EP4042630A1 - Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique - Google Patents

Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique

Info

Publication number
EP4042630A1
EP4042630A1 EP20874322.9A EP20874322A EP4042630A1 EP 4042630 A1 EP4042630 A1 EP 4042630A1 EP 20874322 A EP20874322 A EP 20874322A EP 4042630 A1 EP4042630 A1 EP 4042630A1
Authority
EP
European Patent Office
Prior art keywords
cryptographic
coprocessor
encrypted code
code
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP20874322.9A
Other languages
German (de)
English (en)
Other versions
EP4042630A4 (fr
Inventor
Wael Ibrahim
Manish DELIWALA
Manik BISWAS
Subrahmanyam VISHNUVAJHALA
Andrew Lei
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
American Express Travel Related Services Co Inc
Original Assignee
American Express Travel Related Services Co Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US16/668,973 external-priority patent/US11341280B2/en
Priority claimed from US16/669,002 external-priority patent/US20210111901A1/en
Application filed by American Express Travel Related Services Co Inc filed Critical American Express Travel Related Services Co Inc
Publication of EP4042630A1 publication Critical patent/EP4042630A1/fr
Publication of EP4042630A4 publication Critical patent/EP4042630A4/fr
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/02Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • a system comprising: a computing device comprising a processor, a memory, and a cryptographic coprocessor; and machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least: receive encrypted code implementing a cryptographic algorithm from a service via a network; decrypt, by the cryptographic coprocessor, the encrypted code; execute, by the cryptographic coprocessor, the decrypted code to generate a cryptogram including information encrypted using the cryptographic algorithm; and send the cryptogram to the service via the network.
  • the cryptographic coprocessor complies with a version of a Trusted Platform Module (TPM) standard.
  • TPM Trusted Platform Module
  • a computer program comprising instructions which, when the program is executed by a first computing device, cause the first computing device to at least: encrypt a cryptographic algorithm to create encrypted code; send the encrypted code to a second computing device; receive a cryptogram generated with the cryptographic algorithm from the encrypted code from the second computing device; and decrypt the cryptogram with the cryptographic algorithm.
  • the encrypted code is sent to the second computing device along with an identifier for a cryptographic key to decrypt the encrypted code.
  • the encrypted code excludes an identifier of the cryptographic algorithm.
  • the encrypted code is encrypted using one of a predefined plurality of cryptographic algorithms supported by a standard for a cryptographic coprocessor.
  • Wireless networks can include cellular networks, satellite networks, Institute of Electrical and Electronic Engineers (IEEE) 802.11 wireless networks (/.e., WI-FI ® ), BLUETOOTH ® networks, microwave transmission networks, as well as other networks relying on radio broadcasts.
  • the network 109 can also include a combination of two or more networks 109. Examples of networks 109 can include the Internet, intranets, extranets, virtual private networks (VPNs), and similar networks.
  • Various applications or other functionality can be executed in the computing environment 103.
  • the components executed on the computing environment 103 include an entity service 113 and other applications, services, processes, systems, engines, or functionality not discussed in detail herein.
  • the entity service 113 may be operated by or on behalf of the entity to perform functions such as authentication, payment authorization, payment processing, or other functions. Although one entity service 113 is described for purposes of discussion, it is understood that multiple services may be implemented to perform portions of these functions.
  • the client device 106 is representative of one or more client devices 106 that can be coupled to the network 109.
  • the client device 106 can include a processor-based system such as a computer system.
  • a computer system can be embodied in the form of a personal computer (e.g., a desktop computer, a laptop computer, or similar device), a mobile computing device (e.g., personal digital assistants, cellular telephones, smartphones, web pads, tablet computer systems, music players, portable game consoles, electronic book readers, and similar devices), media playback devices (e.g., media streaming devices, BluRay ® players, digital video disc (DVD) players, set-top boxes, and similar devices), a videogame console, or other devices with like capability.
  • a personal computer e.g., a desktop computer, a laptop computer, or similar device
  • a mobile computing device e.g., personal digital assistants, cellular telephones, smartphones, web pads, tablet computer systems, music players, portable game consoles, electronic book readers, and similar
  • the root key-pair(s) 215 can be asymmetric encryption key-pairs that can be used by the cryptographic coprocessor 206 to encrypt and/or sign data.
  • the root key-pair 215 can be replaced if required, although any data encrypted with the root key-pair 215 will be unrecoverable if the root key-pair 215 is replaced with a new root key-pair 215.
  • the cryptographic coprocessor 206 can support the use of multiple, independent root key-pairs 215. For example, multiple users of a client device 106 could each have his or her root key-pair 215 that is accessible only to a respective user.
  • a flag may be sent to the cryptographic coprocessor 206 indicating which of the predefined cryptographic algorithms 218 are to be selected for a cryptographic operation. It is noted that the predefined cryptographic algorithms 218 may exclude the cryptographic algorithm 121 (FIG. 1) in the encrypted code 118. However, the encrypted code 118 may be encrypted using one of the predefined cryptographic algorithms 218.
  • the trusted application 256 provides the encrypted code 118 to the cryptographic coprocessor 206 of the client device 106.
  • the trusted application 256 may store the encrypted code 118 in a secure portion of the client data store 209 or in other secure memory, and send a command to the cryptographic coprocessor 206 to load the encrypted code 118 and verify and decrypt it.
  • the encrypted code 256 may be provided to the cryptographic coprocessor 206 via an interface between the trusted execution environment 253 and the cryptographic coprocessor 206.
  • the entity service 113 may also send encrypted data along with, before, or after the encrypted code 118, where the encrypted data is encrypted using a cryptographic algorithm 121 (FIG. 1) encrypted within the encrypted code 118.
  • the encrypted code 118 and encrypted data may be sent along with a signature 124 (FIG. 1).
  • the header of the signature 124 can be used to identify a particular root key-pair 215 (FIG. 2B) for decrypting the encrypted code 118.
  • the entity service 113 may send a different type of key identifier.
  • the memory includes both volatile and nonvolatile memory and data storage components. Volatile components are those that do not retain data values upon loss of power. Nonvolatile components are those that retain data upon a loss of power.
  • the memory can include random access memory (RAM), read only memory (ROM), hard disk drives, solid-state drives, USB flash drives, memory cards accessed via a memory card reader, floppy disks accessed via an associated floppy disk drive, optical discs accessed via an optical disc drive, magnetic tapes accessed via an appropriate tape drive, non-volatile random access memory (NVRAM), or other memory components, or a combination of any two or more of these memory components.
  • Embodiment 4 The system of embodiment 1 , wherein the service is operated by an entity, and the cryptographic algorithm is a preferred cryptographic algorithm of the entity.
  • Embodiment ? The system of embodiment 1 , wherein the service comprises a first service and a second service which are associated with an entity, the encrypted code is received from the first service, and the cryptogram is sent to the second service.
  • Embodiment 20 The non-transitory computer-readable medium of embodiment 17, wherein encrypted code is encrypted using one of a predefined plurality of cryptographic algorithms supported by a standard for a cryptographic coprocessor.
  • Embodiment 24 The system of embodiment 21 , wherein the encrypted code is provided to the application via an interface between the trusted execution environment of the computing device and an untrusted execution environment of the computing device.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)

