CN106549764A - A UKEY-based trusted platform module - Google Patents


Info

Publication number: CN106549764A
Authority: CN (China)
Prior art keywords: utpm, ukey, submodules, key, function
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201610897082.3A
Other languages: Chinese (zh)
Inventors: 向南, 蔡国扬
Current assignee: National Sun Yat Sen University
Original assignee: National Sun Yat Sen University
Priority date: 2016-10-14
Filing date: 2016-10-14
Publication date: 2017-03-29
Application filed by National Sun Yat Sen University
Priority to CN201610897082.3A
Publication of CN106549764A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3234: ... involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0877: ... using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L 9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/0897: ... involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L 2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/12: Details relating to cryptographic hardware or logic circuitry
    • H04L 2209/127: Trusted platform modules [TPM]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a trusted platform module based on a UKEY. It uses the UKEY to implement the secure storage, secure reporting and cryptographic algorithms defined in the known TPM standard. The module comprises two submodules: the utpm engine submodule running inside the UKEY (the token's internal space) and the utpmd submodule in user space. The utpm engine submodule inside the UKEY provides the low-level functions, which implement the secure storage function and the secure reporting function; the utpmd submodule in user space performs unified scheduling of the requests generated by users. The UTPM makes trusted computing technology available to a much larger audience and easier to obtain: an ordinary computer needs only a USB interface to insert the UTPM and thereby obtain all the functions of a traditional TPM, while hardware cost is reduced and the security of the computer is greatly improved.

Description

A UKEY-based trusted platform module
Technical field
The present invention relates to the field of trusted computing, and more particularly to a trusted platform module based on a UKEY (UTPM).
Background technology
Trusted computing is an emerging field of information security that builds security on the hardware configuration, with the goal of improving computer security. Trustworthiness is the key concept of trusted computing; the trusted computing standard defines it as follows: if an entity always behaves in the expected manner toward its intended goal, then the entity is trustworthy. In trusted computing, every judgement of whether an entity is trustworthy relies on a trusted chip embedded on the mainboard: the trusted platform module.
The trusted platform module (TPM, Trusted Platform Module) is the core component of a trusted computing platform. It is a chip embedded on the mainboard that communicates with the mainboard over the LPC bus and has its own microprocessor and cryptographic algorithm engine. Its main components include input/output, a cryptographic coprocessor, key generation, an HMAC engine, a random number generator, a SHA-1 engine, power detection, a switch, an execution engine, non-volatile storage and volatile storage.
The design philosophy of trusted computing is to use the trusted platform module as the unconditional root of trust. The computer starts from the root of trust and, through the three steps of measurement and verification, trust transfer and transfer of CPU control, progressively extends the trust boundary from the root of trust to the BIOS, then to the operating system, and finally to the application programs.
The theory of trusted computing not only means that research on computer system security has made great progress, but also brings new thinking to ensuring computer system security. With the gradual development of trusted computing theory, many chip and computer vendors have developed computers that support trusted computing, but these have not been popularized; relative to the huge number of computers in the world they can only be called a minority product. Because the foundation of trusted computing, the TPM, must be embedded on the mainboard and started before the BIOS, the architecture of a conventional mainboard must be modified to add it, so it is difficult to port a TPM to computers that do not yet support trusted computing. Furthermore, the computing capability of current TPMs is limited, while all the cryptographic operations that secure the whole computer are carried out in the TPM; this makes the TPM's computing capability the computational bottleneck of the operating system, slows the operating efficiency of the whole computer system and reduces the availability of the operating system.
The content of the invention
The present invention aims to overcome at least one of the defects (deficiencies) of the prior art described above by providing a trusted platform module based on a UKEY (UTPM). The module need not be embedded on the mainboard; it only needs the UKEY to implement the functions of a traditional TPM, so that as long as an ordinary computer inserts the UTPM it is equivalent to having a TPM.
To solve the above technical problem, the technical scheme is as follows:
A trusted platform module based on a UKEY uses the UKEY to implement the secure storage, secure reporting and cryptographic algorithms defined in the known TPM standard. The module includes two submodules: the utpm engine submodule inside the UKEY and the utpmd submodule in user space;
the utpm engine submodule inside the UKEY provides the low-level functions, which implement the secure storage function and the secure reporting function;
the utpmd submodule in user space performs unified scheduling of the requests generated by users.
In the UKEY-based trusted platform module proposed by the present invention, the traditional TPM is produced in a form similar to an ordinary UKEY; when used, the module only needs to be inserted directly into the computer to achieve trusted computing on that computer, reducing hardware cost while greatly improving the security of the computer.
Preferably, the functions implementing secure storage are UTPM_CreateWrapKey() and UTPM_LoadKey(), which generate a key and load a key respectively.
Preferably, the generated keys include four types: storage keys, binding keys, identity keys and signing keys.
Preferably, the functions implementing secure reporting are UTPM_MakeIdentity(), UTPM_PCRExtend(), UTPM_PCRRead() and UTPM_Quote(), which respectively generate an identity key, extend a PCR, read a PCR and perform a QUOTE operation on PCRs.
Preferably, the utpmd submodule in user space is a system service process that communicates with users over a domain socket.
Compared with the prior art, the beneficial effects of the technical scheme of the present invention are: 1. The UTPM makes trusted computing technology more popular and easier to obtain: an ordinary computer needs only a USB interface to insert the UTPM and thereby obtain all the functions of a traditional TPM, reducing hardware cost while greatly improving the security of the computer. 2. The relatively weak computing capability of a traditional TPM lies mainly in its overly long update cycle, whereas the UTPM does not depend on any particular hardware: a UKEY on the market only needs to be able to execute a program inside the token, and the core code of the UTPM can then be ported to a new UKEY easily and efficiently. In this way the computing capability of the UTPM keeps pace with the newest UKEYs on the market, giving performance significantly higher than a traditional TPM.
Description of the drawings
Fig. 1 is an architecture diagram of the UKEY-based trusted platform module of the present invention.
Specific embodiment
The drawings are for illustration only and cannot be interpreted as limiting this patent; to better illustrate this embodiment, some parts of the drawings may be omitted, enlarged or reduced, and they do not represent the size of the actual product.
Those skilled in the art will understand that some known structures and their explanations may be omitted from the drawings. The technical scheme of the present invention is described further below with reference to the drawings and embodiments.
Traditional TPMs have the following two problems: 1. Most mainboards currently on the market have no TPM, and because the TPM is embedded on the mainboard, the adoption of computers possessing a TPM is not high. 2. The computing capability of a traditional TPM is limited, so it becomes the computational bottleneck of the operating system, slowing the operating efficiency of the whole computer system and reducing the availability of the operating system. The present invention proposes a UKEY-based trusted platform module precisely to solve these two main problems of traditional TPMs.
A USB Key, also called a USB Token, has been widely used in financial transactions in recent years; the U-shield, K-shield and online-banking shield are all essentially kinds of USB Key. A USB Key generally has built-in conventional cryptographic algorithms such as RSA and SHA1, and also has a certain amount of internal storage space in which the user's private key and digital certificate can be stored. But for the functions implemented by a TPM, a cryptographic algorithm module and a secure storage module alone are far from enough. For example, the most central function of a TPM is its authorization mechanism, namely that a user must supply authorization data in order to perform certain specific operations on a key; this function cannot be achieved with an ordinary USB Key because there is no corresponding function interface to call. To implement it, one must be able to develop inside the USB Key so as to provide, in addition to the basic cryptographic algorithms, the secure storage and secure reporting functions defined in the TPM standard. In fact, some higher-end USB Key products generally provide a similar capability: they allow the user to write an executable file into the USB Key and provide a corresponding interface to invoke that executable.
In this embodiment the Feitian ROCKEY-ARM USB Key is used for development; the secure storage, secure reporting and cryptographic algorithms defined in the traditional TPM standard are implemented inside the USB Key.
The overall framework of the UTPM is shown in Fig. 1. It mainly consists of two submodules: the utpm engine submodule inside the UKEY and the utpmd submodule in user space.
The utpm engine is actually an executable file inside the token. It mainly provides a series of lower-level functions, which guarantee the two major functions possessed by a traditional TPM: secure storage and secure reporting.
Secure storage means that all private keys are stored in the UTPM and can never appear outside it in plaintext. However, because storage space in the UTPM is limited, in the actual implementation a private key is encrypted and stored locally for the time being, and is reloaded into the UTPM when it is needed. The related functions are UTPM_CreateWrapKey() and UTPM_LoadKey(), which generate a key and load a key respectively. As with a TPM, four types of key can be generated: storage keys, binding keys, identity keys and signing keys.
Secure reporting means reporting the platform's state securely. A common usage is that, during trusted boot, a program that has already been measured measures the program to be executed next and extends the measurement value into the corresponding PCR in the UTPM. When a third party asks for the trusted status of the platform, the UTPM signs these PCR values with the AIK and returns the signature to the third party. The related functions are UTPM_MakeIdentity(), UTPM_PCRExtend(), UTPM_PCRRead() and UTPM_Quote().
In addition, when a user performs specific operations with a private key, corresponding authorization data must be provided, so as to isolate different users from one another. In this process the UTPM must manage the sessions generated for different users and verify whether a user's authorization is legitimate. The related functions are UTPM_OIAP() and UTPM_OSAP(), which open an object-independent session and an object-specific session respectively.
utpmd resides in user space and is responsible for the unified scheduling of the requests generated by users. Compared with users communicating directly with the utpm engine, this approach prevents contention among multiple users. utpmd is actually a system service process that communicates with users over a domain socket.
To make the UTPM easier to use, this embodiment also provides a function library whose main functions include generating keys, loading keys, encrypting data, decrypting data, signing data, verifying signatures, PCR extension and PCR signing. The function interface is listed below.
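The secure-reporting flow described above (measure, UTPM_PCRExtend, UTPM_Quote with the AIK, verification by a third party), as an added example written for this page and not the patent's or the project's code. It assumes TPM 1.2-style PCR semantics (PCR = SHA-1(old || SHA-1(program)), 24 PCRs of 20 bytes) and stands in for the AIK signature with HMAC-SHA1 under a constructed secret, since the standard library has no RSA; the boot chain and nonces are constructed sample values.

```python
import hashlib
import hmac

PCR_COUNT = 24  # assumption: TPM 1.2 layout, 24 PCRs of 20 bytes (SHA-1 size)
PCR_SIZE = 20

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

class Utpm:
    """Model of the utpm engine side: PCRs and the AIK secret stay inside the token."""

    def __init__(self, aik_secret: bytes):
        self._pcrs = [bytes(PCR_SIZE)] * PCR_COUNT  # every PCR starts as 20 zero bytes
        self._aik_secret = aik_secret  # stand-in for the AIK private key; never returned to the host

    def pcr_extend(self, index: int, program: bytes) -> bytes:
        # UTPM_PCRExtend: PCR[i] = SHA-1(PCR[i] || SHA-1(program)); the order of extends matters
        self._pcrs[index] = sha1(self._pcrs[index] + sha1(program))
        return self._pcrs[index]

    def pcr_read(self, index: int) -> bytes:
        # UTPM_PCRRead
        return self._pcrs[index]

    def quote(self, indices, nonce: bytes):
        # UTPM_Quote: sign the selected PCR values together with the verifier's fresh nonce
        values = [self._pcrs[i] for i in indices]
        tag = hmac.new(self._aik_secret, quote_message(indices, values, nonce), hashlib.sha1).digest()
        return values, tag

def quote_message(indices, values, nonce: bytes) -> bytes:
    """Serialize (PCR index, PCR value) pairs plus the nonce; the nonce defeats replay of an old quote."""
    body = b"".join(bytes([i]) + v for i, v in zip(indices, values))
    return b"QUOT" + body + nonce

def expected_pcr(measurement_log) -> bytes:
    """Verifier side: replay a known-good boot log to the PCR value a correct boot must produce."""
    pcr = bytes(PCR_SIZE)
    for program in measurement_log:
        pcr = sha1(pcr + sha1(program))
    return pcr

def verify_quote(aik_secret: bytes, indices, values, nonce: bytes, tag: bytes) -> bool:
    """Third party checks the AIK signature (HMAC stand-in; a real verifier would hold the AIK public key)."""
    expected = hmac.new(aik_secret, quote_message(indices, values, nonce), hashlib.sha1).digest()
    return hmac.compare_digest(expected, tag)

def attest(utpm: Utpm, known_good_log, nonce: bytes, aik_secret: bytes, pcr_index: int = 0) -> str:
    """Whole exchange: nonce in, quote out, verifier checks the signature and then the PCR value."""
    values, tag = utpm.quote([pcr_index], nonce)
    if not verify_quote(aik_secret, [pcr_index], values, nonce, tag):
        return "bad signature"
    if values[0] != expected_pcr(known_good_log):
        return "untrusted state"
    return "trusted"

# Constructed sample boot chain: each stage is measured by the one before it (contents are placeholders)
BOOT_CHAIN = [b"BIOS image v1", b"bootloader v1", b"kernel v1"]
AIK_SECRET = b"constructed-aik-secret"

def demo():
    """A platform that booted the known-good chain passes; one that booted a modified kernel does not."""
    good_platform = Utpm(AIK_SECRET)
    for stage in BOOT_CHAIN:
        good_platform.pcr_extend(0, stage)
    modified_platform = Utpm(AIK_SECRET)
    for stage in [b"BIOS image v1", b"bootloader v1", b"kernel v1 (modified)"]:
        modified_platform.pcr_extend(0, stage)
    return (attest(good_platform, BOOT_CHAIN, b"nonce-1", AIK_SECRET),
            attest(modified_platform, BOOT_CHAIN, b"nonce-2", AIK_SECRET))

if __name__ == "__main__":
    print(demo())
```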
/* Create a context; must be called before any other function */
UTPM_RESULT utpm_create_context();
UTPM_RESULT utpm_close_context();
UTPM_RESULT utpm_get_random(…);
/* Open a session that is object-independent */
UTPM_RESULT utpm_open_oiap_session(…);
/* Open a session that is object-specific */
UTPM_RESULT utpm_open_osap_session(…);
/* Generate a wrap key */
UTPM_RESULT utpm_create_wrap_key(…);
/* Load a generated key into the UTPM */
UTPM_RESULT utpm_load_key(…);
/* Bind a piece of data */
UTPM_RESULT utpm_bind_data(…);
/* Decrypt bound data */
UTPM_RESULT utpm_unbind_data(…);
/* Sign data */
UTPM_RESULT utpm_sign_data(…);
UTPM_RESULT utpm_verify_data(…);
UTPM_RESULT utpm_make_hash(…);
UTPM_RESULT utpm_flush_specific(…);
UTPM_RESULT utpm_flush_all(…);
/* Perform an extend() operation on a PCR */
UTPM_RESULT utpm_pcr_extend(…);
/* Read the value of a specific PCR */
UTPM_RESULT utpm_pcr_read(…);
Obviously, the above embodiment is only an example intended to clearly illustrate the present invention and does not limit its embodiments. Those of ordinary skill in the art may make other changes of different forms on the basis of the above description. There is no need to exhaust all embodiments. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the claims of the present invention.

Claims (5)

1. A trusted platform module based on a UKEY, characterized in that the UKEY is used to implement the secure storage, secure reporting and cryptographic algorithms defined in the known TPM standard, and the module includes two submodules: the utpm engine submodule inside the UKEY and the utpmd submodule in user space;
the utpm engine submodule inside the UKEY provides the low-level functions, which implement the secure storage function and the secure reporting function;
the utpmd submodule in user space performs unified scheduling of the requests generated by users.
2. The UKEY-based trusted platform module according to claim 1, characterized in that the functions implementing secure storage are UTPM_CreateWrapKey() and UTPM_LoadKey(), which generate a key and load a key respectively.
3. The UKEY-based trusted platform module according to claim 1, characterized in that the generated keys include four types: storage keys, binding keys, identity keys and signing keys.
4. The UKEY-based trusted platform module according to claim 1, characterized in that the functions implementing secure reporting are UTPM_MakeIdentity(), UTPM_PCRExtend(), UTPM_PCRRead() and UTPM_Quote(), which respectively generate an identity key, extend a PCR, read a PCR and perform a QUOTE operation on PCRs.
5. The UKEY-based trusted platform module according to claim 1, characterized in that the utpmd submodule in user space is a system service process that communicates with users over a domain socket.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610897082.3A (CN106549764A, en) | 2016-10-14 | 2016-10-14 | A kind of credible platform module based on UKEY

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201610897082.3A (CN106549764A, en) | 2016-10-14 | 2016-10-14 | A kind of credible platform module based on UKEY

Publications (1)

Publication Number | Publication Date
CN106549764A (true) | 2017-03-29

Family

ID=58368940

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201610897082.3A (CN106549764A, en) | A kind of credible platform module based on UKEY | 2016-10-14 | 2016-10-14 | Pending

Country Status (1)

Country Link
CN (1) CN106549764A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101902472A (en) * | 2010-07-09 | 2010-12-01 | 北京工业大学 | Method for pushing remote declaration based on behaviors in trusted network
CN102427561A (en) * | 2011-10-24 | 2012-04-25 | 山东泰信电子有限公司 | Method for preventing VOD (Video-On-Demand) programs from being illegally spread and shared
WO2013124579A1 (en) * | 2012-02-23 | 2013-08-29 | Edevice | Electronic equipment for the replication of ports and the routing of digital signals

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘觅: "Research on key management for a mobile TPM based on a USB Key", Master's thesis, Beijing Jiaotong University *
池亚平, 王全民: "Research and simulation design of a trusted platform module based on a USB Key", Journal of Beijing Electronic Science and Technology Institute *

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2017-03-29