext portion of the bit string input to the Retrieve operation, K1 is the first portion of key K, and K2 is the second portion of key K. Keys K1 and K2 are the same portions of key K discussed above with respect to the Store operation.
Table IV
    let (m, d) = c
    b = Decrypt_K2(d)
    if m = MAC_K1(b) then return b
    else fail
Thus, as seen in Table IV, a value (b) is produced by decrypting the bit string input to the Retrieve operation. A MAC value is then generated for the value (b). If the MAC value generated by the Retrieve operation is identical to the MAC value received as part of the bit string input to the Retrieve operation, the value (b) is returned to the caller of the Retrieve operation; otherwise the Retrieve operation fails.
The pseudocode in Table IV is based on the implementation of the Store operation in which the MAC is computed over the data, the data is encrypted, and the MAC is output together with the ciphertext (and serves as the input bit string of the Retrieve operation). If the Store operation is implemented to first encrypt the data, then compute the MAC over the ciphertext and output the ciphertext and the MAC, the Retrieve operation would be implemented to compute the MAC of the ciphertext, compare it with the MAC value received as part of the input bit string, then decrypt the ciphertext and return the decrypted data if the MAC values match. If the Store operation is implemented to compute the MAC over the data and then encrypt the data together with the MAC, the Retrieve operation would be implemented to decrypt the input bit string, compute the MAC over the data in the decrypted string, compare the computed MAC with the MAC value in the decrypted string, and return the data if the MAC values match.
As with the Store operation discussed above, any of a variety of decryption algorithms can be used by the Retrieve operation. However, the decryption algorithm should correspond to the encryption algorithm so that the encrypted data can be decrypted. Similarly, any of a variety of message authentication codes can be used as the MAC, but the message authentication code used should be the same as the one used by the Store operation.
Fig. 6 is a flow diagram illustrating an exemplary process 270 for implementing the Retrieve operation. Process 270 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, ciphertext and a MAC value are received (act 272). The ciphertext is decrypted to produce plaintext data (act 274). A message authentication code (MAC) is applied to the plaintext data to produce a MAC value (act 276), and a check is made as to whether the MAC value produced in act 276 equals the MAC value received in act 272 (act 278). Processing then continues based on whether the produced MAC value equals the received MAC value (act 280). If the produced MAC value equals the received MAC value, the plaintext data is returned to the caller (act 282). If the produced MAC value does not equal the received MAC value, the process fails (act 284) and the plaintext data is not returned to the caller.
Thus, the cryptographic implementation of sealed storage effectively guarantees that any tampering with the value c (the output of the Store operation) can be detected, and that the value b (the input to the Store operation) cannot be retrieved without access to key K2 (the key used by the cipher to conceal the value b).
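The Store and Retrieve operations of Tables III and IV, with the Seal and UnSeal gating of Tables I and II built on top of them, as an added Go example that is not part of the patent: it assumes AES-CTR as the symmetric cipher, HMAC-SHA256 as the MAC, a 64-byte K split into low and high halves, a fixed byte layout for the (data, [t1, ..., tm], d) tuple, and that the protective device's ID() measurement is handed in as a 32-byte callerID.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Guard models the protective device that owns symmetric key K, already split
// into K1 (MAC key) and K2 (cipher key); AES-CTR and HMAC-SHA256 are assumed.
type Guard struct{ k1, k2 []byte }

func (g *Guard) mac(b []byte) []byte {
	h := hmac.New(sha256.New, g.k1)
	h.Write(b)
	return h.Sum(nil)
}

// store implements Table III: m = MAC_K1(b); c = (m, Encrypt_K2(b)), where
// the encrypted part is a fresh random IV followed by the AES-CTR output.
func (g *Guard) store(b []byte) ([]byte, error) {
	block, err := aes.NewCipher(g.k2)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(b))
	cipher.NewCTR(block, iv).XORKeyStream(ct, b)
	return bytes.Join([][]byte{g.mac(b), iv, ct}, nil), nil
}

// retrieve implements Table IV: (m, d) = c; b = Decrypt_K2(d); return b only
// if m == MAC_K1(b), so any alteration of c is detected and nothing leaks.
func (g *Guard) retrieve(c []byte) ([]byte, error) {
	if len(c) < sha256.Size+aes.BlockSize {
		return nil, errors.New("retrieve: input too short")
	}
	m, iv, d := c[:sha256.Size], c[sha256.Size:sha256.Size+aes.BlockSize], c[sha256.Size+aes.BlockSize:]
	block, err := aes.NewCipher(g.k2)
	if err != nil {
		return nil, err
	}
	b := make([]byte, len(d))
	cipher.NewCTR(block, iv).XORKeyStream(b, d)
	if !hmac.Equal(g.mac(b), m) { // constant-time comparison
		return nil, errors.New("retrieve: MAC mismatch, c was altered")
	}
	return b, nil
}

// Seal implements Table I. ID() of the caller is modelled by passing the
// 32-byte digest the guard measured as callerID. The tuple (data, [t1..tm], d)
// is laid out as d || m || t1..tm || data, an encoding assumed by this example.
func (g *Guard) Seal(callerID, data []byte, targets [][]byte) ([]byte, error) {
	b := append(append([]byte{}, callerID...), byte(len(targets)))
	b = append(b, bytes.Join(targets, nil)...)
	return g.store(append(b, data...))
}

// UnSeal implements Table II: retrieve, then release the data only if the
// caller's digest is one of the targets; the sealer's digest d comes back too.
func (g *Guard) UnSeal(callerID, e []byte) ([]byte, []byte, error) {
	b, err := g.retrieve(e)
	if err != nil {
		return nil, nil, err
	}
	const n = sha256.Size
	if len(b) < n+1 || len(b) < n+1+int(b[n])*n {
		return nil, nil, errors.New("unseal: malformed sealed tuple")
	}
	d, m, rest := b[:n], int(b[n]), b[n+1:]
	for i := 0; i < m; i++ {
		if bytes.Equal(rest[i*n:(i+1)*n], callerID) {
			return rest[m*n:], d, nil
		}
	}
	return nil, nil, errors.New("unseal: caller is not a permitted target")
}

func main() {
	k := make([]byte, 64) // 512-bit K
	rand.Read(k)
	g := &Guard{k1: k[:32], k2: k[32:]} // low 256 bits as K1, high 256 bits as K2 (one split the text lists)
	app := sha256.Sum256([]byte("app-v1")) // stands in for the guard's measurement
	e, _ := g.Seal(app[:], []byte("disk key"), [][]byte{app[:]})
	data, _, err := g.UnSeal(app[:], e)
	fmt.Printf("same program: %q, err=%v\n", data, err)
	e[len(e)-1] ^= 1 // flip one ciphertext bit: the MAC check must now fail
	_, _, err = g.UnSeal(app[:], e)
	fmt.Println("after tampering:", err)
}
```

An UnSeal by a program whose digest is not in the target list fails on the gating check rather than the MAC check, and in both failure paths no plaintext is returned.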
Another type of gating function implements remote authentication. The purpose of remote authentication is to allow a program to be authenticated even in the absence of a firm physical connection to the authenticator (for example, a server or a smart card). In this case, authentication is based on cryptography; that is, the two entities engage in a cryptographic authentication protocol. This involves the configuration being authenticated having access to a secret which, depending on the protocol, is typically a private key or a symmetric key. In addition, the computing device can tie the use of these authentication secrets to the identity of the configuration (for example, processor and/or software) requesting their use. Thus the authenticator can determine the identity of the computing device and of the software executing on it.
Two operations, the Quote operation and the PKUnseal operation, are the gating functions corresponding to public key signing and public key decryption, respectively. The protective device implementing these gating functions has access to a signing key Ks and a decryption key Kd. Signing key Ks and decryption key Kd are both private keys of public/private key pairs. These public/private key pairs are the key pairs of the protective device implementing the Quote and PKUnseal operations.
The Quote operation returns a public key signature over the combination (for example, the concatenation) of the input to the Quote operation and the identity of the caller and/or the conditions under which the secret may be disclosed. As with the Seal and UnSeal operations discussed above, disclosure of the secret can be restricted by any of a variety of conditions. In one implementation, the condition is the identifier (for example, the digest) of the calling program.
Implicit in the signature is an assertion that the identified calling program requested the operation. The Quote operation works together with the Verify operation, which is normally executed on a device different from the one executing the Quote operation (for example, on a remote server device, on a smart card, and so forth). The Verify operation performs the public key signature verification and retrieves and evaluates the identifier of the calling program (and/or the other conditions for disclosing the secret).
Table V illustrates pseudocode for the Quote operation. In the pseudocode of Table V, ID() is the ID() function discussed above, a is the data input to the Quote operation, and Ks is the signing key.
Table V
    d = ID()
    return sn = Signature_Ks(d, a)
Thus, as seen in Table V, the Quote operation obtains the digest of the calling program and receives an input value a. The Quote operation uses the signing key Ks to produce a digital signature (sn) over the input value a and the digest of the calling program. The input value a may be produced by the calling program, or may be a value received from another component or device (for example, from the device executing the Verify operation). The digital signature is produced using public key cryptography.
Fig. 7 is a flow diagram illustrating an exemplary process 300 for implementing the Quote operation. Process 300 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, input data is received from the caller (act 302). The identifier of the caller (and/or one or more other conditions for retrieving the input data) is obtained (act 304), and a digital signature is generated over the combination of the input data and the caller identifier (and/or the one or more other conditions) (act 306). The generated digital signature is then returned to the caller (act 308).
The Verify operation performs the public key signature verification and retrieves and evaluates the identifier of the calling program. The Verify operation normally receives a digital signature generated by the Quote operation from a device different from the one executing the Verify operation. The Verify operation extracts from the received digital signature the digest of the program that called the Quote operation (for example, an application program, operating system, firmware program, etc.) and evaluates that digest to determine how to proceed.
Table VI illustrates pseudocode for the Verify operation. In the pseudocode of Table VI, d is the digest of the program that called the Quote operation, a is the value that was input to the Quote operation, and Sn is the digital signature received as input by the Verify operation.
Table VI
    (d, a) = Extract_Kv(Sn)
    Evaluate(d)
Thus, as seen in Table VI, the Verify operation receives a digital signature and uses the verification key Kv (which is the public key of the public/private key pair that includes signing key Ks) to extract the digest d and the value a from the signature. The Verify program can then evaluate the digest d of the program that called the Quote operation. The manner in which digest d is evaluated can vary. For example, the evaluation may involve comparing digest d with a list of "approved" or "trusted" applications.
Fig. 8 is a flow diagram illustrating an exemplary process 320 for implementing the Verify operation. Process 320 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, a digital signature is received (act 322). The identifier of the caller that quoted an input value (using the Quote operation) (and/or one or more other conditions for retrieving the input value) and the input value itself are extracted from the digital signature (act 324). The identifier of the caller (and/or the one or more other extracted conditions) is then evaluated to determine how to proceed with the input value (act 326).
The PKUnseal operation is a public key decryption operation that is gated on the identity of the caller (for example, the digest of the calling program) or on one or more other conditions. The public key decryption of the input c to the PKUnseal operation is interpreted as a pair (d, s), where s is the secret and d identifies the configuration (for example, the digest of the calling program) to which s may be disclosed. If the caller of PKUnseal is not d, the PKUnseal operation fails. The input c to the PKUnseal operation is generated by a second operation, PKSeal, which may be executed on a device different from the one executing the PKUnseal operation (for example, on a remote server device, on a smart card, and so forth). The PKSeal operation performs a public key encryption of the pair (d, s). The PKUnseal and PKSeal operations can also be used to implement sealed storage.
Table VII illustrates pseudocode for the PKUnseal operation. In the pseudocode of Table VII, ID() is the ID() function discussed above, c is the input to the PKUnseal operation, [d1, ..., dm] are the digests of the one or more calling programs to which s may be disclosed (or one or more other conditions), s is the protected data, and Kd is the decryption key (the private key of the public/private key pair associated with the protective device implementing the PKUnseal operation).
Table VII
    ([d1, ..., dm], s) = Decrypt_Kd(c)
    if ID() is in [d1, ..., dm] then return s
    else fail
Thus, as seen in Table VII, the PKUnseal operation uses public key decryption with the decryption key Kd to decrypt the input value c. The decrypted input value includes the digests [d1, ..., dm] of the one or more calling programs to which the protected data s may be disclosed (or one or more other conditions identifying and/or permitting to whom the protected data s may be disclosed). The PKUnseal operation also generates the digest of the calling program. If the digest of the calling program equals one of the digests [d1, ..., dm], the protected data s is returned to the calling program. If the digest of the calling program does not equal any of the digests [d1, ..., dm], the protected data s is not returned to the calling program.
Fig. 9 is a flow diagram illustrating an exemplary process 340 for the PKUnseal operation. Process 340 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, ciphertext containing the encrypted data that the caller wishes to retrieve is received (act 342). A check is made as to whether the caller is allowed to retrieve the data (act 344), and processing continues based on whether the caller is allowed to retrieve the data (act 346). If the caller is allowed to retrieve the data, the data (decrypted using public key decryption) is returned to the caller (act 348). If the caller is not allowed to retrieve the data, the process fails (act 350) and the data is not returned to the caller.
The PKSeal operation is a public key encryption operation that is gated on the identity of the caller (for example, the digest of the calling program or of one or more other programs). The PKSeal operation performs a public key encryption of a pair (d, s), where s is the secret and d identifies the one or more configurations (for example, the digests of calling programs) to which s may be disclosed.
Table VIII illustrates pseudocode for the PKSeal operation. In the pseudocode of Table VIII, c is the output of the PKSeal operation, [d1, ..., dm] are the digests of the one or more calling programs to which s may be disclosed, s is the protected data, and Ke is the encryption key.
Table VIII
    c = Encrypt_Ke([d1, ..., dm], s)
    return c
Thus, as seen in Table VIII, the PKSeal operation receives as input the protected data s and the digests [d1, ..., dm] of the one or more programs to which the protected data s may be disclosed. The pair ([d1, ..., dm], s) is then encrypted using public key cryptography with the encryption key Ke; encryption key Ke is the public key of the protective device that will be able to decrypt the ciphertext. The ciphertext produced by the public key encryption is then returned to the calling program.
Fig. 10 is a flow diagram illustrating an exemplary process 360 for implementing the PKSeal operation. Process 360 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, the secret to be sealed is received from the caller (act 362). The secret is encrypted using public key encryption so that it can be retrieved only by a specific target program, or only if one or more specified conditions are satisfied (act 364). The ciphertext that includes the encrypted secret is then returned to the caller (act 366). Additional information, such as the digest of the caller and/or the digest of the target program, can also be returned to the caller (as part of the ciphertext or separately from it).
The Quote and PKUnseal operations are intended to be used together with public key authentication protocols. Most public key authentication protocols can be adopted directly by replacing each call to public key decryption, public key encryption, signing, and signature verification with a call to PKUnseal, PKSeal, Quote, and Verify, respectively.
In some cases it is important to be able to obtain a random number (for example, as the basis for generating an encryption key). Random numbers can be obtained in a variety of ways. In one implementation, the source of random numbers is a cryptographically strong random number generator implemented in hardware on the computing device.
An alternative to the Seal operation described above is a GenSeal operation, which combines the Seal operation with the generation of a random number. The GenSeal operation receives as input the digests [t1, ..., tm] of the target programs that should be able to retrieve the secret (and/or other conditions that must be satisfied for the secret to be retrieved). The GenSeal operation generates a random number and seals this newly generated random number so that it can be retrieved only by a calling program having one of the target digests [t1, ..., tm] (and/or satisfying the other conditions).
Table IX illustrates pseudocode for the GenSeal operation. In the pseudocode of Table IX, ID() refers to the ID() function described above, c refers to the output of the GenSeal operation, s refers to the newly generated random number, [t1, ..., tm] refers to the one or more target programs allowed to retrieve the value s (one of which may be the program calling the GenSeal operation) or alternatively to one or more conditions, and GenRandom() refers to a function that generates a random number.
Table IX
    d = ID()
    s = GenRandom()
    c = store(s, [t1, ..., tm], d)
    return c
Fig. 11 is a flow diagram illustrating an exemplary process 380 for implementing the GenSeal operation. Process 380 is carried out by the protective device 104 of Fig. 1 and can be implemented in hardware, software, firmware, or a combination thereof.
Initially, input is received from a caller identifying the target program that should be able to retrieve the secret, or one or more other conditions to be satisfied for the secret to be retrieved (act 382). The secret is then generated (act 384) and encrypted so that it can be retrieved only by the identified target program, or only if the one or more other conditions are satisfied (act 386). The ciphertext that includes the encrypted secret is then returned to the caller (act 388). Additional information, such as the digest of the caller and/or the digest of the target program, can also be returned to the caller (as part of the ciphertext or separately from it).
The services provided by an open (disclosing) protective device can be used for general sealing services. For example, referring back to Figs. 1 and 2, when layer n is initialized (for example, after the computer is restarted or booted, or when a program begins executing), layer n-1 discloses a single key to layer n based on the identity of layer n. Layer n caches this key and uses it to encrypt additional secrets. The next time the platform is started in the same configuration, the open protective device provides the same root key (for example, via UnSeal or PKUnseal), and all the secrets previously encrypted can be retrieved by layer n.
In some embodiments, when the next layer is initialized (for example, after the computer is restarted or booted, or when a program begins executing), the lower layer discloses one or more secrets to the next layer. After this gated disclosure, the lower layer is not used again (until the next boot or restart). This usage model is also referred to as the open protective device model. Using the open protective device model reduces the number of accesses to the lower layer.
The gating functions discussed herein can be used together with service protective devices and open protective devices, under both time isolation and space isolation. Four service models for implementing authenticated operation are discussed below: (1) service protective device - space isolation; (2) open protective device - space isolation; (3) open protective device - time isolation; and (4) service protective device - time isolation. In the discussion of these service models, it is assumed that a lower-level protective device discloses one or more keys to the protective device at the layer under consideration. The manner in which these keys are obtained depends on the isolation model of the underlying protective device and of this layer. Different layers on the same computing device can use different ones of these service models.
(1) Service protective device - space isolation: When the requesting program is initialized, the protective device measures and saves the identity of this program. The protective device implements a protected system using processor services (for example, a CPU or some other secure processor or coprocessor) and a system call interface that exposes the basic authenticated operations.
(2) Open protective device - space isolation: The protective device obtains the initialization-related service request in the form of a cryptographic block. This block can be stored in memory or obtained from an external storage device. The protective device measures the identity of the program it initializes and discloses keys to the program according to the gating functions described above. Before relinquishing control to the next layer, the protective device establishes mode protection for its own secret resources.
(3) Open protective device - time isolation: The protective device obtains the initialization-related service request in the form of a cryptographic block (a group of bits). This block can be stored in memory or obtained from an external storage device. The protective device measures the identity of the program it initializes and discloses keys to the program according to the gating functions described above. Before passing control to these programs, the protective device deletes the keys used to implement the gating functions (or otherwise makes them inaccessible).
(4) Service protective device - time isolation: In the service protective device - time isolation model, the computing device securely preserves program state across a secure reset. This model is similar to model (1) (service protective device - space isolation), but before passing control to the next layer, the service protective device deletes its secrets (rendering itself inoperative until the next restart). Normally the next layer executes until it needs to request a service from the protective device. At that point, it stores the parameters of the request somewhere in memory where they will survive a reset, and performs a reset. When the device restarts, the service protective device obtains its secrets, examines the request, performs it (using its keys), destroys the keys and any related information, and passes the computed result and control to the next layer (the layer that originally requested the service).
In some embodiments, if the computing device supports space isolation, the security kernel should expose the basic Seal, Unseal, GetRandom (to obtain a random number), and PKUnseal (or Quote) operations. This security kernel can implement an open protective device or a service protective device. On the other hand, if the platform supports time isolation, the security kernel should provide an open protective device and should implement the basic Unseal, GenSeal, and PKUnseal (or Quote) operations.
It should also be noted that the Quote and PKUnseal functions can be built on the Seal and Unseal basic operations, or on the Unseal and GenSeal basic operations. For example, a manufacturer can build an l2 program that implements Quote or PKUnseal and acts as host for higher-level software (for example, an operating system), using the GenSeal and Unseal operations implemented in l1. The manufacturer can generate and package the keys needed by the service layer and ship them together with the device or CPU (or make them available online).
An example of the hardware support a platform needs in order to allow authenticated operation is described below. As with the higher layers of the system, the lowest layer (l₁ in Fig. 2) is characterised by (a) a key resource, (b) code that is authorised to access that key, and (c) control over the initialisation of the layer.
A strong binding is provided between an authenticated running program and its key. At the higher layers the guard in the layer below guarantees this binding. At the lowest layer there is no software guard below that can protect access to the platform secret, so another mechanism is used to support the association of the l₁ key with the l₁ program. One way to accomplish this binding is to make the l₁ software platform microcode or firmware that cannot be changed after manufacture, and to give the l₁ software unrestricted access to the l₁ key. The platform microcode or firmware can then be called the security kernel, and the l₁ key the platform key. The platform is designed to pass control only to a predetermined security kernel. The hardware behaviour can also be read as a simple resource guard that exposes the platform key to the predefined security kernel.
The platform key and the security kernel firmware can be part of the processor, or can be implemented in one or more other components of the computing device (for example a secure processor or coprocessor, which may also perform cryptographic operations). They can be implemented in a single component or spread across several components of the computing device.
Authenticated operation relies on starting a program in a controlled initial state. At the higher layers, the operation of the lower layer can be trusted to start execution at the correct entry point of the software. At l₁, however, the hardware performs this function. Typically a current processor determines where to begin executing after power-on or a subsequent reset by following some defined sequence; in the simplest case the processor starts fetching and running code from an architecturally defined memory location. For l₁, the program can be started by the hardware in a controlled initial state, where the hardware guarantees that the security kernel is the code that executes at startup (as part of the defined sequence).
In addition, there should be no other platform state that can corrupt the execution of the security kernel. Reset and power-on give the processor a clean and well-debugged state. In this example, a change of platform state that is used to start or invoke the security kernel is called a secure reset.
In addition, the device manufacturer should arrange for the generation or installation of the platform key used by l₁, and for the implementation of Seal and Unseal. If the device is to be part of a PKI (Public Key Infrastructure), the manufacturer should also certify a public key for the platform. This can be a platform key used directly by l₁, or a key used by a higher layer.
Key generation and certification can be the responsibility of the CPU manufacturer or of another party, such as the OEM that assembles the CPU into a device. Alternatively, the responsibility can be shared among several such parties.
Once the security kernel is running, it can use the guards described above to protect itself from code running at higher layers. Space isolation usually involves privileged-mode support, and time isolation usually involves hiding secrets from the upper layers.
On most current processors no extra platform support is needed for space isolation: the existing privileged modes or levels are sufficient (as long as the hardware resource that gives access to the platform key can be protected from the higher layers).
To support time isolation, a hardware aid is used to let the security kernel hide the platform key before passing control to a higher layer. In the time-isolation model, one way to secure the platform key is a stateful holding circuit called a reset latch. A reset latch is a hardware circuit with the property that it is open after a reset or power-on, but any software can close it at any time; once closed, it stays closed until the next reset or power-on. A platform implementing a time-isolated security kernel should gate access to the platform key on the state of the reset latch, and the security kernel should close the latch before passing control to a higher layer. As noted above, the security kernel should also take further actions before transferring control, such as clearing memory and registers, but these are the same actions used at the higher layers.
If the platform uses space isolation, the security kernel uses privileged mode to protect itself and its platform key from the programs that reside above it (for example an operating system). In addition, the security kernel creates a system-call interface for invoking the authenticated operations.
If the platform uses time isolation, the platform should also include memory that survives a secure reset, so that parameters can be passed to the service routine. To call a service, the operating system writes a command and parameter block into a memory location known to the security kernel and performs a secure reset. If the OS wishes to continue execution after the service call (rather than simply restart), it should make additional arrangements with the security kernel to ensure that this can be done reliably and safely.
The authenticated operations discussed here can be used for a variety of security purposes, such as protecting personal data against viruses, protecting secret server data against network attack, network management, copy protection, reliable distributed computing and so on. Authenticated operation allows different programs that run on the same computer without any particular trust relationship between them to maintain encrypted assets, regardless of what other software does.
Some of the following discussion refers to an SSP (Secure Service Processor). In one embodiment the SSP is a processor that provides basic cryptographic services to the computing device (for use within that device); for example, the SSP supports the gating functions described here (for example layer l₁ in Fig. 2). The SSP uses cryptographic keys, and usually has one or more keys that are unique (or intended to be unique) to that SSP. The SSP can be part of the CPU or of one or more other processors in the device; for example, it can be a separate chip or integrated circuit (IC) in the computing device.
In a different embodiment, the SSP is a suitably isolated software program that exposes to its callers the same functions as the previous embodiment. This SSP embodiment has (direct or indirect) access to cryptographic keys, and there are many implementation options for providing that access. For example, the SSP can invoke a service guard or an open guard in a lower layer, or it can have exclusive access to some part of the non-volatile storage (for example hard disk, flash memory, ROM, etc.) that holds the required keys.
In short, the SSP is defined by the functions it exposes to its clients at higher layers. The SSP is a guard (as described above) with (direct or indirect) access to cryptographic keys, which it uses to provide cryptographic services to its callers. The following sections describe example functions exposed by the SSP.
Operation example
The following is a discussion of example implementations of the sealed-storage and remote-attestation operations. This section illustrates example implementations of the Seal, Unseal, Quote and PKUnseal operations discussed above.
In this section the following definitions are used:

Name     Type            Description
DIGEST   BYTE[20]        A 160-bit value, normally the output of a SHA-1 hash operation.
SECRET   BYTE[32]        A 256-bit value, normally the secret on which a Seal or PKSeal operation is performed.
Ordinal  INTEGER         Each input and output structure carries an ordinal that identifies the operation it belongs to and whether it is an input or an output structure.
K_M      256-bit key     The key used for the HMAC operation.
K_S      256-bit key     The AES key used for Seal and Unseal.
K_U      2048 bits × 3   The RSA key pair used for PKUnseal.
K_Q      2048 bits × 3   The RSA key pair used for Quote.
R        128 bits        Random number.
In addition, this section and the following Bound Key Operations section refer to access policies. An access policy describes when a particular operation is enabled (that is, when it works). The user of the computing device can selectively disable some functions. For example, the computing device (for example the SSP that implements the Seal operation) includes a register known as FeatureEnable. One of the bits in this register is known as MainEnable. If the user sets MainEnable to false, none of the functions in these sections work. The access policy given for each function describes which FeatureEnable settings allow that function to work.
Seal
Definition

SSP_STATUS Seal(
    [in]  SECRET S,
    [in]  DIGEST Target[2],
    [in]  UINT32 MaxLen,
    [out] UINT32 *ActualLen,
    [out] BYTE *SealedBlob
)

Parameters

Seal-Input ::= SEQUENCE {
    ordinal INTEGER,
    secret  Secret,
    target  DigestPair }

Seal-Output ::= SEQUENCE {
    ordinal     INTEGER,
    status      INTEGER,
    sealed-blob OCTET STRING }

Return Values

SSP_SUCCESS

Comments
The Seal operation produces an encrypted block (a bit string) that can be decrypted only by the corresponding Unseal operation, and only if all of the following evaluate to true:
● Is the encoding correct?
● Is the MAC correct?
● Is the currently running SK/SL (Security Kernel or Secure Loader) the one named as Target during the Seal operation?
Seal adds internal randomness, so that Seal on identical input produces different output. This ensures that Seal cannot be used as a hardware device identifier. When performing a seal, Seal also includes an identifier of the program that invoked the Seal operation (for example the digest of the calling program held in the PCR register of the SSP, also referred to here as the PCR value), so that integrity information is provided to the unsealer.
Access Policy

Allowed = FeatureEnable.MainEnable &
          (FeatureEnable.UseSymmKey == All |
           FeatureEnable.UseSymmKey == AuthSL & SLKnown & AuthPCR[CurrentSL].UseSymmKey)
Actions

The Seal operation performs the following actions:
1. Generate a 128-bit random number R.
2. Let D0 be the current value of PCR[0], and D1 = PCR[1].
3. DIGEST M = HMAC[K_M](R || S || Target || D0 || D1)
4. C = AES[K_S](R || S || Target || D0 || D1 || M)
5. Return SSP_SUCCESS, with SealedBlob set to C.
Unseal
Definition

SSP_STATUS Unseal(
    [in]  BYTE *SealedBlob,
    [in]  UINT32 SealedBlobLen,
    [out] SECRET S,
    [out] DIGEST Source
)

Parameters

Unseal-Input ::= SEQUENCE {
    ordinal     INTEGER,
    sealed-blob OCTET STRING }

Unseal-Output ::= SEQUENCE {
    ordinal INTEGER,
    status  INTEGER,
    secret  Secret,
    source  Digest }

Return Values

SSP_SUCCESS
SSP_UNSEAL_ERROR

Comments
Unseal internally decrypts a blob produced by the Seal operation and checks the following conditions:
● Is the encoding correct?
● Is the current PCR value the one named as Target during the Seal operation?
If all checks succeed, the secret and the PCR values of the sealing program are returned; otherwise UNSEAL_ERROR is returned.
Access Policy

Allowed = FeatureEnable.MainEnable &
          (FeatureEnable.UseSymmKey == All |
           FeatureEnable.UseSymmKey == AuthSL & SLKnown & AuthPCR[CurrentSL].UseSymmKey)
Actions

The Unseal operation performs the following actions:
1. M = AES⁻¹[K_S](SealedBlob).
2. Interpret M as (BITS[128] R || SECRET S1 || DIGEST Target0 || DIGEST Target1 || DIGEST Sealer0 || DIGEST Sealer1 || DIGEST N).
3. DIGEST D = HMAC[K_M](R || S1 || Target0 || Target1 || Sealer0 || Sealer1)
4. If (Target0 != PCR[0] or Target1 != PCR[1]), return SSP_UNSEAL_ERROR and set S and Source to 0.
5. If D != N, return SSP_UNSEAL_ERROR and set S and Source to 0.
6. Otherwise return SSP_SUCCESS, with S set to S1 and Source set to {Sealer0, Sealer1}.
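The Seal and Unseal actions above, worked through as runnable Go. This is an added example, not code from the patent or from Microsoft. It follows the listed steps literally: a fresh 128-bit R, the sealer's PCR pair as D0 || D1, an HMAC-SHA-1 under K_M, then AES under K_S over R || S || Target || D0 || D1 || M; on Unseal it applies the encoding, MAC and Target-versus-PCR checks in that order and returns the sealer's PCR pair as Source. The page names neither the AES mode nor the padding, so AES-CBC with a zero IV and PKCS#7 padding are this example's assumptions, as are the constructed keys and PCR values. Because R is the first plaintext block, the zero IV does not make the output deterministic, which is what the comments above require.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// DigestPair is the {PCR[0], PCR[1]} register pair; each entry is the page's 160-bit DIGEST.
type DigestPair [2][20]byte
// SSP holds K_M (HMAC key), K_S (AES key) and the current PCR values; keys here are constructed.
type SSP struct {
	KM, KS []byte
	PCR    DigestPair
}
var ErrUnseal = errors.New("SSP_UNSEAL_ERROR")
const plainLen = 16 + 32 + 5*20 // R || S || Target0 || Target1 || Sealer0 || Sealer1 || N

// cbc is AES-CBC with a zero IV. The page names neither mode nor padding, so this is the
// example's assumption; the zero IV is acceptable only because the first block is the fresh R.
func (s *SSP) cbc(in []byte, encrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(s.KS)
	if err != nil || len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, ErrUnseal
	}
	out, iv := make([]byte, len(in)), make([]byte, aes.BlockSize)
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

func (s *SSP) mac(body []byte) []byte {
	h := hmac.New(sha1.New, s.KM)
	h.Write(body)
	return h.Sum(nil)
}

// Seal follows the five Seal actions: fresh R, D0/D1 from the PCRs,
// M = HMAC[K_M](R||S||Target||D0||D1), C = AES[K_S](R||S||Target||D0||D1||M).
func (s *SSP) Seal(secret []byte, target DigestPair) ([]byte, error) {
	if len(secret) != 32 {
		return nil, errors.New("SECRET must be 32 bytes")
	}
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	body := bytes.Join([][]byte{r, secret, target[0][:], target[1][:], s.PCR[0][:], s.PCR[1][:]}, nil)
	body = append(body, s.mac(body)...)
	pad := aes.BlockSize - len(body)%aes.BlockSize // PKCS#7 padding (assumption)
	return s.cbc(append(body, bytes.Repeat([]byte{byte(pad)}, pad)...), true)
}

// Unseal follows the Unseal actions: decrypt, split the fields, recompute the HMAC, and
// release S only when the MAC matches and the current PCR equals the recorded Target.
func (s *SSP) Unseal(blob []byte) (secret []byte, source DigestPair, err error) {
	m, err := s.cbc(blob, false)
	if err != nil {
		return nil, source, err
	}
	pad := int(m[len(m)-1])
	if pad < 1 || pad > aes.BlockSize || len(m)-pad != plainLen ||
		!bytes.Equal(m[len(m)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, source, ErrUnseal // "is the encoding correct?"
	}
	body, n := m[:plainLen-20], m[plainLen-20:plainLen]
	if !hmac.Equal(s.mac(body), n) {
		return nil, source, ErrUnseal // "is the MAC correct?"
	}
	var target DigestPair
	copy(target[0][:], body[48:68])
	copy(target[1][:], body[68:88])
	if target != s.PCR {
		return nil, source, ErrUnseal // the program running now is not the named Target
	}
	copy(source[0][:], body[88:108])
	copy(source[1][:], body[108:128])
	return append([]byte(nil), body[16:48]...), source, nil
}

func main() {
	ssp := &SSP{KM: bytes.Repeat([]byte{0x11}, 32), KS: bytes.Repeat([]byte{0x22}, 32)}
	ssp.PCR[0], ssp.PCR[1] = sha1.Sum([]byte("security kernel")), sha1.Sum([]byte("calling program"))
	blob, _ := ssp.Seal(bytes.Repeat([]byte{0xAB}, 32), ssp.PCR) // Target = the PCRs in effect now
	got, src, err := ssp.Unseal(blob)
	fmt.Println(len(got), src == ssp.PCR, err) // 32 true <nil>
	ssp.PCR[1] = sha1.Sum([]byte("some other program")) // a different program is running
	_, _, err = ssp.Unseal(blob)
	fmt.Println(err) // SSP_UNSEAL_ERROR
}
```

The Target check compares the PCR values in effect at Unseal time with the pair the sealer named, not with the sealer's own digest; the sealer's PCR pair is what comes back as Source, which lets the unsealing program decide whether it trusts whoever sealed the data. The MAC is verified before the Target comparison, so a forged blob is rejected before any field it carries is believed.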
Quote
Definition

SSP_STATUS Quote(
    [in]  BITSTRING d-ext,
    [out] PKSignature SigBlob
)

Parameters

Quote-Input ::= SEQUENCE {
    ordinal INTEGER,
    d-ext   Digest }

Quote-Output ::= SEQUENCE {
    ordinal  INTEGER,
    status   INTEGER,
    sig-blob PKSignature }

Return Values

SSP_SUCCESS
SSP_CRYPTO_ERROR

Comments
The Quote operation instructs the SSP to sign the concatenation of an externally supplied D-EXT and the internal PCR values.
Access Policy

Allowed = FeatureEnable.MainEnable &
          (FeatureEnable.UsePrivKey == All |
           FeatureEnable.UsePrivKey == AuthSL & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions

The Quote operation performs the following actions:
1. The SSP forms a message M that is the DER (Distinguished Encoding Rules) encoding of a SEQUENCE containing the identifier for the message type QuoteMessage, D-EXT and the contents of the PCR registers:
    SEQUENCE {
        message-type PKMessageType,
        d-ext        Digest,
        pcr          DigestPair
    }
2. The SSP then uses KQ.PRIV to generate a signed message over M according to the default implementation of RSASSA-PSS-SIGN specified in PKCS #1 v2.1. If the function returns an error, return SSP_CRYPTO_ERROR and set SigBlob to 0.
3. The SSP returns SSP_SUCCESS and the just-computed signature value in SigBlob, with signatureAlgorithm = rSASSA-PSS-Default-Identifier.
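The Quote actions above as runnable Go, together with the remote verifier's side, which the page leaves implicit. This is an added example, not code from the patent. The DER SEQUENCE is produced by encoding/asn1 from a struct carrying the page's three fields. The numeric value 1 for sspV1QuoteMessage, the SHA-256 digest inside RSASSA-PSS (the PKCS #1 v2.1 default identifier the page cites uses SHA-1), the generated K_Q and the constructed PCR values and nonce are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
)

// The page names the message type sspV1QuoteMessage but not its number; 1 is assumed.
const sspV1QuoteMessage = 1

var ErrCrypto = errors.New("SSP_CRYPTO_ERROR")

// DigestPair is the PCR register pair; []byte fields so encoding/asn1 emits OCTET STRINGs.
type DigestPair struct{ D0, D1 []byte }

// quoteMessage is the page's SEQUENCE{message-type, d-ext, pcr}; asn1.Marshal gives its DER.
type quoteMessage struct {
	MessageType int
	DExt        []byte
	PCR         DigestPair
}

// SSP holds the Quote signing key K_Q and the current PCR values.
type SSP struct {
	KQ  *rsa.PrivateKey
	PCR DigestPair
}

// NewSSP generates a fresh K_Q; a real device has one provisioned and certified at manufacture.
func NewSSP(pcr DigestPair) (*SSP, error) {
	kq, err := rsa.GenerateKey(rand.Reader, 2048)
	return &SSP{KQ: kq, PCR: pcr}, err
}

// Quote: DER-encode {QuoteMessage, d-ext, PCR} and sign it with RSASSA-PSS under K_Q.PRIV.
// SHA-256 is this example's choice; the PKCS #1 v2.1 default identifier the page cites uses SHA-1.
func (s *SSP) Quote(dExt []byte) (msg, sig []byte, err error) {
	if msg, err = asn1.Marshal(quoteMessage{sspV1QuoteMessage, dExt, s.PCR}); err != nil {
		return nil, nil, ErrCrypto
	}
	h := sha256.Sum256(msg)
	if sig, err = rsa.SignPSS(rand.Reader, s.KQ, crypto.SHA256, h[:], nil); err != nil {
		return nil, nil, ErrCrypto
	}
	return msg, sig, nil
}

// VerifyQuote is the remote verifier's side, which the page leaves implicit: check the PSS
// signature under K_Q's public key, parse the DER message, then confirm both the nonce the
// verifier chose (otherwise an old quote could be replayed) and the PCR pair it expects.
func VerifyQuote(pub *rsa.PublicKey, msg, sig, nonce []byte, expect DigestPair) error {
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return err
	}
	var q quoteMessage
	if rest, err := asn1.Unmarshal(msg, &q); err != nil || len(rest) != 0 || q.MessageType != sspV1QuoteMessage {
		return errors.New("quote message malformed")
	}
	if !bytes.Equal(q.DExt, nonce) {
		return errors.New("nonce mismatch: not a fresh quote")
	}
	if !bytes.Equal(q.PCR.D0, expect.D0) || !bytes.Equal(q.PCR.D1, expect.D1) {
		return errors.New("quoted PCR differs from the expected platform state")
	}
	return nil
}

func main() {
	pcr := DigestPair{D0: bytes.Repeat([]byte{1}, 20), D1: bytes.Repeat([]byte{2}, 20)}
	ssp, _ := NewSSP(pcr)
	nonce := bytes.Repeat([]byte{7}, 20) // verifier-chosen freshness value (constructed)
	msg, sig, _ := ssp.Quote(nonce)
	fmt.Println("quote accepted:", VerifyQuote(&ssp.KQ.PublicKey, msg, sig, nonce, pcr) == nil)
	fmt.Println("stale nonce:", VerifyQuote(&ssp.KQ.PublicKey, msg, sig, bytes.Repeat([]byte{8}, 20), pcr))
}
```

The value of a quote lies entirely in what the verifier checks: the signature ties the PCR pair to a specific K_Q (and hence, through the manufacturer's certificate, to a specific platform), while D-EXT is what ties it to this exchange. A verifier that accepts any D-EXT, or that only checks the signature, learns nothing about the platform's current state.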
PKUnseal
Definition

SSP_STATUS PK_Unseal(
    [in]  PKCiphertext SealedBlob,
    [out] SECRET Secret
)

Parameters

PkUnseal-Input ::= SEQUENCE {
    ordinal        INTEGER,
    pk-sealed-blob PKCiphertext }

PkUnseal-Output ::= SEQUENCE {
    ordinal INTEGER,
    status  INTEGER,
    secret  Secret }

Return Values

SSP_SUCCESS
SSP_CRYPTO_ERROR
SSP_BAD_DATA_ERROR

Comments
The PKUnseal operation works on an encrypted block of 416 bits with a specific format. The block is decrypted and, if decryption and decoding succeed, the 416-bit message is interpreted as the concatenation of a secret value and the PCR value that is allowed to receive the decrypted value.
If the current PCR value equals the one specified in the encrypted block, the secret is revealed; otherwise an error is returned.
Access Policy

Allowed = FeatureEnable.MainEnable &
          (FeatureEnable.UsePrivKey == All |
           FeatureEnable.UsePrivKey == AuthSL & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions

The PKUnseal operation performs the following actions:
1. The SSP tests whether the AlgorithmIdentifier in pk-sealed-blob is sspV1BoundKey.
2. The SSP internally decrypts SealedBlob according to the default implementation of RSAES-OAEP-DECRYPT specified in PKCS #1 v2.1, to obtain the plaintext message M.
3. If the decoding operation outputs "decoding error", return SSP_BAD_DATA_ERROR and set Secret to 0.
Otherwise the recovered message M, under DER encoding, should have the following format:
    SEQUENCE {
        message-type PKMessageType,
        secret       Secret,
        target       Digest }
In addition, Secret should contain 256 bits (32 octets) and target should contain 160 bits (20 octets). The message type should be sspV1PKSealedMessage. If these conditions are not met, return SSP_BAD_DATA_ERROR and set Secret to 0; otherwise:
1. If target != PCR, return SSP_BAD_DATA_ERROR and set Secret to 0.
2. If target = PCR, return SSP_SUCCESS and set Secret to secret.
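The PKUnseal actions above as runnable Go, together with the sender's PKSeal side so that the message format is exercised end to end. This is an added example, not code from the patent. The page's PKUnseal compares a single 160-bit target digest with "PCR", so here the PCR is modelled as one digest. The message-type value 2, the SHA-256 hash inside RSAES-OAEP (the PKCS #1 v2.1 default the page cites uses SHA-1), the generated K_U and the constructed inputs are assumptions; the AlgorithmIdentifier test of action 1 is not modelled, the example starts at the decryption step.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
)

// The page names the message type sspV1PKSealedMessage but not its number; 2 is assumed.
const sspV1PKSealedMessage = 2

var ErrBadData = errors.New("SSP_BAD_DATA_ERROR")

// pkSealedMessage is the page's SEQUENCE{message-type, secret, target}.
type pkSealedMessage struct {
	MessageType int
	Secret      []byte // must be 32 octets
	Target      []byte // must be 20 octets: the PCR value allowed to receive the secret
}

// SSP holds the PKUnseal decryption key K_U and the current PCR value (one digest, as the
// page's PKUnseal compares a single target Digest with "PCR").
type SSP struct {
	KU  *rsa.PrivateKey
	PCR []byte
}

// NewSSP generates a fresh K_U; a real device has one provisioned and certified at manufacture.
func NewSSP(pcr []byte) (*SSP, error) {
	ku, err := rsa.GenerateKey(rand.Reader, 2048)
	return &SSP{KU: ku, PCR: pcr}, err
}

// PKSeal is the sender's side (a remote party holding the platform's certified public key):
// DER-encode {PKSealedMessage, secret, target} and RSAES-OAEP-encrypt it to K_U.PUB.
// SHA-256 is this example's choice; the PKCS #1 v2.1 default the page cites uses SHA-1.
func PKSeal(pub *rsa.PublicKey, secret, target []byte) ([]byte, error) {
	m, err := asn1.Marshal(pkSealedMessage{sspV1PKSealedMessage, secret, target})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}

// PKUnseal follows the page's actions from step 2 onwards: OAEP-decrypt (every failure is
// reported uniformly as SSP_BAD_DATA_ERROR, so a caller learns nothing about why), check the
// DER shape, message type and field lengths, then release the secret only if target == PCR.
func (s *SSP) PKUnseal(blob []byte) ([]byte, error) {
	m, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.KU, blob, nil)
	if err != nil {
		return nil, ErrBadData // "decoding error"
	}
	var p pkSealedMessage
	if rest, err := asn1.Unmarshal(m, &p); err != nil || len(rest) != 0 ||
		p.MessageType != sspV1PKSealedMessage || len(p.Secret) != 32 || len(p.Target) != 20 {
		return nil, ErrBadData
	}
	if !bytes.Equal(p.Target, s.PCR) {
		return nil, ErrBadData // the program running now is not the one the sender named
	}
	return p.Secret, nil
}

func main() {
	pcr := bytes.Repeat([]byte{1}, 20) // digest of the program allowed to receive the secret
	ssp, _ := NewSSP(pcr)
	blob, _ := PKSeal(&ssp.KU.PublicKey, bytes.Repeat([]byte{0xAB}, 32), pcr)
	secret, err := ssp.PKUnseal(blob)
	fmt.Println(len(secret), err) // 32 <nil>
	ssp.PCR = bytes.Repeat([]byte{9}, 20) // a different program is running now
	_, err = ssp.PKUnseal(blob)
	fmt.Println(err) // SSP_BAD_DATA_ERROR
}
```

OAEP already rejects a modified ciphertext, so the integrity of the whole message is covered by the decryption step; the remaining checks (DER shape, message type, field lengths, target) are what stop a correctly encrypted but malformed or mis-targeted message from releasing a secret to the wrong program.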
Bound Key Operations
In addition, a set of bound-key functions or operations allows cryptographic keys to be created and certified locally (for example by the SSP), but also allows cryptographic keys to be transferred from a trusted remote party (for example to the SSP).
The bound-key functions have the following characteristics:
1. A service guard (for example the SSP) at some system layer has direct access to the bound key. Each bound key has an associated condition that determines which guards may access it. The condition is expressed implicitly: the bound key is encrypted such that only one guard, or a certain group of guards, has the key needed to decrypt it.
2. The service guard that has access to the bound key exposes to clients at higher layers the functions that need to use the bound key (for example signing, MAC, encryption, decryption). Each bound key may have an associated usage condition, in which case the guard serves only those requests that satisfy the condition.
3. The bound key is contained in a cryptographically protected data structure (also called here the bound-key blob). The bound-key blob is self-protecting and can be stored outside the trusted environment.
Bound keys have the following benefits:
● Each client can be allowed to have its own bound key, and indeed arbitrarily many bound keys. This allows finer-grained policy settings and improves confidentiality in some applications. The guard therefore need not be limited to one or a few keys used to serve requests from all clients.
● Bound keys are hidden outside the authorised service guard, so the compromise of a client (for example through a programming error) cannot lead to the compromise of any bound key. In one embodiment the service guard (SSP) is implemented in hardware; in that case a bound key cannot be compromised by malicious or incorrect software at all.
The bound-key functions provide protection for cryptographic keys. Bound keys can be generated by a remote party, or created locally with the GenBoundKey command.
A locally generated bound key can be issued a "quote" certificate, which can be used to give a remote party certification of the key type, of the public key generated, of the state of the machine at the time of generation, and of the (optional) condition (for example a digest) that the key is bound to.
A bound key includes one or more of the following elements:
● A key usage (for example BoundSign, BoundQuote, BoundPkUnseal, BoundPkDecrypt, BoundMAC, BoundEncrypt or BoundDecrypt). This element is optional; if present, it restricts the bound key to use only with the identified type of function.
● A condition element (as described above), which specifies under which condition the bound key can be used (also called the bound-key usage condition). For example, the condition can be expressed as one or more digests of programs, in which case the bound key may be used only by, or on behalf of, the programs whose digests are specified. As noted above, other examples of conditions include time limits, logical formulas and executable programs. This element is optional; if omitted, some default condition applies. For example, the default condition may place no restriction on access to the bound key (the empty condition).
● The key itself (the bound key), or some data from which the key can be computed.
● One or more conditions (as described above) under which the bound-key usage condition may be changed. This change is also called bound-key migration, and the condition the migration condition. This element is optional; if omitted, some default condition applies. For example, the default condition can be "always false", so that the digest (if one is given) cannot be changed.
● One or more conditions under which the set of service guards that can directly access the bound key may be changed. This change is also called bound-key export, and the condition the export condition. This element is optional.
Cryptographic protection of bound keys
Bound keys have the same cryptographic requirements as the sealed-storage and attestation functions described above (Seal, Unseal, PKUnseal). In particular, a locally generated bound key can be protected by any of the cryptographic Store and Retrieve functions described above. In each case the confidentiality of the bound key itself is protected, and the integrity of the whole data structure is protected, so that the various conditions governing the use of the bound key cannot be tampered with. As described earlier, this can be achieved by various combinations of symmetric or public-key encryption algorithms with MACs or digital signatures. In one embodiment the bound-key data structure is public-key encrypted.
Function
In some embodiments a bound key can be used in one or more of the following functions:
● BoundSign
● BoundQuote
● BoundPkDecrypt
● BoundPkUnseal
● BoundMAC
● BoundEncrypt
● BoundDecrypt
● GenBoundKey
● BoundKeyMigrate
● BoundKeyExport
In each of these functions, the bound-key blob (a bit-string data structure) is passed to the bound-key function as a parameter, together with the data on which the key contained in the blob is to operate. If a key-usage element is contained in the bound-key blob, the SSP ensures that the bound key is used only for the correct purpose (for example, a key created with type "BoundQuoteKey" can only be used in a BoundQuote operation).
In some implementations the bound key is the private key of a public/private key pair. In such an implementation the bound-key blob can contain the private key itself, or some data from which the key can be computed. For example, a private-key fragment can be contained in the blob, and that fragment together with the corresponding public key can be used to reconstruct the private key of the pair.
The BoundSign operation receives as input the data to be signed with the bound key, together with a bound-key blob. The SSP recovers the private signing key from the blob, uses the recovered key to generate a digitally signed message over the input data, and outputs that message. If the bound-key blob is corrupt, or if a bound-key usage condition is present and not satisfied, the SSP does not perform the operation. The input data is therefore signed with the recovered private key rather than with a private key published by the SSP.
The BoundQuote operation receives as input the data to be signed and a bound-key blob. The SSP recovers the private key from the blob, then uses the recovered signing key to generate a signature over the data input to the operation together with the current PCR value (for example an identifier, such as a digest, of the program calling the BoundQuote operation), as in the Quote operation described above. The SSP then outputs the digitally signed message. If the bound-key blob is corrupt, or if a bound-key usage condition is present and not satisfied, the SSP does not perform the operation. In one implementation BoundQuote is similar to BoundSign, the difference being that the current PCR value is included in the BoundQuote operation.
The BoundPkDecrypt operation receives a ciphertext and a bound-key blob as input. The SSP recovers the private key from the blob, then uses the recovered private bound key to decrypt the input ciphertext, and outputs the decrypted data. If the bound-key blob is corrupt, or if a bound-key usage condition is present and not satisfied, the SSP does not perform the operation.
The BoundPkUnseal operation receives a ciphertext and a bound-key blob as input. The SSP recovers the private key from the blob, then uses that private bound key to decrypt the input ciphertext as in the PKUnseal operation described above, and outputs the decrypted data. If the bound-key blob is corrupt, or if a bound-key usage condition is present and not satisfied, the SSP does not perform the operation.
The BoundMAC operation receives as input the data over which a MAC is to be computed with the bound key, together with a bound-key blob. If the bound-key blob is corrupt, or if a bound-key usage condition is present and not satisfied, the SSP does not perform the operation. Otherwise the SSP recovers the bound key from the blob, uses the recovered key to generate a Message Authentication Code (MAC) over the input data, and outputs the computed MAC. The MAC over the input data is therefore computed with the recovered bound key rather than with a key published by the SSP.
The BoundEncrypt operation receives as input the data to be encrypted with the bound key, together with a bound-key blob. If the bound-key blob is corrupt, or if a bound-key usage condition is present and not satisfied, the SSP does not perform the operation. Otherwise the SSP recovers the bound key from the blob, encrypts the input data with it, and outputs the computed ciphertext. The input data is therefore encrypted with the recovered bound key rather than with a key published by the SSP.
The BoundDecrypt operation receives as input the data to be decrypted with the bound key, together with a bound-key blob. If the bound-key blob is corrupt, or if a bound-key usage condition is present and not satisfied, the SSP does not perform the operation. Otherwise the SSP recovers the bound key from the blob, decrypts the input data with it, and outputs the computed plaintext. The input data is therefore decrypted with the recovered bound key rather than with a key published by the SSP.
The GenBoundKey operation makes the SSP create a new bound key. The new bound key is a cryptographic key, and a new bound-key blob containing the newly generated key is produced. Note that the bound-key blob does not always have to contain the whole key; for example, if the newly generated key is a public/private key pair, it may be enough for the blob to contain the private key.
The new bound-key blob is bound to one or more guards, normally just the SSP performing the operation (for example the new blob is cryptographically protected in the manner of the Store function described above, or otherwise protected so that only the SSP can retrieve it). The GenBoundKey operation can also take parameters that determine the features of the new bound-key blob, and data describing those parameters is attached to the newly generated private key in an integrity-protected way (for example by making the data part of the new bound-key blob). As discussed above, examples of such data include the migration condition, the bound-key usage condition and so on. The new bound-key blob is then output by the GenBoundKey operation.
In summary, a bound key can be a cryptographic key of any type, including a symmetric key or a public/private key pair. The key type depends on which bound-key operation it is to be used with: for example, a bound key used in BoundMAC is normally a symmetric key, and a bound key used in BoundSign is normally a public/private signing key pair. The key type can be specified as a parameter of GenBoundKey.
The BoundKeyMigrate operation allows the usage condition of a bound key to be changed. The SSP verifies that the one or more migration conditions are satisfied. Any of a variety of conditions can be used with the BoundKeyMigrate operation (for example, conditions on who is identified and/or to whom data may be transferred, similar to those discussed above for the Seal and Unseal operations). If the verification does not succeed, the operation fails. If the verification succeeds, the guard generates a new bound-key blob in which the bound-key usage condition has been changed as requested.
The BoundKeyExport operation instructs the SSP to change the set of guards (SSPs) that can directly access the bound key. The SSP verifies that the one or more export conditions are satisfied. Any of a variety of conditions can be used with the BoundKeyExport operation (for example, conditions on who is identified and/or to whom data may be exported, similar to those discussed above for the Seal and Unseal operations). If the verification does not succeed, the operation fails. If the verification succeeds, the SSP changes the cryptographic protection of the bound-key blob as requested. In one embodiment the SSP re-encrypts the bound-key data structure under one or more new keys.
An example of a class of conditions that the (local or remote) creator of a bound key can specify is: the bound key may be used only on behalf of a client whose program digest has a particular value. In this case the bound-key operation checks the digest of the requesting client after internally retrieving the bound-key blob, and if the digest is not as specified in the blob, the operation fails without performing any further computation.
A bound-key blob is usually constrained, or tied, to a specific SSP by means of cryptographic operations that require a key unique to that SSP. Examples of such operations are MACs, digital signatures, encryption, and combined encryption and integrity-verification functions.
Bound key operation example
In one implementation, migration is authorised by a local migration certificate or an export certificate issued by an authorised entity. A local migration certificate is the default RSASSA-PSS-SIGN operation over the following data structure:
Bound-migration-info ::= SEQUENCE {
    source-bound-blob-digest Digest,
    dest-PCR                 DigestPair
}
Local SSP migration is requested with the BoundKeyMigrate operation. To authorise a local migration, the SSP is given a Bound-migration-info structure that refers to the bound key in question, together with a properly formed certificate over that structure from the authorising entity. If the migration authorisation is acceptable, the SSP rebinds the key to the new PCR and leaves all other key attributes unchanged (for example, if the key was not originally bound to a PCR value, it will not be PCR-bound after rebinding). source-bound-blob-digest is the digest of the encrypted external form of the bound key.
Remote migration is performed with the BoundKeyExport function, given for example a Bound-export-info structure signed by an authorised entity:
Bound-export-info ::= SEQUENCE {
    source-bound-blob-digest Digest,
    dest-pubkey              RSAPublicKey,
    dest-PCR                 DigestPair
}
When a key is marked exportable, the authorised entity has full control over the device or software module to which the key is rebound.
The bound-key operations use a PKCiphertext, which is a sequence of type Bound-key-blob encrypted with the platform public encryption key, where Bound-key-blob is as follows:
Bound-key-blob ::= SEQUENCE {
    message-type PKMessageType,
    key-type Bound-key-type,
    bound-to-PCR BOOL,
    bound-to DigestPair,
    migrateable BOOL,
    migrate-auth Digest,
    exportable BOOL,
    export-auth Digest,
    pub-key-digest Digest,
    bound-key PKCompressedPrivateKey
}
where:
Bound-key-type ::= INTEGER {
    BoundSignKey,
    BoundQuoteKey,
    BoundDecryptKey,
    BoundPkUnsealKey }
The bound-to-PCR member is a flag indicating whether the bound-to digest field must match the current PCR value for the bound key to be usable. {migrateable, migrate-auth} indicate whether the key is migrateable and, if so, under the control of which authority (if migrateable is false, the migrate-auth value is irrelevant). {exportable, export-auth} indicate whether the key is exportable and, if so, under the control of which authority (if exportable is false, the export-auth value is irrelevant). pub-key-digest is the digest of the corresponding public key; it provides a firm binding between the PKCompressedPrivateKey and the public key that is needed to recover the private key.
In one implementation, if the bound key is created locally with the GenBoundKey function, the SSP also creates a signature over a data structure that describes the public attributes of the newly generated key and the system configuration at the time the bound key was generated.
Bound-key-pub-info ::= SEQUENCE {
    message-type PKMessageType,
    -- sspV1BoundKeyGenMessage
    sig-nonce Digest,
    key-type Bound-key-type,
    bound-to-PCR BOOL,
    bound-to DigestPair,
    migrateable BOOL,
    migrate-auth Digest,
    exportable BOOL,
    export-auth Digest,
    creator-PCR DigestPair,
    bound-pub-key Digest }
In this structure, key-type, bound-to-PCR, bound-to, migrateable, migrate-auth, exportable and export-auth are the bound-key attributes of the newly generated key. creator-PCR is the PCR value in effect when the key was generated, and bound-pub-key is the digest of the newly created public key. sig-nonce is a digest-sized value supplied when generation of the bound key was requested.
Exemplary definitions of the BoundSign, BoundQuote, BoundPkDecrypt, BoundPkUnseal, GenBoundKey, BoundKeyMigrate and BoundKeyExport operations follow.
BoundSign
Definition
SSP_STATUS BoundSign(
    [in] PKCiphertext BoundKeyBlob,
    [in] RSAPublicKey PubPartOfBoundKey,
    [in] BITSTRING DataToBeSigned,
    [out] PKSignature sig-blob
)
Parameters
BoundSign-Input ::= {
    ordinal INTEGER,
    bound-key BoundKeyBlob,
    bound-pub-key RSAPublicKey,
    data-to-be-signed OCTET STRING }
BoundSign-Output ::= {
    ordinal INTEGER,
    status INTEGER,
    sig-blob PKSignature }
Return Values
SSP_SUCCESS
SSP_CRYPTO_ERROR
SSP_BAD_DATA_ERROR
SSP_UNSEAL_ERROR
Comments
The BoundSign operation takes a PKCiphertext of type sspV1BoundKey containing a BoundKeyBlob of type BoundSignKey, together with the corresponding public key. If either of these conditions is not met, or if the sequence fails to decrypt, the operation fails and returns SSP_CRYPTO_ERROR.
If bound-to-PCR is set, the SSP checks whether the current PCR value is the one specified in the Bound-key-blob sequence. If not, the SSP returns SSP_CRYPTO_ERROR.
Finally, the SSP signs the input message with the decrypted private key.
Access Policy
Allowed = FeatureEnable.MainEnable &
    (FeatureEnable.UsePrivKey == All |
     FeatureEnable.UsePrivKey == AuthSL
     & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions
The BoundSign operation performs the following actions:
1. The SSP tests whether the AlgorithmIdentifier in pk-sealed-blob is sspV1BoundKey.
2. The SSP internally decrypts SealedBlob according to the default implementation of RSAES-OAEP-DECRYPT specified in PKCS #1 v2.1, to obtain the plaintext message M.
3. If the decryption operation outputs "decoding error", the SSP returns SSP_CRYPTO_ERROR and sets Secret to 0.
4. Otherwise, the recovered message M should be the DER encoding of a Bound-key-blob of type BoundSignKey. If not, the SSP returns SSP_CRYPTO_ERROR.
5. If bound-to-PCR is true, the SSP compares bound-to with the current PCR value. If the values differ, the SSP returns SSP_CRYPTO_ERROR.
6. The SSP then uses the supplied public key to recover the bound private key. If this fails, the SSP returns SSP_CRYPTO_ERROR. If it succeeds, the SSP uses the recovered private key bound-key to generate a signed message over the input DataToBeSigned according to the default implementation of RSASSA-PSS-SIGN specified in PKCS #1 v2.1. If the function returns an error, the SSP returns SSP_CRYPTO_ERROR and sets SigBlob to 0.
7. Return SSP_SUCCESS.
BoundQuote
Definition
SSP_STATUS BoundQuote(
    [in] PKCiphertext BoundKeyBlob,
    [in] DIGEST DataToBeSigned,
    [out] PKSignature sig-blob
)
Parameters
BoundQuote-Input ::= {
    ordinal INTEGER,
    bound-key BoundKeyBlob,
    bound-pub-key RSAPublicKey,
    data-to-be-quoted Digest }
BoundQuote-Output ::= {
    ordinal INTEGER,
    status INTEGER,
    sig-blob PKSignature }
Return Values
SSP_SUCCESS
SSP_CRYPTO_ERROR
SSP_BAD_DATA_ERROR
SSP_UNSEAL_ERROR
Comments
The BoundQuote operation takes a PKCiphertext of type sspV1BoundKey containing a BoundKeyBlob of type BoundQuoteKey. If this condition is not met, or if the sequence fails to decrypt, the operation fails and returns SSP_CRYPTO_ERROR.
If bound-to-PCR is set, the SSP checks whether the current PCR value is the one specified in the Bound-key-blob sequence. If not, the SSP returns SSP_CRYPTO_ERROR.
Finally, the SSP quotes the input message with the decrypted private key.
Access Policy
Allowed = FeatureEnable.MainEnable &
    (FeatureEnable.UsePrivKey == All |
     FeatureEnable.UsePrivKey == AuthSL
     & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions
The BoundQuote operation performs the following actions:
1. The SSP tests whether the AlgorithmIdentifier in pk-sealed-blob is sspV1BoundKey.
2. The SSP internally decrypts SealedBlob according to the default implementation of RSAES-OAEP-DECRYPT specified in PKCS #1 v2.1, to obtain the plaintext message M.
3. If the decryption operation outputs "decoding error", the SSP returns SSP_CRYPTO_ERROR and sets Secret to 0.
4. Otherwise, the recovered message M should be the DER encoding of a Bound-key-blob of type BoundQuoteKey. If not, the SSP returns SSP_CRYPTO_ERROR.
5. If bound-to-PCR is true, the SSP compares bound-to with the current PCR value. If the values differ, the SSP returns SSP_CRYPTO_ERROR.
6. The SSP then uses the recovered private-key fragment and the public key to reconstruct the private key. The private key can be reconstructed as follows. In general, an RSA key consists of a modulus N = p*q (N is the product of two primes p and q) and two exponents, e (the encryption exponent) and d (the decryption exponent). N and e form the public key; d is the private key. In general, d is as long as N (for example, 2048 bits). If the factorization of N is known (that is, if p and q are known), the private key d can be computed easily. Note that p and q are each only half the length of N. So, instead of storing d as the private key, only p is stored. Then, given the public key N, e and the stored p, the value q = N/p can be computed, and given p and q, the value d is determined.
A signature is then generated with the private key over the input message DataToBeSigned and the current PCR value, as specified for the Quote operation defined above. If the function returns an error, the SSP returns SSP_CRYPTO_ERROR and sets SigBlob to 0.
7. Return SSP_SUCCESS.
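The following Python model is added here as an illustration and is not code from the patent. It carries out the BoundSign action list (key-type check, bound-to-PCR check, recovery of the private key from the stored prime p and the supplied public key, then signing) and the private-key reconstruction described in step 6 of BoundQuote. Assumptions not in the text: SHA-256 stands in for the SSP digest, a DigestPair is modelled as a single digest, the signature is textbook RSA over a hash rather than RSASSA-PSS, the RSAES-OAEP decryption of the blob under the platform key is omitted (bound_sign receives the already-decrypted interior), and the key material is built from two Mersenne primes so the example runs without a prime generator.

```python
"""BoundSign-style gating and compressed private-key recovery (added example)."""
import hashlib
from dataclasses import dataclass
from math import gcd

SSP_SUCCESS = 0
SSP_CRYPTO_ERROR = 1

# Bound-key-type values
BoundSignKey, BoundQuoteKey, BoundDecryptKey, BoundPkUnsealKey = range(4)


@dataclass(frozen=True)
class BoundKeyBlob:
    """Fields of the decrypted Bound-key-blob that BoundSign consults."""
    key_type: int
    bound_to_pcr: bool
    bound_to: bytes         # digest of the PCR state the key is bound to
    pub_key_digest: bytes   # digest of the matching public key
    bound_key_p: int        # PKCompressedPrivateKey: only the prime p is stored


def digest(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pubkey_digest(n: int, e: int) -> bytes:
    return digest(n.to_bytes((n.bit_length() + 7) // 8, "big"), e.to_bytes(4, "big"))


def recover_private_key(n: int, e: int, p: int) -> int:
    """Rebuild d from (n, e) and the half-length prime p: q = n / p, then
    d = e^-1 mod lcm(p-1, q-1). Raises ValueError when p does not factor n."""
    if p <= 1 or p >= n or n % p != 0:
        raise ValueError("p does not factor N")
    q = n // p
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e has no inverse modulo lambda(N)")
    return pow(e, -1, lam)


def bound_sign(blob: BoundKeyBlob, pub_n: int, pub_e: int,
               current_pcr: bytes, data: bytes):
    """Steps 4 to 7 of the BoundSign action list. Returns (status, signature)."""
    # Step 4: the blob must be of type BoundSignKey; other key types are refused.
    if blob.key_type != BoundSignKey:
        return SSP_CRYPTO_ERROR, 0
    # Step 5: if bound to a PCR, the current PCR must equal bound-to.
    if blob.bound_to_pcr and blob.bound_to != current_pcr:
        return SSP_CRYPTO_ERROR, 0
    # pub-key-digest ties the stored p to the supplied public key, so the
    # caller cannot pair p with a modulus of its own choosing.
    if blob.pub_key_digest != pubkey_digest(pub_n, pub_e):
        return SSP_CRYPTO_ERROR, 0
    # Step 6: recover d from p and sign (textbook RSA over SHA-256; h < N here).
    try:
        d = recover_private_key(pub_n, pub_e, blob.bound_key_p)
    except ValueError:
        return SSP_CRYPTO_ERROR, 0
    h = int.from_bytes(digest(data), "big")
    return SSP_SUCCESS, pow(h, d, pub_n)


def verify(pub_n: int, pub_e: int, data: bytes, sig: int) -> bool:
    return pow(sig, pub_e, pub_n) == int.from_bytes(digest(data), "big")


# Constructed key material: two Mersenne primes give a deterministic, valid
# RSA modulus for the example. A real SSP generates fresh random primes.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
PCR_GOOD = digest(b"constructed: trusted boot chain")
PCR_BAD = digest(b"constructed: modified boot chain")

SIGN_BLOB = BoundKeyBlob(BoundSignKey, True, PCR_GOOD, pubkey_digest(N, E), P)
QUOTE_BLOB = BoundKeyBlob(BoundQuoteKey, True, PCR_GOOD, pubkey_digest(N, E), P)
UNBOUND_BLOB = BoundKeyBlob(BoundSignKey, False, b"", pubkey_digest(N, E), P)

if __name__ == "__main__":
    status, sig = bound_sign(SIGN_BLOB, N, E, PCR_GOOD, b"message")
    print(status, verify(N, E, b"message", sig))
```

Only the prime P is stored in the blob, which is the space saving the text describes; the modulus and exponent arrive with the request, and pub_key_digest is what keeps that split honest. Every failure path returns the same SSP_CRYPTO_ERROR, matching the action lists, which also avoids telling a caller which check it tripped.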
BoundPkDecrypt
Definition
SSP_STATUS BoundPkDecrypt(
    [in] PKCiphertext BoundKeyBlob,
    [in] RSAPublicKey BoundPubKey,
    [in] PKCiphertext DataToBeDecrypted,
    [out] Secret decryptedData
)
Parameters
BoundPkDecrypt-Input ::= {
    ordinal INTEGER,
    bound-key BoundKeyBlob,
    bound-pub-key RSAPublicKey,
    pk-sealed-blob PKCiphertext }
BoundPkDecrypt-Output ::= {
    ordinal INTEGER,
    status INTEGER,
    d-blob Secret }
Return Values
SSP_SUCCESS
SSP_UNSEAL_ERROR
SSP_CRYPTO_ERROR
SSP_BAD_DATA_ERROR
Comments
The BoundPkDecrypt operation takes a PKCiphertext of type sspV1BoundKey containing a BoundKeyBlob of type BoundDecryptKey. If this condition is not met, or if the sequence fails to decrypt, the operation fails and returns SSP_CRYPTO_ERROR.
If bound-to-PCR is set, the SSP checks whether the current PCR value is the one specified in the Bound-key-blob sequence. If not, the SSP returns SSP_CRYPTO_ERROR.
Finally, the SSP decrypts the input message with the private key decrypted from the bound-blob.
Access Policy
Allowed = FeatureEnable.MainEnable &
    (FeatureEnable.UsePrivKey == All |
     FeatureEnable.UsePrivKey == AuthSL
     & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions
The BoundPkDecrypt operation performs the following actions:
1. The SSP tests whether the AlgorithmIdentifier in pk-sealed-blob is sspV1BoundKey.
2. The SSP internally decrypts SealedBlob according to the default implementation of RSAES-OAEP-DECRYPT specified in PKCS #1 v2.1, to obtain the plaintext message M.
3. If the decryption operation outputs "decoding error", the SSP returns SSP_CRYPTO_ERROR and sets Secret to 0.
4. Otherwise, the recovered message M should be the DER encoding of a Bound-key-blob of type BoundDecryptKey. If not, the SSP returns SSP_CRYPTO_ERROR.
5. If bound-to-PCR is true, the SSP compares bound-to with the current PCR value. If the values differ, the SSP returns SSP_CRYPTO_ERROR.
6. The SSP uses the supplied public key to recover the private key, as discussed above for the BoundQuote operation. It then uses the recovered private bound key to decrypt pk-sealed-blob with the default implementation of RSAES-OAEP-DECRYPT specified in PKCS #1 v2.1, to obtain the plaintext message M.
7. The SSP sets d-blob to M.
8. Return SSP_SUCCESS.
BoundPkUnseal
Definition
SSP_STATUS BoundPkUnseal(
    [in] PKCiphertext BoundKeyBlob,
    [in] RSAPublicKey BoundPubKey,
    [in] PKCiphertext DataToBeUnsealed,
    [out] Secret decryptedData
)
Parameters
BoundPkUnseal-Input ::= {
    ordinal INTEGER,
    bound-key BoundKeyBlob,
    bound-pub-key RSAPublicKey,
    pk-sealed-blob PKCiphertext }
BoundPkUnseal-Output ::= {
    ordinal INTEGER,
    status INTEGER,
    d-blob Secret }
Return Values
SSP_SUCCESS
SSP_UNSEAL_ERROR
SSP_CRYPTO_ERROR
SSP_BAD_DATA_ERROR
Comments
The BoundPkUnseal operation takes a PKCiphertext of type sspV1BoundKey containing a BoundKeyBlob of type BoundPkUnsealKey. If this condition is not met, or if the sequence fails to decrypt, the operation fails and returns SSP_CRYPTO_ERROR.
If bound-to-PCR is set, the SSP checks whether the current PCR value is the one specified in the Bound-key-blob sequence. If not, the SSP returns SSP_CRYPTO_ERROR.
Finally, the SSP uses PK_Unseal to unseal the input message with the private key decrypted from the bound-blob.
Access Policy
Allowed = FeatureEnable.MainEnable &
    (FeatureEnable.UsePrivKey == All |
     FeatureEnable.UsePrivKey == AuthSL
     & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions
The BoundPkUnseal operation performs the following steps:
1. The SSP tests whether the AlgorithmIdentifier in pk-sealed-blob is sspV1BoundKey.
2. The SSP internally decrypts SealedBlob according to the default implementation of RSAES-OAEP-DECRYPT specified in PKCS #1 v2.1, to obtain the plaintext message M.
3. If the decryption operation outputs "decoding error", the SSP returns SSP_CRYPTO_ERROR and sets Secret to 0.
4. Otherwise, the recovered message M should be the DER encoding of a Bound-key-blob of type BoundPkUnsealKey. If not, the SSP returns SSP_CRYPTO_ERROR.
5. If bound-to-PCR is true, the SSP compares bound-to with the current PCR value. If the values differ, the SSP returns SSP_CRYPTO_ERROR.
6. The SSP uses the bound-key blob to recreate the private key, as discussed above for the BoundQuote operation. It then uses the recovered private bound key to unseal pk-sealed-blob, following the steps described for the PK_Unseal command.
7. If the PCR defined in the unsealed blob does not match the current PCR, the SSP returns SSP_CRYPTO_ERROR.
8. Otherwise, the SSP sets d-blob to M.
9. Return SSP_SUCCESS.
GenBoundKey
Definition
SSP_STATUS GenBoundKey(
    [in] BoundKeyType KeyType,
    [in] BOOL BoundToPcr,
    [in] DIGEST BoundTo[2],
    [in] BOOL migrateable,
    [in] DIGEST migrationAuthority,
    [in] BOOL exportable,
    [in] DIGEST exportAuthority,
    [in] DIGEST SigNonce,
    [out] BoundKey bound-key,
    [out] PKPublicKey newPubKey,
    [out] PKSignature boundKeyQuoteBlob
)
Parameters
GenBoundKey-Input ::= {
    ordinal INTEGER,
    key-type Bound-key-type,
    bound-to-pcr BOOL,
    bound-to DigestPair,
    migrateable BOOL,
    exportable BOOL,
    export-auth Digest,
    sig-nonce Digest
}
GenBoundKey-Output ::= {
    ordinal INTEGER,
    status INTEGER,
    bound-blob PKCiphertext,
    bound-pub RSAPublicKey,
    sig-blob PKSignature }
Return Values
SSP_SUCCESS
SSP_BAD_DATA_ERROR
Comments
The GenBoundKey operation causes the SSP to generate a new bound-key blob containing a newly generated private key. The bound-key blob is encrypted with the SSP's own public key.
GenBoundKey also outputs the public key of the newly generated key pair and a quote-signature indicating that the SSP generated the key, the key's attributes, and the PCR value at the time the key was generated.
The caller of GenBoundKey also indicates the type of bound key to be created: whether it is to be used for signing, for quoting, for unsealing with BoundPkUnseal, or for decrypting with BoundPkDecrypt. The caller also specifies whether the bound key should be bound to a PCR and, if so, the PCR value it is to be bound to.
Access Policy
Allowed = FeatureEnable.MainEnable &
    (FeatureEnable.UsePrivKey == All |
     FeatureEnable.UsePrivKey == AuthSL
     & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions
The GenBoundKey operation performs the following actions:
1. The SSP generates a new public/private RSA key pair. The SSP may optionally generate key pairs while it is idle and keep a small cache of keys in non-volatile memory for quick retrieval.
2. The SSP internally generates a bound-key structure containing the newly generated private key, the bound-key type supplied by the caller, and the other parameters.
3. The SSP encrypts the bound-key blob with the platform public encryption key.
4. The SSP generates a signed Bound-key-pub-info block containing the attributes of the newly created key, the PCR value at the time of key generation, and the supplied nonce.
5. The SSP outputs the encrypted bound-key blob, the public key of the newly generated key, and the quote block.
6. Return SSP_SUCCESS.
BoundKeyMigrate
Definition
SSP_STATUS BoundKeyMigrate(
    [in] PKCiphertext BoundKeyBlob,
    [in] RSAPublicKey PubPartOfBoundKey,
    [in] BOUND_MIGRATION_INFO MigrationInfo,
    [in] RSA_SIG SigOnMigrationInfo
)
Parameters
BoundKeyMigrate-Input ::= {
    ordinal INTEGER,
    migration-info Bound-migration-info,
    migration-pubkey RSAPublicKey,
    migration-auth PKSignature
}
BoundKeyMigrate-Output ::= {
    ordinal INTEGER,
    status INTEGER,
    re-bound-blob PKCiphertext
}
Return Values
SSP_SUCCESS
SSP_BAD_DATA_ERROR
Comments
The BoundKeyMigrate operation instructs the SSP to re-bind a key to a different PCR value in a controlled manner. The original key creator (local or remote) specifies the migration authorizing entity. Only bound keys marked migrateable can be migrated, and only if the SSP is given a properly signed Bound-migration-info structure. Properly signed means signed with the key whose public-key digest is contained in the bound-key blob. The other bound-key attributes do not change.
Access Policy
Allowed = FeatureEnable.MainEnable &
    (FeatureEnable.UsePrivKey == All |
     FeatureEnable.UsePrivKey == AuthSL
     & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions
The BoundKeyMigrate operation performs the following actions:
1. The SSP internally decrypts the bound-key structure and interprets it as a Bound-key-blob. If decoding fails, the SSP returns SSP_CRYPTO_ERROR.
2. The SSP verifies that the Bound-migration-info refers to the same key, that the signature is well formed, and that the digest of the signer's public key is the one specified in the "migrate-auth" field of the Bound-key-blob.
3. The SSP checks that the key is migrateable. If not, the SSP returns SSP_CRYPTO_ERROR.
4. If the key is bound to a PCR, the SSP checks that the current PCR is the one defined in the key-blob.
5. The SSP replaces the PCR value with the one defined in the dest-PCR field of Bound-migration-info.
6. The SSP re-encrypts the bound-key-blob and outputs the re-encrypted structure.
7. Return SSP_SUCCESS.
BoundKeyExport
Definition
SSP_STATUS BoundKeyExport(
    [in] PKCiphertext BoundKeyBlob,
    [in] RSAPublicKey PubPartOfBoundKey,
    [in] BOUND_EXPORT_INFO ExportInfo,
    [in] RSA_SIG SigOnExportInfo,
    [out] PKCiphertext ReBoundBlob
)
Parameters
BoundKeyExport-Input ::= {
    ordinal INTEGER,
    bound-key PKCiphertext,
    bound-pub-key RSAPublicKey,
    export-info Bound-export-info,
    export-auth PKSignature
}
BoundKeyExport-Output ::= {
    ordinal INTEGER,
    status INTEGER,
    re-bound-blob PKCiphertext
}
Return Values
SSP_SUCCESS
SSP_BAD_DATA_ERROR
Comments
The BoundKeyExport operation instructs the SSP to export, in a controlled manner, the private part of a bound key to a remote entity, in the form of a bound-key blob that follows the bound-key convention on the target device. The original key creator (local or remote) specifies the export-authorization entity. Only bound keys marked exportable can be exported, and only if the SSP is given a properly signed Bound-export-info structure. Properly signed means signed with the key whose public-key digest is contained in the original bound-key blob. BoundKeyExport allows a properly authorized caller to specify the public key and the PCR value of the target entity to which the key is to be re-bound. The SSP places no particular requirement on the external entity; the newly bound blob simply follows the bound-key convention, so a remote SSP can use the exported bound key directly.
Access Policy
Allowed = FeatureEnable.MainEnable &
    (FeatureEnable.UsePrivKey == All |
     FeatureEnable.UsePrivKey == AuthSL
     & SLKnown & AuthPCR[CurrentSL].UsePrivKey)
Actions
The BoundKeyExport operation performs the following actions:
1. The SSP internally decrypts the bound-key structure and interprets it as a Bound-key-blob. If decoding fails, the SSP returns SSP_CRYPTO_ERROR.
2. The SSP verifies that the Bound-export-info refers to the same key, that the signature is well formed, and that the digest of the signer's public key is the one specified in the "export-auth" field of the Bound-key-blob.
3. The SSP checks that the key is exportable. If not, the SSP returns SSP_CRYPTO_ERROR.
4. If the key is bound to a PCR, the SSP checks that the current PCR is the one defined in the key-blob.
5. The SSP internally creates a new bound-key-blob structure containing the parameters from the original bound-key-blob and the new PCR value supplied in Bound-export-info. All other parameters are kept the same.
6. The SSP encrypts the new bound-key-blob with the public encryption key supplied in Bound-export-info.
7. The SSP outputs the newly bound key.
8. Return SSP_SUCCESS.
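The following Python model of the BoundKeyMigrate check sequence is added as an illustration and is not code from the patent. It covers step 2 (the authorization names this blob, the certificate verifies, and the signer's public-key digest equals migrate-auth), the migrateable and PCR checks of steps 3 and 4, and the re-binding of steps 5 and 6, which changes only the PCR binding and keeps every other attribute. Assumptions not in the text: the platform-key encryption of the bound-key blob is modelled as an HMAC-authenticated wrap under a platform secret (this gives the "only this SSP can open it" property, not confidentiality); the authority's certificate is textbook RSA over SHA-256 rather than RSASSA-PSS, using a constructed Mersenne-prime key; a DigestPair is one digest; and blob fields not needed for migration are left out.

```python
"""BoundKeyMigrate authorization check and PCR re-binding (added example)."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from math import gcd

SSP_SUCCESS, SSP_CRYPTO_ERROR = 0, 1


@dataclass(frozen=True)
class BoundKeyBlob:
    """Decrypted interior of a bound-key blob (fields relevant to migration)."""
    key_type: int
    bound_to_pcr: bool
    bound_to: str        # hex digest of the PCR state the key is bound to
    migrateable: bool
    migrate_auth: str    # hex digest of the migration authority's public key
    bound_key_p: int     # compressed private key (the prime p), carried unchanged


@dataclass(frozen=True)
class BoundMigrationInfo:
    source_bound_blob_digest: str   # digest of the encrypted external form
    dest_pcr: str


def sha256_hex(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


# Platform wrap: stand-in for encryption under the platform public key.
PLATFORM_SECRET = b"constructed platform secret held only by this SSP"


def wrap(blob: BoundKeyBlob) -> bytes:
    body = json.dumps(asdict(blob), sort_keys=True).encode()
    return body + hmac.new(PLATFORM_SECRET, body, "sha256").digest()


def unwrap(external: bytes) -> BoundKeyBlob:
    body, tag = external[:-32], external[-32:]
    if not hmac.compare_digest(tag, hmac.new(PLATFORM_SECRET, body, "sha256").digest()):
        raise ValueError("blob was not produced by this platform")
    return BoundKeyBlob(**json.loads(body))


# Migration authority key (constructed from Mersenne primes; textbook RSA).
AUTH_P, AUTH_Q, AUTH_E = 2**127 - 1, 2**521 - 1, 65537
AUTH_N = AUTH_P * AUTH_Q
AUTH_D = pow(AUTH_E, -1, (AUTH_P - 1) * (AUTH_Q - 1) // gcd(AUTH_P - 1, AUTH_Q - 1))


def pubkey_digest(n: int, e: int) -> str:
    return sha256_hex(n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big"))


def info_hash(info: BoundMigrationInfo) -> int:
    enc = json.dumps(asdict(info), sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(enc).digest(), "big")


def authority_sign(info: BoundMigrationInfo, d: int, n: int) -> int:
    """The authority's certificate over Bound-migration-info."""
    return pow(info_hash(info), d, n)


def bound_key_migrate(external: bytes, info: BoundMigrationInfo,
                      signer_n: int, signer_e: int, sig: int, current_pcr: str):
    """Returns (status, re-bound external blob or None)."""
    try:
        blob = unwrap(external)                                    # step 1
    except ValueError:
        return SSP_CRYPTO_ERROR, None
    # Step 2: info names this exact blob, the signature verifies, and the
    # signer is the authority recorded in migrate-auth at key creation.
    if info.source_bound_blob_digest != sha256_hex(external):
        return SSP_CRYPTO_ERROR, None
    if pow(sig, signer_e, signer_n) != info_hash(info):
        return SSP_CRYPTO_ERROR, None
    if pubkey_digest(signer_n, signer_e) != blob.migrate_auth:
        return SSP_CRYPTO_ERROR, None
    if not blob.migrateable:                                       # step 3
        return SSP_CRYPTO_ERROR, None
    if blob.bound_to_pcr and blob.bound_to != current_pcr:         # step 4
        return SSP_CRYPTO_ERROR, None
    # Steps 5 and 6: only the PCR value changes; bound_to_pcr, migrateable,
    # migrate_auth and the key material are carried over unchanged.
    return SSP_SUCCESS, wrap(replace(blob, bound_to=info.dest_pcr))
```

The order of the checks is deliberate: the signature is verified before the signer is compared with migrate-auth, so an attacker who controls a different key cannot get a "wrong authority" verdict to distinguish from "bad signature", and the source-blob digest check stops a valid certificate issued for one blob from being replayed against another.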
General Computer Environment
Fig. 12 illustrates a general computer environment 400, which can be used to implement the techniques described herein. The computer environment 400 is only one example of a computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the computer and network architectures. Neither should the computer environment 400 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computer environment 400.
Computer environment 400 includes a general-purpose computing device in the form of a computer 402. Computer 402 can be used, for example, to implement principal 102 and guard 104 of Fig. 1, or the layers of Fig. 2. The components of computer 402 can include, but are not limited to, one or more processors or processing units 404 (optionally including one or more security processors or coprocessors (such as an SSP) and/or one or more cryptographic processors or coprocessors), a system memory 406, and a system bus 408 that couples the various system components, including the processor 404, to the system memory 406.
The system bus 408 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures can include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, and a Peripheral Component Interconnect (PCI) bus, also known as a Mezzanine bus.
Computer 402 typically includes a variety of computer-readable media. Such media can be any available media that is accessible by computer 402, and includes both volatile and non-volatile media, removable and non-removable media.
The system memory 406 includes computer-readable media in the form of volatile memory, such as random access memory (RAM) 410, and/or non-volatile memory, such as read-only memory (ROM) 412. A basic input/output system (BIOS) 414, containing the basic routines that help to transfer information between elements within computer 402, such as during start-up, is stored in ROM 412. RAM 410 typically contains data and/or program modules that are immediately accessible to and/or presently operated on by the processing unit 404.
Computer 402 may also include other removable/non-removable, volatile/non-volatile computer storage media. By way of example, Fig. 12 illustrates a hard disk drive 416 for reading from and writing to a non-removable, non-volatile magnetic medium (not shown), a magnetic disk drive 418 for reading from and writing to a removable, non-volatile magnetic disk 420 (e.g., a "floppy disk"), and an optical disk drive 422 for reading from and/or writing to a removable, non-volatile optical disk 424 such as a CD-ROM, DVD-ROM, or other optical medium. The hard disk drive 416, magnetic disk drive 418, and optical disk drive 422 are each connected to the system bus 408 by one or more data media interfaces 426. Alternatively, the hard disk drive 416, magnetic disk drive 418, and optical disk drive 422 can be connected to the system bus 408 by one or more interfaces (not shown).
The disk drives and their associated computer-readable media provide non-volatile storage of computer-readable instructions, data structures, program modules, and other data for computer 402. Although the example illustrates a hard disk 416, a removable magnetic disk 420, and a removable optical disk 424, it is to be appreciated that other types of computer-readable media which can store data accessible by a computer, such as magnetic cassettes or other magnetic storage devices, flash memory cards, CD-ROM, digital versatile disks (DVD) or other optical storage, random access memories (RAM), read-only memories (ROM), electrically erasable programmable read-only memory (EEPROM), and the like, can also be used to implement the exemplary computing system and environment.
Any number of program modules can be stored on the hard disk 416, magnetic disk 420, optical disk 424, ROM 412, and/or RAM 410, including by way of example an operating system 426, one or more application programs 428, other program modules 430, and program data 432. Each of the operating system 426, one or more application programs 428, other program modules 430, and program data 432 (or some combination thereof) may implement all or part of the resident components that support the distributed file system.
A user can enter commands and information into computer 402 via input devices such as a keyboard 434 and a pointing device 436 (e.g., a "mouse"). Other input devices 438 (not shown specifically) may include a microphone, joystick, game pad, satellite dish, serial port, scanner, and/or the like. These and other input devices are connected to the processing unit 404 via input/output interfaces 440 that are coupled to the system bus 408, but may be connected by other interface and bus structures, such as a parallel port, game port, or a universal serial bus (USB).
A monitor 442 or other type of display device can also be connected to the system bus 408 via an interface, such as a video adapter 444. In addition to the monitor 442, other output peripheral devices can include components such as speakers (not shown) and a printer 446, which can be connected to computer 402 via the input/output interfaces 440.
Computer 402 can operate in a networked environment using logical connections to one or more remote computers, such as a remote computing device 448. By way of example, the remote computing device 448 can be a personal computer, portable computer, server, router, network computer, peer device or other common network node, and the like. The remote computing device 448 is illustrated as a portable computer that can include many or all of the elements and features described herein relative to computer 402.
Logical connections between computer 402 and the remote computer 448 are depicted as a local area network (LAN) 450 and a general wide area network (WAN) 452. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.
When implemented in a LAN networking environment, the computer 402 is connected to the LAN 450 via a network interface or adapter 454. When implemented in a WAN networking environment, the computer 402 typically includes a modem 456 or other means for establishing communications over the wide area network. The modem 456, which can be internal or external to computer 402, can be connected to the system bus 408 via the input/output interfaces 440 or other appropriate mechanisms. It is to be appreciated that the illustrated network connections are exemplary and that other means of establishing a communication link between computers 402 and 448 can be employed.
In a networked environment, such as that illustrated with computing environment 400, program modules depicted relative to the computer 402, or portions thereof, may be stored in a remote memory storage device. By way of example, remote application programs 458 reside on a memory device of remote computer 448. For purposes of illustration, application programs and other executable program components such as the operating system are illustrated herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computing device 402 and are executed by the data processor(s) of the computer.
Various modules and techniques are described herein in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in various embodiments.
An implementation of these modules and techniques may be stored on or transmitted across some form of computer-readable media. Computer-readable media can be any available media that can be accessed by a computer. By way of example, and not limitation, computer-readable media may comprise "computer storage media" and "communication media".
"Computer storage media" includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
"Communication media" typically embodies computer-readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism. Communication media also includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also included within the scope of computer-readable media.
Although the description above uses language specific to structural features and/or methodological acts, it is to be understood that the invention defined in the appended claims is not limited to the specific features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the invention.

Claims (32)

1. A method implemented in a computing device, the method comprising:
receiving data from a calling program; and
generating ciphertext using symmetric encryption, the ciphertext being formed by encrypting the data together with one or more conditions that must be satisfied for the data to be revealed, wherein the ciphertext is generated in a manner that allows only one or more target programs to obtain the data from the ciphertext, and wherein generating the ciphertext comprises:
generating a bit string that is a combination of the data, an identifier of the calling program, and identifiers of the one or more target programs; and
encrypting the bit string.
2. The method of claim 1, wherein the one or more target programs are identified by the calling program.
3. The method of claim 1, further comprising: returning the ciphertext to the calling program.
4. The method of claim 1, wherein the data comprises an encryption key.
5. The method of claim 1, wherein the one or more target programs comprise a plurality of target programs.
6. The method of claim 1, wherein each of the one or more target programs is identified by a digest value generated by applying a cryptographic hash function to the target program.
7. The method of claim 1, wherein the one or more target programs comprise the calling program.
8. The method of claim 1, wherein receiving the data comprises receiving the data as part of a Seal operation, the Seal operation being an interface that allows the calling program to seal data.
9. The method of claim 1, wherein generating the ciphertext further comprises:
generating the identifier of the calling program.
10. The method of claim 1, wherein encrypting the bit string comprises encrypting the bit string using a symmetric key and a symmetric cipher.
11. The method of claim 1, further comprising:
generating a message authentication code value for the bit string by applying a message authentication code to the bit string; and returning the ciphertext and the message authentication code value to the calling program.
12. The method of claim 1, further comprising:
generating a message authentication code value for the bit string by applying a message authentication code to the bit string; wherein encrypting the bit string comprises including the message authentication code value in the bit string before the bit string is encrypted.
13. The method of claim 1, further comprising:
generating a message authentication code value for the ciphertext by applying a message authentication code to the ciphertext; and returning the ciphertext and the message authentication code value to the calling program.
14. The method of claim 1, wherein the identifier of the calling program comprises a digest value generated by applying a cryptographic hash function to the calling program.
15. The method of claim 1, wherein the combination of the data, the identifier of the calling program, and the identifiers of the one or more target programs comprises a concatenation of the data, the identifier of the calling program, and the identifiers of the one or more target programs.
16. A method implemented in a computing device, the method comprising:
receiving a bit string from a calling program;
checking an identifier of the calling program to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string;
verifying the integrity of the data;
decrypting the data using a symmetric key; and
returning the data to the calling program only if the calling program is allowed to access the data and the integrity of the data is successfully verified.
17. The method of claim 16, further comprising: decrypting the bit string by decrypting the data encrypted in the ciphertext using the symmetric key.
18. The method of claim 16, wherein the data comprises an encryption key.
19. The method of claim 16, further comprising:
returning to the calling program an identifier of the program that previously sealed the data.
20. The method of claim 19, wherein the identifier of the program that previously sealed the data comprises a digest value generated by applying a cryptographic hash function to the program that previously sealed the data.
21. The method of claim 16, wherein the checking comprises:
obtaining from the bit string an identifier of a target program that is allowed to access the data;
checking whether the identifier of the target program is identical to the identifier of the calling program;
determining that the calling program is allowed to access the data if the identifier of the target program is identical to the identifier of the calling program; and
determining that the calling program is not allowed to access the data if the identifier of the target program differs from the identifier of the calling program.
22. The method of claim 16, wherein the checking comprises:
obtaining from the bit string identifiers of a plurality of target programs that are allowed to access the data;
checking whether the identifier of the calling program is identical to at least one of the identifiers of the plurality of target programs;
determining that the calling program is allowed to access the data if the identifier of the calling program is identical to at least one of the identifiers of the plurality of target programs; and
determining that the calling program is not allowed to access the data if the identifier of the calling program differs from every one of the identifiers of the plurality of target programs.
23. The method of claim 16, wherein the identifier of the calling program comprises a digest value generated by applying a cryptographic hash function to the target program.
24. The method of claim 16, wherein receiving the bit string comprises receiving the bit string as part of an UnSeal operation, the UnSeal operation being an interface that allows the calling program to obtain the data from the bit string.
25. The method of claim 16, wherein the bit string comprises a combination of the ciphertext and a message authentication code value for the ciphertext.
26. The method of claim 16, wherein the bit string comprises a combination of the ciphertext and a message authentication code value for the data.
27. The method of claim 16, wherein the bit string comprises a combination of the ciphertext generated from the data and a message authentication code value for the data.
28. The method of claim 16, wherein the verifying comprises:
obtaining the data by decrypting the ciphertext;
generating a message authentication code value for the obtained data;
comparing the generated message authentication code value with a message authentication code value received as part of the bit string; and
verifying the integrity of the data successfully only if the generated message authentication code value equals the message authentication code value received as part of the bit string.
29. A method comprising:
receiving data from a calling program;
generating, using a symmetric cipher, ciphertext that includes the data, wherein the ciphertext is generated in a manner that allows only one or more target programs to obtain the data from the ciphertext;
after generating the ciphertext, receiving a bit string from another calling program;
checking an identifier of the other calling program to determine whether the other calling program is allowed to access the data encrypted in the ciphertext of the bit string;
verifying the integrity of the data;
decrypting the data using a symmetric key; and
returning the data to the other calling program only if the other calling program is allowed to access the data and the integrity of the data is successfully verified.
30. The method of claim 29, wherein the calling program and the other calling program are the same program.
31. A system comprising:
means for receiving data from a calling program; and
means for generating ciphertext using a symmetric key, the ciphertext being formed by encrypting the data together with one or more conditions that must be satisfied for the data to be revealed, wherein the ciphertext is generated in a manner that allows only one or more target programs to obtain the data from the ciphertext, and wherein the means for generating ciphertext using the symmetric key comprises:
means for generating a bit string that is a combination of the data, an identifier of the calling program, and identifiers of the one or more target programs; and
means for encrypting the bit string.
32. A system comprising:
means for receiving a bit string from a calling program;
means for checking an identifier of another calling program to determine whether the other calling program is allowed to access data encrypted in ciphertext of the bit string;
means for verifying the integrity of the data;
means for decrypting the data using a symmetric key; and
means for returning the data to the calling program only if the calling program is allowed to access the data and the integrity of the data is successfully verified.
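The Seal operation of claims 1, 13 and 15 and the UnSeal operation of claims 16, 19, 22 and 28, worked through in Go as an added example that is not part of the patent or of any Microsoft implementation. The 64-byte key split into a cipher half and a MAC half, the field order inside the bit string, SHA-256 as the program digest, and AES-256-CTR with HMAC-SHA256 as the symmetric cipher and message authentication code are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// ProgramID is the digest that identifies a program (claims 6 and 14).
func ProgramID(code []byte) [32]byte { return sha256.Sum256(code) }

// Seal forms the bit string callerID || count || targetIDs || data (claims 1 and 15; the
// field order is this example's choice), encrypts it with AES-256-CTR under the first key
// half and appends an HMAC-SHA256 tag under the second (claim 13): nonce || ciphertext || tag.
func Seal(key [64]byte, caller [32]byte, data []byte, targets [][32]byte) ([]byte, error) {
	bs := binary.BigEndian.AppendUint32(append([]byte{}, caller[:]...), uint32(len(targets)))
	for _, t := range targets {
		bs = append(bs, t[:]...)
	}
	bs = append(bs, data...)
	block, _ := aes.NewCipher(key[:32]) // cannot fail for a 32-byte key
	out := make([]byte, aes.BlockSize+len(bs))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh nonce per seal
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], bs)
	mac := hmac.New(sha256.New, key[32:])
	mac.Write(out)
	return mac.Sum(out), nil
}

// Unseal verifies the tag before decrypting and releases the data only when the caller's
// identifier is among the targets (claims 16, 22, 28), also returning the sealer's identifier (claim 19).
func Unseal(key [64]byte, caller [32]byte, blob []byte) ([]byte, [32]byte, error) {
	var sealer [32]byte
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, sealer, errors.New("bit string too short")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, key[32:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, sealer, errors.New("integrity check failed")
	}
	block, _ := aes.NewCipher(key[:32])
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	if len(pt) < 36 || len(pt) < 36+32*int(binary.BigEndian.Uint32(pt[32:])) {
		return nil, sealer, errors.New("malformed bit string")
	}
	n := int(binary.BigEndian.Uint32(pt[32:]))
	copy(sealer[:], pt)
	data := append([]byte(nil), pt[36+32*n:]...)
	for i := 0; i < n; i++ {
		if bytes.Equal(pt[36+32*i:68+32*i], caller[:]) {
			return data, sealer, nil
		}
	}
	return nil, [32]byte{}, errors.New("caller is not a target program")
}
```

Because the tag is checked before any decryption, a tampered or truncated bit string is rejected without revealing anything, and a program whose digest is not in the target list never receives the plaintext.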
Application CNB031307744A, priority date 2002-04-17, filing date 2003-04-17: Encryption retention and data retrieve based on symmetric cipher key. Status: Expired - Fee Related. Granted publication: CN1322431C (en).

Applications Claiming Priority (2)

Application Number / Priority Date / Filing Date
US37350502P / 2002-04-17 / 2002-04-17
US60/373,505 / 2002-04-17

Related Child Applications (1)

Application Number / Type / Publication / Priority Date / Filing Date / Title
CN 200610059598 / Division / CN100547598C (en) / 2002-04-17 / 2003-04-17 / Preserve and retrieve data based on symmetric key encryption

Publications (2)

Publication Number / Publication Date
CN1493996A (en), application publication / 2004-05-05
CN1322431C (en), granted publication / 2007-06-20

Family ID: 29270506

Family Applications (6)

Application Number / Status / Publication / Priority Date / Filing Date / Title
CN 200610059571 / Expired - Fee Related / CN100543759C (en) / 2002-04-17 / 2003-04-17 / Data storage and data retrieval based on public key encryption
CN 200610059598 / Expired - Fee Related / CN100547598C (en) / 2002-04-17 / 2003-04-17 / Preserve and retrieve data based on symmetric key encryption
CNB03131208XA / Expired - Lifetime / CN100351815C (en) / 2002-04-17 / 2003-04-17 / Encrypted data memory & data search based on public key
CNB031307744A / Expired - Fee Related / CN1322431C (en) / 2002-04-17 / 2003-04-17 / Encryption retention and data retrieve based on symmetric cipher key
CN 200710152961 / Expired - Fee Related / CN101166095B (en) / 2002-04-17 / 2003-04-17 / Saving and retrieving data based on public key encryption
CN 200710152963 / Expired - Fee Related / CN101166096B (en) / 2002-04-17 / 2003-04-17 / Saving and retrieving data based on public key encryption


Country Status (2)

Country / Family members / Link
CN / 6 / CN100543759C (en)
CA / 3 / CA2425010C (en)





Legal Events

Code / Title / Description
C06 / Publication
PB01 / Publication
C10 / Entry into substantive examination
SE01 / Entry into force of request for substantive examination
C14 / Grant of patent or utility model
GR01 / Patent grant
ASS / Succession or assignment of patent right / Owner name: MICROSOFT TECHNOLOGY LICENSING LLC; Free format text: FORMER OWNER: MICROSOFT CORP.; Effective date: 20150424
C41 / Transfer of patent application or patent right or utility model
TR01 / Transfer of patent right / Effective date of registration: 20150424; Address after: Washington State; Patentee after: Microsoft Technology Licensing LLC; Address before: Washington State; Patentee before: Microsoft Corp.
CF01 / Termination of patent right due to non-payment of annual fee / Granted publication date: 20070620; Termination date: 20200417