EP4042630A1 - Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique - Google Patents
Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographiqueInfo
- Publication number
- EP4042630A1 EP4042630A1 EP20874322.9A EP20874322A EP4042630A1 EP 4042630 A1 EP4042630 A1 EP 4042630A1 EP 20874322 A EP20874322 A EP 20874322A EP 4042630 A1 EP4042630 A1 EP 4042630A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- cryptographic
- coprocessor
- encrypted code
- code
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Definitions
- a system comprising: a computing device comprising a processor, a memory, and a cryptographic coprocessor; and machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least: receive encrypted code implementing a cryptographic algorithm from a service via a network; decrypt, by the cryptographic coprocessor, the encrypted code; execute, by the cryptographic coprocessor, the decrypted code to generate a cryptogram including information encrypted using the cryptographic algorithm; and send the cryptogram to the service via the network.
- the cryptographic coprocessor complies with a version of a Trusted Platform Module (TPM) standard.
- TPM Trusted Platform Module
- a computer program comprising instructions which, when the program is executed by a first computing device, cause the first computing device to at least: encrypt a cryptographic algorithm to create encrypted code; send the encrypted code to a second computing device; receive a cryptogram generated with the cryptographic algorithm from the encrypted code from the second computing device; and decrypt the cryptogram with the cryptographic algorithm.
- the encrypted code is sent to the second computing device along with an identifier for a cryptographic key to decrypt the encrypted code.
- the encrypted code excludes an identifier of the cryptographic algorithm.
- the encrypted code is encrypted using one of a predefined plurality of cryptographic algorithms supported by a standard for a cryptographic coprocessor.
- Wireless networks can include cellular networks, satellite networks, Institute of Electrical and Electronic Engineers (IEEE) 802.11 wireless networks (/.e., WI-FI ® ), BLUETOOTH ® networks, microwave transmission networks, as well as other networks relying on radio broadcasts.
- the network 109 can also include a combination of two or more networks 109. Examples of networks 109 can include the Internet, intranets, extranets, virtual private networks (VPNs), and similar networks.
- Various applications or other functionality can be executed in the computing environment 103.
- the components executed on the computing environment 103 include an entity service 113 and other applications, services, processes, systems, engines, or functionality not discussed in detail herein.
- the entity service 113 may be operated by or on behalf of the entity to perform functions such as authentication, payment authorization, payment processing, or other functions. Although one entity service 113 is described for purposes of discussion, it is understood that multiple services may be implemented to perform portions of these functions.
- the client device 106 is representative of one or more client devices 106 that can be coupled to the network 109.
- the client device 106 can include a processor-based system such as a computer system.
- a computer system can be embodied in the form of a personal computer (e.g., a desktop computer, a laptop computer, or similar device), a mobile computing device (e.g., personal digital assistants, cellular telephones, smartphones, web pads, tablet computer systems, music players, portable game consoles, electronic book readers, and similar devices), media playback devices (e.g., media streaming devices, BluRay ® players, digital video disc (DVD) players, set-top boxes, and similar devices), a videogame console, or other devices with like capability.
- a personal computer e.g., a desktop computer, a laptop computer, or similar device
- a mobile computing device e.g., personal digital assistants, cellular telephones, smartphones, web pads, tablet computer systems, music players, portable game consoles, electronic book readers, and similar
- the root key-pair(s) 215 can be asymmetric encryption key-pairs that can be used by the cryptographic coprocessor 206 to encrypt and/or sign data.
- the root key-pair 215 can be replaced if required, although any data encrypted with the root key-pair 215 will be unrecoverable if the root key-pair 215 is replaced with a new root key-pair 215.
- the cryptographic coprocessor 206 can support the use of multiple, independent root key-pairs 215. For example, multiple users of a client device 106 could each have his or her root key-pair 215 that is accessible only to a respective user.
- a flag may be sent to the cryptographic coprocessor 206 indicating which of the predefined cryptographic algorithms 218 are to be selected for a cryptographic operation. It is noted that the predefined cryptographic algorithms 218 may exclude the cryptographic algorithm 121 (FIG. 1) in the encrypted code 118. However, the encrypted code 118 may be encrypted using one of the predefined cryptographic algorithms 218.
- the trusted application 256 provides the encrypted code 118 to the cryptographic coprocessor 206 of the client device 106.
