KR102660863B1 - 구성 설정들의 안전한 서명 - Google Patents

구성 설정들의 안전한 서명 Download PDF

Info

Publication number
KR102660863B1
KR102660863B1 KR1020227044779A KR20227044779A KR102660863B1 KR 102660863 B1 KR102660863 B1 KR 102660863B1 KR 1020227044779 A KR1020227044779 A KR 1020227044779A KR 20227044779 A KR20227044779 A KR 20227044779A KR 102660863 B1 KR102660863 B1 KR 102660863B1
Authority
KR
South Korea
Prior art keywords
computing device
configuration settings
certificate
public key
bootloader
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
KR1020227044779A
Other languages
English (en)
Korean (ko)
Other versions
KR20230016195A (ko
Inventor
제노 에스. 코바
니콜라이 슐레
토마스 피. 멘쉬
웨이드 벤슨
제롤드 브이. 하욱
조쉬 피. 드 체사레
오스틴 쥐. 제닝스
존 제이. 동
로버트 씨. 그레이엄
자크 포티어
Original Assignee
애플 인크.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 애플 인크. filed Critical 애플 인크.
Publication of KR20230016195A publication Critical patent/KR20230016195A/ko
Application granted granted Critical
Publication of KR102660863B1 publication Critical patent/KR102660863B1/ko
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/4401Bootstrapping
    • G06F9/4406Loading of operating system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)
KR1020227044779A 2020-06-22 2021-06-18 구성 설정들의 안전한 서명 Active KR102660863B1 (ko)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US202063042050P 2020-06-22 2020-06-22
US63/042,050 2020-06-22
US17/092,030 2020-11-06
US17/092,030 US11822664B2 (en) 2020-06-22 2020-11-06 Securely signing configuration settings
PCT/US2021/038039 WO2021262545A1 (en) 2020-06-22 2021-06-18 Securely signing configuration settings

Publications (2)

Publication Number Publication Date
KR20230016195A KR20230016195A (ko) 2023-02-01
KR102660863B1 true KR102660863B1 (ko) 2024-04-29

Family

ID=79023572

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020227044779A Active KR102660863B1 (ko) 2020-06-22 2021-06-18 구성 설정들의 안전한 서명

Country Status (6)

Country Link
US (1) US11822664B2 (enExample)
EP (1) EP4168913B1 (enExample)
JP (1) JP7406013B2 (enExample)
KR (1) KR102660863B1 (enExample)
CN (1) CN115943610B (enExample)
WO (1) WO2021262545A1 (enExample)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11641363B2 (en) * 2019-01-14 2023-05-02 Qatar Foundation For Education, Science And Community Development Methods and systems for verifying the authenticity of a remote service
US11809876B2 (en) * 2021-04-29 2023-11-07 Dell Products L.P. Trusted platform module protection for non-volatile memory express (NVMe) recovery
US20230015697A1 (en) * 2021-07-13 2023-01-19 Citrix Systems, Inc. Application programming interface (api) authorization
US11748485B2 (en) * 2021-07-29 2023-09-05 Dell Products L.P. System and method for booting using HSM integrated chain of trust certificates
US12088696B2 (en) * 2021-10-27 2024-09-10 Salesforce, Inc. Protecting application private keys with remote and local security controllers and local MPC key generation
US20240265152A1 (en) * 2023-02-08 2024-08-08 Stmicroelectronics International N.V. Embedded secure circuit
US12574419B2 (en) 2024-01-29 2026-03-10 Dell Products L.P. Management of location-based security policies using out of band methods
US12490095B2 (en) 2024-01-29 2025-12-02 Dell Products L.P. Obtaining location data for data processing systems using out-of-band components
US12481493B2 (en) 2024-01-29 2025-11-25 Dell Products L.P. Managing out of band software updates
US12309022B1 (en) * 2024-01-29 2025-05-20 Dell Products L.P. Recovery of data processing systems using out-of-band methods
US12530470B2 (en) 2024-01-29 2026-01-20 Dell Products L.P. Policy implementation for data processing systems based on location data using out-of-band components
US12574411B2 (en) 2024-01-29 2026-03-10 Dell Products L.P. Transport layer security management using a management controller
CN119293832B (zh) * 2024-12-13 2025-04-01 湖北长江万润半导体技术有限公司 一种用于eMMC存储设备的数据加密方法与装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040193873A1 (en) 1999-12-10 2004-09-30 Paul England Client-side boot domains and boot rules
US20170373843A1 (en) 2015-06-05 2017-12-28 Apple Inc. Secure circuit for encryption key generation
US20180365427A1 (en) 2017-06-16 2018-12-20 International Business Machines Corporation Securing operating system configuration using hardware

