CN101431403A - Apparatus and method for providing interface data and trusted computing system - Google Patents
- Publication number
- CN101431403A
- Authority
- CN
- China
- Prior art keywords
- module
- data
- key object
- algorithm
- hash algorithm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a device for providing interface data, comprising a hash algorithm module and a key object management module. The hash algorithm module receives data sent from outside it, performs hash algorithm processing on the data according to the hash algorithm selected by the device, and provides interface data between the device and its exterior according to the result of that processing. The key object management module receives data sent from outside it, performs cryptographic algorithm processing on the data according to the cryptographic algorithm selected by the device, and provides interface data between the device and its exterior according to the result of that processing. The invention also discloses a method for providing interface data and a trusted computing system. With the device, method and trusted computing system described by the invention, the workload of modifying a trusted computing system when its hash algorithm or cryptographic algorithm changes is reduced, and the reliability of the trusted computing system is improved.
Description
Technical field
The present invention relates to the field of trusted computing technology, and in particular to a device and a method for providing interface data and to a trusted computing system.
Background technology
Trusted computing technology arose in response to users' demands for the privacy, integrity, authenticity and reliability of information. The trusted computing system defined by the Trusted Computing Group (TCG) ensures the security of the whole computer system mainly by strengthening the security of the existing terminal architecture. Its main idea is to introduce a trusted architecture on various terminal hardware platforms and to improve the security of the trusted computing system through the security features that this architecture provides. The core of this trusted computing system is a trusted chip called the Trusted Platform Module (TPM).
Fig. 1 shows the structure of a trusted computing system with the TPM at its core.
From the lowest layer to the highest, the trusted computing system comprises the trusted platform module 101, the trusted platform module device driver (TDD, Trusted Platform Module Device Driver) module 102, the trusted computing system device driver library (TDDL, Trusted Computing Group Device Driver Library) module 103, and the trusted software stack core services layer (TCS, Trusted Computing Group Core Services) 104. When the application using the trusted computing system is a local application, the system further comprises the trusted software stack service provider (TSP, Trusted Computing Group Software Stack Service Provider) layer 105 and the local application layer 106. When the application using the trusted computing system is a remote application, the system further comprises the remote procedure call (RPC, Remote Procedure Call) service 107, the RPC client 108, the trusted software stack service provider layer 105 and the remote application layer 109.
The trusted computing system described above establishes trust in itself through the root of trust stored in the TPM and the chain of trust passed between the layers of the system. Once trust is established, the system manages information assets through authorization and delegation. Keys and certificates play an important role in authorization and delegation, and the trusted computing system uses a large number of cryptographic algorithms and hash algorithms when it operates.
According to the TCG specification, the application layer of a trusted computing system uses trusted computing services by directly calling the interface data provided by the TSP layer. The TSP layer applies cryptographic algorithm processing or hash algorithm processing to the data that represents the application layer's request and sends the data to the layer below the TSP layer, from which it continues down to the TPM. The TPM processes the data and feeds the result of that processing back up. When the result reaches the TSP layer, the TSP layer processes it further; this further processing includes cryptographic algorithm processing or hash algorithm processing. Cryptographic algorithm processing and hash algorithm processing comprise cryptographic operations, hash operations, and operations related to cryptographic or hash operations, such as setting key object attributes. The TSP layer keeps some or all of the further-processed result, or of the data corresponding to that result, in the TSP layer, or processes some or all of that data further within the TSP layer, or feeds some or all of that data back to the application layer.
Fig. 2 shows the structure of the TSP layer in the prior art.
In Fig. 2, the TSP layer comprises the context manager 201 and the cipher function module 202. The context manager is mainly responsible for operations such as allocating memory space for the TSP layer; the cipher function module 202 is mainly responsible for cryptographic algorithm processing and hash algorithm processing in the TSP layer.
The existing TCG specification stipulates that the cryptographic algorithm used in a trusted computing system is the RSA asymmetric cryptographic algorithm and that the hash algorithm used is Secure Hash Algorithm 1 (SHA-1); the existing TCG specification does not specify a symmetric cryptographic algorithm.
As trusted computing technology develops and other cryptographic algorithms or hash algorithms are added to the TCG specification, different TPMs may support different cryptographic algorithms or different hash algorithms. In that case, the code of the cipher function module 202 in the TSP layer has to be modified line by line for each TPM whose cryptographic algorithm or hash algorithm differs. A change of cryptographic algorithm or hash algorithm in the trusted computing system caused by other factors likewise requires line-by-line modification of the code of the cipher function module 202 in the TSP layer. Through these modifications the interface of the TSP layer can provide correct interface data, which guarantees the trustworthiness of the whole trusted computing system. Correct interface data means the data that the TSP layer obtains by completing the operations related to the cryptographic algorithm according to the cryptographic algorithm selected by the trusted computing system it belongs to, or by completing the operations related to the hash algorithm according to the hash algorithm selected by that system.
As the above shows, in the prior art, when the cryptographic algorithm or hash algorithm of a trusted computing system changes, modifying the cipher function module line by line involves a heavy workload and wastes developer effort and development time. Line-by-line modification may also miss code that needs to be changed; when that happens, the TSP layer cannot provide correct interface data, which causes the collapse of the whole trusted computing system.
Summary of the invention
In view of this, one object of the present invention is to provide a device and a method for providing interface data such that, when the device or method is used in a trusted computing system and the cryptographic algorithm or hash algorithm of that system changes, the workload of modifying the trusted computing system is smaller than the workload of modifying a trusted computing system in the prior art.
Another object of the present invention is to provide a trusted computing system such that, when the cryptographic algorithm or hash algorithm in the trusted computing system described in the embodiments of the invention changes, the workload of modifying that system is smaller than the workload of modifying an existing trusted computing system.
To achieve the above objects, the technical solution of the present invention is realized as follows:
A device for providing interface data comprises a hash algorithm module and a key object management module. The hash algorithm module is used to receive data sent from outside it, perform hash algorithm processing on the data according to the hash algorithm selected by the device, and provide interface data between the device and its exterior according to the result of the hash algorithm processing. The key object management module is used to receive data sent from outside it, perform cryptographic algorithm processing on the data according to the cryptographic algorithm selected by the device, and provide interface data between the device and its exterior according to the result of the cryptographic algorithm processing.
Preferably, the hash algorithm module further comprises a hash algorithm computing module. The hash algorithm computing module is used to receive data from other parts inside the hash algorithm module or data sent from outside the hash algorithm module, perform the hash operation on that data, and return the result of the hash operation to the other parts inside the hash algorithm module or to the outside of the hash algorithm module.
Preferably, the key object management module further comprises a cryptographic algorithm module. The cryptographic algorithm module is used to receive data from other parts inside the key object management module or from outside the key object management module, perform cryptographic algorithm processing on that data, and return the result of the cryptographic algorithm processing to the other parts inside the key object management module or to the outside of the key object management module.
Preferably, the cryptographic algorithm module further comprises an encryption algorithm module and a decryption algorithm module. The encryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the encryption operation on that data, and return the result of the encryption operation to the outside of the cryptographic algorithm module. The decryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the decryption operation on that data, and return the result of the decryption operation to the outside of the cryptographic algorithm module.
Preferably, the cryptographic algorithm module further comprises a symmetric encryption algorithm module and a symmetric decryption algorithm module; or an asymmetric encryption algorithm module and an asymmetric decryption algorithm module; or a symmetric encryption algorithm module, a symmetric decryption algorithm module, an asymmetric encryption algorithm module and an asymmetric decryption algorithm module. The symmetric encryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the symmetric encryption operation on that data, and return the result of the symmetric encryption operation to the outside. The symmetric decryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the symmetric decryption operation on that data, and return the result of the symmetric decryption operation to the outside. The asymmetric encryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the asymmetric encryption operation on that data, and return the result of the asymmetric encryption operation to the outside. The asymmetric decryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the asymmetric decryption operation on that data, and return the result of the asymmetric decryption operation to the outside.
Preferably, the key object management module further comprises a key object manager and a key object module. The key object manager is used to receive data sent from outside the key object management module and, according to that data and the cryptographic protocol selected by the device, manage each key object submodule in the key object module.
Preferably, the cryptographic algorithm module is called by the key object module, completes the cryptographic operation according to the call instruction, and returns the result of the cryptographic operation to the key object module.
In the device described above, the hash algorithm module, hash algorithm computing module, key object management module, cryptographic algorithm module, encryption algorithm module, decryption algorithm module, symmetric encryption algorithm module, symmetric decryption algorithm module, asymmetric encryption algorithm module, asymmetric decryption algorithm module, key object manager, key object module or key object submodule is implemented by a class or an equivalent of a class.
Preferably, the hash algorithm computing module is implemented by a singleton class.
Preferably, the key object manager further comprises a key object manager parent class and a key object manager subclass. The key object manager parent class is used to implement the common key management operations; the key object manager subclass is used to implement the specific key management operations.
A trusted computing system comprises an application layer, a trusted software stack core services layer (TCS) and a trusted platform module (TPM), and further comprises a device for providing interface data. The application layer is used to send the requests that the user of the trusted computing system makes of the system. The device for providing interface data sits between the application layer and the TCS layer. It is used to receive the requests and the TPM's results for the requests, perform modular hash algorithm processing or modular cryptographic algorithm processing on what it receives, send the requests so processed to the TCS layer, and send the TPM's results for the requests, after hash algorithm processing or cryptographic algorithm processing, to the application layer. The TCS layer is used to receive, store and send the TPM's results for the requests and the requests that have undergone modular hash algorithm processing or modular cryptographic algorithm processing.
Preferably, the device for providing interface data comprises a hash algorithm module and a key object management module. The hash algorithm module is used to receive the requests, the TPM's results for the requests, or data sent by the key object management module, perform modular hash algorithm processing on some or all of what it receives, and store or send the result of that processing. The key object management module is used to receive the requests, the TPM's results for the requests, or data sent by the hash algorithm module, perform modular cryptographic algorithm processing on some or all of what it receives, and store or send the result of that processing.
Preferably, the hash algorithm module further comprises a platform configuration register (PCR) object management module, a PCR object module, a policy object management module and a policy object module. The PCR object management module is used to receive data from outside the hash algorithm module and manage the PCR objects in the PCR object module according to that data, or to obtain data from the PCR object module and return some or all of it to the outside of the hash algorithm module. The policy object management module is used to receive data from outside the hash algorithm module and manage the policy objects in the policy object module according to that data, or to obtain data from the policy object module and return some or all of it to the outside of the hash algorithm module.
Preferably, the hash algorithm computing module is called by the PCR object module or the policy object module, completes the hash operation according to the call instruction, and returns the result of the hash operation to the PCR object module or the policy object module.
A method for providing interface data comprises the following steps:
A. Receive data.
B. Determine whether hash algorithm processing or cryptographic algorithm processing needs to be performed on the data. If hash algorithm processing is needed, execute step C; if cryptographic algorithm processing is needed, execute step D; if neither hash algorithm processing nor cryptographic algorithm processing is needed, execute step E.
C. Perform hash algorithm processing on the data and determine whether cryptographic algorithm processing needs to be performed on the result of the hash algorithm processing. If so, execute step D; otherwise execute step F.
D. Perform cryptographic algorithm processing on the data and determine whether hash algorithm processing needs to be performed on the result of the cryptographic algorithm processing. If so, execute step C; otherwise execute step F.
E. Perform operations on the data other than hash algorithm processing and cryptographic algorithm processing.
F. Send the result of step C, the result of step D, or the result of step E.
As the above technical solution shows, the device for providing interface data of the present invention contains a hash algorithm module and a key object management module. Therefore, when the device is applied in a trusted computing system and the cryptographic algorithm or hash algorithm of that system changes, only the corresponding module of the device needs to be changed and the other parts of the trusted computing system do not, which reduces the workload of modifying the trusted computing system caused by a change of its hash algorithm or cryptographic algorithm. The method for providing interface data of the present invention has a separate step for hash algorithm processing and a separate step for cryptographic algorithm processing. Therefore, when a trusted computing system applies this method to provide interface data between its internal layers and its hash algorithm or cryptographic algorithm changes, the workload of modifying the trusted computing system is reduced. The trusted computing system described in the embodiments of the invention is provided with a device for providing interface data that has modular hash algorithm processing and modular cryptographic algorithm processing functions. Therefore, when the hash algorithm or cryptographic algorithm of that system changes, the workload of modifying it is smaller than the workload of modifying an existing trusted computing system.
Description of drawings
Fig. 1 is a structure diagram of a trusted computing system in the prior art;
Fig. 2 is a structure diagram of the TSP layer in the prior art;
Fig. 3 is a structure diagram of the device for providing interface data in preferred embodiment 1 of the present invention;
Fig. 4 is a structure diagram of the key object management module of preferred embodiment 1 of the present invention;
Fig. 5 is a structure diagram of the trusted computing system of preferred embodiment 2 of the present invention;
Fig. 6 is a structure diagram of the hash algorithm module of preferred embodiment 2 of the present invention;
Fig. 7 is a flow chart of the method for providing interface data in preferred embodiment 3 of the present invention.
Embodiment
To make the objects, technical solution and advantages of the present invention clearer, the invention is described in more detail below with reference to the accompanying drawings and preferred embodiments.
Preferred embodiment 1: in this embodiment, the device for providing interface data comprises a hash algorithm module and a key object management module.
Fig. 3 is a structure diagram of the device for providing interface data according to the preferred embodiment of the present invention.
In Fig. 3, the device for providing interface data comprises hash algorithm module 301 and key object management module 302. Hash algorithm module 301 receives data sent from outside it and completes the hash operation on that data according to the hash algorithm selected by the device. Hash algorithm module 301 provides interface data between the device and its exterior according to the result of the hash operation, for example by keeping the result of the hash operation in hash algorithm module 301 to await an external call. The key object management module receives data sent from outside it and completes the cryptographic operation on that data according to the cryptographic algorithm selected by the device. The key object management module provides interface data between the device and its exterior according to the result of the cryptographic operation, for example by keeping the result of the cryptographic operation in key object management module 302 to await an external call. Depending on its application scenario, the device for providing interface data selects the hash algorithm and the cryptographic algorithm it uses according to the requirements of that scenario.
The hash algorithm module may further comprise a hash algorithm computing module. The hash algorithm computing module receives data from other parts inside the hash algorithm module or data sent from outside the hash algorithm module, completes the hash operation on that data, and returns the result of the hash operation to the other parts inside the hash algorithm module or to the outside of the hash algorithm module. The other parts inside the hash algorithm module handle processing related to the hash algorithm, for example determining, according to standards such as the TCG specification, the flow in which the hash algorithm computing module is called.
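An added Python example, not code from the patent, of the hash algorithm computing module as a singleton class called by a PCR object and a policy object, as the summary describes. The class and method names, the serialization used in `composite_digest`, the hashing of a policy secret, and all sample values are assumptions made for this illustration; it shows a hash algorithm change confined to one module, with stale fixed-length PCR data rejected rather than hashed silently.

```python
import hashlib


class HashComputingModule:
    """Hash algorithm computing module as a singleton: the only code that names the hash."""
    _instance = None

    def __new__(cls):
        if cls._instance is None:
            cls._instance = super().__new__(cls)
            cls._instance._name = "sha1"  # SHA-1 is the hash the page attributes to the TCG spec
        return cls._instance

    def select(self, name: str) -> None:
        """Change the selected hash algorithm; the calling objects are not modified."""
        if name not in hashlib.algorithms_guaranteed or hashlib.new(name).digest_size == 0:
            raise ValueError(f"unsupported hash algorithm: {name!r}")
        self._name = name

    @property
    def digest_size(self) -> int:
        return hashlib.new(self._name).digest_size

    def compute(self, data: bytes) -> bytes:
        return hashlib.new(self._name, data).digest()


class PcrObject:
    """PCR object (simplified): holds PCR values and asks the module for their digest."""

    def __init__(self):
        self._hash = HashComputingModule()
        self._values = {}

    def set_value(self, index: int, value: bytes) -> None:
        # The expected length comes from the module, never from a hard-coded 20.
        if len(value) != self._hash.digest_size:
            raise ValueError(f"PCR {index}: expected {self._hash.digest_size} bytes")
        self._values[index] = value

    def composite_digest(self) -> bytes:
        # Assumed serialization for this example, not the TCG composite structure.
        blob = b""
        for index in sorted(self._values):
            value = self._values[index]
            if len(value) != self._hash.digest_size:
                # Value stored before the algorithm changed: refuse to mix digest sizes.
                raise ValueError(f"PCR {index}: stale value of {len(value)} bytes")
            blob += index.to_bytes(2, "big") + value
        return self._hash.compute(blob)


class PolicyObject:
    """Policy object (simplified): keeps the digest of a secret instead of the secret."""

    def __init__(self):
        self._hash = HashComputingModule()
        self.secret_digest = None

    def set_secret(self, secret: bytes) -> None:
        self.secret_digest = self._hash.compute(secret)


def demo():
    """Run both callers under SHA-1, switch the module to SHA-256, run them again."""
    module = HashComputingModule()
    module.select("sha1")
    pcr, policy = PcrObject(), PolicyObject()
    pcr.set_value(0, bytes(20))                  # constructed all-zero PCR value
    policy.set_secret(b"constructed-secret")     # constructed sample secret
    sha1_sizes = (len(pcr.composite_digest()), len(policy.secret_digest))

    module.select("sha256")                      # the only algorithm-specific change
    try:
        pcr.composite_digest()
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    pcr.set_value(0, bytes(32))
    policy.set_secret(b"constructed-secret")
    sha256_sizes = (len(pcr.composite_digest()), len(policy.secret_digest))
    return sha1_sizes, stale_rejected, sha256_sizes


if __name__ == "__main__":
    print(demo())
```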
Fig. 4 is a structure diagram of the key object management module of the preferred embodiment of the present invention. In Fig. 4, the key object management module comprises key object manager 401, key object module 402 and cryptographic algorithm module 403.
Key object manager 401 receives data such as handles and key object attribute setting commands from outside the key object management module, and data such as key object attributes from key object module 402. It sends the data that it has stored or obtained to the outside of the key object management module or to key object module 402.
Key object module 402 contains a plurality of key object submodules. Each key object submodule contains the application-layer handle of one key object and the attributes of that key object. For example, key object 1 submodule 4021 contains the application-layer handle of key object 1 and the attributes of key object 1, and key object 2 submodule 4022 contains the application-layer handle of key object 2 and the attributes of key object 2. The application-layer handle contained in a key object submodule identifies which key object the key object attributes in that submodule belong to; for example, the application-layer handle in key object 1 submodule 4021 identifies the key object attributes in key object 1 submodule 4021 as the attributes of key object 1. Each key object in a key object submodule belongs to a particular key type; for example, the key type of key object 1 in the key object 1 submodule may be the RSA type, and the key type of key object 2 in the key object 2 submodule may be the AES type.
Cryptographic algorithm module 403 contains an encryption algorithm module and a decryption algorithm module. The encryption algorithm module may further comprise a symmetric encryption algorithm module and an asymmetric encryption algorithm module, and the decryption algorithm module may further comprise a symmetric decryption algorithm module and an asymmetric decryption algorithm module. The encryption algorithm module carries out the encryption operation and the decryption algorithm module carries out the decryption operation. The symmetric encryption algorithm module and the asymmetric encryption algorithm module carry out the encryption operation of the symmetric cryptographic algorithm and the encryption operation of the asymmetric cryptographic algorithm respectively, and the symmetric decryption algorithm module and the asymmetric decryption algorithm module carry out the decryption operation of the symmetric cryptographic algorithm and the decryption operation of the asymmetric cryptographic algorithm respectively.
Each algorithm module in cryptographic algorithm module 403 is assigned the key type it corresponds to when it is created. When a key object of that key type calls cryptographic algorithm module 403 to perform a cryptographic operation, what it calls is one or more of the algorithm modules in cryptographic algorithm module 403 that correspond to that key type.
Key object manager 401 manages key object module 402 and cryptographic algorithm module 403. This management includes setting key object attributes, getting key object attributes, adding key objects to the key object management module, and getting or setting the PCR attributes associated with a key object. Key object attributes include the usage policy, migration policy, global key identifier and key value of the key object. Key object manager 401 performs this management on key object module 402 and cryptographic algorithm module 403 according to data received from outside the key object management module, such as handles and key object attribute setting commands, and according to the cryptographic protocols defined in standards such as the TCG specification. When key object manager 401 performs the management, it uses the handle corresponding to a management command to determine which key object submodule in key object module 402 the command applies to. For example, key object manager 401 compares the handle it received from outside the key object management module with the application-layer handle contained in each key object submodule of key object module 402. When the two handles are identical, the key object manager passes the key object attribute setting command that corresponds to the received handle to that key object submodule, and the submodule receives the command and sets the key object attributes it holds accordingly. If, while the key object attributes are being set, the key object submodule needs to call an algorithm module in cryptographic algorithm module 403 to perform a cryptographic operation, it calls the algorithm module corresponding to the type of its key object, according to the management command of key object manager 401.
The data that key object manager 401 receives from outside the key object management module may include hash operation results sent by the hash algorithm module. Key object manager 401 determines, according to the cryptographic protocols defined in standards such as the TCG specification, the operations to perform on the data it received and on key object module 402 and cryptographic algorithm module 403.
In the device of this preferred embodiment, the hash algorithm module, hash algorithm computing module, key object management module, cryptographic algorithm module, encryption algorithm module, decryption algorithm module, symmetric encryption algorithm module, symmetric decryption algorithm module, asymmetric encryption algorithm module, asymmetric decryption algorithm module, key object manager or key object module is implemented by a class or an equivalent of a class. An equivalent of a class is a data encapsulation that comprises an external data interface and an internal operation module. The external data interface handles the data exchange between the encapsulation and the outside. The internal operation module performs operations on the data in the external data interface and either stores the result or uses it for other operations, or returns the result to the external data interface.
In practice, the key object manager can be implemented in two levels, meaning that it comprises a key object manager parent class and key object manager subclasses. The parent class implements the common key management operations that most key algorithms can use, such as getting a key object, adding a key object, finding out which cryptographic algorithm a key object uses, and getting a key object's policy. The subclasses implement the specific key management operations that only a particular key algorithm can use, such as setting a public key value.
The key object module 402 can be implemented with a key object parent class and key object subclasses. The key object parent class receives the data sent by the key object manager and, according to that data, provides the data interface for setting the attributes of the key objects in the key object submodules. The key object subclasses are the implementations of the individual key object submodules; using the data supplied through the parent class's data interface, they carry out the concrete operations that set each key object's attributes. The key object parent class can itself be implemented as two levels of parent class. The first-level key object parent class defines the data interfaces needed when setting most key objects, for example those needed by both symmetric and asymmetric key objects. The second-level key object parent class builds on the first and defines the data interfaces needed when setting specific key objects, for example getting the public key value or the private key value, which exist only for asymmetric key objects. With this structure, the key object manager 401 can manage key objects by calling the interfaces of the key object parent class directly, while the concrete steps of that management are carried out by the key object subclasses.
A change of cryptographic algorithm changes both the key object attributes and the cryptographic operations. When the key object management module of this embodiment is used for cryptographic algorithm processing, only the key object module 402 and the cryptographic algorithm module 403 need to be changed to accommodate a change of cryptographic algorithm.
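The handle-matching dispatch and the two-level parent class structure described above, as an added Python example that is not code from the patent. The class names, attribute names, handle numbering and the HMAC keystream that stands in for a real cipher are all assumptions made for illustration.

```python
# Added illustration; class, attribute and algorithm names are assumptions.
import hmac
import secrets


class StreamAlgorithm:
    """Algorithm module. The HMAC counter-mode keystream is a stand-in because
    the standard library has no block cipher; it gives no integrity protection."""

    def __init__(self, name, digest):
        self.name, self._digest = name, digest

    def _xor(self, key, nonce, data):
        stream, counter = b"", 0
        while len(stream) < len(data):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(key, block, self._digest).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, key, data):
        nonce = secrets.token_bytes(16)  # fresh for every message
        return nonce + self._xor(key, nonce, data)

    def decrypt(self, key, blob):
        return self._xor(key, blob[:16], blob[16:])


class KeyObject:
    """First-level parent class: what every key object has."""
    ATTRIBUTES = frozenset({"usage_policy", "migration_policy", "key_id", "key_value"})

    def __init__(self, app_handle, algorithm):
        self.app_handle, self._algorithm, self._attrs = app_handle, algorithm, {}

    def set_attribute(self, name, value):
        if name not in self.ATTRIBUTES:
            raise ValueError(f"{type(self).__name__} has no attribute {name!r}")
        self._attrs[name] = value

    def encrypt(self, data):
        raise TypeError(f"{type(self).__name__} does not support this operation")
    decrypt = encrypt


class AsymmetricKeyObject(KeyObject):
    """Second-level parent class: adds what only asymmetric keys have."""
    ATTRIBUTES = KeyObject.ATTRIBUTES | {"public_value"}


class SymmetricKeyObject(KeyObject):
    """Key object subclass: calls the algorithm module for its key type."""

    def encrypt(self, data):
        return self._algorithm.encrypt(self._attrs["key_value"], data)

    def decrypt(self, blob):
        return self._algorithm.decrypt(self._attrs["key_value"], blob)


class KeyObjectManager:
    """Routes each command to the key object whose handle matches."""

    def __init__(self):
        self._objects = {}     # application layer handle -> key object
        self._algorithms = {}  # algorithm type -> algorithm module
        self._next_handle = 0x1000

    def register_algorithm(self, algorithm):
        self._algorithms[algorithm.name] = algorithm

    def add_key_object(self, cls, algorithm_type):
        if algorithm_type not in self._algorithms:
            raise ValueError(f"no algorithm module for {algorithm_type!r}")
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._objects[handle] = cls(handle, self._algorithms[algorithm_type])
        return handle

    def _lookup(self, handle):
        if handle not in self._objects:
            raise LookupError(f"no key object holds handle {handle!r}")
        return self._objects[handle]

    def set_attribute(self, handle, name, value):
        self._lookup(handle).set_attribute(name, value)

    def encrypt(self, handle, data):
        return self._lookup(handle).encrypt(data)

    def decrypt(self, handle, blob):
        return self._lookup(handle).decrypt(blob)


def round_trip(manager, algorithm_type, message):
    handle = manager.add_key_object(SymmetricKeyObject, algorithm_type)
    manager.set_attribute(handle, "key_value", secrets.token_bytes(32))
    blob = manager.encrypt(handle, message)
    return blob, manager.decrypt(handle, blob)
```

Registering a second `StreamAlgorithm` under a new name and creating key objects of that type needs no edit to `KeyObjectManager`, which is the property the paragraph above claims for the design.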
Preferred embodiment 2: This preferred embodiment provides a trusted computing system that uses the device for providing interface data described in preferred embodiment 1. Because the device is applied in a trusted computing system, it adds, on top of preferred embodiment 1, structures adapted to that system. The trusted computing system is described below.
Fig. 5 is a structural diagram of the trusted computing system of this preferred embodiment, which comprises an application layer 501, a device 502 for providing interface data, a TCS layer 503 and a TPM 504.
The application layer sends the requests that users of the trusted computing system make of the system. The device for providing interface data sits between the application layer and the TCS layer. It receives those requests and the TPM's results for them, performs modular hash algorithm processing or modular cryptographic algorithm processing on what it receives, sends to the TCS layer the requests that have undergone this processing, and sends to the application layer the TPM's results after hash algorithm processing or cryptographic algorithm processing. The TCS layer receives, stores and sends the TPM module's results for the requests and the requests that have undergone modular hash algorithm processing or modular cryptographic algorithm processing.
The device for providing interface data in Fig. 5 further includes a hash algorithm module and a key object management module. The hash algorithm module receives the requests, the TPM's results for the requests, or data sent by the key object management module, performs modular hash algorithm processing on part or all of what it receives, and stores or sends the result of that processing. The key object management module receives the requests, the TPM's results for the requests, or data sent by the hash algorithm module, performs modular cryptographic algorithm processing on part or all of what it receives, and stores or sends the result of that processing.
Fig. 6 is a structural diagram of the hash algorithm module in this preferred embodiment.
In Fig. 6, the hash algorithm module comprises a PCR object management module 601, a PCR object module 602, a policy object management module 603, a policy object module 604 and a hash computation module 605.
The PCR object module 602 stores one or more PCR objects. Each PCR object has at least two attributes: a PCR selection (PCR Selection) field and a PCR composite (PCR Composite). The PCR selection field can be a bitmap that selects a group of PCRs in the TPM, and the PCR composite is the content of that group of PCRs. Each PCR object corresponds to a PCR handle.
The PCR object management module 601 receives data from outside the hash algorithm module, such as PCR handles and commands to set PCR object attributes, and manages the PCR object in the PCR object module that corresponds to the PCR handle. This management includes setting PCR object attributes, getting PCR object attributes and computing the PCR composite; the PCR object management module 601 determines the operations on PCR objects according to standards such as the TCG specification. If a hash operation is needed while the PCR object module 602 is being managed, it calls the hash computation module 605 with a call command to perform the hash operation. The hash computation module 605 returns the result of the hash operation to the PCR object module 602, which stores the result or uses it for other operations.
The policy object module 604 contains a plurality of policy objects. A policy object determines how the hash results of the hash computation module 605 are used, for example by storing the hash result in the policy object or by determining the lifetime of the hash result. Each policy object corresponds to a policy object handle.
The policy object management module 603 receives data from outside the hash algorithm module, such as policy object handles, and manages the policy object in the policy object module 604 that corresponds to the policy object handle. This management includes setting policy object attribute values and getting policy object attribute values; the policy object management module 603 determines the operations on policy objects according to standards such as the TCG specification. If a hash operation is needed while a policy object in the policy object module 604 is being managed, the hash computation module 605 is called with a call command to perform the hash operation. The hash computation module 605 returns the result of the hash operation to the policy object module 604, which stores the result or uses it for other operations.
The hash computation module 605 is implemented as a class or the equivalent of a class. Preferably, it is implemented as a singleton class, that is, a class that is instantiated only once; the hash computation module 605 can also be implemented in other ways. The hash computation module 605 has a global access point through which it exchanges data with the outside. The hash computation module 605 can also be called directly by the application layer to perform a hash operation, and the result of the hash operation is stored, sent to the TCS layer, or used for other operations.
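The singleton hash computation module and a PCR object that reaches it through the global access point, as an added Python example that is not code from the patent. The class and method names, the SHA-1 default, and the use of the TPM 1.2 `TPM_PCR_COMPOSITE` byte layout for the composite are assumptions; the example also shows that PCR values recorded under the old algorithm have to be re-collected after the hash algorithm is changed.

```python
# Added illustration; class and method names are assumptions, not the patent's.
import hashlib
import threading


class HashEngine:
    """Hash computation module as a singleton with one global access point."""
    _instance = None
    _lock = threading.Lock()

    def __init__(self, algorithm="sha1"):  # default is an assumption
        self._algorithm = algorithm

    @classmethod
    def instance(cls):
        with cls._lock:  # two threads must not create two engines
            if cls._instance is None:
                cls._instance = cls()
            return cls._instance

    def set_algorithm(self, algorithm):
        # hashlib raises ValueError for a name it does not know.
        if hashlib.new(algorithm).digest_size == 0:
            raise ValueError(f"{algorithm} has no fixed digest size")
        self._algorithm = algorithm

    @property
    def digest_size(self):
        return hashlib.new(self._algorithm).digest_size

    def digest(self, data):
        return hashlib.new(self._algorithm, data).digest()


class PcrObject:
    """PCR selection bitmap plus the values of the selected PCRs."""

    def __init__(self, pcr_count=24):
        self._pcr_count = pcr_count
        self._select = bytearray((pcr_count + 7) // 8)
        self._values = {}

    def set_pcr(self, index, value):
        if not 0 <= index < self._pcr_count:
            raise IndexError(f"PCR index {index} out of range")
        if len(value) != HashEngine.instance().digest_size:
            raise ValueError("PCR value length does not match the hash algorithm")
        self._select[index // 8] |= 1 << (index % 8)  # PCR 0 is bit 0 of byte 0
        self._values[index] = bytes(value)

    def selection(self):
        return bytes(self._select)

    def composite_digest(self):
        engine = HashEngine.instance()
        if any(len(v) != engine.digest_size for v in self._values.values()):
            raise ValueError("stored PCR values predate the current hash algorithm")
        # Layout assumed: 16-bit bitmap size, bitmap, 32-bit value size, values.
        values = b"".join(self._values[i] for i in sorted(self._values))
        blob = (len(self._select).to_bytes(2, "big") + bytes(self._select)
                + len(values).to_bytes(4, "big") + values)
        return engine.digest(blob)


def measure(component):
    """Digest of one component under the engine's current algorithm."""
    return HashEngine.instance().digest(component)
```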
For the key object management module in this preferred embodiment, see the description in preferred embodiment 1. In this preferred embodiment, each key object submodule in the key object module additionally holds, on top of preferred embodiment 1, one or more of the following handles: a PCR object handle, the handle of a policy object attached to the key object in the submodule, and the TCS layer handle of the key object in the submodule. After the key object manager in the key object management module gets the key object attributes from the key object module, if those attributes include a PCR object handle or the handle of a policy object attached to the key object in the submodule, the key object management module can call the hash algorithm module according to that PCR object handle or policy object handle to perform the related operations; for these operations of the hash algorithm module, see the explanation of Fig. 4 in this preferred embodiment. Where a key object submodule holds the TCS layer handle of its key object, and the key object manager 401 has got the key object attributes from the submodule and sends them to the TCS layer, the key object manager 401 uses the TCS layer handle to deliver the attributes to the key object in the TCS layer that corresponds to that handle.
Preferred embodiment 3: This preferred embodiment provides a method for providing interface data. Fig. 7 is a flowchart of the method.
Step 701: receive data.
Step 703: perform hash algorithm processing on the data. Step 703 may apply the hash operation to the data directly, with no operation on the data other than the hash operation. Alternatively, the hash operation may be performed as part of processing the data, in which case the processing includes not only the hash operation but also other operations such as setting data attribute values.
Step 704: perform cryptographic algorithm processing on the data. Step 704 is carried out in a similar way to step 703 and is not described again here.
Step 705: perform operations on the data other than hash algorithm and cryptographic algorithm processing. This means that, throughout the processing of the data before it is sent, no hash operation, cryptographic operation or key object management is performed. For key object management, see preferred embodiment 1.
Step 706: send data, where the data is the result of step 703, step 704 and step 705.
While step 703 is being carried out, it is also possible to determine whether the intermediate result of the hash algorithm processing needs cryptographic algorithm processing. If so, step 704 is carried out, and once it has finished its result is used in step 703, which then continues. Similarly, while step 704 is being carried out, it is possible to determine whether the intermediate result of the cryptographic operation needs a hash operation. If so, step 703 is carried out, and once it has finished its result is used in step 704, which then continues.
After step 703 has finished, it is also possible to determine whether the final result of step 703 needs a cryptographic operation; if so, step 704 is carried out, otherwise step 706 is carried out. After step 704 has finished, it is also possible to determine whether the final result of step 704 needs a hash operation; if so, step 703 is carried out, otherwise step 706 is carried out.
As the above technical solution shows, the device for providing interface data of the present invention contains a hash algorithm module and a key object management module. When the device is applied in a trusted computing system and the system's cryptographic algorithm or hash algorithm changes, only the corresponding module of the device needs to be changed, and the other parts of the trusted computing system need not be. This reduces the work of modifying the trusted computing system that a change of its hash algorithm or cryptographic algorithm causes.
Because the trusted computing system of the embodiments of the invention is provided with a device for providing interface data that has modular hash algorithm processing and modular cryptographic algorithm processing functions, when the system's hash algorithm or cryptographic algorithm changes, the work of modifying it is less than the work of modifying an existing trusted computing system.
When the hash algorithm module has the structure shown in Fig. 6 and the hash algorithm of the trusted computing system changes, only the hash computation module 605 needs to be changed, which further reduces the work of modifying the trusted computing system.
When the key object management module has the structure shown in Fig. 4 and the cryptographic algorithm of the trusted computing system changes, only the key object module 402 and the cryptographic algorithm module 403 need to be changed, which further reduces the work of modifying the trusted computing system.
The method for providing interface data of the present invention has a separate step for hash algorithm processing and a separate step for cryptographic algorithm processing. When a trusted computing system uses this method to provide interface data between its internal layers and its hash algorithm or cryptographic algorithm changes, only the module that carries out the hash algorithm processing step or the module that carries out the cryptographic algorithm processing step needs to be changed, which reduces the work of modifying the trusted computing system.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (17)
1. A device for providing interface data, characterized in that the device comprises a hash algorithm module and a key object management module;
the hash algorithm module is used to receive data sent from outside it, perform hash algorithm processing on the data according to the hash algorithm selected by the device, and provide the interface data between the device and its outside according to the result of the hash algorithm processing;
the key object management module is used to receive data sent from outside it, perform cryptographic algorithm processing on the data according to the cryptographic algorithm selected by the device, and provide the interface data between the device and its outside according to the result of the cryptographic algorithm processing.
2. The device of claim 1, characterized in that the hash algorithm module further comprises a hash computation module;
the hash computation module is used to receive data from other parts inside the hash algorithm module or data sent from outside the hash algorithm module, perform a hash operation on the data, and return the result of the hash operation to the other parts inside the hash algorithm module or to the outside of the hash algorithm module.
3. The device of claim 1, characterized in that the key object management module further comprises a cryptographic algorithm module;
the cryptographic algorithm module is used to receive data from other parts inside the key object management module or from outside the key object management module, perform cryptographic algorithm processing on the data, and return the result of the cryptographic algorithm processing to the other parts inside the key object management module or to the outside of the key object management module.
4. The device of claim 3, characterized in that the cryptographic algorithm module further comprises an encryption algorithm module and a decryption algorithm module;
the encryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the encryption operation according to the data, and return the result of the encryption operation to the outside of the cryptographic algorithm module;
the decryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the decryption operation according to the data, and return the result of the decryption operation to the outside of the cryptographic algorithm module.
5. The device of claim 4, characterized in that the cryptographic algorithm module further comprises a symmetric encryption algorithm module and a symmetric decryption algorithm module, or comprises an asymmetric encryption algorithm module and an asymmetric decryption algorithm module, or comprises a symmetric encryption algorithm module, a symmetric decryption algorithm module, an asymmetric encryption algorithm module and an asymmetric decryption algorithm module;
the symmetric encryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the symmetric encryption operation according to the data, and return the result of the symmetric encryption operation to the outside;
the symmetric decryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the symmetric decryption operation according to the data, and return the result of the symmetric decryption operation to the outside;
the asymmetric encryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the asymmetric encryption operation according to the data, and return the result of the asymmetric encryption operation to the outside;
the asymmetric decryption algorithm module is used to receive data sent from outside the cryptographic algorithm module, carry out the asymmetric decryption operation according to the data, and return the result of the asymmetric decryption operation to the outside.
6. The device of claim 3, characterized in that the key object management module further comprises a key object manager and a key object module;
the key object manager is used to receive data sent from outside the key object management module, and to manage each key object submodule in the key object module according to the data and the cryptographic protocol selected by the device.
7. The device of claim 6, characterized in that the cryptographic algorithm module is used to be called by the key object module, perform a cryptographic operation according to the call command, and return the result of the cryptographic operation to the key object module.
8. The device of any one of claims 1 to 7, characterized in that the hash algorithm module, hash computation module, key object management module, cryptographic algorithm module, encryption algorithm module, decryption algorithm module, symmetric encryption algorithm module, symmetric decryption algorithm module, asymmetric encryption algorithm module, asymmetric decryption algorithm module, key object manager, key object module or key object submodule is implemented as a class or the equivalent of a class.
9. The device of claim 2, characterized in that the hash computation module is implemented as a singleton class.
10. The device of claim 6 or claim 7, characterized in that the key object manager further comprises a key object manager parent class and a key object manager subclass;
the key object manager parent class is used to implement common key management operations;
the key object manager subclass is used to implement specific key management operations.
11. The device of claim 6, characterized in that the key object module comprises a key object parent class and a key object subclass;
the key object parent class is used to receive the data sent by the key object manager and, according to the data, to provide the data interface for setting the attributes of key objects;
the key object subclass carries out the concrete operations of setting the attributes of each key object according to the data provided by the data interface of the key object parent class.
12. The device of claim 11, characterized in that the key object parent class further comprises a first-level key object parent class and a second-level key object parent class;
the first-level key object parent class is used to provide the data interfaces that all key objects need;
the second-level key object parent class is used to provide the data interfaces that not all key objects need.
13. A trusted computing system comprising an application layer, a trusted software stack core services layer (TCS) and a trusted platform module (TPM), characterized in that the system further comprises a device for providing interface data;
the application layer is used to send the requests that users of the trusted computing system make of the system;
the device for providing interface data sits between the application layer and the TCS layer, and is used to receive the requests and the TPM's results for the requests, perform modular hash algorithm processing or modular cryptographic algorithm processing on what the device receives, send to the TCS layer the requests that have undergone modular hash algorithm processing or modular cryptographic algorithm processing, and send to the application layer the TPM's results for the requests after hash algorithm processing or cryptographic algorithm processing;
the TCS layer is used to receive, store and send the TPM module's results for the requests and the requests that have undergone modular hash algorithm processing or modular cryptographic algorithm processing.
14. The system of claim 13, characterized in that the device for providing interface data comprises a hash algorithm module and a key object management module;
the hash algorithm module is used to receive the requests, the TPM's results for the requests, or data sent by the key object management module, perform modular hash algorithm processing on part or all of what the hash algorithm module receives, and store or send the result of the modular hash algorithm processing;
the key object management module is used to receive the requests, the TPM's results for the requests, or data sent by the hash algorithm module, perform modular cryptographic algorithm processing on part or all of what the key object management module receives, and store or send the result of the modular cryptographic algorithm processing.
15. The system of claim 14, characterized in that the hash algorithm module further comprises a platform configuration register (PCR) object management module, a PCR object module, a policy object management module and a policy object module;
the PCR object management module is used to receive data from outside the hash algorithm module and manage the PCR objects in the PCR object module according to the data, or to get data from the PCR object module and return part or all of the data to the outside of the hash algorithm module;
the policy object management module is used to receive data from outside the hash algorithm module and manage the policy objects in the policy object module according to the data, or to get data from the policy object module and return part or all of the data to the outside of the hash algorithm module.
16. The device of claim 15, characterized in that the hash computation module is used to be called by the PCR object module or the policy object module, perform a hash operation according to the call command, and return the result of the hash operation to the PCR object module or the policy object module.
17. A method for providing interface data, characterized in that it comprises the steps of:
A. receiving data;
B. determining whether the data needs hash algorithm processing or cryptographic algorithm processing; if hash algorithm processing is needed, carrying out step C; if cryptographic algorithm processing is needed, carrying out step D; if neither hash algorithm processing nor cryptographic algorithm processing is needed, carrying out step E;
C. performing hash algorithm processing on the data, and determining whether the result of the hash algorithm processing needs cryptographic algorithm processing; if so, carrying out step D, otherwise carrying out step F;
D. performing cryptographic algorithm processing on the data, and determining whether the result of the cryptographic algorithm processing needs hash algorithm processing; if so, carrying out step C, otherwise carrying out step F;
E. performing operations on the data other than hash algorithm processing and cryptographic algorithm processing;
F. sending the result of step C, the result of step D or the result of step E.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2007101770140A CN101431403A (en) | 2007-11-08 | 2007-11-08 | Apparatus and method for providing interface data and credible computing system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2007101770140A CN101431403A (en) | 2007-11-08 | 2007-11-08 | Apparatus and method for providing interface data and credible computing system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101431403A (en) | 2009-05-13 |
Family
ID=40646585
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2007101770140A Pending CN101431403A (en) | 2007-11-08 | 2007-11-08 | Apparatus and method for providing interface data and credible computing system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101431403A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102427449A (en) * | 2011-11-04 | 2012-04-25 | 北京工业大学 | Trusted mobile storage method based on security chips |
CN103250145A (en) * | 2010-12-21 | 2013-08-14 | 亚马逊技术股份有限公司 | Techniques for capturing data sets |
CN103875001A (en) * | 2011-03-31 | 2014-06-18 | 耶德托公司 | Method and system for protecting execution of cryptographic hash functions |
CN107277805A (en) * | 2016-04-06 | 2017-10-20 | 中国联合网络通信集团有限公司 | Data transferring method and terminal based on man-machine interaction |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103250145A (en) * | 2010-12-21 | 2013-08-14 | 亚马逊技术股份有限公司 | Techniques for capturing data sets |
CN103875001A (en) * | 2011-03-31 | 2014-06-18 | 耶德托公司 | Method and system for protecting execution of cryptographic hash functions |
CN102427449A (en) * | 2011-11-04 | 2012-04-25 | 北京工业大学 | Trusted mobile storage method based on security chips |
CN102427449B (en) * | 2011-11-04 | 2014-04-09 | 北京工业大学 | Trusted mobile storage method based on security chips |
CN107277805A (en) * | 2016-04-06 | 2017-10-20 | 中国联合网络通信集团有限公司 | Data transferring method and terminal based on man-machine interaction |
CN107277805B (en) * | 2016-04-06 | 2020-03-13 | 中国联合网络通信集团有限公司 | Data transmission method and terminal based on man-machine interaction |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111654367B (en) | Method for cryptographic operation and creation of working key, cryptographic service platform and device | |
CN109144961B (en) | Authorization file sharing method and device | |
US5103478A (en) | Secure management of keys using control vectors with multi-path checking | |
JP5100286B2 (en) | Cryptographic module selection device and program | |
US8379866B2 (en) | Method of distributing encoding/decoding program and symmetric key in security domain environment and data divider and data injector therefor | |
US20210067326A1 (en) | Cryptographic operation method, method for creating working key, cryptographic service platform, and cryptographic service device | |
EP1786138A1 (en) | Secure customer communication method and system | |
CN109728906B (en) | Anti-quantum-computation asymmetric encryption method and system based on asymmetric key pool | |
JP2001236014A (en) | Mechanism for merging a plurality of policies | |
CN106059760B (en) | A kind of cryptographic system from user terminal crypto module calling system private key | |
WO2024078347A1 (en) | Acceleration device, computing system and acceleration method | |
EP4348919A1 (en) | Data management and encryption in a distributed computing system | |
CN110648241A (en) | Claim settlement processing method and device based on micro-service architecture | |
WO2019191635A1 (en) | System and methods for preventing reverse transactions in a distributed environment | |
CN101431403A (en) | Apparatus and method for providing interface data and credible computing system | |
CN109768969A (en) | Authority control method and internet-of-things terminal, electronic equipment | |
CN112765610A (en) | Transaction scheduling method and device | |
Lavanya et al. | Secured two factor authentication, graph based replication and encryption strategy in cloud computing | |
EP0396894B1 (en) | Secure management of keys using control vectors with multi-path checking | |
Shin et al. | A Software Product Line Approach for Feature Modeling and Design of Secure Connectors. | |
US20050273443A1 (en) | Secure customer communication method and system | |
CN112800480A (en) | User data protection method for security computer | |
CN113761513A (en) | Data processing method, device, equipment and computer readable storage medium | |
JP2001216043A (en) | Mechanism for deciding constraint to be charged on mounting of service | |
US20240220985A1 (en) | Authenticating blockchain addresses |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
AD01 | Patent right deemed abandoned | Effective date of abandoning: 20090513 |
C20 | Patent right or utility model deemed to be abandoned or is abandoned |