Abstract

L'invention concerne divers modes de réalisation d'exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique. Dans un mode de réalisation, un code chiffré mettant en œuvre un algorithme cryptographique est reçu en provenance d'un service par l'intermédiaire d'un réseau. Le coprocesseur cryptographique déchiffre le code chiffré. Le coprocesseur cryptographique exécute le code déchiffré de façon à générer un cryptogramme comprenant des informations chiffrées à l'aide de l'algorithme cryptographique. Le cryptogramme est envoyé au service par l'intermédiaire du réseau.
EP20874322.9A 2019-10-11 2020-09-30 Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique Pending EP4042630A4 (fr)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US201962914272P 2019-10-11 2019-10-11
US201962914275P 2019-10-11 2019-10-11
US16/668,973 US11341280B2 (en) 2019-10-11 2019-10-30 Executing entity-specific cryptographic code in a cryptographic coprocessor
US16/669,002 US20210111901A1 (en) 2019-10-11 2019-10-30 Executing entity-specific cryptographic code in a trusted execution environment
PCT/US2020/053520 WO2021071719A1 (fr) 2019-10-11 2020-09-30 Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique

Publications (2)

Publication Number Publication Date
EP4042630A1 true EP4042630A1 (fr) 2022-08-17
EP4042630A4 EP4042630A4 (fr) 2023-10-11

Family

ID=75437590

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20874322.9A Pending EP4042630A4 (fr) 2019-10-11 2020-09-30 Exécution d'un code cryptographique spécifique à une entité dans un coprocesseur cryptographique

Country Status (5)

Country Link
EP (1) EP4042630A4 (fr)
JP (1) JP7385025B2 (fr)
KR (1) KR20220069042A (fr)
CN (1) CN114556344A (fr)
WO (1) WO2021071719A1 (fr)

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001125481A (ja) * 1999-10-25 2001-05-11 Toshiba Corp 暗号通信端末、暗号通信センター装置及び暗号通信システム並びに記録媒体
JP2001338271A (ja) * 2000-03-23 2001-12-07 Matsushita Electric Ind Co Ltd Icカード及びicカード利用システム
DE10107373A1 (de) * 2001-02-16 2002-08-29 Infineon Technologies Ag Sicherheitsmodul mit flüchtigem Speicher zur Speicherung eines Algorithmuscodes
US7657033B2 (en) * 2004-12-10 2010-02-02 Fiske Software Llc Cryptography related to keys
KR20090059602A (ko) * 2007-12-07 2009-06-11 한국전자통신연구원 세션 메모리 버스를 구비한 암호화 장치
US9026803B2 (en) 2009-11-30 2015-05-05 Hewlett-Packard Development Company, L.P. Computing entities, platforms and methods operable to perform operations selectively using different cryptographic algorithms
CN102546562A (zh) 2010-12-22 2012-07-04 腾讯科技(深圳)有限公司 在web中传输数据时进行加解密的方法及系统
CN103297958B (zh) * 2012-02-22 2017-04-12 华为技术有限公司 建立安全上下文的方法、装置及系统
US10243727B2 (en) * 2013-10-31 2019-03-26 Ati Technologies Ulc Method and system for constant time cryptography using a co-processor

Also Published As

Publication number Publication date
KR20220069042A (ko) 2022-05-26
EP4042630A4 (fr) 2023-10-11
JP2022551586A (ja) 2022-12-12
CN114556344A (zh) 2022-05-27
JP7385025B2 (ja) 2023-11-21
WO2021071719A1 (fr) 2021-04-15

Similar Documents

Publication Publication Date Title
CN111181720B (zh) 基于可信执行环境的业务处理方法及装置
US10069806B2 (en) Secure transfer and use of secret material in a shared environment
CN107743133B (zh) 移动终端及其基于可信安全环境的访问控制方法和系统
CN107959567B (zh) 数据存储方法、数据获取方法、装置及系统
EP2954448B1 (fr) Transmission de données sensibles à des dispositifs tiers compatibles réseau
US20140281548A1 (en) Intra-computer protected communications between applications
US20140096213A1 (en) Method and system for distributed credential usage for android based and other restricted environment devices
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
CN107453880B (zh) 一种云数据安全存储方法和系统
CN104618096B (zh) 保护密钥授权数据的方法、设备和tpm密钥管理中心
US11783091B2 (en) Executing entity-specific cryptographic code in a cryptographic coprocessor
CN106797316B (zh) 路由器、数据设备、分发数据的方法和系统
CN110650010A (zh) 一种非对称密钥中的私钥生成和使用方法、装置和设备
CN102571329A (zh) 密码密钥管理
JP2017112604A (ja) 対称鍵暗号化と非対称鍵二重暗号化を複合的に適用した暗/復号化速度改善方法
US20210111901A1 (en) Executing entity-specific cryptographic code in a trusted execution environment
US20230021749A1 (en) Wrapped Keys with Access Control Predicates
EP3886355A2 (fr) (official translation required)
US20240232441A1 (en) Executing entity-Specific Cryptographic Code in a Cryptographic
WO2022199796A1 (fr) Procédé et système informatique pour la gestion de clés
JP7385025B2 (ja) 暗号化コプロセッサにおけるエンティティ固有の暗号化コードの実行
Xiong et al. Cloudsafe: Securing data processing within vulnerable virtualization environments in the cloud
Malik et al. Cloud computing security improvement using Diffie Hellman and AES
US11012245B1 (en) Decentralized management of data access and verification using data management hub
US10931454B1 (en) Decentralized management of data access and verification using data management hub

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220331

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

RIN1 Information on inventor provided before grant (corrected)

Inventor name: LEI, ANDREW

Inventor name: VISHNUVAJHALA, SUBRAHMANYAM

Inventor name: BISWAS, MANIK

Inventor name: DELIWALA, MANISH

Inventor name: IBRAHIM, WAEL

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230509

A4 Supplementary search report drawn up and despatched

Effective date: 20230911

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/40 20220101ALI20230905BHEP

Ipc: H04L 9/32 20060101ALI20230905BHEP

Ipc: G06F 21/60 20130101ALI20230905BHEP

Ipc: H04L 9/08 20060101AFI20230905BHEP