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4612399B2 (ja) 2004-11-11 2011-01-12 日本電信電話株式会社 共同利用パソコンシステムの環境復元方法および共同利用パソコン
US7587595B2 (en) 2005-05-13 2009-09-08 Intel Corporation Method and apparatus for providing software-based security coprocessors
JP5305473B2 (ja) 2010-11-26 2013-10-02 Necインフロンティア株式会社 エラーコード出力装置及びエラーコード出力方法
US9158924B2 (en) 2011-05-25 2015-10-13 Panasonic Intellectual Property Management Co., Ltd. Information processing apparatus and information processing method
US9547778B1 (en) 2014-09-26 2017-01-17 Apple Inc. Secure public key acceleration
US10536271B1 (en) 2016-01-10 2020-01-14 Apple Inc. Silicon key attestation
EP3291504B1 (en) 2016-08-30 2020-03-11 Wacom Co., Ltd. Authentication and secure transmission of data between signature devices and host computers using transport layer security
US10992482B2 (en) * 2017-01-12 2021-04-27 Google Llc Verified boot and key rotation
JP2018117185A (ja) 2017-01-16 2018-07-26 キヤノン株式会社 情報処理装置、情報処理方法
US10417429B2 (en) 2017-06-02 2019-09-17 Apple Inc. Method and apparatus for boot variable protection
US11263326B2 (en) 2017-06-02 2022-03-01 Apple Inc. Method and apparatus for secure system boot
CN111149106B (zh) * 2017-08-11 2022-09-02 华为技术有限公司 使用多个设备证书进行密钥认证的设备和方法
US10057243B1 (en) 2017-11-30 2018-08-21 Mocana Corporation System and method for securing data transport between a non-IP endpoint device that is connected to a gateway device and a connected service

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040193873A1 (en) 1999-12-10 2004-09-30 Paul England Client-side boot domains and boot rules
US20170373843A1 (en) 2015-06-05 2017-12-28 Apple Inc. Secure circuit for encryption key generation
US20180365427A1 (en) 2017-06-16 2018-12-20 International Business Machines Corporation Securing operating system configuration using hardware

Also Published As

Publication number Publication date
WO2021262545A1 (en) 2021-12-30
US20210397716A1 (en) 2021-12-23
US11822664B2 (en) 2023-11-21
CN115943610B (zh) 2024-02-13
EP4168913B1 (en) 2024-02-28
CN115943610A (zh) 2023-04-07
JP7406013B2 (ja) 2023-12-26
JP2023530730A (ja) 2023-07-19
EP4168913A1 (en) 2023-04-26
KR20230016195A (ko) 2023-02-01

Similar Documents

Publication Publication Date Title
KR102660863B1 (ko) 구성 설정들의 안전한 서명
US20240078343A1 (en) Application Integrity Attestation
CN112262547B (zh) 具有安全单元以提供根信任服务的数据处理加速器
CN112262546B (zh) 用于数据处理加速器的密钥分配和交换的方法和系统
CN112236972B (zh) 用于导出会话密钥以确保主机系统和数据处理加速器之间的信息交换信道的方法和系统
JP5657811B2 (ja) ハードウェアベースセキュリティエンジンを用いるセキュアソフトウェアライセンシング及びプロビジョニング
US7986786B2 (en) Methods and systems for utilizing cryptographic functions of a cryptographic co-processor
CN112292678B (zh) 用于验证将要由主机系统的数据处理加速器执行的内核对象的方法与系统
TWI745629B (zh) 電腦系統以及初始化電腦系統的方法
JP2017033537A (ja) 外部不揮発性メモリに間接アクセスするセキュリティデバイス
CN112352220B (zh) 保护由数据处理加速器处理的数据的方法和系统
CN112262545B (zh) 主机系统与数据处理加速器之间的证明协议
CN112334902B (zh) 建立主机系统与数据处理加速器之间的安全信息交换信道的方法
CN112236772B (zh) 用于管理数据处理加速器的内存的方法和系统
CN112352242B (zh) 具有本地时间单元以生成时间戳的数据处理加速器
CN106156632A (zh) 安全装置及在其内提供安全服务至主机的方法、安全设备
US12008087B2 (en) Secure reduced power mode
US20250119273A1 (en) Device Managed Cryptographic Keys
US20250094602A1 (en) Silicon Key Exchange

Legal Events

Date Code Title Description
PA0105 International application

Patent event date: 20221220

Patent event code: PA01051R01D

Comment text: International Patent Application

PA0201 Request for examination
PG1501 Laying open of application
A302 Request for accelerated examination
PA0302 Request for accelerated examination

Patent event date: 20230801

Patent event code: PA03022R01D

Comment text: Request for Accelerated Examination

E902 Notification of reason for refusal
PE0902 Notice of grounds for rejection

Comment text: Notification of reason for refusal

Patent event date: 20231115

Patent event code: PE09021S01D

E701 Decision to grant or registration of patent right
PE0701 Decision of registration

Patent event code: PE07011S01D

Comment text: Decision to Grant Registration

Patent event date: 20240416

GRNT Written decision to grant
PR0701 Registration of establishment

Comment text: Registration of Establishment

Patent event date: 20240422

Patent event code: PR07011E01D

PR1002 Payment of registration fee

Payment date: 20240423

End annual number: 3

Start annual number: 1

PG1601 Publication of registration