KR101656092B1 - Secured computing system with asynchronous authentication - Google Patents

Abstract

The computing device includes an input bridge, an output bridge, a processing core, and authentication logic. The input bridge is coupled to receive a sequence of data items for use by a device executing the program. The processing core is coupled to receive a data item from an input bridge and to execute a program to output a signal in an output bridge in response to a given data item in the sequence, wherein the authentication logic receives the data item while the processing core is executing the program, And is connected to inhibit output of the signal by the output bridge until a given data item is authenticated.

Description

[0001] SECURED COMPUTING SYSTEM WITH ASYNCHRONOUS AUTHENTICATION [0002]

Cross-reference to related application

This application claims the benefit of U.S. Provisional Patent Application No. 61 / 702,763, filed September 19, 2012, the entirety of which is incorporated herein by reference.

Technical field

FIELD OF THE INVENTION The present invention relates generally to computing systems, and more particularly to a method and system for securely executing programs stored on external devices.

In secure computing systems, secure computing devices often communicate with one or more external devices. The external device generally includes at least a memory device that stores program instructions that are executed by a processing core in a computing device. In the event that the communication link between the computing device and the external device is not secured, the secure computing device often needs to validate the integrity and authenticity of the data received over the link. Authenticity verification means that the receiving device (e.g., a secure computing device) can verify that the data has been transmitted from a legitimate source (e.g., an authorized memory device). Integrity means that the data has not changed before being input to the receiving device. In the following description and claims, the term "authentication" collectively refers to a technique for verifying authenticity or integrity of data or both.

Methods for authenticating codes and data stored in devices outside the computing environment are known in the art. For example, U.S. Patent Application Publication No. 2010/0070779, which is incorporated herein by reference in its entirety, discloses an encryption algorithm that provides at least one intermediate state, which means the same in ciphering and deciphering, Which is sampled during encryption to generate a signature. ≪ RTI ID = 0.0 > [0031] < / RTI > The present invention is more particularly applied to protect the privacy and integrity (or authenticity) of the contents of a memory external to an integrated circuit considered security.

U.S. Patent No. 8,108,941, which is incorporated herein by reference in its entirety, describes a processor coupled to a non-volatile memory for storing first memory authentication information for authenticating non-volatile memory. The processor includes an operation unit configured to perform an operation using information stored in a nonvolatile memory, an authentication memory formed integrally with the operation unit and storing second memory authentication information for authenticating the nonvolatile memory, An authentication information obtaining unit configured to obtain the first memory authentication information from the memory, a memory authentication unit configured to compare the first memory authentication information and the second memory authentication information to authenticate the nonvolatile memory, And a memory access control unit configured to permit access to the nonvolatile memory when the authentication is successful.

U.S. Patent No. 8,140,824, which is incorporated herein by reference in its entirety, describes a computer program product comprising a computer usable medium having a computer readable program for authenticating a code, such as a boot code. The memory addressing engine is usable to select a portion of memory as a first input hash value, as a function of the step value. The step value enables a non-commutative cumulative hash of a plurality of memory portions having a second input hash value equal to the previous hash value rotated to the left. The authenticator circuit is operable to perform a hash on the portion of the memory and the second input hash value. The comparison circuit can be used to compare the output of the authenticator circuit with the expected value.

One embodiment of the present invention provides a computing device comprising an input bridge, an output bridge, a processing core, and authentication logic. The input bridge is connected to receive a sequence of data items for use by the device executing the program. Wherein the processing core is coupled to receive a data item from an input bridge and to execute a program to output a signal in an output bridge in response to a given data item in the sequence, Receive and authenticate, and are inhibited from outputting the signal by the output bridge until the given data item is authenticated.

In some embodiments, the data item comprises a program instruction, the given data item comprises an output instruction, and the processing core is configured to execute the program by executing a program instruction comprising an output instruction. In another embodiment, the authentication logic is configured to authenticate the data item asynchronously with the execution of the program by the processing core. In yet another embodiment, the authentication logic authenticates a given data item after a given data item is used to execute the program by the processing core, and outputs the signal by the output bridge until authentication of the given data item is completed .

In one embodiment, the authentication logic is configured to authenticate the data item by calculating one or more digital signatures of the data item and comparing the calculated signature with each original signature received by the device via the input bridge. In another embodiment, the authentication logic is configured to generate an alert signal if at least one of the calculated signatures does not match each original signature. In another embodiment, the input bridge is configured to receive a data item by receiving first and second blocks of data items, and receiving the second block is configured to use all of the data items of the first block Only after you have authenticated.