- the trusted application 256 may store the encrypted code 118 in a secure portion of the client data store 209 or in other secure memory, and send a command to the cryptographic coprocessor 206 to load the encrypted code 118 and verify and decrypt it.
- the encrypted code 256 may be provided to the cryptographic coprocessor 206 via an interface between the trusted execution environment 253 and the cryptographic coprocessor 206.
- the entity service 113 may also send encrypted data along with, before, or after the encrypted code 118, where the encrypted data is encrypted using a cryptographic algorithm 121 (FIG. 1) encrypted within the encrypted code 118.
- the encrypted code 118 and encrypted data may be sent along with a signature 124 (FIG. 1).
- the header of the signature 124 can be used to identify a particular root key-pair 215 (FIG. 2B) for decrypting the encrypted code 118.
- the entity service 113 may send a different type of key identifier.
- the memory includes both volatile and nonvolatile memory and data storage components. Volatile components are those that do not retain data values upon loss of power. Nonvolatile components are those that retain data upon a loss of power.
- the memory can include random access memory (RAM), read only memory (ROM), hard disk drives, solid-state drives, USB flash drives, memory cards accessed via a memory card reader, floppy disks accessed via an associated floppy disk drive, optical discs accessed via an optical disc drive, magnetic tapes accessed via an appropriate tape drive, non-volatile random access memory (NVRAM), or other memory components, or a combination of any two or more of these memory components.
- Embodiment 4 The system of embodiment 1 , wherein the service is operated by an entity, and the cryptographic algorithm is a preferred cryptographic algorithm of the entity.
- Embodiment ? The system of embodiment 1 , wherein the service comprises a first service and a second service which are associated with an entity, the encrypted code is received from the first service, and the cryptogram is sent to the second service.
- Embodiment 20 The non-transitory computer-readable medium of embodiment 17, wherein encrypted code is encrypted using one of a predefined plurality of cryptographic algorithms supported by a standard for a cryptographic coprocessor.
- Embodiment 24 The system of embodiment 21 , wherein the encrypted code is provided to the application via an interface between the trusted execution environment of the computing device and an untrusted execution environment of the computing device.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Bioethics (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
Abstract
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201962914272P | 2019-10-11 | 2019-10-11 | |
US201962914275P | 2019-10-11 | 2019-10-11 | |
US16/668,973 US11341280B2 (en) | 2019-10-11 | 2019-10-30 | Executing entity-specific cryptographic code in a cryptographic coprocessor |
US16/669,002 US20210111901A1 (en) | 2019-10-11 | 2019-10-30 | Executing entity-specific cryptographic code in a trusted execution environment |
PCT/US2020/053520 WO2021071719A1 (fr) | 2019-10-11 | 2020-09-30 | Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique |
Publications (2)
Publication Number | Publication Date |
---|---|
EP4042630A1 true EP4042630A1 (fr) | 2022-08-17 |
EP4042630A4 EP4042630A4 (fr) | 2023-10-11 |
Family
ID=75437590
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP20874322.9A Pending EP4042630A4 (fr) | 2019-10-11 | 2020-09-30 | Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP4042630A4 (fr) |
JP (1) | JP7385025B2 (fr) |
KR (1) | KR20220069042A (fr) |
CN (1) | CN114556344A (fr) |
WO (1) | WO2021071719A1 (fr) |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001125481A (ja) * | 1999-10-25 | 2001-05-11 | Toshiba Corp | 暗号通信端末、暗号通信センター装置及び暗号通信システム並びに記録媒体 |
JP2001338271A (ja) * | 2000-03-23 | 2001-12-07 | Matsushita Electric Ind Co Ltd | Icカード及びicカード利用システム |
