CN100596058C - System and method for managing credible calculating platform key authorization data - Google Patents


Info

Publication number: CN100596058C
Authority: CN (China)
Prior art keywords: authorization data, key, execution, information, module
Legal status: Expired - Fee Related
Application number: CN200610114763A
Other languages: Chinese (zh)
Other versions: CN1988437A
Inventors: 张兴, 沈昌祥, 张晓菲, 李健, 刘毅, 庄俊玺
Current assignee: Beijing University of Technology
Original assignee: Beijing University of Technology

Events
Application filed by Beijing University of Technology
Priority to CN200610114763A
Publication of CN1988437A
Application granted
Publication of CN100596058C
Legal status: Expired - Fee Related (current)
Anticipated expiration

Abstract

This invention relates to a system for managing trusted computing platform key authorization data, comprising a trusted platform module, an authorization data management module, an authorization data list storage module and a key storage module. The authorization data management module is connected to the trusted platform module, the key storage module and the authorization data list storage module and is used to manage and authenticate authorization data. The authorization data list storage module is connected to the management module and stores the authorization data list. The key storage module is connected to the management module and comprises a key identification storage module and a key-related information storage module. The invention also includes a corresponding management method and an authorization data maintenance method.

Description

System and method for managing trusted computing platform key authorization data
Technical field
The present invention relates to a trusted computing platform key management system and method, and belongs to the field of information security.
Background technology
With the spread of network applications, awareness of information protection has grown and a variety of security software products have appeared. Experience has shown, however, that software alone cannot fundamentally solve security problems. In 1999 major industry companies including Intel, Hewlett-Packard, Microsoft and IBM founded the Trusted Computing Platform Alliance (TCPA), which was renamed the Trusted Computing Group (TCG) in 2003. The "trusted computing" technology proposed by TCG improves the security of existing computing terminal hardware by adding to the mainboard a hardware component called the Trusted Platform Module (TPM) that serves as the system's root of trust; it has become the mainstream direction of information security technology. Trusted computing takes cryptography as its core and provides platform identity authentication, measurement, storage and reporting of platform integrity, secure data storage, and trusted system boot, remedying the shortcomings of conventional PC systems in security protection. The existing TCG specifications define a large and complex system for the use and management of cryptographic keys.
The TCG specification covers the management of seven kinds of keys: signing keys (Signing Key), storage keys (Storage Key, SK), attestation identity keys (Attestation Identity Key, AIK), endorsement keys (Endorsement Key, EK), binding keys (Bind Key), legacy keys (Legacy Key) and authentication keys (Authentication Key).
According to their scope of use, these seven kinds of keys fall into three classes:
(1) Platform identity keys: the EK and AIK, used for platform identity authentication and integrity reporting. The EK is used to apply for an AIK public key, and the AIK is used to report and verify platform integrity values.
(2) Storage keys: used to protect the keys and sensitive data stored on the platform, comprising the storage root key (Storage Root Key, SRK) and storage keys (Storage Key, SK).
(3) Application keys: keys used by the various applications on a TPM-protected trusted computing platform, comprising signing keys, binding keys, legacy keys and authentication keys.
In the TCG specification only the EK and SRK are stored and protected directly inside the TPM; all other keys are stored outside the TPM in encrypted form. These external keys are protected with the SRK and SKs, forming a multi-level key protection hierarchy rooted at the SRK, the "key tree". In this tree every node except the SRK is encrypted under its parent node (its "parent key"). Every key therefore has a unique path from the SRK to itself, and using a key requires starting from the SRK, decrypting the first-level SK, and decrypting each key along the path in turn from top to bottom.
The TPM stores platform keys and sensitive data, collectively called entities. Each entity is assigned authorization data when it is created, and the entity can later be used only by presenting the correct authorization data. Authorization data in the TCG specification includes the TPM owner authorization data, the SRK authorization data, the authorization data of the various externally stored keys and sensitive data, and the authorization data used for delegation.
In the key storage structure of the existing TCG cryptographic management system, a key's authorization data is encrypted together with its private key under the parent key and stored as a key data block (keyblob).
When the TPM needs to load a key, it first loads the keyblob, the handle of the parent key (a key can only be loaded if its parent key is already loaded in the TPM), the parent key's authorization data and so on. The TPM then checks whether the parent key's authorization data matches the value supplied from outside; if they match processing continues, otherwise an error is returned. The keyblob is then decrypted with the parent key and the key information is loaded into the TPM. A key loaded into the TPM can be used for operations such as data sealing (seal), binding (bind) and signing (sign).
In practice, security needs sometimes require the TPM to modify authorization data, for example when the original authorization data has accidentally leaked. In the TCG cryptographic management system the authorization data of a key is modified as follows: first, the authorization data of the parent key and the old authorization data of the key to be modified are verified; next, the data entered by the user is hashed to produce the new authorization data, which replaces the old value; finally, the new keyblob is re-encrypted with the parent key.
From the storage, use and modification process described above it can be seen that in the TCG cryptographic management system a key and its authorization data are stored together. Deciding whether a caller may use a key means extracting the authorization data from the keyblob and comparing it with the externally supplied value, and modifying authorization data means modifying the authorization data inside the keyblob. This causes a key synchronization problem after authorization data has been changed: anyone who knows the original authorization data and possesses the corresponding original keyblob can still use the key, because all the TPM verifies when a key is used is that the authorization data inside the keyblob equals the authorization data supplied.
This key synchronization problem is a serious security defect that exposes the TPM to attack. In addition, because keys and authorization data correspond one to one in the existing TCG cryptographic management system, every key needs its own authorization data; for entities stored outside the TPM the authorization data is in effect a password generated by the user who created the entity. As the number of external entities grows the user has to generate and manage a large number of passwords, which is inconvenient, and the possibility of weak passwords seriously affects platform security.
For details of the TPM see the following documents:
1. TPM Main Part 1 Design Principles, Specification Version 1.2 Level 2 Revision 94, 29 March 2006;
2. TPM Main Part 2 TPM Structures, Specification Version 1.2 Level 2 Revision 94, 29 March 2006;
3. TPM Main Part 3 Commands, Specification Version 1.2 Level 2 Revision 94, 29 March 2006.
Summary of the invention
The technical problem solved by the invention is to eliminate the key synchronization problem of the TCG cryptographic management system while improving the efficiency of managing trusted computing platform authorization data.
To this end the invention provides a system for managing trusted computing platform key authorization data, comprising a trusted platform module, an authorization data management module, an authorization data list storage module and a key storage module;
the authorization data management module is connected to the trusted platform module, the key storage module and the authorization data list storage module, and is used to manage authorization data and to authenticate authorization data;
the authorization data list storage module is connected to the authorization data management module and stores the authorization data list; it comprises one or more authorization data item storage modules, each of which stores one authorization data item; an authorization data item storage module comprises a second key identification storage module and an authorization data storage module; the second key identification storage module stores the key identifications of keys; the authorization data storage module is linked to the second key identification storage module and stores the actual authorization data; each authorization data item storage module comprises exactly one authorization data storage module and one or more second key identification storage modules;
the key storage module is connected to the authorization data management module and comprises a first key identification storage module and a key-related information storage module;
the first key identification storage module stores key identifications;
the key-related information storage module stores key-related information, which includes the key itself.
The invention also provides a method for managing trusted computing platform key authorization data, comprising the following steps:
Step 1: the authorization data management module receives a key call request and obtains the key identification from it;
Step 2: the user authorization data is obtained from the key call request, and the authorization data list storage module is queried to determine whether the key call request contains the authorization data corresponding to this key identification; if so, go to step 3, otherwise go to step 4. The authorization data list, stored in the authorization data list storage module, comprises one or more authorization data items, each of which contains one authorization datum and the one or more key identifications corresponding to it;
Step 3: use the key to complete the operation, then end;
Step 4: return an error message, then end.
The invention further provides an authorization data maintenance method corresponding to the above management method, comprising the steps:
Step a: receive authorization data list modification information;
Step b: determine whether the modification information is a delete, a create or an update of an authorization data item; for a delete go to step c, for a create go to step d, for an update go to step e; otherwise return an error message;
Step c: delete the corresponding authorization data item from the authorization data list, then go to step f;
Step d: create a new authorization data item and store in it, according to the modification information, the authorization datum and the one or more key identifications corresponding to it, then go to step f;
Step e: update the corresponding authorization data item according to the modification information, then go to step f;
Step f: end.
The invention has the following advantages: it solves the key synchronization problem of the TCG cryptographic management system, so that after the authorization data has been modified, even someone who knows the original authorization data and holds the corresponding original keyblob cannot use the key; this improves the security of the TPM and eliminates the security defect caused by the key synchronization problem, while remaining compatible with the existing TCG key authorization management scheme and being flexible and easy to use. A further advantage is improved efficiency of authorization data management.
The technical solution of the invention is described in more detail below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is a structural diagram of the trusted computing key management system of the invention;
Fig. 2 is a flow chart of the trusted computing key management method of the invention;
Fig. 3 is a flow chart of the authorization data maintenance method of the invention.
Embodiment
To implement the invention a trusted computing key authorization data management system is first established; as shown in Fig. 1 it comprises a trusted platform module, an authorization data management module, an authorization data list storage module and a key storage module. The authorization data management module is connected to the trusted platform module, the key storage module and the authorization data list storage module and is used to manage and authenticate authorization data. The authorization data list storage module is connected to the authorization data management module and stores the authorization data list. The key storage module is connected to the authorization data management module and comprises a first key identification storage module, which stores key identifications, and a key-related information storage module, which stores key-related information.
The trusted platform module is the same as a trusted platform module of the prior art. The authorization data management module can be implemented in hardware or as a software module. The authorization data list storage module can be located outside the trusted computing platform; it stores the authorization data list and can be implemented with hardware, a database or other means. In this list one authorization datum can correspond to several key identifications, that is, a user holding the authorization datum can request to call every key whose identification corresponds to it. All authorization data form an authorization data list, which is encrypted with a dedicated key stored in the trusted platform module (this key may itself be encrypted with the SRK and then stored in the trusted platform module) and stored in the authorization data list storage module. The connection between the authorization data management module and the authorization data list storage module is therefore a secure one: only after calling the corresponding key from the trusted platform module can the management module decrypt the list stored in the authorization data list storage module, obtain authorization data from the decrypted list, and perform maintenance operations on it. This prevents the list from being accessed, tampered with or maliciously attacked by an adversary and guarantees its security. The key storage module comprises a first key identification storage module, which stores key identifications, and a key-related information storage module, which stores key-related information. Key-related information includes the key and may also include other information associated with the key, such as the migration authorization data (migrationAuth) and the public data digest (pubDataDigest). Key identifications and keys correspond one to one; every key has a corresponding key identification.
Since the authorization data list contains one or more authorization data items, the authorization data list storage module may further comprise one or more authorization data item storage modules for storing the items. Each item comprises one authorization datum and the one or more key identifications corresponding to it. Because every key has a unique key identification (key identifications and keys correspond one to one), the key identifications corresponding to an authorization datum can be looked up from that datum, in order to decide whether the holder of a given authorization datum is a legitimate user of a key.
Since each authorization data item comprises an authorization datum and its corresponding key identifications, an authorization data item storage module comprises an authorization data storage module and a second key identification storage module. The authorization data storage module is linked to the second key identification storage module and stores the actual authorization data; the second key identification storage module stores the key identifications of keys. There is one authorization data storage module and there may be one or more second key identification storage modules.
In this embodiment of the trusted computing platform key management system, each authorization data item storage module contains one authorization data storage module and one or more second key identification storage modules, so one authorization datum can correspond to several key identifications. Conversely, a key identification can be stored in several authorization data item storage modules, so one key identification can correspond to several authorization data. In the prior art keys and authorization data correspond one to one and each key needs a different authorization datum, so the system must manage a large amount of key authorization data; the storage structure provided by the invention reduces the amount of key authorization data and improves management efficiency. Moreover, in the prior art a user's authorization data is generally computed by hashing a password entered by the user, so to manage many external entities the user must generate and manage many passwords. With the invention the user needs to generate and manage only one password in order to manage a large number of external entities. Because fewer passwords are needed, the user is more likely to avoid weak passwords, reducing the serious impact of weak passwords on platform security.
Because this trusted computing key authorization data management system stores authorization data in an authorization data list storage module that is independent of the trusted computing platform, separating keys from authorization data, and because every use of a key requires looking up the authorization data corresponding to the current key identification in the list, after the authorization data has been changed the old authorization datum no longer corresponds to the key identification and verification fails. This solves the synchronization problem of key authorization data updates in the TCG scheme while remaining compatible with the original key authorization data management scheme, is flexible and easy to use, and improves the efficiency with which the trusted computing platform manages key authorization data.
As shown in Fig. 2, the method of the invention for managing trusted computing platform key authorization data comprises the steps:
Step 1: the authorization data management module receives a key call request and obtains the key identification from it;
Step 2: query the authorization data list to determine whether the key call request contains the authorization data corresponding to this key identification; if so, go to step 3, otherwise go to step 4;
Step 3: use the key to complete the operation, then end;
Step 4: return an error message, then end.
The authorization data list described above contains one or more authorization data items and is stored in the authorization data list storage module. Each item comprises one authorization datum and the one or more key identifications corresponding to it. Because every key has a unique key identification (key identifications and keys correspond one to one), the key identifications corresponding to an authorization datum can be looked up in order to decide whether the holder of that datum is a legitimate user of the key. In other words, an item in the authorization data list establishes a correspondence: a user who holds the authorization datum in an item can use the keys identified in that item to perform operations such as data sealing (seal), binding (bind) and signing (sign).
In this embodiment the process is concretely as follows: the system receives the user's key call request, which may contain the password corresponding to the key, the handle value of the key and so on. From this request the system obtains the user authorization data and the key identification, searches the authorization data list, and determines whether the correct authorization data for this key can be computed from the request. If so, the key is loaded into the trusted platform module and, according to the scope of the authorization and the user's request, sealing (seal), binding (bind), signing (sign) or similar operations are performed; otherwise an error message is returned.
In this embodiment, to prevent an attacker from intercepting key-related data and mounting an attack, the key identifications and key-related information stored in the key storage module may be encrypted. Obtaining a key's identification then also requires decrypting the key data, so step 1 comprises:
Step 11: the authorization data management module receives the key call request;
Step 12: the authorization data management module obtains, according to the key call request, the key data of this key stored in the key storage module;
Step 13: the authorization data management module decrypts the key data and obtains the key identification of the key.
The key data referred to in step 12 is the key identification and key-related information stored in the key storage module; in this embodiment it is encrypted with the key's parent key. Step 13 can therefore be further embodied as:
Step 131: query the authorization data list storage module to determine whether the key call request contains the correct authorization data for the parent key; if so, go to step 132, otherwise go to step 133;
Step 132: decrypt the key-related data with the parent key of the requested key and obtain the key identification;
Step 133: return an error message, then end.
In the invention every key has a unique key identification, that is, key identifications and keys correspond one to one. Each authorization data item consists of an authorization datum and all the key identifications corresponding to it, and the items are stored in list form in the authorization data list storage module. Searching the items of this list and checking whether the authorization datum provided by the user corresponds to the key identification of the requested key therefore decides whether the holder of that datum is a legitimate user of the key.
Accordingly, step 2 further comprises:
Step 21: obtain the user authorization data from the key call request;
Step 22: query the authorization data list storage module to determine whether an authorization data item corresponding to the user authorization data exists; if so, go to step 23, otherwise go to step 4;
Step 23: check whether this authorization data item contains the key identification of the key the user requested; if so, go to step 3, otherwise go to step 4.
In this embodiment of the trusted computing platform key management method, a key's authorization data can be obtained by hashing a manually entered password, or, for better security, it can be a piece of binary data of higher entropy kept on a medium such as a smart card. So in step 21 the user authorization data is computed from the key call request either by hashing the password entered by the user or by extracting the stored binary data from a smart card or similar medium.
In this embodiment, to guarantee the security of the authorization data list, the list is stored encrypted in the authorization data list storage module, so step 22 may be preceded by step 221: call the trusted platform module to decrypt the authorization data list stored in the authorization data list storage module.
In practice the authorization data list can be encrypted with the SRK, or with a dedicated key stored in the trusted platform module (this key may itself be encrypted with the SRK and then stored in the trusted platform module), and then stored in the authorization data list storage module.
Alternatively, step 2 can be implemented as follows:
Step 21': obtain the user authorization data from the key call request;
Step 22': query the authorization data list, examining the key identifications in each authorization data item and determining whether one matches the key identification obtained in step 1; if so, go to step 23', otherwise continue with step 22' until all items in the list have been examined, then go to step 4;
Step 23': determine whether the authorization datum in this item matches the user authorization data of step 21'; if so, go to step 3, otherwise go to step 22'.
That is, the system queries the authorization data list by key identification and determines whether the authorization data the user supplied in the key call request matches the authorization data corresponding to that key identification.
Likewise, step 22' may be preceded by step 221': call the trusted platform module to decrypt the authorization data list stored in the authorization data list storage module.
In the above method, because every use of a key requires looking up the key identifications corresponding to the current authorization datum in the authorization data list, after the authorization data has been changed the old datum no longer corresponds to the key identification and verification fails, which solves the synchronization problem of key authorization data updates. And since in practice the method of the invention can be realized simply by replacing the authorization data in the key-related data of the original TCG key authorization management scheme with the key identification, the invention remains compatible with the original TCG key authorization management scheme.
In practice, because security needs, in some cases, such as, former authorization data is revealed accidentally, the time, authorization data need be made amendment, and in addition, the authorization data tabulation also needs to upgrade when having added new key or old key and abolished.Therefore, the present invention also provides the authorization data maintaining method of the credible computation key authorization data of corresponding the present invention management method when above-mentioned credible computation key management method is provided, as shown in Figure 3, comprise the steps:
Step a: receive authorization data list modification information;
Step b: determine whether the authorization data list modification information is delete-item information, new-item information or update-item information; if it is delete-item information, execute step c; if it is new-item information, execute step d; if it is update-item information, execute step e; otherwise, return an error message;
Step c: delete the corresponding authorization data item from the authorization data list, and execute step f;
Step d: create a new authorization data item and, according to the authorization data list modification information, store in it an authorization data and the one or more key identifiers corresponding to that authorization data; then execute step f;
Step e: update the corresponding authorization data item according to the authorization data list modification information, and execute step f;
Step f: end.
Here, the authorization data list modification information may comprise an external delete, add or update instruction. When the modification information is delete-item information, it also comprises parameters such as the authorization data to be deleted, so that the item to be deleted can be determined. When it is add-item information, it also comprises the authorization data to be added and the corresponding parameters such as the key identifiers. When it is update-item information, it also comprises the authorization data of the item to be updated, so that the corresponding item can be found, together with the key identifiers to be deleted from or added to that item.
Step c may specifically be: search the authorization data list storage module according to the authorization data list modification information and determine whether the authorization data item exists in the authorization data list; if so, delete the item, otherwise return an error message.
An authorization data item may be modified because the keys corresponding to an authorization data are to be changed, that is, a key identifier is added to or deleted from the authorization data; it may also be modified because the original authorization data has been accidentally leaked or lost and must be replaced, that is, the original authorization data in the item is deleted and new authorization data is stored. Therefore, step e is specifically:
Step e1: search the authorization data storage module according to the authorization data list modification information and determine whether the corresponding authorization data item is stored; if so, execute step e2, otherwise return an error message and execute step f;
Step e2: determine whether the authorization data list modification information is key identifier update information or authorization data update information; if it is key identifier update information, execute step e3; if it is authorization data update information, execute step e7; in any other case, return an error message and execute step f;
Step e3: determine whether the authorization data list modification information is key identifier addition information or key identifier deletion information; if it is addition information, execute step e4; if it is deletion information, execute step e5; in any other case, return an error message and execute step f;
Step e4: add the key identifier to be added to the corresponding authorization data item, and execute step f;
Step e5: determine whether the key identifier that the authorization data list modification information marks for deletion exists in the corresponding authorization data item; if so, execute step e6, otherwise return an error message and execute step f;
Step e6: delete, from the corresponding authorization data item, the key identifier that the authorization data list modification information marks for deletion, and execute step f;
Step e7: according to the authorization data list modification information, delete the original authorization data from the corresponding authorization data item and store the new authorization data.
In the above scheme, the authorization data is stored in the authorization data list, and the key data (analogous to the key blob in the existing TCG key management system) no longer holds the authorization data but directly stores the key identifier of the corresponding key. When the authorization data needs to be checked, the authorization data list is searched by key identifier to determine whether the presented authorization data is legitimate authorization data permitted to use this key. This solves the key synchronization problem of authorization data in the TCG key management system: after the authorization data is changed, even someone who knows the old authorization data and the corresponding old key data (analogous to the key data blob in the existing TCG key management system) cannot use this key. This improves the security of the trusted platform, eliminates the security defect that the key synchronization problem causes in the prior art, remains compatible with the existing TCG key authorization management scheme, and is flexible and easy to use.
In addition, in the present embodiment the authorization data list is stored encrypted in the authorization data list storage module; it may be encrypted with a dedicated key stored in the trusted platform module (this key may itself be encrypted with the SRK and then stored in the trusted platform module). Hence the authorization data list must be decrypted before it is updated, and re-encrypted with that key after it is updated. Therefore, step b may be preceded by step b': calling the trusted platform module to decrypt the authorization data list. Correspondingly, step f may specifically be step f': calling the trusted platform module to encrypt the authorization data list, then ending.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art will understand that the technical solution of the present invention may still be modified or equivalently replaced, and that such modifications or replacements do not depart from the spirit and scope of the technical solution of the present invention.
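As an added example that is not part of the patent, the following Python model implements the authorization data list together with the check of step 2 (claim 5, steps 21 to 23) and the maintenance procedure of steps a to f and e1 to e7 described above; the class and method names, the dictionary-shaped modification information and the error strings are assumptions of this example, and the encryption of the list by the trusted platform module is left out.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class KeyBlob:
    """Key data as kept in the key storage module: a key identifier plus the
    key material, with no authorization data inside (the departure from the
    TCG key blob that the text describes)."""
    key_id: str
    key_material: bytes


class AuthDataList:
    """Authorization data list: each item is one authorization data value and
    the set of key identifiers that may be used with it."""

    def __init__(self) -> None:
        self._items: Dict[bytes, Set[str]] = {}

    def _find(self, auth: bytes) -> Optional[bytes]:
        # Constant-time comparison so the lookup does not leak which stored
        # authorization data shares a prefix with the presented one.
        for stored in self._items:
            if hmac.compare_digest(stored, auth):
                return stored
        return None

    # Management method, step 2: the presented authorization data must name
    # an item that contains the identifier of the requested key.
    def check(self, key_id: str, user_auth: bytes) -> bool:
        stored = self._find(user_auth)
        return stored is not None and key_id in self._items[stored]

    # Maintenance method, steps a-f: dispatch on the modification information.
    def modify(self, info: dict) -> str:
        op = info.get("op")
        if op == "delete":                          # step c
            stored = self._find(info["auth"])
            if stored is None:
                return "error: no such authorization data item"
            del self._items[stored]
            return "ok"
        if op == "new":                             # step d
            if self._find(info["auth"]) is not None:
                return "error: item already exists"  # assumption: no overwrite
            self._items[info["auth"]] = set(info["key_ids"])
            return "ok"
        if op == "update":                          # step e
            return self._update(info)
        return "error: unknown modification"

    def _update(self, info: dict) -> str:
        stored = self._find(info["auth"])           # step e1
        if stored is None:
            return "error: no such authorization data item"
        kind = info.get("kind")                     # step e2
        if kind == "auth":                          # step e7: replace secret
            self._items[info["new_auth"]] = self._items.pop(stored)
            return "ok"
        if kind != "key_id":
            return "error: unknown update kind"
        action = info.get("action")                 # step e3
        if action == "add":                         # step e4
            self._items[stored].add(info["key_id"])
            return "ok"
        if action == "delete":                      # steps e5 and e6
            if info["key_id"] not in self._items[stored]:
                return "error: key identifier not in item"
            self._items[stored].discard(info["key_id"])
            return "ok"
        return "error: unknown key identifier action"


def rotation_demo() -> tuple:
    """Synchronization property: after the authorization data is replaced, the
    old secret no longer unlocks the key although the key blob is unchanged.
    All sample values are constructed."""
    lst = AuthDataList()
    blob = KeyBlob("key-42", b"constructed key material")
    lst.modify({"op": "new", "auth": b"old-secret", "key_ids": [blob.key_id]})
    before = lst.check(blob.key_id, b"old-secret")
    lst.modify({"op": "update", "auth": b"old-secret",
                "kind": "auth", "new_auth": b"new-secret"})
    return (before, lst.check(blob.key_id, b"old-secret"),
            lst.check(blob.key_id, b"new-secret"))
```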

Claims (12)

1. A system for managing trusted computing platform key authorization data, comprising a trusted platform module, characterized in that it further comprises an authorization data management module, an authorization data list storage module and a key storage module;
the authorization data management module is connected to the trusted platform module, the key storage module and the authorization data list storage module, and is used for managing authorization data and authenticating authorization data;
the authorization data list storage module is connected to the authorization data management module and is used to store the authorization data list; the authorization data list storage module comprises one or more authorization data item storage modules, each used to store an authorization data item; each authorization data item storage module comprises a second key identifier storage module and an authorization data storage module; the second key identifier storage module is used to store the key identifier of a key; the authorization data storage module is linked with the second key identifier storage module and is used to store the specific authorization data; each authorization data item storage module comprises one authorization data storage module and one or more second key identifier storage modules;
the key storage module is connected to the authorization data management module and comprises a first key identifier storage module and a key-related information storage module;
the first key identifier storage module is used to store key identifiers;
the key-related information storage module is used to store key-related information, the key-related information comprising the key.
2. A method for managing trusted computing platform key authorization data, characterized in that it comprises the following steps:
Step 1: the authorization data management module receives key call request information and obtains a key identifier according to this key call request information;
Step 2: obtain the user authorization data from the key call request information, query the authorization data list storage module and determine whether the key call request information contains the authorization data corresponding to this key identifier; if so, execute step 3, otherwise execute step 4; the authorization data list comprises one or more authorization data items and is stored in the authorization data list storage module, each authorization data item comprising one authorization data and one or more key identifiers corresponding to that authorization data;
Step 3: use the key to complete the operation, and end;
Step 4: return an error message, and end.
3. The method for managing trusted computing platform key authorization data according to claim 2, characterized in that step 1 is:
Step 11: the authorization data management module receives key call request information;
Step 12: the authorization data management module obtains, according to the key call request information, the key data of this key stored in the key storage module; the key data consists of the key identifier and the key-related information, the key-related information comprising the key;
Step 13: the authorization data management module decrypts the key data and obtains the key identifier of this key.
4. The method for managing trusted computing platform key authorization data according to claim 3, characterized in that step 13 is specifically:
Step 131: query the authorization data list storage module and determine whether the key call request information contains the correct authorization data of the parent key of the requested key; if so, execute step 132, otherwise execute step 133;
Step 132: decrypt the key data with the parent key of the requested key to obtain the key identifier, and execute step 2;
Step 133: return an error message, and end.
5. The method for managing trusted computing platform key authorization data according to claim 2, characterized in that step 2 is specifically:
Step 21: obtain the user authorization data from the key call request information;
Step 22: query the authorization data list storage module and determine whether the authorization data item corresponding to the user authorization data exists; if so, execute step 23, otherwise execute step 4;
Step 23: query whether this authorization data item contains the key identifier of the key the user requests; if so, execute step 3, otherwise execute step 4.
6. The method for managing trusted computing platform key authorization data according to claim 2, characterized in that step 2 is specifically:
Step 21': obtain the user authorization data from the key call request information;
Step 22': query the authorization data list, examining the key identifiers in the authorization data items in turn and determining whether each is consistent with the key identifier obtained in step 1; if so, execute step 23'; otherwise continue executing step 22' until all authorization data items in the authorization data list have been examined, then execute step 4;
Step 23': determine whether the authorization data in this authorization data item is consistent with the user authorization data of step 21'; if so, execute step 3, otherwise execute step 22'.
7. The method for managing trusted computing platform key authorization data according to claim 5, characterized in that step 22 is preceded by:
Step 221: call the trusted platform module to decrypt the authorization data list stored in the authorization data list storage module.
8. The method for managing trusted computing platform key authorization data according to claim 6, characterized in that step 22' is preceded by:
Step 221': call the trusted platform module to decrypt the authorization data list stored in the authorization data list storage module.
9. An authorization data maintenance method based on the method for managing trusted computing platform key authorization data according to any one of claims 2 to 8, characterized in that it comprises the following steps:
Step a: receive authorization data list modification information;
Step b: determine whether the authorization data list modification information is delete-item information, new-item information or update-item information; if it is delete-item information, execute step c; if it is new-item information, execute step d; if it is update-item information, execute step e; otherwise, return an error message;
Step c: delete the corresponding authorization data item from the authorization data list, and execute step f;
Step d: create a new authorization data item and, according to the authorization data list modification information, store in it an authorization data and the one or more key identifiers corresponding to that authorization data; then execute step f;
Step e: update the corresponding authorization data item according to the authorization data list modification information, and execute step f;
Step f: end.
10. The authorization data maintenance method according to claim 9, characterized in that step c is specifically: search the authorization data list storage module according to the authorization data list modification information and determine whether the authorization data exists in the authorization data list; if so, delete this authorization data and the key identifiers corresponding to it, and execute step f; otherwise, return an error message and execute step f.
11. The authorization data maintenance method according to claim 9, characterized in that step e is specifically:
Step e1: search the authorization data list storage module according to the authorization data list modification information and determine whether the corresponding authorization data item is stored; if so, execute step e2, otherwise return an error message and execute step f;
Step e2: determine whether the authorization data list modification information is key identifier update information or authorization data update information; if it is key identifier update information, execute step e3; if it is authorization data update information, execute step e7; in any other case, return an error message and execute step f;
Step e3: determine whether the authorization data list modification information is key identifier addition information or key identifier deletion information; if it is addition information, execute step e4; if it is deletion information, execute step e5; in any other case, return an error message and execute step f;
Step e4: add the key identifier to be added to the corresponding authorization data item, and execute step f;
Step e5: determine whether the key identifier that the authorization data list modification information marks for deletion exists in the corresponding authorization data item; if so, execute step e6, otherwise return an error message and execute step f;
Step e6: delete, from the corresponding authorization data item, the key identifier that the authorization data list modification information marks for deletion, and execute step f;
Step e7: according to the authorization data list modification information, delete the original authorization data from the corresponding authorization data item and store the new authorization data.
12. The authorization data maintenance method according to claim 9, characterized in that:
step b is preceded by step b': call the trusted platform module to decrypt the authorization data list;
correspondingly, between step e and step f there is:
step f': call the trusted platform module to encrypt the authorization data list.
CN200610114763A 2006-11-22 2006-11-22 System and method for managing credible calculating platform key authorization data Expired - Fee Related CN100596058C (en)

Publications (2)

Publication Number Publication Date
CN1988437A CN1988437A (en) 2007-06-27
CN100596058C true CN100596058C (en) 2010-03-24


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100324

Termination date: 20211122