An additional method is provided according to an embodiment of the invention, the method comprising: receiving at a computing device via an input bridge a sequence of data items for use in executing a program by a processing core of the device; And outputting a signal from the device in response to a given data item in the sequence; and authenticating the data item using the authentication logic while the processing core is executing the program, until a given data item is authenticated And inhibiting the output of the signal.

In accordance with an embodiment of the present invention, a computing system is additionally provided, which includes an external device and a computing device. The external device is configured to provide a sequence of data items, and the computing device further includes an input bridge, an output bridge, a processing core, and authentication logic. The input bridge is coupled to receive a sequence of data items for use by a computing device executing a program from an external device. The processing core is coupled to receive a data item from an input bridge and execute the program to output a signal in an output bridge in response to a given data item in the sequence, wherein the authentication logic receives the data item while the processing core is executing the program And is connected to prohibit the output of the signal by the output bridge until a given data item is authenticated.

BRIEF DESCRIPTION OF THE DRAWINGS The invention will be more fully understood from the following detailed description of the embodiments, taken in conjunction with the accompanying drawings, in which: FIG.

1 is a schematic block diagram illustrating a secure computing system in accordance with one embodiment of the present invention;
2 is a schematic block diagram illustrating details of the secure computing system of FIG. 1 in accordance with one embodiment of the present invention; FIG.
Figure 3 illustrates a secure state-machine in accordance with one embodiment of the present invention;
4 is a simplified flow diagram illustrating a method for authenticating at a secure computing device in accordance with one embodiment of the present invention.

summary

A secure computing system that receives data (also referred to as a message) from an external source often needs to verify the integrity and authenticity of the data before it is used internally. The embodiments of the invention presented below use digital signatures for data authentication. The digital signature is typically stored in the data or in real time on the sender side (e.g., a memory device) and sent to the recipient (e.g., a secure computing device) along with the data for authentication, -string). The recipient computes the signature of the received data and compares the computed signature with the sender's original signature. If these signatures match, the recipient can assume that the data is authentic and has not been altered by any unauthorized party.

In many cases, creating and verifying signatures is based on data messages and secret keys. The algorithm that generates the signature is generally designed so that the unauthorized person does not know the secret key and does not generate a valid signature. Additionally, arbitrary changes to the data message (i.e., data integrity failure) will cause signature verification to fail on the recipient side.

Various methods of generating and verifying signatures using secret keys are known in the art. For example, a sender can create a signature using a private key, while a recipient uses a public key to verify a signature. As another example, the sender and the recipient may share a common key that remains secret between them. Methods for exchanging keys between a recipient and a sender are known in the art. After verifying the signature corresponding to the specific data (assuming that the secret of the key has not been leaked), the secure computing device can securely process the received data. For example, if the data includes computer program instructions, the computing device may securely execute the authenticated program without risking exposing the security information.

In terms of security, unauthorized program commands and other data items that affect processing within a computing device may be categorized into two categories for embodiments of the present invention. Processing an unauthenticated data item in the first category does not expose any security information, so the data item in this category is thus referred to as a neutral command or data item. On the other hand, processing the unauthenticated data item of the second category may expose the secret or security information directly or indirectly. The data items of this second category are also referred to herein as output instructions.

The embodiments of the invention described herein provide an improved method and system for authenticating at a secure computing device. In an exemplary embodiment, at a computing device, a processing core receives program instructions to be executed from an external device, such as a memory, via an input bridge. This command is signed with a digital signature. A portion of this command (i.e., an output command) may cause the processing core to output information via the output bridge. The terms "input bridge" and "output bridge" are used herein to broadly refer to any and all connections in which a computing device can send and receive signals, respectively. In the following description and claims, the term "signal" refers to any channel that carries or carries information to or from the device, whether through a physical signal connection or not. Examples of non-physical signal channels include signals that can be picked up in a side-channel attack, such as a voltage pattern across a power line, changes in electromagnetic radiation, and security information that can be exposed to an attacker performing a conditional reset operation .