DE10107373A1 (de) * | 2001-02-16 | 2002-08-29 | Infineon Technologies Ag | Sicherheitsmodul mit flüchtigem Speicher zur Speicherung eines Algorithmuscodes |
US7657033B2 (en) * | 2004-12-10 | 2010-02-02 | Fiske Software Llc | Cryptography related to keys |
KR20090059602A (ko) * | 2007-12-07 | 2009-06-11 | 한국전자통신연구원 | 세션 메모리 버스를 구비한 암호화 장치 |
US9026803B2 (en) | 2009-11-30 | 2015-05-05 | Hewlett-Packard Development Company, L.P. | Computing entities, platforms and methods operable to perform operations selectively using different cryptographic algorithms |
CN102546562A (zh) | 2010-12-22 | 2012-07-04 | 腾讯科技(深圳)有限公司 | 在web中传输数据时进行加解密的方法及系统 |
CN103297958B (zh) * | 2012-02-22 | 2017-04-12 | 华为技术有限公司 | 建立安全上下文的方法、装置及系统 |
US10243727B2 (en) * | 2013-10-31 | 2019-03-26 | Ati Technologies Ulc | Method and system for constant time cryptography using a co-processor |
-
2020
- 2020-09-30 EP EP20874322.9A patent/EP4042630A4/fr active Pending
- 2020-09-30 KR KR1020227013092A patent/KR20220069042A/ko unknown
- 2020-09-30 CN CN202080071365.7A patent/CN114556344A/zh active Pending
- 2020-09-30 WO PCT/US2020/053520 patent/WO2021071719A1/fr unknown
- 2020-09-30 JP JP2022520312A patent/JP7385025B2/ja active Active
Also Published As
Publication number | Publication date |
---|---|
KR20220069042A (ko) | 2022-05-26 |
EP4042630A4 (fr) | 2023-10-11 |
JP2022551586A (ja) | 2022-12-12 |
CN114556344A (zh) | 2022-05-27 |
JP7385025B2 (ja) | 2023-11-21 |
WO2021071719A1 (fr) | 2021-04-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111181720B (zh) | 基于可信执行环境的业务处理方法及装置 | |
US10069806B2 (en) | Secure transfer and use of secret material in a shared environment | |
CN107743133B (zh) | 移动终端及其基于可信安全环境的访问控制方法和系统 | |
CN107959567B (zh) | 数据存储方法、数据获取方法、装置及系统 | |
EP2954448B1 (fr) | Transmission de données sensibles à des dispositifs tiers compatibles réseau | |
US20140281548A1 (en) | Intra-computer protected communications between applications | |
US20140096213A1 (en) | Method and system for distributed credential usage for android based and other restricted environment devices | |
US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
CN107453880B (zh) | 一种云数据安全存储方法和系统 | |
CN104618096B (zh) | 保护密钥授权数据的方法、设备和tpm密钥管理中心 | |
US11783091B2 (en) | Executing entity-specific cryptographic code in a cryptographic coprocessor | |
CN106797316B (zh) | 路由器、数据设备、分发数据的方法和系统 | |
CN110650010A (zh) | 一种非对称密钥中的私钥生成和使用方法、装置和设备 | |
CN102571329A (zh) | 密码密钥管理 | |
JP2017112604A (ja) | 対称鍵暗号化と非対称鍵二重暗号化を複合的に適用した暗/復号化速度改善方法 | |
US20210111901A1 (en) | Executing entity-specific cryptographic code in a trusted execution environment | |
US20230021749A1 (en) | Wrapped Keys with Access Control Predicates | |
EP3886355A2 (fr) | (official translation required) | |
US20240232441A1 (en) | Executing entity-Specific Cryptographic Code in a Cryptographic | |
WO2022199796A1 (fr) | Procédé et système informatique pour la gestion de clés | |
JP7385025B2 (ja) | 暗号化コプロセッサにおけるエンティティ固有の暗号化コードの実行 | |
Xiong et al. | Cloudsafe: Securing data processing within vulnerable virtualization environments in the cloud | |
Malik et al. | Cloud computing security improvement using Diffie Hellman and AES | |
US11012245B1 (en) | Decentralized management of data access and verification using data management hub | |
US10931454B1 (en) | Decentralized management of data access and verification using data management hub |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20220331 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: LEI, ANDREW Inventor name: VISHNUVAJHALA, SUBRAHMANYAM Inventor name: BISWAS, MANIK Inventor name: DELIWALA, MANISH Inventor name: IBRAHIM, WAEL |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
P01 | Opt-out of the competence of the unified patent court (upc) registered |
Effective date: 20230509 |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20230911 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/40 20220101ALI20230905BHEP Ipc: H04L 9/32 20060101ALI20230905BHEP Ipc: G06F 21/60 20130101ALI20230905BHEP Ipc: H04L 9/08 20060101AFI20230905BHEP |