CN106549764A - A kind of credible platform module based on UKEY - Google Patents
- Publication number: CN106549764A (application CN201610897082.3A)
- Authority: CN (China)
- Prior art keywords: utpm, ukey, submodules, key, function
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/3234: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
- H04L9/0877: Generation of secret information including derivation or calculation of cryptographic keys or passwords using an additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/0897: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage, involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
- H04L2209/127: Details relating to cryptographic hardware or logic circuitry; trusted platform modules [TPM]
Abstract
The present invention relates to a trusted platform module based on a UKEY (USB key). The UKEY implements the secure storage, secure reporting (remote attestation) and cryptographic algorithms defined in the known TPM specification. The module consists of two submodules: a utpm engine submodule running inside the UKEY (the dongle's internal space) and a utpmd submodule running in user space. The utpm engine submodule inside the UKEY provides the low-level functions, which implement the secure storage and secure reporting functions; the utpmd submodule in user space performs unified scheduling of the requests generated by users. UTPM makes trusted computing technology available to a far larger audience and easier to obtain: an ordinary computer needs only a USB port to plug in the UTPM and then has the full functionality of a traditional TPM, which reduces hardware cost while greatly improving the security of the computer.
Description
Technical field
The present invention relates to the field of trusted computing, and more particularly to a trusted platform module based on a UKEY (UTPM).
Background technology
Trusted computing is an emerging field of information security that builds on hardware-based security with the aim of improving computer security. Trust is the key concept of trusted computing; the trusted computing standards define it as follows: an entity is trusted if its behaviour always proceeds in the expected manner towards the expected goal. In trusted computing, every judgement of whether an entity is trusted ultimately rests on a trusted chip embedded on the motherboard: the trusted platform module.

The trusted platform module (TPM, Trusted Platform Module) is the core component of a trusted computing platform. It is a chip embedded on the motherboard that communicates with the motherboard over the LPC bus and has its own microprocessor and cryptographic algorithm engine. Its main components include input/output, a cryptographic co-processor, key generation, an HMAC engine, a random number generator, a SHA-1 engine, power detection, an opt-in switch, an execution engine, non-volatile storage and volatile storage.

The design philosophy of trusted computing takes the trusted platform module as the unconditional root of trust. The computer boots starting from the root of trust and, through the three steps of measurement and verification, trust transfer and handover of CPU control, progressively extends the trust boundary from the root of trust to the BIOS, then to the operating system, and finally to application programs.

The theory of trusted computing not only means that research on computer system security has made great progress; it also brings new thinking to guaranteeing computer system security. As the theory has developed, many chip and computer vendors have produced computers that support trusted computing, but these have not become widespread and, relative to the huge number of computers worldwide, remain a niche product. Because the TPM, the foundation of trusted computing, has to be embedded on the motherboard and must start before the BIOS, the architecture of a conventional motherboard has to be modified to add it, so it is difficult to port a TPM onto computers that do not yet support trusted computing. Furthermore, current TPMs have limited computing capability, yet all the cryptographic operations that secure the whole computer are carried out inside the TPM; the TPM's computing capability therefore becomes the performance bottleneck of the operating system, slowing down the whole computer system and reducing the usability of the operating system.
The content of the invention
The present invention overcomes at least one of the defects (shortcomings) of the prior art described above by providing a trusted platform module based on a UKEY (UTPM). The module need not be embedded on the motherboard; the functions of a traditional TPM are implemented with a UKEY, so that any ordinary computer into which the UTPM is plugged effectively has the functions of a TPM.

To solve the above technical problem, the technical scheme is as follows:

A trusted platform module based on a UKEY uses the UKEY to implement the secure storage, secure reporting and cryptographic algorithms defined in the known TPM specification. The module comprises two submodules: a utpm engine submodule inside the UKEY and a utpmd submodule in user space.

The utpm engine submodule inside the UKEY provides the low-level functions, and these low-level functions implement the secure storage function and the secure reporting function.

The utpmd submodule in user space performs unified scheduling of the requests generated by users.

The UKEY-based trusted platform module proposed by the present invention packages a traditional TPM in the form of an ordinary UKEY: in use, the module only needs to be plugged directly into the computer to enable trusted computing on it, which reduces hardware cost while greatly improving the security of the computer.

Preferably, the functions that implement secure storage are UTPM_CreateWrapKey() and UTPM_LoadKey(), which respectively generate a key and load a key.

Preferably, the generated keys are of four types: storage keys, binding keys, identity keys and signing keys.

Preferably, the functions that implement secure reporting are UTPM_MakeIdentity(), UTPM_PCRExtend(), UTPM_PCRRead() and UTPM_Quote(), which respectively generate an identity key, extend a PCR, read a PCR and perform a QUOTE operation over the PCRs.

Preferably, the utpmd submodule in user space is a system service process that communicates with users through a domain socket.

Compared with the prior art, the technical solution of the present invention has the following beneficial effects: 1. UTPM makes trusted computing technology more widespread and easier to obtain: an ordinary computer needs only a USB port to plug in a UTPM and thereby obtain all the functions of a traditional TPM, reducing hardware cost while greatly improving the security of the computer. 2. The weak computing capability of a traditional TPM is mainly due to its overly long update cycle, whereas UTPM does not depend on particular hardware: any UKEY on the market that can execute a program stored inside the token allows the UTPM core code to be ported to it easily and efficiently. The computing capability of UTPM can therefore keep pace with the newest UKEYs on the market, giving performance well above that of a traditional TPM.
Description of the drawings
Fig. 1 is an architecture diagram of the UKEY-based trusted platform module of the present invention.
Specific embodiment
The accompanying drawing is for illustration only and must not be construed as limiting this patent; to better illustrate the embodiment, some parts of the drawing are omitted, enlarged or reduced and do not represent the size of the actual product. Those skilled in the art will understand that some known structures, and their explanations, may be omitted from the drawing. The technical scheme is further described below with reference to the drawing and the embodiment.

A traditional TPM has the following two problems: 1. Most motherboards currently on the market have no TPM, and because the TPM has to be embedded on the motherboard, the proportion of computers in use that have a TPM is low. 2. The limited computing capability of a traditional TPM makes it the performance bottleneck of the operating system, slowing down the whole computer system and reducing the usability of the operating system. The present invention proposes a UKEY-based trusted platform module precisely to solve these two main problems of the traditional TPM.

A USB Key, also called a USB Token, has been widely used in financial transactions in recent years; the U-shield, the K-shield and the online-banking shield are all essentially kinds of USB Key. A USB Key generally has common cryptographic algorithms such as RSA and SHA-1 built in, and also has a certain amount of internal storage in which the user's private key and digital certificate can be kept. However, merely having a cryptographic algorithm module and a secure storage module is far from enough to implement the functions of a TPM. For example, the most essential function of a TPM is its authorisation mechanism, whereby a user has to present authorisation data in order to perform specific operations on a key; an ordinary USB Key cannot implement this because it exposes no corresponding function interface. To implement it, it must be possible to develop for the inside of the USB Key, so as to provide, in addition to the basic cryptographic algorithms, the secure storage and secure reporting functions defined in the TPM specification. In fact, some higher-end USB Key products do offer such a capability: they allow the user to write an executable file into the USB Key and provide an interface for invoking that executable.

This embodiment is developed on a Feitian ROCKEY-ARM USB Key, and implements inside the USB Key the secure storage, secure reporting and cryptographic algorithms defined in the traditional TPM specification.

The overall architecture of UTPM is shown in Fig. 1. It consists mainly of two submodules: the utpm engine submodule inside the UKEY and the utpmd submodule in user space.

utpm engine is in fact an executable file inside the token. It mainly provides a series of low-level functions, and these functions implement the two major capabilities of a traditional TPM: secure storage and secure reporting.

Secure storage means that all private keys are kept in the UTPM and never appear outside it in plaintext. Because storage space in the UTPM is limited, however, the actual implementation encrypts private keys and keeps them locally (on the host) for the time being, and loads them back into the UTPM when they are needed. The related functions are UTPM_CreateWrapKey() and UTPM_LoadKey(), which generate and load keys respectively. As with a TPM, four types of key can be generated: storage keys, binding keys, identity keys and signing keys.
Secure reporting means securely reporting the state of the platform. A common usage is that, during trusted boot, a program that has already been measured measures the program that is to be executed next and extends the measurement into the corresponding PCR in the UTPM. When a third party asks the platform to send its trusted state, the UTPM signs these PCR values with the AIK and returns the signature to the third party. The related functions are UTPM_MakeIdentity(), UTPM_PCRExtend(), UTPM_PCRRead() and UTPM_Quote().
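The measure-extend-quote cycle of the paragraph above, as an added example that is not part of the patent or of the UTPM code: a 20-byte SHA-1 PCR bank with the extend rule, a quote over the PCRs bound to a verifier nonce, and the verifier's replay of the measurement log, which is what catches a substituted boot stage. Assumptions: the AIK's RSA signature is modelled with HMAC-SHA1 under a shared secret so the example runs on the Python standard library, and the boot stage images and the golden log are constructed.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length: the 20-byte TPM 1.2 PCR that the UTPM mirrors

def pcr_extend(old: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-1(PCR_old || measurement), the UTPM_PCRExtend() rule. A PCR only
    ever moves forward this way, so a stage cannot be un-measured afterwards."""
    if len(old) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR value and measurement must both be 20 bytes")
    return hashlib.sha1(old + measurement).digest()

def measure(image: bytes) -> bytes:
    """The already-measured stage hashes the next stage before handing over control."""
    return hashlib.sha1(image).digest()

class UtpmPcrBank:
    """Toy model of the PCR bank inside the UKEY: every PCR is zero at power-up and
    changes only through extend(); there is no direct write."""

    def __init__(self, count: int = 24):
        self._pcrs = [bytes(PCR_SIZE)] * count

    def extend(self, index: int, measurement: bytes) -> bytes:
        self._pcrs[index] = pcr_extend(self._pcrs[index], measurement)
        return self._pcrs[index]

    def read(self, index: int) -> bytes:  # UTPM_PCRRead()
        return self._pcrs[index]

    def quote(self, indices: list, nonce: bytes, aik_secret: bytes) -> dict:
        """UTPM_Quote() stand-in: sign the selected PCRs with the verifier's nonce.
        Assumption: HMAC-SHA1 under a shared secret models the AIK signature so this
        runs on the standard library; the real module signs with the AIK's RSA key."""
        pcrs = {i: self._pcrs[i] for i in indices}
        composite = hashlib.sha1(b"".join(pcrs[i] for i in sorted(pcrs))).digest()
        sig = hmac.new(aik_secret, composite + nonce, hashlib.sha1).digest()
        return {"pcrs": pcrs, "nonce": nonce, "sig": sig}

def verify_quote(quote: dict, nonce: bytes, aik_secret: bytes, golden: dict) -> bool:
    """Verifier side: check signature and freshness nonce, then replay the expected
    event log for each quoted PCR. A substituted boot stage changes the replayed
    value, so the quote is rejected even though its signature is valid."""
    indices = sorted(quote["pcrs"])
    composite = hashlib.sha1(b"".join(quote["pcrs"][i] for i in indices)).digest()
    expected_sig = hmac.new(aik_secret, composite + nonce, hashlib.sha1).digest()
    if quote["nonce"] != nonce or not hmac.compare_digest(quote["sig"], expected_sig):
        return False
    for index in indices:
        if index not in golden:
            return False  # a PCR we hold no reference log for cannot be trusted
        replayed = bytes(PCR_SIZE)
        for digest in golden[index]:
            replayed = pcr_extend(replayed, digest)
        if not hmac.compare_digest(replayed, quote["pcrs"][index]):
            return False
    return True

def boot_and_attest(stages: list, aik_secret: bytes, nonce: bytes) -> dict:
    """Constructed trusted-boot chain: each stage image is measured into PCR 0 before
    it runs, then the UTPM quotes PCR 0 for a remote verifier."""
    bank = UtpmPcrBank()
    for image in stages:
        bank.extend(0, measure(image))
    return bank.quote([0], nonce, aik_secret)

# Constructed sample data, not from the patent.
GOOD_STAGES = [b"BIOS v1", b"bootloader v3", b"kernel 4.x"]
TAMPERED_STAGES = [b"BIOS v1", b"bootloader v3 (patched)", b"kernel 4.x"]
AIK_SECRET = b"constructed-aik-secret"
GOLDEN = {0: [measure(s) for s in GOOD_STAGES]}  # verifier's reference log for PCR 0
```

The verifier needs the golden log as well as the AIK: a valid signature over an unexpected PCR value is exactly the case the replay step exists to refuse.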
In addition, when a user performs a specific operation with a private key, the corresponding authorisation data must be supplied, so that different users are isolated from one another. During this process the UTPM has to manage the sessions created for different users and verify whether a user's authorisation is valid. The related functions are UTPM_OIAP() and UTPM_OSAP(); they respectively open an object-independent session and an object-specific session.
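How the session and authorisation check described above can be enforced so that the authorisation data itself never crosses the USB link; an added example, not the patent's or the project's code. Assumptions: the UTPM_OIAP() session follows the TPM 1.2 rolling-nonce HMAC construction (the patent names the function but not its wire format), the authorisation data is the SHA-1 of a user secret, and the key handle, command ordinal and user secrets are constructed.

```python
import hashlib
import hmac
import os

NONCE_SIZE = 20  # 20-byte nonces, matching the SHA-1 width used throughout the module

class AuthError(Exception):
    """Raised by the UTPM when a session or a proof of authorisation is rejected."""

def authdata_from_secret(secret: bytes) -> bytes:
    """Assumption: a key's authorisation data is the SHA-1 of the user's secret."""
    return hashlib.sha1(secret).digest()

def compute_auth(authdata: bytes, ordinal: bytes, params: bytes,
                 nonce_even: bytes, nonce_odd: bytes) -> bytes:
    """Proof of authorisation: HMAC over the command digest and both nonces. The
    authdata itself never crosses the USB link; the UTPM only ever sees this HMAC."""
    in_param_digest = hashlib.sha1(ordinal + params).digest()
    return hmac.new(authdata, in_param_digest + nonce_even + nonce_odd,
                    hashlib.sha1).digest()

class UtpmAuthSessions:
    """Toy model of the session manager inside utpm engine, in the style of
    UTPM_OIAP(): the UTPM holds each key's authdata and one fresh nonce per session."""

    def __init__(self, key_auth: dict):
        self._key_auth = key_auth  # key handle -> authdata kept inside the UKEY
        self._sessions = {}        # session handle -> current nonceEven
        self._next_handle = 1

    def oiap(self) -> tuple:
        """Open an object-independent session and return (handle, nonceEven)."""
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._sessions[handle] = os.urandom(NONCE_SIZE)
        return handle, self._sessions[handle]

    def authorized_command(self, handle: int, key_handle: int, ordinal: bytes,
                           params: bytes, nonce_odd: bytes, proof: bytes) -> bytes:
        """Check the proof before any operation touches key_handle. Returns the next
        nonceEven on success; a failed proof closes the session."""
        if handle not in self._sessions or key_handle not in self._key_auth:
            raise AuthError("unknown session or key")
        expected = compute_auth(self._key_auth[key_handle], ordinal, params,
                                self._sessions[handle], nonce_odd)
        if not hmac.compare_digest(expected, proof):
            del self._sessions[handle]
            raise AuthError("authorisation failed")
        self._sessions[handle] = os.urandom(NONCE_SIZE)  # roll the nonce: a repeat now fails
        return self._sessions[handle]

def attempt(utpm: UtpmAuthSessions, handle: int, key_handle: int, ordinal: bytes,
            params: bytes, nonce_odd: bytes, proof: bytes) -> bool:
    """True if the UTPM accepted the command, False if it raised AuthError."""
    try:
        utpm.authorized_command(handle, key_handle, ordinal, params, nonce_odd, proof)
        return True
    except AuthError:
        return False

def run_scenario() -> dict:
    """Constructed scenario: the key's owner succeeds, an exact repeat of the same command
    fails because nonceEven has rolled, and a second user with the wrong secret is refused."""
    alice = authdata_from_secret(b"alice-secret")
    key_handle, ordinal, params = 0x1001, b"UTPM_Sign", b"sign-me"  # constructed values
    utpm = UtpmAuthSessions({key_handle: alice})
    handle, nonce_even = utpm.oiap()
    nonce_odd = os.urandom(NONCE_SIZE)
    proof = compute_auth(alice, ordinal, params, nonce_even, nonce_odd)
    owner = attempt(utpm, handle, key_handle, ordinal, params, nonce_odd, proof)
    replay = attempt(utpm, handle, key_handle, ordinal, params, nonce_odd, proof)
    handle, nonce_even = utpm.oiap()  # the failed repeat closed the previous session
    bob_proof = compute_auth(authdata_from_secret(b"bob-guess"), ordinal, params, nonce_even, nonce_odd)
    wrong_user = attempt(utpm, handle, key_handle, ordinal, params, nonce_odd, bob_proof)
    return {"owner": owner, "replay": replay, "wrong_user": wrong_user}
```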
utpmd runs in user space and is responsible for the unified scheduling of the requests generated by users. Compared with users communicating with utpm engine directly, this arrangement prevents contention between multiple users. utpmd is in fact a system service process that communicates with users through a domain socket.

To make UTPM easier to use, this embodiment also provides a function library whose main functions include generating keys, loading keys, encrypting data, decrypting data, signing data, verifying signatures, PCR extension and PCR signing. The function interface is shown below.
```c
/* Create a context; must be called before any other function */
UTPM_RESULT utpm_create_context();
UTPM_RESULT utpm_close_context();
UTPM_RESULT utpm_get_random(…);
/* Open a session, object-independent (OIAP) */
UTPM_RESULT utpm_open_oiap_session(…);
/* Open a session, object-specific (OSAP) */
UTPM_RESULT utpm_open_osap_session(…);
/* Generate a wrap key */
UTPM_RESULT utpm_create_wrap_key(…);
/* Load a generated key into the UTPM */
UTPM_RESULT utpm_load_key(…);
/* Bind (encrypt) a block of data */
UTPM_RESULT utpm_bind_data(…);
/* Unbind (decrypt) bound data */
UTPM_RESULT utpm_unbind_data(…);
/* Sign data */
UTPM_RESULT utpm_sign_data(…);
UTPM_RESULT utpm_verify_data(…);
UTPM_RESULT utpm_make_hash(…);
UTPM_RESULT utpm_flush_specific(…);
UTPM_RESULT utpm_flush_all(…);
/* Perform an extend() operation on a PCR */
UTPM_RESULT utpm_pcr_extend(…);
/* Read the value of a specific PCR */
UTPM_RESULT utpm_pcr_read(…);
```
Obviously, the above embodiment is merely an example intended to illustrate the present invention clearly and is not a limitation on its embodiments. Those of ordinary skill in the art may make other changes in different forms on the basis of the above description; it is neither necessary nor possible to enumerate all embodiments. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the claims of the present invention.
Claims (5)
1. A trusted platform module based on a UKEY, characterised in that the UKEY implements the secure storage, secure reporting and cryptographic algorithms defined in the known TPM specification; the module comprises two submodules, namely a utpm engine submodule inside the UKEY and a utpmd submodule in user space;
the utpm engine submodule inside the UKEY provides the low-level functions, and these low-level functions implement the secure storage function and the secure reporting function;
the utpmd submodule in user space performs unified scheduling of the requests generated by users.
2. The UKEY-based trusted platform module according to claim 1, characterised in that the functions that implement secure storage are UTPM_CreateWrapKey() and UTPM_LoadKey(), which respectively generate a key and load a key.
3. The UKEY-based trusted platform module according to claim 1, characterised in that the generated keys are of four types: storage keys, binding keys, identity keys and signing keys.
4. The UKEY-based trusted platform module according to claim 1, characterised in that the functions that implement secure reporting are UTPM_MakeIdentity(), UTPM_PCRExtend(), UTPM_PCRRead() and UTPM_Quote(), which respectively generate an identity key, extend a PCR, read a PCR and perform a QUOTE operation over the PCRs.
5. The UKEY-based trusted platform module according to claim 1, characterised in that the utpmd submodule in user space is a system service process that communicates with users through a domain socket.
Application and publication data
Application Number | Priority Date | Filing Date | Publication Number | Publication Date | Status
---|---|---|---|---|---
CN201610897082.3A | 2016-10-14 | 2016-10-14 | CN106549764A | 2017-03-29 | Pending
Family ID: 58368940. Country status: CN, CN106549764A.
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101902472A | 2010-07-09 | 2010-12-01 | 北京工业大学 | Method for pushing remote declaration based on behaviors in trusted network
CN102427561A | 2011-10-24 | 2012-04-25 | 山东泰信电子有限公司 | Method for preventing VOD (Video-On-Demand) programs from being illegally spread and shared
WO2013124579A1 | 2012-02-23 | 2013-08-29 | Edevice | Electronic equipment for the replication of ports and the routing of digital signals
Non-Patent Citations (2)
Title
---
刘觅: "Research on mobile TPM key management based on USB Key", master's thesis, Beijing Jiaotong University
池亚平, 王全民: "Research and simulation design of a USB Key based trusted platform module", Journal of Beijing Electronic Science and Technology Institute
Legal Events
Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication
Application publication date: 2017-03-29