The command received via the input bridge is authenticated by dedicated authentication logic within the computing device. Authentication may be performed in parallel with execution by at least some of the processing cores of the program. If the processing core encounters an unauthenticated output instruction, the authentication logic inhibits the output bridge and delays the actual output of the signal until the current output instruction and all preceding instructions are authenticated. Thus, performance is maximized by avoiding delays in unnecessary execution while waiting for authentication while preventing unintended exposures of confidential information.

In one embodiment, the external device includes a non-secure memory device. And stores the signature corresponding to the block of memory data using the selected shared portion of memory capacity. The computing device receives data and each signature or signatures from the memory device and authenticates the signed block. The received data may be stored in the cache before or in parallel with the execution by the processing core, and re-fetching data from the external device occurs during a cache miss event. Instead of operating in a single block fetch-authentication cycle, the computing device operates in a mode in which a number of signatures are computed, stored and verified when fetching multiple data blocks. This mode of operation improves the efficiency of the computing device.

In another embodiment, the external device includes a secure memory device having a signature engine. A secure external device may share a secret key with the computing device, create and maintain a data signature, and send it to the computing device. The data signatures may be generated by computing a message digest via one or more (e.g., block-based) data items and / or address and / or control signals conveyed via the device interface. The secret key may be used as a seed to generate a pseudo-random sequence to be mixed with the message digest. Alternatively, the message digest may be encrypted with an appropriate secret key to generate a signature.

Alternative scheduling for sending data signatures to the computing device may be performed exclusively (i.e., as soon as the signature is created), periodically, on demand, or any other scheduling method, such as combining multiple scheduling methods to operate in parallel . The computing device receives the data and each signature from the memory device and uses the signature to authenticate the data. Similar to embodiments that use non-secure external memory devices, the received data may be stored in the cache before or in parallel with the execution by the processing core, and re-fetching data from the external device may be stored in the cache Occurs when a miss event occurs.

System Description

1 is a schematic block diagram illustrating a secure computing system 20 in accordance with one embodiment of the present invention. In the example of FIG. 1, secure computing device 24 communicates with secure external device 26 and non-secured external device 28. Each device 26 and 28 includes a respective memory 32A or 32B that stores data in a basic unit (alternatively referred to as a data block) referred to as a data item. The digital signatures calculated over the data items in the device 28 are stored in the memory 32B. The secure device 26 may similarly store the calculated signature (not shown in FIG. 1) across the data item in the memory 32A. Alternatively or additionally, the device 26 may generate a signature on the fly through a signal, such as data, address and / or control signals, communicated to the computing device 24, as described below. have.

In the following description and claims, the term "data item" refers to data stored in a memory device (e.g., device 26 or 28) and / or data stored in a secure memory device May refer to data, addresses, and / or control signals that are communicated between devices (e.g., device 24). The stored data items may include, for example, program instructions or data words. Additionally or alternatively stored data items may comprise a group of program instructions and / or data words.

The computing device 24 may process data items transmitted by the device 26 or 28 via each interface 36A or 36B. The device 24 receives the command via the input bridge 44 and executes each program.

In some embodiments, each external device 26 or 28 stores one or more data items and one or more digital signatures in each memory 36A or 36B. In some embodiments, the signatures at the external devices 26 and 28 are pre-computed and stored. Signatures can be computed over the entire set of data items or a subset thereof. For example, the signature may be computed to sign a group of data items containing subroutines of the computer program. Additionally or alternatively, the signature may be computed over a block of multiple data items of appropriate size. In some embodiments, all data items are signed using a single key. However, in an alternative embodiment, a subset of data items may be signed using a different key.

The key to calculate the signature can be a non-volatile memory (NVM), a one time programmable (OTP) NVM, an electric fuse burning, or a physical unpredictable function (Also referred to as a PUF, a function that can not be physically replicated), at computing device 24 and / or in secure external device 26 by various means known in the art Programmed or stored. In addition, the secure external device 26 can be configured to securely communicate with the secure computing device (e. G., The secure computing device) by programming each of the devices 24 and 26 with each appropriate shared key 42 in a secure environment or by applying a key exchange method known in the art 24). ≪ / RTI >

The device 26 may be coupled to a signature engine 40 that may generate signatures (on the fly) over program instructions, data, control signals, and / or address signals that pass through the interface 36A while communicating with the secure device 24. [ ). Alternatively or additionally, the signature engine 40 computes one or more signatures over the data items stored in the memory 32A. The signature generated by the engine 40 may be stored locally in the memory 32A and transmitted to the computing device 24 upon request or using any other suitable scheduling method.

