CN115062330A - TPM-based intelligent cipher key and cipher application interface realization method - Google Patents


Publication number
CN115062330A
Authority
CN
China
Prior art keywords
skf
tpm
interface
application
operating system
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Granted
Application number
CN202210989534.6A
Other languages
Chinese (zh)
Other versions
CN115062330B (en)
Inventor
岳佳圆
宋俊涛
边秀宁
于珊珊
李蕾
杨诏钧
孔金珠
Current Assignee (as listed by Google Patents; may be inaccurate)
Kirin Software Co Ltd
Original Assignee
Kirin Software Co Ltd
Priority date (as listed by Google Patents; not a legal conclusion)
Filing date
Publication date
Application filed by Kirin Software Co Ltd
Priority to CN202210989534.6A
Publication of CN115062330A
Application granted
Publication of CN115062330B
Priority to PCT/CN2022/137642 (published as WO2024036832A1)
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/71 Protecting specific internal or peripheral components to assure secure computing or processing of information > G06F21/72 Protecting specific internal or peripheral components to assure secure computing or processing of information in cryptographic circuits
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/82 Protecting input, output or interconnection devices > G06F21/85 Protecting interconnection devices, e.g. bus-connected or in-line devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a TPM-based method for implementing the cryptographic application interface of a smart cryptographic key, comprising the following steps: a. the underlying hardware of the smart IC card or smart cryptographic key is a TPM security chip, which makes the card or key a TPM device; the operating system kernel of each TPM device includes a TPM device driver, and the user space of its operating system holds an application program, an SKF interface providing layer, an SKF interface service layer and a TSS trusted software stack; b. the operating system interacts with the TPM security chip through the TPM device driver; c. the device's SKF application metadata, SKF container data and SKF file data are stored in the nonvolatile storage area provided by the TPM (Trusted Platform Module) security chip, and an authorized access mechanism is created for them; d. whenever an SKF interface is called, an availability check of the SKF interface is performed first. The invention provides a hardware-level, TPM-centred system integrity protection mechanism for the availability of the SKF interface.

Description

TPM-based intelligent cipher key and cipher application interface realization method
Technical Field
The invention relates to the technical field of terminal cryptographic device security, and in particular to a TPM-based method for implementing the cryptographic application interface of a smart cryptographic key.
Background
Smart IC cards and smart cryptographic keys are terminal cryptographic devices with cryptographic operation and key management capabilities that provide cryptographic services. They are mainly used to store user secret information (such as private keys and digital certificates) and to perform data encryption and decryption, data integrity verification, digital signature, access control and similar functions. They usually take the form of a USB device and are also called a USB Token, USB Key or UKey.
The smart IC card and smart key cryptographic application interface (SKF interface for short) is the C-language application development interface standard for smart keys in the Chinese national cryptographic standards. It sits between the application program and the device (the smart IC card or smart key), as shown in fig. 1. The interfaces provide storage of user secret information (such as keys and digital certificates) on the USB Key and perform data encryption and decryption, data integrity verification, digital signature, access control and similar functions.
At present, many domestic cryptographic device manufacturers ship SKF interface development kits for their products. Developers can build cryptographic applications against the uniform SKF interface and access cryptographic devices of different forms (USB Key, TF card, smart card) from different vendors, without being bound to one vendor's proprietary device or interface.
The standard specification defines several broad classes of SKF interface: device management, access control, application management, file management, container management and cryptographic services. According to the specification, a device complying with the SKF interface specification may contain one or more applications (see fig. 2). Each application is independent of the others, has an administrator PIN and a user PIN, and may contain one or more containers and one or more files. Each container may hold two key pairs, one for encryption and one for signing, together with the two corresponding certificates or certificate chains. A container is of a single type, either ECC or RSA; ECC and RSA keys cannot be mixed in one container (see fig. 3).
In the prior art, most USB keys serve as the physical carrier that stores cryptographic algorithm functions and keys, and some domestic CPU manufacturers also offer cryptographic algorithm functions based on their CPU chips. These technologies mainly focus on meeting the requirements set out in the SKF interface standard specification; they do not address how SKF interface calls and the use of sensitive data are safeguarded when the integrity of the cryptographic device's operating system is threatened.
Disclosure of Invention
The invention aims to provide a TPM-based method for implementing the cryptographic application interface of a smart cryptographic key, so as to solve the problem that, in existing smart cryptographic devices, SKF interface calls and the use of sensitive data cannot be protected when the integrity of the operating system is threatened.
To solve this technical problem, the invention is realized as follows:
A TPM-based method for implementing the cryptographic application interface of a smart cryptographic key comprises the following steps:
a. the underlying hardware of the smart IC card or smart cryptographic key is a TPM security chip; a smart IC card or smart cryptographic key whose underlying hardware is a TPM security chip is referred to as a TPM device; the operating system kernel of each TPM device includes a TPM device driver, and the user space of the operating system of each TPM device holds an application program, an SKF interface providing layer, an SKF interface service layer and a TSS trusted software stack;
b. the operating system interacts with the TPM security chip through the kernel's TPM device driver; the TSS trusted software stack provides user-mode programs in the operating system with software interface support for accessing the functions of the TPM security chip;
the SKF interface service layer takes the concrete form of a service process running in the operating system; the service process receives requests from upper-layer application programs, maintains the various runtime handles used during SKF interface calls, and interacts with the TPM security chip through the TSS trusted software stack;
the SKF interface providing layer provides the SKF interface through which upper-layer application programs call SKF functions; the SKF interface comprises an SKF device management interface, an SKF access control interface, an SKF application management interface, an SKF file management interface, an SKF container management interface and an SKF cryptographic service interface;
c. the device's SKF application metadata, SKF container data and SKF file data are stored in the nonvolatile storage area provided by the TPM (Trusted Platform Module) security chip, and an authorized access mechanism is created for them;
d. whenever an SKF interface is called, an availability check of the SKF interface is performed first.
The SKF application metadata occupies one NV index in the nonvolatile storage area and stores the total number of applications created and the attribute information of each application;
each SKF container's data occupies one NV index and stores the container name, the creation status of each key in the container, the length and value of each key, and the NV index of the certificate in the container;
each SKF file's data occupies one NV index.
The authorized access mechanism is created on the basis of NV index access and employs a password authorization mechanism.
The SKF cryptographic service interface reads the SKF application metadata and the keys and certificate data in the SKF container data through the TPM's NV-related commands, and calls the TPM's cryptographic algorithm commands to implement the various cryptographic algorithm functions.
The SKF device management interface queries and obtains information on the TPM device node in the operating system, and calls the TPM's attribute acquisition command to obtain the manufacturer, firmware, version number, supported algorithm and mode identifiers, algorithm characteristic values and storage space size of the TPM device.
The SKF access control interface operates on SKF application metadata through the TPM's NV-related commands; the SKF application management interface likewise operates on SKF application metadata through the TPM's NV-related commands; the SKF file management interface operates on SKF application metadata and SKF file data through the TPM's NV-related commands; the SKF container management interface operates on SKF application metadata and SKF container data through the TPM's NV-related commands.
The availability check of the SKF interface in step d comprises the following steps:
after the computer starts, the TPM measures the integrity of each level of the software and hardware trust chain of the operating system on the TPM device, and the integrity measurement values are stored in the TPM's PCR registers;
inside the SKF interface, the availability check of the operating system is started first: the current PCR value is read and compared with the integrity reference value:
(1) if the two are inconsistent, the current operating system may be at security risk, and the SKF interface is unavailable;
(2) if the two are consistent, the system integrity measurement is normal and the SKF interface can be used normally.
The beneficial effects of the invention are as follows:
Sensitive data in the SKF interface, such as application and container metadata, keys in containers and certificates, is stored in the TPM's nonvolatile storage and protected by the authorized access mechanism the TPM provides, so it cannot be accessed from outside by any other path. Functions of the SKF interface such as random number generation, key generation, and symmetric and asymmetric encryption and decryption are provided by the TPM security chip.
The availability of the SKF interface is tied to the operating system's integrity measurement result. If the system integrity measured by the TPM fails, the current system is facing a security risk, and the SKF interface logic prevents upper-layer application programs from using the SKF interface normally, countering the risk that sensitive data such as keys and certificates is used illegally, until the system's integrity measurement result returns to normal.
The underlying hardware of the smart cryptographic key is a TPM security chip. The availability of the smart IC card and smart cryptographic key cryptographic application interface is combined with the system integrity measured by the TPM, providing a hardware-level, TPM-centred system integrity protection mechanism for the availability of the SKF interface.
Drawings
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a diagram of the position of the SKF interface in the application hierarchy in the prior art;
FIG. 2 is the logical structure of a prior art SKF device;
FIG. 3 is a logical block diagram of the applications and containers of a prior art SKF-compliant device;
FIG. 4 is a diagram of the hardware and software architecture of the present invention;
FIG. 5 shows the relationship between the various SKF interfaces and the TPM according to the present invention;
FIG. 6 is a flow chart of the SKF interface availability check according to the present invention, taking the specific SKF interface for random number generation as an example.
Description of the reference numerals
1. a TPM device; 2. a TPM device driver; 3. a TSS trusted software stack; 4. an SKF interface service layer; 5. an SKF interface providing layer; 6. an application program; 51. an SKF device management interface; 52. an SKF access control interface; 53. an SKF application management interface; 54. an SKF file management interface; 55. an SKF container management interface; 56. an SKF cryptographic service interface.
Detailed Description
The technical solution in the embodiments of the present invention is clearly and completely described below with reference to the drawings in the embodiments of the present invention. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those specifically described and will be readily apparent to those of ordinary skill in the art without departing from the spirit of the present invention, and therefore the present invention is not limited to the specific embodiments disclosed below.
The invention relates to a method for implementing the smart cryptographic key cryptographic application (SKF) interface on a TPM trusted security chip. It extends the underlying hardware platform of the smart IC card and smart cryptographic key to trusted security hardware (the TPM security chip) and further ties the availability of the SKF interface to the system integrity measurement capability the TPM provides. In the prior art, the availability of the SKF interface is not associated with the integrity of the operating system. The invention measures the integrity of the operating system with TPM software and hardware; when the system's integrity is damaged or at risk, the SKF interface can no longer be used, giving the SKF interface a safer and more reliable guarantee.
The TPM-based method for implementing the cryptographic application interface of a smart cryptographic key disclosed by the invention comprises the following steps:
a. As shown in fig. 4, the underlying hardware of the smart IC card or smart key is a TPM security chip; a smart IC card or smart key whose underlying hardware is a TPM security chip is the TPM device 1. The operating system kernel of each TPM device 1 includes a TPM device driver 2, and the user space of the operating system of each TPM device 1 holds an application program 6, an SKF interface providing layer 5, an SKF interface service layer 4 and a TSS trusted software stack 3.
b. As shown in fig. 4, the operating system interacts with the TPM security chip through the kernel's TPM device driver 2; the TSS trusted software stack 3 provides user-mode programs in the operating system with software interface support for accessing the functions of the TPM security chip.
The SKF interface service layer 4 takes the concrete form of a service process running in the operating system. It receives requests from the upper-layer application program 6, maintains the various runtime handles used during SKF interface calls, and interacts with the TPM security chip through the TSS trusted software stack 3. Specifically, the SKF interface service layer 4 listens for requests from the upper-layer application 6, creates the several kinds of handle objects of the SKF interface service layer 4 on behalf of the application 6 (thereby maintaining the runtime handles used during SKF interface calls), implements the specific processing logic of each SKF interface, and, inside each interface's logic, interacts with the TPM chip through the TSS trusted software stack 3 to use its physical cryptographic functions and NV storage operations.
Steps a and b constitute the software and hardware architecture design of the present invention.
The SKF interface providing layer 5 provides the SKF interface through which the upper-layer application 6 calls SKF functions; it is typically integrated and called as a dynamic or static library. The SKF interface comprises an SKF device management interface 51, an SKF access control interface 52, an SKF application management interface 53, an SKF file management interface 54, an SKF container management interface 55 and an SKF cryptographic service interface 56.
The TPM security chip is a security chip conforming to the TPM (Trusted Platform Module) standard. A TPM is a security coprocessor with encryption and decryption capabilities; it has nonvolatile storage (NV storage) and Platform Configuration Registers (PCRs), and provides basic functions such as a physical random number generator, symmetric, asymmetric and hash algorithms, and key generation and management. On that basis it can provide the system with trusted security capabilities such as integrity measurement, identity authentication and data sealing, and can serve as the hardware security anchor of a computer and as the foundation of a chain of trust. In addition, TPM chip products made in China generally also provide cryptographic encryption and decryption algorithms. The upper-layer application 6 typically accesses and uses the capabilities of the TPM through a Trusted Software Stack (TSS), which provides interface functions for accessing TPM functionality and is the bridge between the TPM and upper-layer applications. In general, the TSS trusted software stack 3 has the following core functions: providing a single access point to TPM functionality; allowing synchronized access to the TPM; building the low-level TPM command stream on behalf of the application program; and managing the TPM's resources. Some implementations of the TSS trusted software stack 3 also support providing the interface remotely across machines.
c. The device's SKF application metadata, SKF container data and SKF file data are stored in the nonvolatile storage area provided by the TPM security chip, and an authorized access mechanism is created for them.
In the scheme of the invention, the data related to the SKF interface that needs to be persisted is stored in the nonvolatile storage area (NV Storage) inside the TPM. Specifically:
(1) Storage of SKF application metadata
There may be multiple applications in one SKF device. The application metadata area occupies one NV index and stores information such as the total number of applications created and the attributes of each application. The storage structure of the application metadata area in TPM NV is shown in table 1:
Table 1 Storage structure of application metadata
[Table 1 is an image on the original page and is not reproduced here]
In addition, for each NV index created in the TPM, a corresponding authorized access mechanism can be created: when an NV index is accessed, the data stored in it can be read or written only after authorization for that NV index has been obtained successfully; otherwise the operation is not authorized.
The TPM provides several authorization mechanisms; the invention uses the password authorization mechanism for NV indexes. Compared with the other mechanisms it is clear and simple: the password authorization information is stored in the TPM, and no extra export and import of authorization data is needed when the operating system or the TPM security chip is restarted, which makes it well suited to the scenario of the invention.
(2) SKF container data
There may be multiple containers in one SKF application. The container's main data area occupies one NV index and stores data such as the container name, the creation status of each key in the container, the length and value of each key, and the NV index of the certificate in the container (the certificate is stored in a separate NV index because a single NV index in the TPM has an upper limit on the space it can hold). The structure of the container body data stored in TPM NV is shown in table 2:
Table 2 Storage structure of the container
[Table 2 is an image on the original page and is not reproduced here]
(Note: the key pair that actually participates in encryption and decryption is generated by the TPM, and its private key is stored in the TPM and can only be accessed through a TPM handle, so it is the TPM handle of the private key that is stored here.)
The certificate in the container is stored in a separate NV index, so the container body data above holds only the NV index of the certificate. In addition, because the length of a certificate is not fixed, and a single NV index in the TPM has an upper limit on the space it can hold (generally determined by the TPM manufacturer), a certificate may need to be stored across two or more NV indexes, each holding part of the certificate's content; this has to be adjusted to the actual situation.
(3) Storage of SKF file data
One or more files may be created in one SKF application. Each file occupies one NV index, and its storage structure is shown in table 3:
Table 3 Storage structure of files
[Table 3 is an image on the original page and is not reproduced here]
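The NV layout and the password-authorized access described in (1) to (3) above, as an added C example that is not part of the patent or of any vendor's SKF implementation. The NV store, its per-index password check and the 64-byte per-index limit are constructed stand-ins for the TPM (a real implementation would issue the TPM's NV commands through the TSS); the metadata field names and the NV index values are this example's own assumptions. It also covers the case noted under (2), where a certificate longer than one index can hold is split across consecutive NV indexes and reassembled on read.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the TPM's NV storage: a table of indexes, each with
 * a password (auth value) and a bounded data area. NV_MAX_SIZE models the
 * per-index size limit the text attributes to the TPM manufacturer; 64 is an
 * arbitrary value chosen so that a certificate must be split. */
#define NV_SLOTS    8
#define NV_MAX_SIZE 64
#define NV_AUTH_MAX 32

typedef struct { uint32_t index; char auth[NV_AUTH_MAX]; uint8_t data[NV_MAX_SIZE]; size_t size; } nv_slot_t;
static nv_slot_t nv_store[NV_SLOTS];   /* index 0 marks a free slot */

static nv_slot_t *nv_find(uint32_t index) {
    for (int i = 0; i < NV_SLOTS; i++)
        if (nv_store[i].index == index) return &nv_store[i];
    return NULL;
}

/* Define an index together with its password. 0 on success, -1 otherwise. */
int nv_define(uint32_t index, const char *auth) {
    if (index == 0 || nv_find(index) != NULL) return -1;
    nv_slot_t *s = nv_find(0);                    /* first free slot */
    if (s == NULL) return -1;
    s->index = index;
    strncpy(s->auth, auth, NV_AUTH_MAX - 1);
    s->size = 0;
    return 0;
}

/* Password authorization: a wrong auth value is refused (-2) before any data
 * is touched, modelling the rule that an index may be read or written only
 * after its authorization succeeds. */
int nv_write(uint32_t index, const char *auth, const void *buf, size_t len) {
    nv_slot_t *s = nv_find(index);
    if (s == NULL) return -1;
    if (strcmp(s->auth, auth) != 0) return -2;
    if (len > NV_MAX_SIZE) return -1;
    memcpy(s->data, buf, len);
    s->size = len;
    return 0;
}

int nv_read(uint32_t index, const char *auth, void *buf, size_t cap, size_t *out_len) {
    nv_slot_t *s = nv_find(index);
    if (s == NULL) return -1;
    if (strcmp(s->auth, auth) != 0) return -2;
    if (cap < s->size) return -1;
    memcpy(buf, s->data, s->size);
    *out_len = s->size;
    return 0;
}

/* Application metadata area (table 1): total count plus per-application
 * attributes. Field names are this example's own, not the patent's. */
#define MAX_APPS 2
typedef struct { char name[16]; uint32_t container_nv_base; } app_attr_t;
typedef struct { uint32_t app_count; app_attr_t apps[MAX_APPS]; } app_metadata_t;

/* A certificate longer than NV_MAX_SIZE is spread over consecutive indexes,
 * each holding one part. Returns the number of indexes used, or -1. */
int cert_store(uint32_t first, const char *auth, const uint8_t *cert, size_t len) {
    int n = 0;
    for (size_t off = 0; off < len; off += NV_MAX_SIZE, n++) {
        size_t part = (len - off < NV_MAX_SIZE) ? len - off : NV_MAX_SIZE;
        if (nv_define(first + n, auth) != 0) return -1;
        if (nv_write(first + n, auth, cert + off, part) != 0) return -1;
    }
    return n;
}

int cert_load(uint32_t first, int n, const char *auth, uint8_t *out, size_t cap, size_t *out_len) {
    size_t total = 0, got;
    for (int i = 0; i < n; i++) {
        int rc = nv_read(first + i, auth, out + total, cap - total, &got);
        if (rc != 0) return rc;
        total += got;
    }
    *out_len = total;
    return 0;
}

/* Walk-through returning 0 when everything behaves as described: metadata and
 * a 150-byte constructed certificate round-trip under the right password, the
 * certificate takes three indexes, and a wrong password is refused. */
int demo(void) {
    const char *auth = "example-auth";                 /* constructed password */
    app_metadata_t meta = { 1, { { "app0", 0x01810010u } } }, back;
    uint8_t cert[150], out[256];
    size_t got, cert_len;
    if (nv_define(0x01810001u, auth) != 0) return 1;   /* constructed NV index */
    if (nv_write(0x01810001u, auth, &meta, sizeof meta) != 0) return 2;
    if (nv_read(0x01810001u, "wrong-auth", &back, sizeof back, &got) != -2) return 3;
    if (nv_read(0x01810001u, auth, &back, sizeof back, &got) != 0 || got != sizeof meta) return 4;
    if (back.app_count != 1 || strcmp(back.apps[0].name, "app0") != 0) return 5;
    for (int i = 0; i < 150; i++) cert[i] = (uint8_t)i; /* constructed certificate bytes */
    int parts = cert_store(0x01810020u, auth, cert, sizeof cert);
    if (parts != 3) return 6;
    if (cert_load(0x01810020u, parts, auth, out, sizeof out, &cert_len) != 0) return 7;
    return (cert_len == 150 && memcmp(cert, out, 150) == 0) ? 0 : 8;
}
```

demo() returns 0 when the round trips succeed and the wrong password is refused. The authorization check is placed before the size checks on purpose: a caller without the password gets the same refusal whether or not its buffer fits, so a failed attempt learns nothing about how much data the index holds.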
d. Whenever an SKF interface is called, an availability check of the SKF interface is performed first.
The SKF application metadata occupies one NV index in the nonvolatile storage area and stores the total number of applications created and the attribute information of each application;
each SKF container's data occupies one NV index and stores the container name, the creation status of each key in the container, the length and value of each key, and the NV index of the certificate in the container;
each SKF file's data occupies one NV index.
The authorized access mechanism is created on the basis of NV index access and employs a password authorization mechanism.
As shown in fig. 5, the SKF cryptographic service interface 56 reads the SKF application metadata and the keys and certificate data in the SKF container data through the TPM's NV-related commands, and calls the TPM's cryptographic algorithm commands to implement the various cryptographic algorithm functions. The TPM cryptographic algorithm commands include random number generation, key generation, hashing, symmetric encryption and decryption, asymmetric encryption and decryption with signature and verification, and message authentication codes.
The SKF device management interface queries and obtains information on the node of the TPM device 1 in the operating system, and calls the TPM's attribute acquisition command to obtain the manufacturer, firmware, version number, supported algorithm and mode identifiers, algorithm characteristic values and storage space size of the TPM device 1.
The SKF access control interface operates on SKF application metadata through the TPM's NV-related commands; the SKF application management interface likewise operates on SKF application metadata through the TPM's NV-related commands; the SKF file management interface operates on SKF application metadata and SKF file data through the TPM's NV-related commands; the SKF container management interface operates on SKF application metadata and SKF container data through the TPM's NV-related commands.
The availability check of the SKF interface in step d comprises the following steps:
after the computer starts, the TPM measures the integrity of each level of the software and hardware trust chain of the operating system on the TPM device 1, and the integrity measurement values are stored in the TPM's PCR registers;
inside the SKF interface, the availability check of the operating system is started first: the current PCR value is read and compared with the integrity reference value:
(1) if the two are inconsistent, the current operating system may be at security risk, and the SKF interface is unavailable;
(2) if the two are consistent, the system integrity measurement is normal and the SKF interface can be used normally.
Step d is equivalent to adding, to the use of the SKF interface, a layer of hardware-level system integrity protection with the TPM at its core. The integrity of the operating system is typically measured while the system is in its initial state (for example, when it has just been installed).
Fig. 6 shows, by way of example, the position of the SKF interface availability check in the overall interface logic, taking the specific SKF interface that generates random numbers as an example:
first, the availability check of the SKF interface on the operating system is started; then the current PCR value and the integrity reference value are read and compared:
(1) if the two are inconsistent, the SKF interface is unavailable, which indicates that the current operating system may be at security risk;
(2) if the two are consistent, the SKF interface can be used normally, and the TSS software stack interface is called to generate a TPM physical random number.
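The availability check of step d and its placement at the start of the random-number interface of fig. 6, as an added C example that is not part of the patent. The PCR bank, the reference value and the random-number source are simulated so that the control flow runs without hardware; in a real build the PCR would hold the boot-time measurements and the two calls would go through the TSS (for instance Esys_PCR_Read and Esys_GetRandom in the tpm2-tss ESAPI). The return codes are this example's own, not the SAR_* codes of the SKF standard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the TPM and TSS: one SHA-256-sized PCR, the
 * integrity reference value, and a toy generator in place of the TPM RNG. */
#define PCR_LEN 32

static uint8_t  tpm_pcr[PCR_LEN];         /* current PCR value (simulated) */
static uint8_t  tpm_ref_pcr[PCR_LEN];     /* integrity reference value */
static uint32_t prng_state = 0x12345678u; /* NOT a TPM RNG: demo only */

static void tss_pcr_read(uint8_t out[PCR_LEN]) { memcpy(out, tpm_pcr, PCR_LEN); }

static void tss_get_random(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {      /* xorshift32 stand-in */
        prng_state ^= prng_state << 13;
        prng_state ^= prng_state >> 17;
        prng_state ^= prng_state << 5;
        buf[i] = (uint8_t)prng_state;
    }
}

/* Return codes of this example; the SKF standard defines its own SAR_* codes. */
typedef enum { SKF_OK = 0, SKF_ERR_INTEGRITY = 1, SKF_ERR_PARAM = 2 } skf_rc;

/* Step d: read the current PCR value and compare it with the reference value.
 * Any difference means the measured trust chain no longer matches the
 * known-good state, so the SKF interface is reported unavailable. */
skf_rc skf_check_availability(void) {
    uint8_t cur[PCR_LEN];
    tss_pcr_read(cur);
    return memcmp(cur, tpm_ref_pcr, PCR_LEN) == 0 ? SKF_OK : SKF_ERR_INTEGRITY;
}

/* The random-number interface of fig. 6: the availability check runs before
 * the TSS is called, and a failed check returns without serving the request. */
skf_rc skf_gen_random(uint8_t *buf, size_t len) {
    if (buf == NULL || len == 0) return SKF_ERR_PARAM;
    skf_rc rc = skf_check_availability();
    if (rc != SKF_OK) return rc;
    tss_get_random(buf, len);
    return SKF_OK;
}

/* Simulation hooks: in a real system the PCR is filled by the boot-time
 * measurements and the reference value is recorded on a known-good system. */
void sim_set_pcr(const uint8_t digest[PCR_LEN]) { memcpy(tpm_pcr, digest, PCR_LEN); }
void sim_set_reference(const uint8_t digest[PCR_LEN]) { memcpy(tpm_ref_pcr, digest, PCR_LEN); }

/* Walk-through: returns 0 when the gate behaves as the text describes
 * (call served on a matching PCR, refused once the PCR differs). */
int demo(void) {
    uint8_t good[PCR_LEN], rnd[16];
    memset(good, 0xA5, PCR_LEN);          /* constructed known-good digest */
    sim_set_reference(good);
    sim_set_pcr(good);
    if (skf_gen_random(rnd, sizeof rnd) != SKF_OK) return 1;

    good[0] ^= 0x01;                      /* simulate a changed measurement */
    sim_set_pcr(good);
    if (skf_gen_random(rnd, sizeof rnd) != SKF_ERR_INTEGRITY) return 2;
    return 0;
}

int main(void) {
    int rc = demo();
    printf("availability gate %s\n", rc == 0 ? "behaves as expected" : "FAILED");
    return rc;
}
```

The check runs on every call rather than once at service start, so a measurement that changes after the service process is already running is caught at the next SKF call, which is the "until the measurement result returns to normal" behaviour the text describes. One PCR is compared here; a deployment compares each PCR the trust chain extends into.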
The invention is based on a TPM security chip and a TSS trusted software stack 3. The TPM security chip provides the various cryptographic algorithm functions at the physical level, and a hierarchy of objects (applications, containers, files, keys and certificates) is designed on the TPM's nonvolatile storage; together these realize a complete method for the cryptographic application interface functions of the smart IC card and smart cryptographic key. In addition, the invention combines the availability of the smart IC card and smart cryptographic key cryptographic application interface with the system integrity measured by the TPM, providing a hardware-level, TPM-centred system integrity protection mechanism for that interface.

Claims (7)

1. A method for realizing a TPM-based intelligent cryptographic key cryptographic application interface, characterized by comprising the following steps:
a. the underlying hardware of the intelligent IC card or intelligent cryptographic key is a TPM security chip; an intelligent IC card or intelligent cryptographic key whose underlying hardware is a TPM security chip is referred to as a TPM device; the operating system kernel of each TPM device comprises a TPM device driver, and the user space of the operating system of each TPM device is provided with application programs, an SKF interface providing layer, an SKF interface service layer and a TSS trusted software stack;
b. the operating system interacts with the TPM security chip through the TPM device driver in the kernel; the TSS trusted software stack provides user-mode programs in the operating system with software interface support for accessing the functions of the TPM security chip;
the SKF interface service layer takes the specific form of a service process running in the operating system; the service process receives requests from upper-layer application programs, maintains the various runtime handles used during SKF interface calls, and interacts with the TPM security chip through the TSS trusted software stack;
the SKF interface providing layer provides the SKF interface through which upper-layer application programs call SKF functions, and the SKF interface comprises SKF device management interfaces, SKF access control interfaces, SKF application management interfaces, SKF file management interfaces, SKF container management interfaces and SKF cryptographic service interfaces;
c. the SKF application metadata, SKF container data and SKF file data of the device are stored in the non-volatile storage area provided by the TPM security chip, and an authorized access mechanism is created;
d. when an SKF interface is called, an availability check of the SKF interface is performed first.
2. The method for implementing the TPM-based intelligent cryptographic key cryptographic application interface according to claim 1, wherein the SKF application metadata occupies one NV index in the non-volatile storage area and stores the total number of applications created and the attributes of each application;
the data of each SKF container occupies one NV index and stores the container name, the creation status of each key in the container, the length and value of each key, and the NV index of the certificate in the container;
the data of each SKF file occupies one NV index.
3. The method of claim 1, wherein the authorized access mechanism is built on NV index access using a password authorization mechanism.
4. The method for implementing the TPM-based intelligent cryptographic key cryptographic application interface of claim 2, wherein the SKF cryptographic service interfaces read the SKF application metadata and the keys and certificates in the SKF container data through the NV-related commands of the TPM, and call the TPM's cryptographic algorithm commands to realize the various cryptographic algorithm functions.
5. The method for implementing the TPM-based intelligent cryptographic key cryptographic application interface according to claim 2, wherein the SKF device management interfaces query and acquire information on the TPM device nodes in the operating system, and call the TPM's attribute acquisition command to obtain the manufacturer, firmware, version number, supported algorithms and mode identifiers, algorithm characteristic values and storage space size of the TPM device.
6. The method of claim 2, wherein the SKF access control interfaces operate on SKF application metadata through the NV-related commands of the TPM; the SKF application management interfaces operate on SKF application metadata through the NV-related commands of the TPM; the SKF file management interfaces operate on SKF application metadata and SKF file data through the NV-related commands of the TPM; and the SKF container management interfaces operate on SKF application metadata and SKF container data through the NV-related commands of the TPM.
7. The method for implementing the TPM-based intelligent cryptographic key cryptographic application interface of claim 2, wherein the SKF interface availability check of step d is performed as follows:
after the computer is started, the TPM measures the integrity of each level of the software and hardware trust chain of the operating system on the TPM device, and the integrity measurement values are stored in the PCR registers of the TPM;
when an SKF interface is entered, the availability check of the operating system is run first: the current PCR value is read and compared with the integrity reference value:
(1) if the two differ, the current operating system may carry a security risk, and the SKF interface is unavailable;
(2) if the two match, the system integrity measurement is normal, and the SKF interface can be used normally.
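Claims 3 and 7 together put two gates in front of every SKF call: password-authorized access to the NV indices that hold application, container and file data, and a comparison of the current PCR value against a stored integrity reference. The Python model below is an added illustration of that design and is not the patent's or Kirin Software's code: the TPM PCR is simulated with the standard extend rule (new = H(old || H(component))), the NV area is a toy in-memory store, and the NV index value, PIN and boot-chain blobs are constructed placeholders.

```python
import hashlib
import hmac
def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend rule: new PCR = H(old PCR || digest of the measured component)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot_chain(components: list[bytes]) -> bytes:
    """Measure each trust-chain level (firmware, bootloader, kernel, ...) in order."""
    pcr = bytes(32)  # SHA-256 PCR bank starts at all zeros
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr

class NvStore:
    """Toy TPM NV area: each index carries an auth value and its data (claim 3)."""
    def __init__(self) -> None:
        self._nv: dict[int, tuple[bytes, bytes]] = {}

    def define(self, index: int, auth: bytes, data: bytes) -> None:
        self._nv[index] = (hashlib.sha256(auth).digest(), data)

    def read(self, index: int, auth: bytes) -> bytes:
        stored_auth, data = self._nv[index]
        if not hmac.compare_digest(stored_auth, hashlib.sha256(auth).digest()):
            raise PermissionError("NV index auth failure")
        return data

class SkfService:
    """SKF service process: every call first runs the PCR availability check (step d)."""
    def __init__(self, nv: NvStore, reference_pcr: bytes) -> None:
        self.nv = nv
        self.reference_pcr = reference_pcr

    def available(self, current_pcr: bytes) -> bool:
        return hmac.compare_digest(current_pcr, self.reference_pcr)

    def read_container(self, current_pcr: bytes, index: int, auth: bytes) -> bytes:
        if not self.available(current_pcr):
            raise PermissionError("SKF interface unavailable: integrity mismatch")
        return self.nv.read(index, auth)

GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]  # constructed blobs
CONTAINER_INDEX = 0x01500002  # placeholder NV index, not a value from the patent

def demo() -> tuple[bool, bool]:
    nv = NvStore()
    nv.define(CONTAINER_INDEX, b"user-pin", b"container:sign-key")  # constructed PIN
    svc = SkfService(nv, measure_boot_chain(GOOD_CHAIN))
    changed = GOOD_CHAIN[:2] + [b"kernel-v2"]  # same chain with a different kernel
    return svc.available(measure_boot_chain(GOOD_CHAIN)), svc.available(measure_boot_chain(changed))
```

A real service would read the PCR through the TSS rather than computing it, but the decision logic is the same: any change to a measured level changes the PCR and closes the SKF interface until the reference is updated.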

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210989534.6A CN115062330B (en) 2022-08-18 2022-08-18 TPM-based intelligent password key password application interface implementation method
PCT/CN2022/137642 WO2024036832A1 (en) 2022-08-18 2022-12-08 Method for realizing smart token cryptography application interface on basis of tpm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210989534.6A CN115062330B (en) 2022-08-18 2022-08-18 TPM-based intelligent password key password application interface implementation method

Publications (2)

Publication Number Publication Date
CN115062330A true CN115062330A (en) 2022-09-16
CN115062330B CN115062330B (en) 2022-11-11

Family

ID=83207838

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210989534.6A Active CN115062330B (en) 2022-08-18 2022-08-18 TPM-based intelligent password key password application interface implementation method

Country Status (2)

Country Link
CN (1) CN115062330B (en)
WO (1) WO2024036832A1 (en)

Also Published As

Publication number Publication date
WO2024036832A1 (en) 2024-02-22
CN115062330B (en) 2022-11-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant