CN101650764A - Creditable calculation password platform and realization method thereof - Google Patents


Publication number
CN101650764A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200910063824A
Other languages
Chinese (zh)
Other versions
CN101650764B (en)
Inventor
刘毅
余发江
魏天运
张大鹏
胡晓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
JETWAY INFORMATION SECURITY INDUSTRY Co Ltd
Original Assignee
JETWAY INFORMATION SECURITY INDUSTRY Co Ltd
Application filed by JETWAY INFORMATION SECURITY INDUSTRY Co Ltd
Priority to CN2009100638242A
Publication of CN101650764A
Application granted
Publication of CN101650764B
Legal status: Expired - Fee Related

Abstract

The invention relates to a trusted computing cryptographic platform and its implementation method, in the technical field of computer security. The platform comprises a hardware system and an operating system, the hardware system being connected to the operating system. The hardware system comprises a hardware security module (HSM) that is bound to the platform and comprises an embedded security module (ESM) connected to the mainboard and/or a pluggable USB/PCI cryptographic module. The operating system has an operating system security module comprising a mandatory access control submodule, a process monitoring submodule and an application integrity measurement and verification module. The invention widens the range of application of the trusted computing cryptographic platform technology, increases the attack resistance of the mandatory access control submodule, the process monitoring submodule and the integrity measurement and verification module themselves, measures the integrity of the whole platform, establishes a trusted environment for the whole platform, and fully protects the interests of the platform's user.

Description

A trusted computing cryptographic platform (creditable calculation password platform) and its implementation method
Technical field
The present invention relates to a trusted computing cryptographic platform and its implementation method. It belongs to the field of computer security technology and is particularly suited to settings with strict computer information security requirements.
Background
With the development of information technology and related industries, computing devices of all kinds are widely used, and they are interconnected in many ways to form information networks. Computing devices and information networks have advanced society but have also brought great security risks. These risks come mainly from the computing devices themselves: malicious programs such as computer viruses and Trojan horses are implanted in them and pose a serious threat to system security and data security, so that the devices are no longer "trusted". How to ensure that a computing device is trusted has become a very important problem. Here "platform" denotes a computing device of any type, including a combination of hardware, firmware and software.
To improve the trustworthiness of a platform, the measures taken so far are mainly "installing protection software", "enhancing operating system security" and "adding a security coprocessor":
1. The protection software installed today is mainly antivirus tools, firewalls and the like. Such software mostly takes passive protective measures: it can only remove known computer viruses and block known network attacks, and is powerless against new viruses and attacks. Protection software runs on top of the operating system, and both the protection software and the operating system are themselves easily attacked. Installing protection software cannot fundamentally solve the information security problem.
2. Operating system security enhancement mainly adds security measures such as mandatory access control to the operating system. Malicious programs such as computer viruses and Trojan horses may be loaded into memory before the operating system loads, and so evade the operating system's security measures. Enhancing operating system security cannot fundamentally solve the information security problem.
3. Adding a security coprocessor adds a relatively secure, independent computing environment to the platform, used to run security applications. This approach does not improve the security of the original platform itself.
None of these approaches can fundamentally solve the platform's information security problem. For this reason companies such as IBM, Hewlett-Packard, Microsoft and Intel founded the Trusted Computing Group (TCG), which, in order to improve the trustworthiness of platforms, proposed the concept of the "trusted computing platform" and drew up and published a series of specifications for it. A trusted computing platform is an ordinary computing platform with an embedded Trusted Platform Module (TPM). A chain of trust is established on the basis of the TPM to measure the integrity of each platform component, the component integrity measurement values are stored in the TPM, and the TPM reports the platform integrity measurement values to entities concerned with the platform's security state. Such an entity decides according to some security policy whether the platform is trusted and then takes the corresponding response. The trusted computing platform specifications published by TCG do not define how to improve the trustworthiness of existing platforms, how to implement a trusted computing platform operating system, or how to measure the integrity of application programs.
Cryptography is one of the key technologies of information security. TCG deliberately downplays the use of symmetric-key cryptographic algorithms, although compared with asymmetric-key cryptographic algorithms they have an advantage in security strength. How to add support for symmetric-key cryptographic algorithms to a trusted computing platform is also a key issue in ensuring that the platform is trusted.
Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art and to provide a trusted computing cryptographic platform and its implementation method that fundamentally guarantee the trustworthiness of computing devices: 1. for existing platforms, increase security strength, range of application and flexibility of application; 2. increase the attack resistance of the submodules themselves; 3. add process monitoring and recording, fully protecting the interests of the platform user; 4. measure the integrity of the whole platform, so that a trusted environment is established for the whole platform.
The technical scheme of the invention is as follows. A trusted computing cryptographic platform comprises a hardware system and an operating system, the hardware system being connected to the operating system. The hardware system comprises a hardware security module HSM (Hardware Security Module). The HSM is bound to the platform and comprises an embedded security module ESM (Embedded Security Module) connected to the mainboard and/or a pluggable USB/PCI cryptographic module. The operating system has an operating system security module comprising a mandatory access control submodule, a process monitoring submodule and an application integrity measurement and verification module.
The mandatory access control submodule comprises an access control execution unit and an access control list (ACL). The process monitoring submodule comprises a process monitoring execution unit and a process behavior standard database. The application integrity measurement and verification module is a security module running on the operating system and comprises a measurement verification execution unit and a process integrity value standard database.
The HSM is a separately packaged security chip, or an independent security module integrating several chips, or a combined module integrated directly with other chips, or a composite chip in which it is embedded in the form of an IP core.
The HSM is bound to the platform either physically, with the embedded security module ESM soldered directly onto the platform mainboard, or logically, with the pluggable USB/PCI cryptographic module and the platform authenticating each other.
The HSM also has a symmetric-key cryptographic algorithm engine capable of high-speed operation, and a high-speed interface for fast data transfer with the platform host.
An implementation method for the trusted computing cryptographic platform comprises the following procedures:
1) the HSM performs high-speed symmetric-key encryption and decryption with its symmetric-key cryptographic algorithm engine, and replaces the symmetric-key cryptographic algorithm;
2) the HSM protects the integrity of the access control execution unit, the process monitoring execution unit and the measurement verification execution unit;
3) the process monitoring submodule evaluates and monitors the process behavior standard database;
4) the application integrity measurement and verification module evaluates and responds to the process integrity value standard database.
The step in which the HSM performs high-speed symmetric-key encryption and decryption with its algorithm engine and replaces the symmetric-key cryptographic algorithm is as follows.
For an embedded security module ESM soldered directly onto the mainboard, the new cryptographic algorithm code is securely downloaded into the ESM and the original cryptographic algorithm code is removed. The access control execution unit, the process monitoring execution unit and the measurement verification execution unit are integrity-protected by the HSM.
For a pluggable USB/PCI cryptographic module, a cryptographic module with the new symmetric-key cryptographic algorithm engine is inserted into the platform and authenticates mutually with the platform, completing the logical binding.
The step of securely downloading new cryptographic algorithm code into the ESM is: the ESM first ensures the confidentiality of the new symmetric-key algorithm code during download, authenticates that the new code was indeed written by a trusted party, and ensures that the downloaded code has not been tampered with; the code is then written completely and faithfully into the ESM; finally the original cryptographic algorithm code is removed. The step of inserting a cryptographic module with a new symmetric-key algorithm engine is: platform-related data such as keys on the old USB/PCI cryptographic module must first be migrated securely to the module with the new engine; the old and new modules then authenticate each other, which ensures that both are cryptographic modules bound to the same platform and ensures the confidentiality and integrity of the migrated data.
The step in which the HSM protects the integrity of the access control execution unit, the process monitoring execution unit and the measurement verification execution unit is: when the operating system kernel starts, it first interacts with the HSM to confirm that these protected units have not been tampered with. Once this is confirmed, the access control execution unit, process monitoring execution unit and measurement verification execution unit are loaded into platform memory and begin to run. If tampering is found, trusted recovery is performed on the protected units.
The evaluation and monitoring of the process behavior standard database by the process monitoring submodule is as follows. Before the access control execution unit reads or queries the access control list, it first interacts with the HSM to determine whether the access control list has been tampered with; if it has, trusted recovery is performed on it. When a process on the operating system is about to run, the process monitoring execution unit generates a process companion for that process; before querying the process behavior standard database, the process companion first interacts with the HSM to determine whether the database has been tampered with; if it has, trusted recovery is performed on it. Before querying the process integrity value standard database, the measurement verification execution unit first interacts with the HSM to determine whether the database has been tampered with; if it has, trusted recovery is performed on it. The process behavior standard database is built by the process monitoring submodule from the documentation of the program's developer or publisher, or is obtained from a trusted party that has evaluated the program's processes, or from a recommender that considers the program's processes trustworthy.
The evaluation and response to the process integrity value standard database by the application integrity measurement and verification module is as follows. When an application is about to run, the measurement verification execution unit reads the program's code and configuration data, uses the fundamental function to compute the actual integrity value of each, and stores these actual integrity values in the HSM to form the platform integrity state data. Having obtained the actual integrity values, the measurement verification execution unit queries the process integrity value standard database for the standard integrity values of the program's code and configuration data. It then compares the actual and standard integrity values of the program code and data: if they match the program is allowed to run, otherwise it is forbidden to run. The actual integrity values stored in the HSM form the platform integrity state data; when an entity concerned with the platform's security state queries the platform's trustworthiness, the HSM reports the platform integrity state data to that entity. The entity decides according to some security policy whether the platform is trusted and takes the corresponding response.
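The database tamper check and the launch-time measurement described above, as an added Python example that is not code from the patent. SHA-256 stands in for the unspecified fundamental function, and the `SoftHSM` class, its HMAC tag over the standard database and the sealed backup copy used for trusted recovery are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample program image and configuration (not from the patent).
GOOD_CODE = b"print('open document')"
GOOD_CONFIG = b"autosave=on\n"
PATCHED_CODE = GOOD_CODE + b"; import os"


def measure(data: bytes) -> str:
    """Integrity value of one item; SHA-256 is an assumed choice of function."""
    return hashlib.sha256(data).hexdigest()


def serialize(db: dict) -> bytes:
    """Canonical byte form of the standard database, so its tag is stable."""
    return json.dumps(db, sort_keys=True).encode()


class SoftHSM:
    """Software stand-in for the HSM (hypothetical): it keeps a MAC key and the
    measurement log that forms the platform integrity state data."""

    def __init__(self, key: bytes):
        self._key = key
        self._log = []

    def seal(self, blob: bytes) -> bytes:
        return hmac.new(self._key, blob, hashlib.sha256).digest()

    def untampered(self, blob: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.seal(blob), tag)

    def record(self, program: str, values: dict) -> None:
        self._log.append((program, dict(values)))

    def report(self) -> list:
        """What an entity querying platform trustworthiness would receive."""
        return list(self._log)


class MeasurementVerifier:
    """Measurement verification execution unit (illustrative)."""

    def __init__(self, hsm: SoftHSM, db_blob: bytes, db_tag: bytes, backup_blob: bytes):
        self.hsm = hsm
        self.db_blob = db_blob
        self.db_tag = db_tag
        self.backup_blob = backup_blob
        self.recoveries = 0

    def _standard_db(self) -> dict:
        # Ask the HSM whether the database was altered before trusting any entry.
        if not self.hsm.untampered(self.db_blob, self.db_tag):
            # Trusted recovery (assumed form): fall back to a backup that itself verifies.
            if not self.hsm.untampered(self.backup_blob, self.db_tag):
                raise RuntimeError("standard database and backup both fail the HSM check")
            self.db_blob = self.backup_blob
            self.recoveries += 1
        return json.loads(self.db_blob)

    def authorize(self, program: str, code: bytes, config: bytes) -> bool:
        actual = {"code": measure(code), "config": measure(config)}
        # Stored before the verdict, so refused launches also appear in the report.
        self.hsm.record(program, actual)
        standard = self._standard_db().get(program)
        if standard is None:
            return False  # no standard value on file: do not run
        return all(hmac.compare_digest(actual[k], standard.get(k, ""))
                   for k in ("code", "config"))


def build_demo():
    """Constructed setup: one known program with sealed standard values."""
    hsm = SoftHSM(key=b"constructed-demo-key")
    blob = serialize({"editor": {"code": measure(GOOD_CODE),
                                 "config": measure(GOOD_CONFIG)}})
    return hsm, MeasurementVerifier(hsm, blob, hsm.seal(blob), blob)


if __name__ == "__main__":
    hsm, verifier = build_demo()
    print(verifier.authorize("editor", GOOD_CODE, GOOD_CONFIG))     # matches the standard
    print(verifier.authorize("editor", PATCHED_CODE, GOOD_CONFIG))  # modified code
    print(len(hsm.report()))
```

Rewriting the database entry to match a modified binary does not help an attacker here, because the altered database no longer verifies against the tag held by the HSM and the verified copy is restored first.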
The main advantages of the invention are:
1. For an existing platform, the security of the whole platform can be increased by inserting a USB/PCI cryptographic card, which greatly widens the range of application of the trusted computing cryptographic platform technology described here. Adding a symmetric-key cryptographic algorithm engine to the HSM increases the security strength of the HSM. Because the HSM's symmetric-key cryptographic algorithm is replaceable, the platform can be applied more flexibly and suits different application fields.
2. The operating system of the trusted computing cryptographic platform has a mandatory access control submodule whose access control execution unit and access control list are protected by the HSM, which increases the attack resistance of the mandatory access control submodule itself.
3. The operating system of the trusted computing cryptographic platform has a process monitoring submodule whose process monitoring execution unit and process behavior standard database are protected by the HSM, which increases the attack resistance of the process monitoring submodule itself. The process monitoring submodule can record the behavior of platform processes; if the behavior of a program's process is found to be inconsistent with what its developer or publisher declared, the recorded data can be used in litigation against that vendor, so that the interests of the platform user are fully protected.
4. The trusted computing cryptographic platform has an integrity measurement and verification module whose measurement verification execution unit and process integrity value standard database are protected by the HSM, which increases the attack resistance of the integrity measurement and verification module itself. By measuring and verifying the integrity of applications, the module ensures that the integrity of the whole platform is measured and that a trusted environment is established for the whole platform.
Description of the drawings
Fig. 1 is a schematic diagram of the trusted computing cryptographic platform of the invention;
Fig. 2 is a schematic diagram of an embodiment of the high-speed encryption/decryption function of the embedded security module ESM;
Fig. 3 is the encryption/decryption flow chart of the embodiment shown in Fig. 2;
Fig. 4 is a schematic diagram of an embodiment in which the ESM replaces its symmetric-key cryptographic algorithm;
Fig. 5 is a schematic diagram of an embodiment in which the platform ensures that a new symmetric-key cryptographic algorithm downloaded into the ESM comes from a trusted party;
Fig. 6 is a flow chart of how a developer or publisher of symmetric-key algorithm code becomes a trusted party in the embodiment shown in Fig. 5;
Fig. 7 is a schematic diagram of the symmetric-key algorithm download package in the embodiment shown in Fig. 5;
Fig. 8 is a flow chart of how the ESM judges whether downloaded algorithm code comes from a trusted party in the embodiment shown in Fig. 5;
Fig. 9 is a schematic diagram of an embodiment of the logical binding of a pluggable USB/PCI cryptographic module to the platform;
Fig. 10 is a flow chart of the platform authenticating the cryptographic module in the embodiment shown in Fig. 9;
Fig. 11 is a flow chart of the cryptographic module authenticating the platform in the embodiment shown in Fig. 9;
Fig. 12 is a schematic diagram of an embodiment in which the HSM prevents the access control execution unit, process monitoring execution unit and measurement verification execution unit from being tampered with;
Fig. 13 is a schematic diagram of an embodiment in which the HSM prevents the access control list, process behavior standard database and process integrity value standard database from being tampered with.
Embodiments
The invention is further described below with reference to the drawings and embodiments.
As shown in the figures, the trusted computing cryptographic platform has a layered structure with a hardware system 100 and an operating system 200; the hardware system 100 is connected to the operating system 200. The hardware system 100 has a hardware security module HSM 110 (Hardware Security Module). The HSM 110 is bound to the platform; it is an embedded security module ESM 130 (Embedded Security Module) connected to the mainboard, and may also be a pluggable USB/PCI cryptographic module 170/150. A pluggable USB cryptographic module 170, a PCI cryptographic module 150, or all three together constitute different embodiments. The operating system 200 has an operating system security module composed of a mandatory access control submodule 220, a process monitoring submodule 240 and an application integrity measurement and verification module 260; it may also have other modules. The mandatory access control submodule 220 contains an access control execution unit and an access control list, is protected by the HSM 110, and enforces permission control over reading, writing, execution and similar operations by the subjects and objects of the system, including applications. The process monitoring submodule 240 contains a process monitoring execution unit and a process behavior standard database, is protected by the HSM 110, and is mainly responsible for monitoring the run-time behavior of the processes of applications 300. The application integrity measurement and verification module 260 is a security module running on the operating system; it contains a measurement verification execution unit and a process integrity value standard database, is protected by the HSM 110, and is mainly responsible for measuring and verifying the integrity of the program code and configuration data of applications 300.
The HSM 110 is a separately packaged security chip, or an independent security module integrating several chips, or a combined module integrated directly with other chips, or a composite chip in which it is embedded in the form of an IP core. Whichever form is used, the HSM 110 has a relatively independent architecture, basic functions and mode of use. The HSM 110 is bound to the platform either physically, with the ESM 130 soldered directly onto the platform mainboard, or logically, with the pluggable USB/PCI cryptographic module 170/150 and the platform authenticating each other. The access control execution unit, process monitoring execution unit and measurement verification execution unit are integrity-protected by the HSM 110. The protection step is: when the kernel of the operating system 200 starts, the protected access control execution unit, process monitoring execution unit and measurement verification execution unit first interact with the HSM 110 to confirm that they have not been tampered with. Once this is confirmed, the protected units are loaded into platform memory and begin to run. If tampering is found, trusted recovery is performed on the protected units. The HSM 110 also has a symmetric-key cryptographic algorithm engine that performs high-speed symmetric-key encryption and decryption and whose symmetric-key algorithm is replaceable, and a high-speed interface for fast data transfer with the platform host.
An implementation method for the trusted computing cryptographic platform has the following procedures:
1) the HSM 110 performs high-speed symmetric-key encryption and decryption with its symmetric-key cryptographic algorithm engine, and replaces the symmetric-key cryptographic algorithm;
2) the HSM 110 protects the integrity of the access control execution unit, the process monitoring execution unit and the measurement verification execution unit;
3) the process monitoring submodule 240 evaluates and monitors the process behavior standard database;
4) the application integrity measurement and verification module 260 evaluates and responds to the process integrity value standard database.
The step in which the HSM 110 performs high-speed symmetric-key encryption and decryption with its algorithm engine and replaces the symmetric-key cryptographic algorithm is as follows. For an ESM 130 soldered directly onto the mainboard, the new cryptographic algorithm code is securely downloaded into the ESM 130 and the original cryptographic algorithm code is removed. The access control execution unit, process monitoring execution unit and measurement verification execution unit are integrity-protected by the HSM 110. For a pluggable USB/PCI cryptographic module 170/150, a cryptographic module with the new symmetric-key cryptographic algorithm engine is inserted into the platform and authenticates mutually with the platform, completing the logical binding.
The step of securely downloading new cryptographic algorithm code into the ESM 130 is: the ESM 130 first ensures the confidentiality of the new symmetric-key algorithm code during download, authenticates that the new code was indeed written by a trusted party, and ensures that the downloaded code has not been tampered with; the code is then written completely and faithfully into the ESM 130; finally the original cryptographic algorithm code is removed. The step of inserting a cryptographic module with a new symmetric-key algorithm engine is: platform-related data such as keys on the old USB/PCI cryptographic module 170/150 must first be migrated securely to the module with the new engine; the old and new modules then authenticate each other, which ensures that both are cryptographic modules bound to the same platform and ensures the confidentiality and integrity of the migrated data.
The step in which the HSM 110 protects the integrity of the access control execution unit, process monitoring execution unit and measurement verification execution unit is: when the kernel of the operating system 200 starts, it first interacts with the HSM 110 to confirm that these protected units have not been tampered with. Once this is confirmed, the access control execution unit, process monitoring execution unit and measurement verification execution unit are loaded into platform memory and begin to run. If tampering is found, trusted recovery is performed on the protected units.
The evaluation and monitoring of the process behavior standard database by the process monitoring submodule 240 is as follows. Before the access control execution unit reads or queries the access control list, it first interacts with the HSM 110 to determine whether the access control list has been tampered with; if it has, trusted recovery is performed on it. When a process on the operating system is about to run, the process monitoring execution unit generates a process companion for that process; before querying the process behavior standard database, the process companion first interacts with the HSM 110 to determine whether the database has been tampered with; if it has, trusted recovery is performed on it. Before querying the process integrity value standard database, the measurement verification execution unit first interacts with the HSM 110 to determine whether the database has been tampered with; if it has, trusted recovery is performed on it. The process behavior standard database is built by the process monitoring submodule from the documentation of the program's developer or publisher, or is obtained from a trusted party that has evaluated the program's processes, or from a recommender that considers the program's processes trustworthy.
The evaluation and response to the process integrity value standard database by the application integrity measurement and verification module 260 is as follows. When an application is about to run, the measurement verification execution unit reads the program's code and configuration data, uses the fundamental function to compute the actual integrity value of each, and stores these actual integrity values in the HSM 110 to form the platform integrity state data. Having obtained the actual integrity values, the measurement verification execution unit queries the process integrity value standard database for the standard integrity values of the program's code and configuration data. It then compares the actual and standard integrity values of the program code and data: if they match the program is allowed to run, otherwise it is forbidden to run. The actual integrity values stored in the HSM 110 form the platform integrity state data; when an entity concerned with the platform's security state queries the platform's trustworthiness, the HSM 110 reports the platform integrity state data to that entity. The entity decides according to some security policy whether the platform is trusted and takes the corresponding response.
The process monitoring execution unit works as follows. When a process on the operating system is about to run, the process monitoring execution unit generates a process companion for it. The process companion queries the process behavior standard database to obtain the behavior standard data of the process, records the actual run-time behavior of the process, and compares it with the standard behavior. If the run-time behavior of the process is found to be inconsistent with the standard behavior and may cause significant damage to the system, the process companion can stop the process. When the process ends normally or is aborted, the process companion also ends. Before it ends, the process companion writes the actual run-time behavior data of the process into the HSM to form the platform running-state report data.
The process companion writes the actual run-time behavior data of the process into the HSM; when an entity concerned with the platform's security state queries the platform's trustworthiness, the HSM reports the actual running data of all the platform's processes to that entity. The entity decides according to some security policy whether the platform is trusted and takes the corresponding response.
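The process companion described above, sketched as an added Python example that is not code from the patent. The behavior standard format (operation plus path pattern), the set of operations treated as potentially damaging, and the list standing in for HSM storage are all assumptions; the events are constructed sample data.

```python
import posixpath
from fnmatch import fnmatch

# Assumption: deviations involving these operations may damage the system.
DESTRUCTIVE_OPS = {"write", "delete", "exec"}

# Constructed behavior standard: what the publisher declares the program does.
BEHAVIOR_DB = {
    "editor": [("read", "/home/user/docs/*"), ("write", "/home/user/docs/*")],
}


class ProcessCompanion:
    """Per-process monitor generated when the process is about to run."""

    def __init__(self, program, behavior_db, hsm_store):
        self.program = program
        self.allowed = behavior_db.get(program, [])
        self.hsm_store = hsm_store      # stand-in for storage inside the HSM
        self.record = []
        self.state = "running"

    def _conforms(self, op, target):
        return any(op == a_op and fnmatch(target, pattern)
                   for a_op, pattern in self.allowed)

    def observe(self, op, target):
        if self.state != "running":
            raise RuntimeError("process has already ended")
        # Normalize first so "docs/../../etc" cannot pass as a path under docs/.
        target = posixpath.normpath(target)
        ok = self._conforms(op, target)
        self.record.append({"op": op, "target": target, "conforms": ok})
        if not ok and op in DESTRUCTIVE_OPS:
            self.finish("aborted")      # stop the process, then end the companion
            return "stopped"
        return "ok" if ok else "deviation"

    def finish(self, how="normal"):
        # The behavior record is written out exactly once, before the companion ends.
        if self.state == "running":
            self.state = how
            self.hsm_store.append({"program": self.program, "end": how,
                                   "behavior": list(self.record)})


def run_monitored(program, events, behavior_db, hsm_store):
    """Feed (operation, target) events to a companion; return how the process ended."""
    companion = ProcessCompanion(program, behavior_db, hsm_store)
    for op, target in events:
        if companion.observe(op, target) == "stopped":
            break
    companion.finish()
    return companion.state


if __name__ == "__main__":
    store = []
    events = [("read", "/etc/hostname"),
              ("write", "/home/user/docs/../../../etc/hosts"),
              ("read", "/home/user/docs/b.txt")]
    print(run_monitored("editor", events, BEHAVIOR_DB, store))
    print(store[0]["behavior"])
```

A non-conforming read is only recorded as a deviation, while a non-conforming write stops the process; both end up in the record that a querying entity would later receive.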
Described process integrity value standard database can be measured authentication module by application integrity and set up according to application developers or program code that the publisher announced and the standard integrity value of configuration data, also can obtain from the trusted party that application programs is evaluated and tested or from thinking that this program is that believable recommendation side obtains.
The embodiment shown in Fig. 2 uses FPGA 136 to perform high-speed encryption and decryption; security chip 133 is responsible only for accepting encryption and decryption commands and loading the key into FPGA 136. The PCIE bridge 139 of embedded security module ESM 130 carries out the high-speed transfer of large volumes of encryption and decryption data over the platform PCI bus 102.
Fig. 3 is the encryption and decryption flowchart of the embodiment shown in Fig. 2, illustrating an embodiment in which embedded security module ESM 130 performs high-speed encryption and decryption. The flow starts at block 1331, where security chip 133 receives an encryption or decryption command. At block 1335, security chip 133 loads the key into FPGA 136. At block 1361, FPGA 136 accepts the data to be encrypted or decrypted. At block 1364, FPGA 136 performs the encryption or decryption. At block 1367, FPGA 136 returns the resulting data, and the whole high-speed encryption and decryption process ends.
Fig. 4 shows an embodiment in which embedded security module ESM 130 replaces the symmetric key cipher algorithm. In the embodiment shown in Fig. 4, embedded security module ESM 130 comprises security chip 133 and field programmable gate array FPGA 136, and the general-purpose input/output (GPI/O) pins on security chip 133 are connected to the GPI/O 103 pins on the platform's I/O controller hub ICH. A self-defined GPI/O security protocol provides secure transmission of data between security chip 133 and the platform host, ensuring the security of the symmetric key cipher algorithm code. The creditable calculation password platform must ensure that a new symmetric key cipher algorithm downloaded into FPGA 136 was written by a trusted party and that the code has not been tampered with; only after the new code has been written into the FPGA completely and correctly is the old algorithm code removed.
Fig. 5 shows an embodiment in which the creditable calculation password platform ensures that a new symmetric key cipher algorithm downloaded into embedded security module ESM 130 comes from trusted party TP 400. In the embodiment shown in Fig. 5, embedded security module ESM 130 has a public/private key pair KESM, which can be generated by the manufacturer of ESM 130 at the manufacturing stage, or by the platform user with the corresponding command during initial configuration of the platform. The private key PRIKESM 1303 of KESM is stored in the protected storage area of ESM 130, and ESM 130 must guarantee the confidentiality, integrity and permission control of PRIKESM 1303. If a developer or publisher of new symmetric key cipher algorithm code wants to be regarded as a trusted developer or publisher of algorithm code, that is, as trusted party TP 400, this developer or publisher generates a public/private key pair KTP and sends the public key PUBKTP of KTP, together with related data about the developer or publisher, to ESM 130. ESM 130 judges, by means such as data verification, whether the developer or publisher is trustworthy; after determining that it is, ESM 130 uses PRIKESM 1303 to sign certificate CERTPubktp 4007 for this developer or publisher. The certificate contains the statement that this developer or publisher holds public key PUBKTP. The developer or publisher must keep the private key PRIKTP 4003 of KTP secure. ESM 130 sends the signed certificate CERTPubktp 4007 to the developer or publisher, which verifies the certificate with the public key PUBKESM of KESM and, after verification passes, stores certificate CERTPubktp 4007; the developer or publisher of the algorithm code thereby becomes a trusted party for developing or publishing algorithm code for ESM 130. After developing or obtaining new symmetric key cipher algorithm code, the trusted party signs the algorithm code with PRIKTP 4003 and sends the algorithm code, the code signature and CERTPubktp 4007 together to ESM 130. ESM 130 first verifies CERTPubktp 4007; after verification passes it obtains PUBKTP from the certificate, and then uses PUBKTP to verify the algorithm code signature. If verification passes, the algorithm code is determined to have been developed or published by a trusted party; otherwise it is determined to have been developed or published by an untrusted party.
Fig. 6 is the flowchart of how the symmetric key cipher algorithm code developer or publisher in the embodiment of Fig. 5 becomes a trusted party. The flow starts at block 4011, where the algorithm code developer or publisher generates the public/private key pair KTP. At block 4015, the developer or publisher sends the public key PUBKTP of KTP and related data to embedded security module ESM 130. At block 4019, ESM 130 carries out qualification of the developer or publisher. At block 4023, qualification having passed, ESM 130 signs certificate CERTPubktp with PRIKESM. At block 4027, ESM 130 sends certificate CERTPubktp to the developer or publisher. At block 4031, the developer or publisher verifies CERTPubktp; verification passes, and it becomes trusted party TP.
Fig. 7 is a schematic diagram of the symmetric key cipher algorithm code download package in the embodiment of Fig. 5. It shows the composition of the algorithm code download package 4035 that trusted party TP 400 sends to embedded security module ESM 130: algorithm code 4039, algorithm code signature 4043 and certificate CERTPubktp 4007.
Fig. 8 is the flowchart by which embedded security module ESM 130 in the embodiment of Fig. 5 judges whether downloaded algorithm code comes from a trusted party. It illustrates how ESM 130 downloads new symmetric key cipher algorithm code and how it judges whether the code was developed or published by a trusted party. The flow starts at block 4051, where the trusted party develops or obtains the algorithm code. At block 4055, the trusted party sends algorithm code download package 4035 to ESM 130. At block 4059, ESM 130 verifies certificate CERTPubktp 4007. At block 4063, certificate verification having passed, PUBKTP is obtained from the certificate. At diamond 4067, ESM 130 uses PUBKTP to verify the algorithm code signature data. If the signature data is correct, the flow goes to block 4071 and the algorithm code is determined to come from a trusted party; if the signature data is wrong, the flow goes to block 4075 and the algorithm is judged to come from an untrusted party.
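
The verification order of Figs. 5 to 8 (certificate first, then the code signature with the key taken from that certificate), as an added Go example that is not part of the patent. Ed25519, the certificate layout and the names `Certificate`, `Package`, `IssueCert`, `SignCode`, `VerifyPackage` and `RunScenarios` are assumptions, since the patent fixes no signature algorithm or encoding; all keys and data are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate stands in for CERTPubktp 4007: the statement that Holder holds
// PUBKTP, signed with the ESM private key PRIKESM. The field layout is assumed.
type Certificate struct {
	Holder string
	PubKTP ed25519.PublicKey
	Sig    []byte
}

// body is the byte string the ESM signs. PubKTP has a fixed length, so the
// boundary between Holder and key is unambiguous once that length is checked.
func (c Certificate) body() []byte {
	var b bytes.Buffer
	b.WriteString("CERTPubktp\x00")
	b.WriteString(c.Holder)
	b.WriteByte(0)
	b.Write(c.PubKTP)
	return b.Bytes()
}

// Package mirrors download package 4035: code 4039, signature 4043, certificate 4007.
type Package struct {
	Code    []byte
	CodeSig []byte
	Cert    Certificate
}

var (
	ErrBadCert = errors.New("certificate was not signed with PRIKESM")
	ErrBadSig  = errors.New("algorithm code signature does not verify")
)

// IssueCert is block 4023: after qualification the ESM signs the certificate.
func IssueCert(priKESM ed25519.PrivateKey, holder string, pubKTP ed25519.PublicKey) Certificate {
	c := Certificate{Holder: holder, PubKTP: pubKTP}
	c.Sig = ed25519.Sign(priKESM, c.body())
	return c
}

// SignCode is the trusted party signing the code with PRIKTP and building the package.
func SignCode(priKTP ed25519.PrivateKey, cert Certificate, code []byte) Package {
	return Package{Code: code, CodeSig: ed25519.Sign(priKTP, code), Cert: cert}
}

// VerifyPackage is blocks 4059 to 4075. PUBKTP is trusted only after the
// certificate that carries it has verified under PUBKESM.
func VerifyPackage(pubKESM ed25519.PublicKey, p Package) error {
	if len(pubKESM) != ed25519.PublicKeySize || len(p.Cert.PubKTP) != ed25519.PublicKeySize {
		return ErrBadCert
	}
	if !ed25519.Verify(pubKESM, p.Cert.body(), p.Cert.Sig) {
		return ErrBadCert
	}
	if !ed25519.Verify(p.Cert.PubKTP, p.Code, p.CodeSig) {
		return ErrBadSig
	}
	return nil
}

// RunScenarios checks a genuine package, a package whose code changed after
// signing, and a package whose certificate was not issued by this ESM.
func RunScenarios() (genuine, tampered, foreignCert error) {
	pubKESM, priKESM, _ := ed25519.GenerateKey(rand.Reader)
	pubKTP, priKTP, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(priKESM, "constructed-publisher", pubKTP)
	pkg := SignCode(priKTP, cert, []byte("constructed algorithm image v2"))
	genuine = VerifyPackage(pubKESM, pkg)

	bad := pkg
	bad.Code = append([]byte{}, pkg.Code...)
	bad.Code[0] ^= 1
	tampered = VerifyPackage(pubKESM, bad)

	// Certificate signed with a key other than PRIKESM.
	pubX, priX, _ := ed25519.GenerateKey(rand.Reader)
	other := SignCode(priX, IssueCert(priX, "constructed-unknown", pubX), pkg.Code)
	foreignCert = VerifyPackage(pubKESM, other)
	return genuine, tampered, foreignCert
}

func main() {
	g, t, f := RunScenarios()
	fmt.Println("genuine package:", g)
	fmt.Println("code changed after signing:", t)
	fmt.Println("certificate from another issuer:", f)
}
```
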
Fig. 9 shows an embodiment of the logical binding of a pluggable USB/PCI crypto module to the platform. In the embodiment shown in Fig. 9, platform key PKEY 1065 and module key MKEY 1105 are stored in BIOS 106 of platform motherboard 105. Platform key PKEY 1065 can be generated by the platform manufacturer at the manufacturing stage, or by the platform user during initial configuration of the platform; module key MKEY 1105 is imported into BIOS 106 by the platform user in a secure manner during initial configuration of the platform. Platform key PKEY 1065 and module key MKEY 1105 are also stored in the USB/PCI crypto module; both are loaded into the module in a secure manner by the administrator when the crypto module is issued.
Fig. 10 is the flowchart of the platform authenticating the crypto module in the embodiment of Fig. 9. It illustrates how the platform verifies that the USB/PCI crypto module inserted into it is the correct module bound to the platform. The flow starts at block 1063, where the BIOS generates random number N. At block 1067, the BIOS sends random number N to the crypto module. At block 1109, the crypto module encrypts N with module key MKEY: M = Enc(N, MKEY). At block 1113, the crypto module sends M to the BIOS. At block 1071, the BIOS decrypts M with module key MKEY: N' = Dec(M, MKEY). At diamond 1075, the BIOS compares N and N'. If the two are identical, the flow goes to block 1079: the crypto module is correct. If the two differ, the flow goes to block 1083: the crypto module is wrong.
Fig. 11 is the flowchart of the crypto module authenticating the platform in the embodiment of Fig. 9. It illustrates how the USB/PCI crypto module inserted into the platform verifies that the platform it is in is the correct platform it is bound to. The flow starts at block 1117, where the module generates random number N. At block 1121, the crypto module sends random number N to the BIOS. At block 1087, the BIOS encrypts N with platform key PKEY: M = Enc(N, PKEY). At block 1091, the BIOS sends M to the crypto module. At block 1125, the module decrypts M with platform key PKEY: N' = Dec(M, PKEY). At diamond 1129, the module compares N and N'. If the two are identical, the flow goes to block 1133: the platform is correct. If the two differ, the flow goes to block 1137: the platform is wrong.
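
Both directions of the Fig. 10 and Fig. 11 exchange, as an added Go example that is not part of the patent. It assumes Enc/Dec is a single AES block operation and N is one 16-byte block, which the patent does not specify; `Party`, `demoKey`, `MutualBind` and the other names are hypothetical, and all keys are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Party is one side of Fig. 9. BIOS 106 and the crypto module each store
// platform key PKEY 1065 and module key MKEY 1105.
type Party struct{ PKEY, MKEY []byte }

// demoKey derives a constructed 256-bit key from a label, for this demo only.
func demoKey(label string) []byte {
	k := sha256.Sum256([]byte(label))
	return k[:]
}

// NewChallenge generates random number N (blocks 1063 and 1117).
func NewChallenge() ([]byte, error) {
	n := make([]byte, aes.BlockSize)
	_, err := rand.Read(n)
	return n, err
}

// Respond computes M = Enc(N, key) (blocks 1109 and 1087).
func Respond(key, n []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(n) != aes.BlockSize {
		return nil, fmt.Errorf("challenge must be %d bytes", aes.BlockSize)
	}
	m := make([]byte, aes.BlockSize)
	blk.Encrypt(m, n)
	return m, nil
}

// Check computes N' = Dec(M, key) and compares it with N
// (blocks 1071 to 1075 and 1125 to 1129).
func Check(key, n, m []byte) bool {
	blk, err := aes.NewCipher(key)
	if err != nil || len(n) != aes.BlockSize || len(m) != aes.BlockSize {
		return false
	}
	nPrime := make([]byte, aes.BlockSize)
	blk.Decrypt(nPrime, m)
	return subtle.ConstantTimeCompare(n, nPrime) == 1
}

// authenticate runs one direction: the verifier challenges, the prover answers.
func authenticate(verifierKey, proverKey []byte) bool {
	n, err := NewChallenge()
	if err != nil {
		return false
	}
	m, err := Respond(proverKey, n)
	return err == nil && Check(verifierKey, n, m)
}

// MutualBind runs Fig. 10 (the platform authenticates the module with MKEY)
// and Fig. 11 (the module authenticates the platform with PKEY).
func MutualBind(bios, module Party) (moduleOK, platformOK bool) {
	moduleOK = authenticate(bios.MKEY, module.MKEY)
	platformOK = authenticate(module.PKEY, bios.PKEY)
	return moduleOK, platformOK
}

// StaleResponseRejected reports whether a response computed for an earlier N
// fails against a fresh N, which is what the per-run random number provides.
func StaleResponseRejected(key []byte) bool {
	oldN, err1 := NewChallenge()
	newN, err2 := NewChallenge()
	oldM, err3 := Respond(key, oldN)
	if err1 != nil || err2 != nil || err3 != nil {
		return false
	}
	return !Check(key, newN, oldM)
}

func main() {
	a := Party{PKEY: demoKey("constructed PKEY A"), MKEY: demoKey("constructed MKEY A")}
	b := Party{PKEY: demoKey("constructed PKEY B"), MKEY: demoKey("constructed MKEY B")}
	fmt.Println(MutualBind(a, a)) // module and platform bound to each other
	fmt.Println(MutualBind(a, b)) // module issued for a different platform
	fmt.Println("stale response rejected:", StaleResponseRejected(a.MKEY))
}
```
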
Fig. 12 shows an embodiment in which hardware security module HSM 110 prevents the access control execution unit, the process monitoring execution unit and the measurement verification execution unit from being tampered with. In the embodiment shown in Fig. 12, the integrity standard value 1141 of each execution unit is stored in hardware security module HSM 110; this standard value 1141 is kept in the protected storage area of HSM 110, and HSM 110 guarantees that it cannot be arbitrarily tampered with. Before loading access control execution unit 230, process monitoring execution unit 250 and measurement verification execution unit 270, operating system kernel 210 first calculates the current integrity value of each execution unit, then obtains the integrity standard value 1141 of each unit from HSM 110, and compares the current integrity value of each execution unit with its integrity standard value. If they are consistent, the execution unit is loaded and run; otherwise trusted recovery is carried out on the execution unit.
Fig. 13 shows an embodiment in which hardware security module HSM 110 prevents the access control list, the process behavior standard database and the process integrity value standard database from being tampered with. In the embodiment shown in Fig. 13, access control list integrity standard value 1145, process behavior standard database integrity standard value 1149 and process integrity value standard database integrity standard value 1153 are stored in hardware security module HSM 110; these standard values are kept in the protected storage area of HSM 110, and HSM 110 guarantees that they cannot be arbitrarily tampered with. Before querying its list or standard database, each execution unit first calculates the current integrity value of the list or standard database, then obtains the integrity standard value of the list or standard database from HSM 110, and compares the current integrity value with the integrity standard value. If they are consistent, the query proceeds; otherwise the execution unit carries out trusted recovery.
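
The two-level check described above (the HSM holds the standard value of the database, the database holds the standard values of programs), combined with the run/forbid decision of the measurement verification execution unit, as an added Go example that is not part of the patent. SHA-256 as the characteristic function, the database encoding, denying programs that have no standard value, and all type and function names are assumptions; the program data is constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Hash is the output of the characteristic function (SHA-256 here, an assumption).
type Hash = [sha256.Size]byte

// Value holds the separately computed integrity values of code and configuration.
type Value struct{ Code, Config Hash }

// StandardDB maps a program name to its standard integrity values.
type StandardDB map[string]Value

// Fingerprint measures the database itself over a sorted, length-prefixed encoding.
func (db StandardDB) Fingerprint() Hash {
	names := make([]string, 0, len(db))
	for n := range db {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		v := db[n]
		fmt.Fprintf(h, "%d:%s", len(n), n)
		h.Write(v.Code[:])
		h.Write(v.Config[:])
	}
	var out Hash
	copy(out[:], h.Sum(nil))
	return out
}

// Record is one actual measurement kept in the HSM.
type Record struct {
	Program string
	Actual  Value
}

// HSM models only the two things this flow needs from HSM 110.
type HSM struct {
	dbReference Hash     // integrity standard value 1153 of the database
	log         []Record // actual values: the platform integrity status data
}

// Report returns a copy of the status data for an inquiring entity.
func (h *HSM) Report() []Record { return append([]Record(nil), h.log...) }

type Decision string

const (
	Allow     Decision = "allow"
	Deny      Decision = "deny"
	RecoverDB Decision = "trusted recovery of database"
)

// Measure applies the characteristic function to code and configuration separately.
func Measure(code, config []byte) Value {
	return Value{Code: sha256.Sum256(code), Config: sha256.Sum256(config)}
}

// Gate records the actual values in the HSM, checks the database against the
// HSM reference value before querying it, then compares actual with standard.
func Gate(hsm *HSM, db StandardDB, name string, code, config []byte) Decision {
	actual := Measure(code, config)
	hsm.log = append(hsm.log, Record{Program: name, Actual: actual})
	if db.Fingerprint() != hsm.dbReference {
		return RecoverDB // database changed: restore it instead of querying it
	}
	std, known := db[name]
	if !known || std != actual { // assumption: no standard value means no run
		return Deny
	}
	return Allow
}

// RunScenarios: unchanged program, changed configuration, and a database entry
// rewritten to match the change while the HSM reference value stays the same.
func RunScenarios() (clean, modified, dbEdited Decision, logged int) {
	code, cfg := []byte("constructed program image"), []byte("mode=strict")
	db := StandardDB{"editor": Measure(code, cfg)}
	hsm := &HSM{dbReference: db.Fingerprint()}
	clean = Gate(hsm, db, "editor", code, cfg)
	changed := []byte("mode=permissive")
	modified = Gate(hsm, db, "editor", code, changed)
	db["editor"] = Measure(code, changed)
	dbEdited = Gate(hsm, db, "editor", code, changed)
	return clean, modified, dbEdited, len(hsm.Report())
}

func main() {
	fmt.Println(RunScenarios())
}
```
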

Claims (10)

1. A creditable calculation password platform, comprising a hardware system (100) and an operating system (200), the hardware system (100) being connected with the operating system (200), characterized in that: the hardware system (100) comprises a hardware security module HSM (110); the hardware security module HSM (110) is bound to the platform and comprises an embedded security module ESM (130) attached to the mainboard and/or a pluggable USB/PCI crypto module (170/150); the operating system (200) has an operating system security module comprising a mandatory access control submodule (220), a process monitoring submodule (240) and an application integrity measurement verification module (260).
2. The creditable calculation password platform according to claim 1, characterized in that the mandatory access control submodule (220) comprises an access control execution unit and an access control list; the process monitoring submodule (240) comprises a process monitoring execution unit and a process behavior standard database; the application integrity measurement verification module (260) is a security module running on the operating system (200) and comprises a measurement verification execution unit and a process integrity value standard database.
3. The creditable calculation password platform according to claim 1, characterized in that the hardware security module HSM (110) is an individually packaged security chip; the hardware security module HSM (110) is an independent security module integrating a plurality of chips, or a composite module directly integrated with other chips, or a composite chip formed by embedding in the form of an IP core.
4. The creditable calculation password platform according to claim 1, characterized in that the binding of the hardware security module HSM (110) to the platform is a physical binding, in which the embedded security module ESM (130) is physically soldered directly onto the platform motherboard, or a logical binding of crypto module and platform, realized by mutual authentication between the pluggable USB/PCI crypto module (170/150) and the platform.
5. The creditable calculation password platform according to claim 1, characterized in that the hardware security module HSM (110) further has an engine capable of executing a high-speed symmetric key cipher algorithm, and a high-speed interface for fast data transfer with the platform host.
6. An implementation method of a creditable calculation password platform, characterized in that it comprises the following steps:
1) performing, by the hardware security module HSM (110), high-speed symmetric key cipher encryption and decryption through the symmetric key cipher algorithm engine, and replacing the symmetric key cipher algorithm;
2) performing, by the security module HSM (110), integrity protection of the control execution unit, the process monitoring execution unit and the measurement verification execution unit;
3) evaluating and monitoring the process behavior standard database by the process monitoring submodule (240);
4) evaluating and responding to the process integrity value standard database by the application integrity measurement verification module (260).
7. The implementation method of the creditable calculation password platform according to claim 6, characterized in that the step of performing, by the hardware security module HSM (110), high-speed symmetric key cipher encryption and decryption through the symmetric key cipher algorithm engine and replacing the symmetric key cipher algorithm comprises:
for the embedded security module ESM (130) soldered directly onto the mainboard, securely downloading the new cryptographic algorithm code into the embedded security module ESM (130) and removing the original cryptographic algorithm code, the control execution unit, the process monitoring execution unit and the measurement verification execution unit being under the integrity protection of the security module HSM (110);
for the pluggable USB/PCI crypto module (170/150), inserting into the platform a crypto module having the new symmetric key cipher algorithm engine, which authenticates mutually with the platform to complete the logical binding.
8. The implementation method of the creditable calculation password platform according to claim 7, characterized in that the step of securely downloading the new cryptographic algorithm code into the embedded security module ESM (130) is: the embedded security module ESM (130) first guarantees the confidentiality of the newly downloaded symmetric key cipher algorithm code during the download, authenticates that the new cryptographic algorithm code was indeed written by a trusted party, and guarantees that the downloaded algorithm code has not been tampered with; the code is then written into the embedded security module ESM (130) completely and faithfully, and finally the original cryptographic algorithm code is removed; the step of inserting the crypto module having the new symmetric key cipher algorithm engine is: the platform-related data such as keys on the previous, old USB/PCI crypto module (170/150) must be migrated securely to the crypto module having the new symmetric key cipher algorithm engine; the old crypto module and the new module then authenticate each other, ensuring that both are crypto modules bound to the same platform, and the confidentiality and integrity of the migrated data are guaranteed.
9. The implementation method of the creditable calculation password platform according to claim 6, 7 or 8, characterized in that the step of performing, by the hardware security module HSM (110), integrity protection of the access control execution unit, the process monitoring execution unit and the measurement verification execution unit is: first, when the operating system (200) kernel starts, it interacts with the hardware security module HSM (110) to confirm that these protected components have not been tampered with; after confirming that they have not been tampered with, the access control execution unit, the process monitoring execution unit and the measurement verification execution unit are loaded into platform memory and start running; if tampering is found, trusted recovery is carried out on these protected components.
10. The implementation method of the creditable calculation password platform according to claim 6, characterized in that the evaluating and monitoring of the process behavior standard database by the process monitoring submodule (240) is: before reading and querying the access control list, the access control execution unit first interacts with the hardware security module HSM (110) to judge whether the access control list has been tampered with; if the access control list is found to have been tampered with, trusted recovery is performed on it; when a process on the operating system is about to run, the process monitoring execution unit generates a process companion for the process, and before querying the process behavior standard database the process companion first interacts with the hardware security module HSM (110) to judge whether the process behavior standard database has been tampered with; if the process behavior standard database is found to have been tampered with, trusted recovery is performed on it; before querying the program integrity value standard database, the measurement verification execution unit first interacts with the hardware security module HSM (110) to judge whether the database has been tampered with; if the program integrity value standard database is found to have been tampered with, trusted recovery is performed on it; the process behavior standard database is established by the process monitoring submodule according to the specifications of the program developer or publisher, or is obtained from a trusted party that has evaluated the program process, or from a recommending party that considers the program process trustworthy.
CN2009100638242A 2009-09-04 2009-09-04 Creditable calculation password platform and realization method thereof Expired - Fee Related CN101650764B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100638242A CN101650764B (en) 2009-09-04 2009-09-04 Creditable calculation password platform and realization method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100638242A CN101650764B (en) 2009-09-04 2009-09-04 Creditable calculation password platform and realization method thereof

Publications (2)

Publication Number Publication Date
CN101650764A true CN101650764A (en) 2010-02-17
CN101650764B CN101650764B (en) 2011-08-24

Family

ID=41673002

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100638242A Expired - Fee Related CN101650764B (en) 2009-09-04 2009-09-04 Creditable calculation password platform and realization method thereof

Country Status (1)

Country Link
CN (1) CN101650764B (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102271333A (en) * 2011-08-08 2011-12-07 东南大学 Safe receiving and dispatching method for 3G (3rd Generation) message on basis of trusted chain transmission
CN102271333B (en) * 2011-08-08 2014-04-16 东南大学 Safe receiving and dispatching method for 3G (3rd Generation) message on basis of trusted chain transmission
CN103455756A (en) * 2013-08-02 2013-12-18 国家电网公司 Dependable computing based process control method
CN103455756B (en) * 2013-08-02 2016-12-28 国家电网公司 A kind of course control method based on trust computing
CN105094004A (en) * 2014-05-12 2015-11-25 罗伯特·博世有限公司 Method for operating a control unit
CN104243168A (en) * 2014-10-09 2014-12-24 浪潮电子信息产业股份有限公司 Credible mobile module based on Java smart card
CN106934303A (en) * 2015-12-29 2017-07-07 大唐高鸿信安(浙江)信息科技有限公司 Trusted operating system based on credible chip creates the system and method for trusted process
CN110325995A (en) * 2016-06-30 2019-10-11 通用电气公司 The industrial control platform of safety
CN106228087A (en) * 2016-07-11 2016-12-14 武汉瑞纳捷电子技术有限公司 A kind of confidential information guard method based on safety chip and system
CN106326751B (en) * 2016-08-09 2019-04-19 中国船舶重工集团公司第七0九研究所 One kind can channel system and its implementation
CN106326751A (en) * 2016-08-09 2017-01-11 中国船舶重工集团公司第七0九研究所 Trusted DeltaOS and implementing method thereof
CN107919925A (en) * 2017-11-15 2018-04-17 四川阵风科技有限公司 Radio monitoring device and system
CN111566644A (en) * 2017-12-27 2020-08-21 西门子股份公司 Interface for hardware security module
US11755719B2 (en) 2017-12-27 2023-09-12 Siemens Aktiengesellschaft Interface for a hardware security module
CN111159691A (en) * 2019-12-23 2020-05-15 北京工业大学 Dynamic credibility verification method and system for application program
CN111159691B (en) * 2019-12-23 2022-03-11 北京工业大学 Dynamic credibility verification method and system for application program
WO2022028081A1 (en) * 2020-08-04 2022-02-10 华为技术有限公司 Integrity measurement method and integrity measurement device
EP4184367A4 (en) * 2020-08-04 2024-01-24 Huawei Technologies Co., Ltd. Integrity measurement method and integrity measurement device
CN112260721A (en) * 2020-10-21 2021-01-22 深圳创维-Rgb电子有限公司 A-CAS communication circuit, control method and A-CAS communication device
CN112966254A (en) * 2021-02-27 2021-06-15 郑州信大捷安信息技术股份有限公司 Secure communication method and system for host and trusted cryptographic module
CN112966254B (en) * 2021-02-27 2022-04-05 郑州信大捷安信息技术股份有限公司 Secure communication method and system for host and trusted cryptographic module

Also Published As

Publication number Publication date
CN101650764B (en) 2011-08-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Creditable calculation password platform and realization method thereof

Effective date of registration: 20120428

Granted publication date: 20110824

Pledgee: Wuhan science and technology Company limited by guarantee

Pledgor: JETWAY Information Security Industry Co., Ltd.

Registration number: 2012990000181

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110824

Termination date: 20180904