In some embodiments, some or all of the data items stored in the external devices 26 and 28 are encrypted. In such an embodiment, the signature engine 40 may further comprise an encrypting cipher, and the device 24 may further comprise a decrypting cipher. The decryptor has a key (described below) that is appropriate for decrypting the encrypted data item before execution by the processing core 48.

The input bridge 44 functions as a bidirectional communication interface with the external devices 26 and 28 and communicates the receiving data item to the processing core 48. [ The processing core 48 generally coordinates the internal and I / O activity of the core, including the main CPU of the security system 20, possibly additional processors, and a bus master.

At the device 24, the signature engine 56 calculates the signature across the received data item (and / or other data, address, and / or control signal) to verify the authenticity of the data item. If the verification fails, the device 24 takes appropriate measures to prevent leakage or exposure of confidential information. The structure and function of the computing device 24 is described in detail below with reference to FIG.

In some embodiments, before computing the signature by the signature engine 56 or 40, the data to be signed is padded with a length that matches the appropriate input size specified in the signature calculation scheme in use.

2 is a schematic block diagram illustrating details of a secure computing system 20 in accordance with one embodiment of the present invention. In FIG. 2, the secure computing device 24 communicates with an external device represented as a module, referred to as a security system input 30. The security system input 30 may include, for example, the external device 26 or 28 of FIG. 1, a memory device, or any other appropriate source of data items and each signature. In the following detailed description, the terms "security system input" and "external device" may be used interchangeably.

The device 24 generates control and addressing signals routed through the input bridge 44 to access data stored in the memory of the external device. Processing core 48 generates control and addressing signals routed through input bridge 44 to read data items, such as program instructions, from external devices. The input bridge 44 receives the data item and forwards it to the processing core 48 for execution. In some embodiments, the data items are cached in the local cache memory 50 before (or in parallel with) the delivery to the processing core.

The received data items are also input to the authentication control logic 52 and to the signature engine 56. The logic 52 and the engine 56 may operate concurrently with the core 48 and asynchronously with the core. The authentication logic 52 additionally reads the original signature of the data item stored or generated in the external device by generating an appropriate control and addressing signal routed through the input bridge 44 to the external device. Alternatively, these signatures can be conveyed automatically to the input bridge 44 by the input 30 along with the data. Using the received data items and each key, engine 56 computes the signature of the data item and sends this signature to authentication logic 52 for verification. The authentication logic 52 verifies the authenticity and integrity of the received data item by looking for a match between the signature calculated by the engine 56 and the original signature. In some embodiments, the signature engine 56 computes a plurality of signatures (e.g., the signatures of a plurality of data items in a data block) and stores the signatures in the signature buffer 58. In this embodiment, the authentication logic 52 can identify all pending pending signatures in the buffer before inputting the subsequent data item (or block) at the input bridge 44. Alternative methods of identifying signatures are described further below.

Output bridge 60 connects processing core 48 to a security system output 64, also referred to as an output channel. The security system output 64 may include any address space in which write or read operations by the processing core 48 may expose security information directly or indirectly and any arbitrary address space that may receive signals from the output bridge 60. [ And other types of receivers. The device 24 may statically configure an address space corresponding to the security system output 64. Additionally or alternatively, the address space, or a portion thereof, can be dynamically changed in accordance with variations in the state and configuration of the security system 20. [

In the following description and claims, a data item or program instruction that is capable of generating a signal (which may be received or sensed by output 64) to an output bridge 60 at run time is referred to as an output instruction. In some embodiments, the processing core 48 signals the OUT REQUEST signal to the authentication logic 52 when executing the output command. Incidentally, when enabled, the response of the output bridge 60 to the output command is referred to as outputting a signal. Examples of output commands that may expose security information at runtime to the security system output 64 include,

비휘발성 메모리(NVM)에 및/또는 한번 프로그래밍가능한(OTP) 메모리에 기록하는 것.

Writing to non-volatile memory (NVM) and / or once-programmable (OTP) memory.

시스템 내 다른 칩, 메모리 디바이스, 또는 일반 목적 I/O(GPIO)와 같은 외부 디바이스에 신호를 기록하는 것.

Writing signals to other chips in a system, memory devices, or external devices such as general purpose I / O (GPIO).

로크-비트(lock-bit), 테스트 모드, 클록 구성, 및 리셋 레지스터(register)에 액세스하는 것.

Access to lock-bit, test mode, clock configuration, and reset register.

보안 가속기 모듈(즉, 전력 분석 또는 EMI(electro-magnetic interference) 분석과 같은 측면 채널 공격 기술을 사용하여 공격자에 비밀 정보 및 키를 노출시킬 수 있는 컴퓨팅 AES, SHA1, SHA256, RSA, 또는 ECC 값과 같은 보안 기능을 수행하는 모듈)의 제어 및/또는 구성 레지스터(register)에 액세스하는 것을 포함한다.

SHA1, SHA256, RSA, or ECC values that can expose confidential information and keys to an attacker using side-channel attack techniques such as security accelerator modules (ie, power analysis or electro-magnetic interference (E.g., a module that performs the same security functions) and / or a configuration register.

The input bridge 44 functions as an arbitrator between the authentication control logic 52 and the processing core 48. By default, the processing core 48 takes a higher priority and fetches data items from the external device 30. However, upon request (e.g., when in the authentication state, as shown in FIG. 3 below), the authentication logic 52 activates the STALL CORE INPUT signal at the input bridge 44, Or stall the fetching of a block of data items and read the signatures stored or generated externally in response to the input bridge 44. [ In some embodiments, the input of subsequent data blocks is prohibited until all data items in a previously fetched data block are authenticated. Additionally, the authorization logic 52 may inhibit access to the secure output 64 by stalling the output bridge 60 and activating the STALL OUTPUT signal. The use of this "STALL" function to prevent the functioning of the device 24, and specifically the exposure of security data, is further described below with reference to FIG.

While the signature verification technique described above compares the signature computed by the signature engine 56 with the signature received via the input bridge 44, the signature verification in an alternative embodiment is based on comparing the hash message digest can do. The algorithm for calculating signatures sometimes uses hashing and encryption functions.

In an exemplary embodiment, in which the computing device 24 communicates with the secure device 26, the signature corresponding to the particular data includes a message digest computed over this data using a hash function. The message digest may be computed over one or more data items and / or data, addresses, and / or control signals conveyed via interface 36A. The message digest may be calculated in the course of the process and kept up-to-date by the devices 24 and 26. The secure external device 26 may schedule the message digest signature and transmit it exclusively, periodically, or on demand to the secure computing device 24 upon request by the secure computing device 24. Upon receiving the updated message digest, the authentication control logic 52 compares the message digest computed by the device 26 with the message digest computed internally by the signature engine 56 over the received data, The authenticity of the data can be verified. The secret key 42 shared between the devices 24 and 26 may be used as a seed to generate a pseudo-random sequence to be mixed with the message digest data.

In an alternative embodiment, instead of blending a message digest with a sequence dependent on a secret key, the encryption algorithm encrypts the message digest using the secret key to generate a signature. The recipient (e. G., Secure computing device 24) receives the data and signature, decrypts the signature using each key to recover the original unencrypted message digest, and sends the message digest itself over the received message . If the original and recalculated message digests match, then the data can be assumed to be real. Examples of hash and cryptographic functions include, for example, Secure Hash Algorithm (SHA) SHA-1, and Advanced Encryption Algorithm (AES).

The configurations of computing device 24 and external devices 26 and 28 in Figures 1 and 2 are purely exemplary configurations selected to clarify concepts. In alternative embodiments, any other suitable configuration may be used. The different elements of computing device 24 and external devices 26 and 28 may be implemented using any suitable hardware, such as in an ASIC circuit (Application-Specific Integrated Circuit) or FPGA (Field-Programmable Gate Array). In some embodiments, some elements of the computing device and external device may be implemented using software, or using a combination of hardware and software elements. For example, in the present embodiment, the signature engine 56 and the authentication logic 52 may be implemented as dedicated hardware modules. As another example, signature computation and encryption / decryption functions may be implemented in hardware within signature engines 56 and 40, software that may be executed by processing core 48, or a combination of hardware and software.

In general, the processing core 48 in the computing device 24 includes at least one general purpose computer processor programmed with software to perform the functions described herein. The software may be downloaded to the computing device in electronic form, for example over a network, or the software may alternatively or additionally be provided to non-transitory tangible media such as magnetic, optical, or electronic memory and / / RTI >

3 is a diagram illustrating a secure state machine in accordance with one embodiment of the present invention. Some security aspects and modes of operation of the device 24 are derived from the limited transition rule among the three states and states of the state-machine. In the secure state 80, concurrently executed data items or commands, and all previously executed data items received via the input bridge 44, have already been confirmed as authentic by the authentication logic 52. The security state 80 is the only state (among the three states) in which the device 24 is allowed to access the security system output 64. While in state 80, device 24 is allowed to receive data items via input bridge 44. Upon receiving the data item, the state-machine transitions to the non-secure state 84.

While in the non-secure state 84, the authenticity of at least a portion of any newly received data item has not yet been ascertained, so that the device 24 is not allowed to access the secure system output 64. When the processing core 48 encounters an output command, the actual access to the output channel is delayed (i.e., the output of the signal by the output bridge 60 is delayed) until the output command is authenticated. However, while in the non-secure state 84, the processing core 48 may continue to process the neutral data item that does not request access to the security system output 64, even if the neutral data item has not yet been authenticated.

Transitioning from the non-secure state 84 to the authentication state 88 occurs when the authentication logic 52 receives the AUTHENTICATION REQUEST signal. While in the authentication state 88, the authentication logic 52 stalls receiving the data item at the input bridge 44 and takes the input bridge and reads the original signature from the external device 30. [ The authentication logic 52 compares the original signature with the signature computed by the signature engine 56 to authenticate the data. As described above, the authentication logic 52 may asynchronously authenticate the data item while the processing core 48 is executing the (possibly other) data item.

Multiple triggers may generate an AUTHENTICATION REQUEST signal to transition the state machine to the authentication state 88. [ Some exemplary triggers are given below:

처리 코어(48)가 보안 시스템 출력(64)에 액세스를 하려고 시도하고 디바이스가 보안 상태(80)에 있지 않을 때 OUT REQUEST 신호를 작동시키는 것.

The processing core 48 attempts to access the security system output 64 and activates the OUT REQUEST signal when the device is not in the secure state 80. [

 To operate the OUT REQUEST signal periodically, or to operate after a predefined timeout since the last visited authentication state (88).

검증을 위해 계류 중인 시그너처에 할당된 메모리 공간이 가득 차 있을 때. 다수의 계류 중인 시그너처를 검증하는 비보안 메모리를 갖는 예시적인 실시예는 아래에 더 설명된다.

When the memory space allocated to the pending signatures is full for verification. An exemplary embodiment with a non-secure memory verifying a number of pending signatures is further described below.

입력 브리지(44)가 전달 데이터 항목으로 차 있지 않아서, 인증 로직(52)이 입력 브리지를 통해 보안 입력 시스템 입력(30)에 저장된 시그너처를 검색할 수 있을 때.

When the input bridge 44 is not filled with the forwarded data item so that the authentication logic 52 can retrieve the signature stored in the secure input system input 30 via the input bridge.

When the data item is found to be true in state 88, the state-machine transitions back to secure state 80. Otherwise, the authentication is unsuccessful and the authentication logic 52 generates an alarm signal.

The device 24 can take several actions in response to the alarm signal to maintain a high security level. Exemplary operations that device 24 may take in response to an alarm signal include,

보안 환경을 리셋하는 것.

Resetting the security environment.

비밀 키와 같은 보안 데이터를 소거하는 것.

Clearing security data such as secret keys.

디바이스(24)가 데이터 항목의 처리/인증과 같은 모든 동작을 수행하는 것을 영구적으로 종료시켜, 입력 및 출력 브리지를 추가적으로 스톨시키는 것.

To permanently terminate the device 24 from performing all operations, such as processing / authentication of data items, and further stowing the input and output bridges.

응답 레벨은 인증 실패 이벤트의 수에 종속할 수 있다. 예를 들어, 보안 디바이스(24)는 인증 실패 이벤트의 미리 한정된 수를 인식한 후에 동작을 재시작하고, 추가적인 인증 실패가 발생하는 경우, 예를 들어, 모든 동작을 종료하거나 보안 정보를 삭제하는 것에 의해 보다 공격적으로 응답할 수 있다.

The response level may depend on the number of authentication failure events. For example, the secure device 24 may restart the operation after recognizing a predefined number of authentication failure events, and if an additional authentication failure occurs, e.g., by terminating all operations or deleting the security information You can respond more aggressively.

Now, an illustrative embodiment of the security system 20 is described, wherein the external device includes a non-secure memory device 28, such as a conventional non-volatile storage device. In this example, the memory device stores data items including computer program instructions (and possibly related data) that are executed by the secure computing device 24. [ The device 28 may allocate any suitable share portion of the storage capacity to store the signature. For example, 75% of storage capacity can be used for user data and 25% can be used for storing signatures. Signatures can be computed across blocks of data items (outside the memory device). For example, each 256-bit memory block may be signed with a 64-bit signature.

In this example, it is assumed that the secure device 24 has a cache memory 50 having a cache line size of 256 bits. The data items read via the input bridge 44 are stored in the cache before or in parallel with the transfer for processing by the processing core 48. [ At the cache miss event, the computing device 24 fetches the new data item into the cache. Executing program instructions by the processing core 48 and computing the signature by the signature engine 56 for each 256-bit block may be performed concurrently. The device 24 may store a plurality of the calculated signatures in the signature buffer 58 to perform a number of data fetches before actually performing the authenticity verification. At the AUTHENTICATION REQUEST, the processing core 48 is stopped and the authentication logic 52 reads each original signature from the external memory 28 and compares the original signature with the computed signature. After all pending computed signatures have been verified, processing core 48 resumes execution.

The configuration of the above-described embodiment is an exemplary configuration, and any other suitable configuration of the input and memory elements may alternatively be used. For example, different data block sizes and signature sizes may be applied. As another example, any suitable signature buffer size may be used. In the exemplary embodiment, a 32-bit signature is computed over a 128-bit data block. The data block may be cached in a cache memory having 128-bit cache lines, and up to five non-identified signatures may be stored in the 160-bit signature buffer.

The configuration of the state-machine described with reference to Figure 3 is an exemplary configuration that the inventor has found suitable for implementation. In alternative embodiments, any other suitable number of states and any appropriate transition rule between these states may be used.

4 is a schematic flow diagram illustrating a method of authentication that may be implemented in secure computing device 24 in accordance with one embodiment of the present invention. The method begins with the device 24 receiving a computer program instruction for execution by the processing core 48 in the code receiving step 100. [ Upon receiving an instruction via the input bridge 44, the device 24 transitions to the non-secure state 84. The device 24 checks whether the authentication request is pending at the request check step 104. [ If authentication is not required at step 104, processing core 48 executes the received program command at execution step 108. [ Otherwise, the device 24 proceeds to the authentication step 116 (described below).

While the execution of the command is being performed, the device 24 checks whether the processing core 48 is simultaneously executing a command requesting access to the neutral command or the security system output 64 in the command check step 112 . Device 24 is looped back to step 104 as long as processing core 48 is executing a neutral command. Otherwise, the processing core 48 may be seen as attempting to access the security system output 64 by executing an unauthenticated output command. The device 24 thus proceeds to the authentication step 116, where the device 24 transitions to the authentication state 88. [ In this state, the authentication control logic 52 stops execution of the processing core 48, inhibits the output bridge 60 by activating the STALL OUTPUT signal, and transmits the calculated signature as described above to the original signature The authentication confirmation is performed by comparing.

In the authentication verification step 120, the device 24 checks whether signature matching has been found in step 116. [ If the signatures match, the device 24 transitions from the secure state transition step 124 to the secure state 80, and the processing core 48 resumes execution. While in security state 80, device 24 is allowed to fetch program instructions from external memory and securely access security system output 64. [ If authentication fails at step 120, the authentication logic 52 generates an alarm signal at an alert step 132 and loops back to step 100 to fetch additional program instructions. The device 24 may respond to the alarm signal in a number of ways, as described above.

The device 24 checks whether the execution of all the fetched instructions is completed in the execution check step 128. [ If execution is complete, the device 24 loops back to step 100 to fetch the subsequent program instructions. Otherwise, the device 24 loops back to step 104 to check whether the authentication request is pending.

The method of FIG. 4 is illustrated and described herein by way of example, and alternative methods of achieving the objectives of the method are within the scope of the present invention. For example, instead of stopping the processing core at step 116, the core may continue to execute the neutral command and / or delay the actual access to the security system output 64 until the output command is authenticated.

While the embodiments described herein primarily deal with the authentication of data read from memory, the methods and systems described herein may be used in other applications that prevent computing devices from outputting sensitive information without permission.

It is understood that the above-described embodiments are mentioned by way of example and the present invention is not limited to what has been specifically described and shown herein. Rather, the scope of the present invention is not limited to the combinations and subcombinations of the various features described herein, and to the various modifications not otherwise known in the art, which may occur to those of ordinary skill in the art upon reading the above description And changes. Documents merged by reference in this patent application are not to be construed as limiting the present invention, except where the terms confined to these merged documents conflict with the definitions explicitly or implicitly made herein. It is considered to be included in the application in its entirety.

Claims (19)

As a computing device,
An input bridge coupled to receive a sequence of data items for use by the device executing the program;
Output bridge;
A processing core coupled to receive the data item from the input bridge and execute the program to output a signal in the output bridge in response to a given data item in the sequence; And
And authentication logic coupled to receive and authenticate the data item while the processing core is executing the program and to inhibit output of the signal by the output bridge until the given data item is authenticated. 2. The method of claim 1, wherein the data item comprises a program instruction, the given data item comprises an output instruction, and the processing core is adapted to execute the program by executing the program instruction comprising the output instruction Lt; / RTI > 2. The computing device of claim 1, wherein the authentication logic is configured to authenticate the data item asynchronously to executing the program by the processing core. 2. The method of claim 1, wherein the authentication logic is configured to authenticate the given data item after the given data item is used by the processing core to execute the program, And to delay the output of the signal by the bridge. 2. The method of claim 1, wherein the authentication logic is configured to calculate one or more digital signatures of the data item and to compare the calculated signature with each original signature received by the device via the input bridge Lt; / RTI > 6. The computing device of claim 5, wherein the authentication logic is configured to generate an alarm signal when at least one of the computed signatures does not match each of the original signatures. 6. The method of claim 5, wherein the input bridge is configured to receive the data item by receiving first and second blocks of data items, and receiving the second block is configured to receive the data item using the authentication logic, Wherein all of the data items in the block are authentic. As a secure computing method,
Receiving at the computing device via the input bridge a sequence of data items for use in executing a program by a processing core of a computing device;
Executing the program by the processing core to output a signal from the device in response to a given data item in the sequence; And
Authenticating the data item using the authentication logic while the processing core is executing the program, and prohibiting output of the signal until the given data item is authenticated. 9. The method of claim 8, wherein the data item comprises a program instruction, the given data item comprises an output instruction, and the executing the program comprises executing the program instruction comprising the output instruction. Secure computing method. 9. The security computing method of claim 8, wherein authenticating the data item comprises authenticating the data item asynchronously with executing the program by the processing core. 9. The method of claim 8, wherein authenticating the data item further comprises: authenticating the given data item after the given data item is used by the processing core to execute the program; and upon authentication of the given data item And delaying the output of the signal until a predetermined time elapses. 9. The method of claim 8, wherein authenticating the data item comprises calculating one or more digital signatures of the data item, and comparing the calculated signature with each original signature received by the device via the input bridge Lt; / RTI > 13. The method of claim 12, wherein authenticating the data item comprises generating an alarm signal when at least one of the computed signatures does not match each of the original signatures. 13. The method of claim 12, wherein receiving the sequence of data items comprises receiving first and second blocks of data items, and receiving the second block comprises receiving the sequence of data items And only after all data items have been authenticated. As a computing system,
An external device configured to provide a sequence of data items; And
A computing device,
The computing device includes:
An input bridge coupled to receive from the external device a sequence of data items for use by the computing device executing the program;
Output bridge;
A processing core coupled to receive the data item from the input bridge and execute the program to output a signal in the output bridge in response to a given data item in the sequence; And
And authentication logic coupled to receive and authenticate the data item while the processing core is executing the program and to inhibit output of the signal by the output bridge until the given data item is authenticated. . 16. The computing system of claim 15, wherein the external device comprises a memory device configured to store the data item and authentication information, the computing device further comprising a signature engine configured to generate at least a portion of the authentication information. . 16. The computing system of claim 15, wherein the external device comprises a secure memory device configured to generate at least a portion of the authentication information. 18. The method of claim 17, wherein the secure memory device is configured to generate authentication information in-progress with respect to at least a portion of the data item delivered to the computing device by the secure memory device, To authenticate the data item. 18. The computing system of claim 17, wherein the secure memory device comprises a non-volatile memory.

Images