WO2013026086A1 - Virtual zeroisation system and method - Google Patents
- Publication number: WO2013026086A1 (application PCT/AU2012/000966)
- Authority: WO, WIPO (PCT)
- Prior art keywords: data, key, key material, storage device, encrypted
Definitions
- This invention is in the field of information security, and more particularly relates to data encryption, data access control, encryption key storage, encryption key management, secure data storage, and data zeroisation.
- Zeroisation is the cryptographic operation of erasing from the memory of a device sensitive material such as electronically stored data, cryptographic keys, or other information to prevent disclosure of that information to a later user of the device.
- Zeroisation is generally accomplished by deleting or writing over the contents to prevent recovery of the original data.
- the memory can be overwritten with a meaningless value such as all zeros.
- automatic zeroisation may be initiated if tampering is detected. Such circumstances can place unusual demands on the hardware designer, e.g. the need for the device to perform zeroisation even in the absence of connection of the device to a power supply.
- a system for protecting data includes a data source which provides data to be encrypted, a key management system which provides key material, and a virtual zeroisation device which receives the data and the key material.
- the virtual zeroisation device includes an encryption unit for encrypting the data using the key material and a storage device for storing the key material and the encrypted data.
- the key material is first stored in the storage device.
- the encryption unit then encrypts the data using selected key material from the storage device. Once the data is encrypted, it is stored in the storage device to overwrite all of the selected key material.
- the key material is a one-time pad, for example, as generated by a quantum random number generator.
- a virtual zeroisation device includes an encryption unit adapted to be coupled to an external unit for receiving data to be encrypted and to receive key material for encrypting the data to provide encrypted data.
- the key material preferably a one-time pad, is stored in a storage device coupled to the encryption unit.
- the encryption unit encrypts the data using selected key material from the storage device, and then stores the encrypted data in the storage device to overwrite all of the selected key material.
- a method of securely protecting data includes the steps of storing one-time pad key material in a storage device, using the one-time pad key material to encrypt data to be protected, and then writing the encrypted data into the storage device in place of all of the one-time pad key material used to encrypt the data.
- Figure 1 illustrates a typical circumstance in which protection of data during operations is required
- Figure 2 is a block diagram of a preferred implementation of a virtual zeroisation device
- Figure 3 illustrates operation of the virtual zeroisation device shown in Figure 2;
- Figure 4 illustrates use of the virtual zeroisation device in conjunction with the circumstance of Figure 1;
- Figure 5 illustrates an example of how the virtual zeroisation device protects its stored data even if the device is in possession of an adversary.
- Figure 1 illustrates a typical data collection circumstance in which security of the data is important, and in which the data is vulnerable to compromise.
- an aircraft 20 flying a military mission collects data in a storage device 25, e.g. a solid state memory, a hard disk, or other device.
- This data may consist of video information, military target information, or similar information which is desired to remain secure.
- the aircraft flies its mission, the data is collected and stored in device 25.
- FIG. 1 illustrates a preferred implementation of our virtual zeroisation device, and the system within which it operates. As illustrated in the figure, the system includes a data source 100, a key management system 200, and a data consumer 300.
- the data source 100 consists of a sensor, camera, or other data collecting device mounted on the airplane, and if the data is being stored as it is collected, the storage device itself can become the data source.
- the data consumer can read the encrypted data from the storage device, or receive the encrypted data using any one of a number of mechanisms, including network communications, file transfer from an intermediate device, etc.
- the data storage device may be, but does not have to be, physically connected to the data consumer.
- the data consumer obtains key material from the key manager which it uses to decrypt, and then process, the data saved on the storage device.
- the virtual zeroisation device 400 is selectively connected to each of the data source 100, data consumer 300, and a key management system 200.
- the virtual zeroisation device 400 is not usually connected to all of these other components at the same time. Typically the connections made are preferably sequential.
- the virtual zeroisation device 400 is connected to key management system 200 enabling key material to be stored on device 400.
- the device 400 can then be connected to data source to collect the data and save the data as encrypted data on the virtual zeroisation device 400.
- the virtual zeroisation device 400 is optionally connected to the data consumer 300 enabling the data to be decrypted and analysed.
- the encrypted data may be read from the virtual zeroisation device 400 and transferred to the data consumer where the data is decrypted and analysed.
- the data consumer 300 is connected to the key management system 200 to get the key material for decryption.
- the connections among the various devices need not be direct physical connections; the connections may be made using any desired transmission medium.
- Each of the data source 100, data consumer 300, key management system 200, and virtual zeroisation device 400 communicates with the others through appropriate well-known interfaces and buffers. These are illustrated in the drawing as small rectangles where the connectors to each block are depicted.
- the key management system 200 provides encryption key material to both the data consumer 300 and the virtual zeroisation storage device 400 - although not necessarily at the same time. While this key material can be provided in different formats, e.g. as a one-time pad, or as a fixed length symmetric, or asymmetric wrapping key, in the preferred embodiment, we use "one-time pad" key material.
- a one-time pad is a type of encryption which is impossible to defeat if used correctly.
- One-time pads are said to be "information-theoretically secure" in that the encrypted message, that is the cipher text, provides no information about the original message to a cryptanalyst. Properly created and used one-time pads are secure even against adversaries with infinite computational power.
- each bit or character from the plain text is encrypted by a modular addition, e.g. an exclusive OR, with a bit or character from the secret random key (one-time pad) of the same length as the plaintext, thereby providing cipher text.
- Claude Shannon proved, using information theory considerations, that the one-time pad has a property of "perfect secrecy," that is, the cipher text gives absolutely no additional information about the plain text.
- the key management system 200 can be any type of device which provides encryption keys for use in encrypting data from the data source as will be described further below.
- the key management system provides keys in the form of a one-time pad which are used to encrypt and decrypt the data from the data source 100.
- This one-time pad key information can be provided using various techniques, however, in the preferred embodiment we employ quantum technology to generate truly random key material.
- One suitable approach for accomplishing this is to use the techniques described in our copending, commonly assigned patent application serial number PCT/AU2012/000390, filed April 16, 2012, and entitled "QKD Key Management System." The contents of this application are incorporated by reference herein, as well as being included as an appendix.
- the virtual zeroisation storage device 400 can be understood as including a virtual zeroisation control function 402 and a storage device 410.
- the storage device 410 can consist of any type of memory or storage device, e.g. a hard disk drive, a flash memory, etc.
- the virtual zeroisation control function 402 includes an external input/output interface 404, an encryption unit 406, an internal input/output interface 408, and various communication channels among these units and interfaces.
- the virtual zeroisation device 400 is initially configured by being loaded with the one-time pad key from the key management system 200.
- the key management system 200 has a key management system interface (illustrated as a small rectangle) through which the encryption key material, i.e. one-time pad, is transmitted both to the virtual zeroisation device 400 through the virtual zeroisation storage device interface and to the data consumer 300 via the data consumer interface.
- the external input/output function 404 passes one-time pad key material from the key management system 200 to the internal input/output function 408 via the bypass channel 418.
- the one-time pad key is stored in the storage device 410.
- the data source 100 e.g. a camera on the aircraft 20
- the virtual zeroisation storage device 400 receives the plain text data from the data source 100, passes it over plain text channel 414 to encryption unit 406.
- the internal input/output interface 408 passes one-time pad key material read from the storage device 410 via the storage channel 420 and the key input channel 422 to the encryption unit 406.
- the encryption unit encrypts the plain text data and stores it in storage device 410 as cipher text.
- the virtual zeroisation 402 operation causes key material read from the storage device 410 to be permanently erased from the storage device 410, thereby assuring that the key material can only be read once from the storage device 410, and is not recoverable from the virtual zeroisation storage device 400 after being read.
- the one-time pad key is not a persistent key. Unlike a persistent key, for example, a public key of a private-public key pair, it is unnecessary to preserve the one-time pad key for use in subsequent encryption operations. As the encryption process proceeds, the one-time pad key material is consumed, and need not be preserved. Writing the encrypted data back into the storage device over the one-time pad key enhances the security of the overall system by destroying the one-time pad key material essentially contemporaneously with its use for encryption.
- data from the virtual zeroisation device 400 is provided to the data consumer.
- the internal input/output function 408 passes cipher text read from the storage device 410 via the storage channel 420 to the external input/output 404 via the bypass channel 418. From there it is provided to the data consumer 300 where it is decrypted using the one-time pad key material previously provided to the data consumer 300. Note that the one-time pad key material does not need to be provided to the data consumer at the same time as it is provided to the storage device.
- the key management system can store the key material until the data consumer is ready to use it.
- data saved on the storage device is encrypted using an information theoretic cipher - the one-time pad - and that the key material used for the encryption cannot be recovered from the device. Further, because used key material is not recoverable, and because all stored data is information-theoretically securely encrypted, manually initiated zeroisation is not required. In addition, any unused key material remaining in the virtual zeroisation device 400 after use is of no value to an adversary - that key material never having been used. Thus, even if access to the device has been, or will be, compromised, anti-tamper functionality is not required.
- the invention also overcomes other disadvantages of prior art approaches. In many applications, practical problems prevent the use of one-time pads. To be maximally effective, the one-time pad requires perfect randomness. While the system described here can be implemented with key material having less than perfect randomness, the quantum key management system described in our co-pending patent application referenced above generates completely random keys.
- FIG. 3 illustrates the method of operation of the virtual zeroisation device 400 for storage and recovery of collected data.
- the virtual zeroisation storage device 400 is loaded with one-time key material from the key management system 200.
- Figure 3b illustrates that data collected by the data source 100 is written to the virtual zeroisation storage device 400. As the data is saved to the virtual zeroisation storage device 400, it is encrypted with the one-time pad key material. As the process of encryption continues, the key material used is erased from the virtual zeroisation storage device 400.
- Figure 3c illustrates that the data consumer 300 reads the collected data, as cipher text, from the virtual zeroisation storage device 400.
- the data consumer 300 uses the key material from the key management system 200, enabling the data consumer 300 to decrypt the cipher text and access the originally collected data.
- Figure 4 illustrates use of the virtual zeroisation device to protect data in the circumstances illustrated originally in Figure 1.
- the virtual zeroisation storage device 410 is first filled with one-time pad key material using the control unit within the virtual zeroisation device 400.
- data is collected on the mission, and is written to the storage device 410.
- this data is received, it is encrypted using the one-time pad material.
- the encrypted data in the storage device is decrypted by the data consumer 300, enabling appropriate analysis, e.g. by the data processing system.
- the mobile asset i.e. storage device 410
- the adversary can try to read the collected data in its cipher text form.
- the data is useless without the key material.
- the cipher text is protected by the information-theoretically secure one-time pad cipher, and because the key material used for the encryption cannot be recovered from the storage device, the collected data remains secure.
- the remaining unused key material which the adversary reads from the virtual zeroisation storage device 410 has not been used for any encryption, and therefore that key material is of no value to the adversary.
- any unused key material remaining on the device is of no value to an adversary, it is not necessary to equip the device with anti-tamper functionality.
- Figure 5 illustrates the method by which the data on the storage device 410 is protected from an adversary.
- the virtual zeroisation storage device 400 is loaded with one-time key material from the key management system 200.
- Figure 5c assumes the adversary 500 has control of the virtual zeroisation device 400, and reads the collected data (as cipher text), and the unused key material from the virtual zeroisation storage device 410. Because the cipher text is protected by the information-theoretic secure one-time pad cipher, and because the key material used for the encryption cannot be recovered from the virtual zeroisation storage device 400, the collected data remains secure. The remaining unused key material read from the virtual zeroisation storage device 400 has not been used for encryption, and therefore provides no value to the attacker 500.
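The store-then-overwrite sequence described above, modelled in Python as an added example (not code from the patent). The class and function names, the 64-byte capacity and the sample record are assumptions made for illustration; `pad_explaining` shows why captured cipher text alone does not single out a plaintext.

```python
import secrets


class VirtualZeroisationDevice:
    """Toy model of device 400: one buffer that holds pad, then cipher text."""

    def __init__(self, capacity):
        self.storage = bytearray(capacity)  # stands in for storage device 410
        self.used = 0                       # bytes [0, used) are cipher text
        self.loaded = False

    def load_key_material(self, pad):
        """Step 1: fill the storage device with one-time pad key material."""
        if len(pad) != len(self.storage):
            raise ValueError("pad must fill the storage device exactly")
        self.storage[:] = pad
        self.used = 0
        self.loaded = True

    def write(self, plaintext):
        """Step 2: encrypt with the next pad bytes and overwrite them in place."""
        if not self.loaded:
            raise RuntimeError("no key material loaded")
        end = self.used + len(plaintext)
        if end > len(self.storage):
            # Refuse rather than reuse pad bytes: reuse breaks the one-time pad.
            raise ValueError("not enough unused key material")
        for offset, byte in enumerate(plaintext, start=self.used):
            # Read the pad byte, XOR it, store the result at the same address,
            # so the pad byte stops existing on the device as it is consumed.
            self.storage[offset] ^= byte
        start, self.used = self.used, end
        return start, end

    def dump(self):
        """Everything a holder of the device can read: cipher text + unused pad."""
        return bytes(self.storage)


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def consumer_decrypt(dump, pad, start, end):
    """Data consumer 300: decrypts with its own copy of the pad from system 200."""
    return xor(dump[start:end], pad[start:end])


def pad_explaining(ciphertext, candidate):
    """The pad under which `ciphertext` would decrypt to `candidate`."""
    return xor(ciphertext, candidate)


def run_mission():
    pad = secrets.token_bytes(64)            # constructed pad; system 200 keeps a copy
    device = VirtualZeroisationDevice(len(pad))
    device.load_key_material(pad)
    record = b"frame 0001 alt=3120m hdg=274"  # constructed sample data
    start, end = device.write(record)
    captured = device.dump()                  # what a holder of the device reads
    return {
        "pad": pad,
        "record": record,
        "start": start,
        "end": end,
        "captured": captured,
        "recovered": consumer_decrypt(captured, pad, start, end),
    }


if __name__ == "__main__":
    r = run_mission()
    end = r["end"]
    print("consumer recovers record:", r["recovered"] == r["record"])
    print("used pad still on device:", r["captured"][:end] == r["pad"][:end])
    print("unused pad left on device:", len(r["captured"]) - end, "bytes")
    decoy = b"X" * end
    other_pad = pad_explaining(r["captured"][:end], decoy)
    print("cipher text also fits decoy:", xor(r["captured"][:end], other_pad) == decoy)
```

The property depends on the medium honouring the in-place overwrite: on flash storage with wear levelling, a logical overwrite can leave the old physical page, and with it the used pad bytes, readable.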
- This invention is in the field of information security, and relates in particular to cryptographic key generation, quantum key distribution, distributed key management, and redundant storage.
- the present invention provides a cryptographic key management system incorporating key generation, information theoretic secure key distribution, and redundant storage.
- the system provides efficient management and delivery of key material for a one-time pad cipher, as well as other conventional ciphers.
- the first system includes a random number generator, preferably operating in the quantum region, which provides bits representing random numbers.
- a quantum key distributor is coupled to the random number generator for receiving the bits representing random numbers and transmitting them to a second system.
- a quantum channel connects the quantum key distributor to the second node to enable transfer of the bits representing random numbers to the second node.
- the quantum channel operates in the quantum regime of light, allowing it to enable detection of interference with the quantum channel, e.g. by a third party attempting to compromise the information.
- a key storage in the first node stores encryption keys generated from the random numbers, and a key management system is coupled to the key storage for interfacing the first system with a system invoking the first system.
- the invention also enables a method of transmitting data securely between a first communications device coupled to a first encryption system and connected by a potentially unsecure channel to a second communications device which in turn is coupled to a second encryption system.
- the method includes steps of receiving data at the first communications device and obtaining a first key identifier and associated first key material from a key manager in the first encryption system. Then a step is performed of using the first key material to encrypt the data received at the first communications device to provide encrypted data. The encrypted data and the first key identifier are transmitted over the potentially unsecure channel to the second communications device.
- the first key identifier is extracted from the transmitted data. Then using the first key identifier, corresponding first key material is retrieved from the second encryption system. Using the first key material, the encrypted data is decrypted. Because the first encryption system communicates with the second encryption system over a quantum channel connecting a first quantum key distributor in the first encryption system with a second quantum key distributor in the second node, the transfer of bits representing the retrieved random number may be sent to the second node in a secure manner.
- the quantum channel operating in the quantum regime of light to enable detection of interference with the quantum channel.
- FIG. 1 is a block diagram of the quantum key distribution key management system
- Figure 2 is a more detailed block diagram of the key storage blocks shown in Figure 1;
- FIG. 3 is a block diagram of the key management blocks
- Figure 4 illustrates a technique for encrypting and authenticating data between two networks connected over an untrusted connection
- Figure 5 illustrates a technique for protecting data using a quantum key distribution system.
- FIG. 1 is a functional block diagram of a preferred embodiment of a quantum key distribution and key management system.
- the QKD key management system 100 consists of two nodes 102 and 112 which are coupled to server interfaces 120 and 126, respectively.
- the two nodes 102 and 112 are connected by communication channels - a quantum channel 140, a classical channel 138, a key management channel 136, and a key storage channel 150.
- the quantum channel 140 is a channel through which quantum states of light encoded with random bits are transmitted from node to node.
- the quantum channel is a conduit that facilitates the transport of light between the nodes. It may, for example, be an optical dark fibre link or a free-space connection.
- the classical channel 138 is a conventional communication channel, for example, as might be found in an Ethernet based local area network, a Wi-Fi link, a
- the key management channel 136 is also a conventional communication channel like that of channel 138, but one over which key management information is provided. Messages exchanged over the classical channel 138 and the key management channel 136 are protected by a Message Authentication Code (MAC) to ensure the integrity of messages between two nodes 102 and 112. These codes are also used to authenticate the identity of the sending node.
- a communications channel 150 is also provided between the key storage in node 102 and node 112. Messages over this channel are also authenticated using MACs.
- Node 102 includes a random bit generator (RBG) 110.
- the random bit source provides random bits for use as key material.
- Node 112 also includes a source of random bits 109. In some implementations of the invention, this source is used to generate key material.
- random bit generator 110 provides cryptographically strong random bits - knowledge of the current state of the RBG is insufficient to retrieve previously generated outputs, and observation of RBG outputs is insufficient to predict future outputs. Examples of a sufficiently secure random bit source are described in "A generator for unique quantum random numbers based on vacuum states," C. Gabriel, C. Wittmann, D. Sych, R. Dong, W. Mauerer, U. L. Andersen, C.
- Quantum key distribution (QKD) blocks 108 and 118 provide for quantum key distribution. Each block provides a quantum channel interface 128 and 132, and a classical channel interface 130 and 134.
- the quantum channel interface 128 on the transmitting node 102 is implemented as an electro-optical modulator that converts an electrical signal into an optical signal.
- the quantum channel interface 132 on the receiving node 112 is implemented as a photo-detector that converts an optical signal into an electrical signal.
- the classical channel interfaces 130 and 134 are system calls that relay data through the operating system's network stack onto network interface cards (NICs).
- Quantum key distribution 108 receives a stream of random bits from the random bit source 110.
- bits are encoded onto quadrature observables of the quantum states of light, and then transmitted to QKD node 118 over the optical quantum channel 140.
- the receiving QKD node 118 makes measurements of the quadrature observables of the received quantum states of light using homodyne detectors.
- the quantum channel 140 is characterised by analysing a subset of the data transmitted from QKD node 108 and received by QKD node 118.
- This subset consists of elements randomly selected using input from the random bit generator 109 - addressing information transmitted from node 118 to node 108 over the classical channel 138 enables node 108 to select an identical subset.
- This characterisation results in estimates of channel parameters: the attenuation of the signal, the variance of the signal and the noise added to the signal by its passage through the channel.
- Other parameters are pre-computed for a given set of hardware: the optical insertion loss at the receiving QKD node 118, the dark noise on the photodetectors at the receiving QKD node 118.
- Operational messages relating to these manipulations are transmitted over the classical channel 138. Messages on this channel are authenticated and integrity protected using message authentication codes. The messages may also be encrypted.
- the QKD nodes 108 and 118 produce information-theoretically secure key material which is transferred to the key storage facilities 106 and 116 in each node.
- Each key storage block 106 and 116 shown in Figure 1 provides storage for key material obtained from the respective QKD function blocks 108 and 118.
- Figure 2 is a functional block diagram illustrating these components in more detail.
- Each key storage block contains a database 202 and 222 which stores key material 204 and 224, and descriptive metadata 206 and 226 in a persistent manner.
- Key material arrives in the key storage block 106 and 116 from the QKD block 108 and 118. It is received by controlling software 200 and 220.
- the software components in each node coordinate their activities over a communications channel 150.
- the communications protocol ensures that the key material 204 and 224, and metadata 206 and 226, remain synchronised.
- the descriptive metadata 206 and 226 provides information about the volume and location of the stored key material.
- Key material is extracted from the key store when required by the key management blocks 104 and 114. Extraction requires the exchange of metadata over the communications channel 150 to keep both nodes synchronised. For an additional layer of data integrity assurance, the nodes exchange hashes of the extracted key material. Equality of these values reduces the probability of asymmetric data corruption.
- the key management blocks 104 and 114 shown in Figure 1 provide external clients with an interface to the key storage 106 and 116.
- Figure 3 is a functional block diagram illustrating the key management blocks 104 and 114 in more detail.
- Each key management block 104 and 114 controls two sets of keys: a first set 361 and 371 is used to protect and process, respectively, communications from block 104 to block 114, while the second set 381 and 351 is used to protect and process, respectively communications from block 114 to block 104.
- each set of keys resides in a discrete region of system memory.
- Each key management block contains a function 350 and 370 that retrieves fixed-size chunks of key material from the key storage 106 and 116.
- the key material is placed into a pool of available processing keys 352 and 372.
- Messages exchanged over the key management channel 136 cause corresponding keys to be placed in the protecting key pools 362 and 382.
- the causal relationship enforces the condition that every key available for protection is also available for processing.
- the client When external client software running on one node desires to protect (e.g: encrypt) a message to the peer node, the client requests a key identifier be assigned to it.
- the key management logic 104 and 1 14 assigns the first key identifier from the pool of available processing keys 362 and 372 and transmits the assignment to the peer node over the
- the sending node moves the assigned key to a pool of issued protection keys 363 and 373, while the receiving node moves the assigned key into a pool of issued processing keys 353 and 383.
- the sending client requests enough key material to protect its message from the chunk of key material associated with that identifier.
- the key management logic 104 and 114 removes the consumed key material from the material associated with the key identifier. The key is then moved into the pool of used protecting keys 364 and 374.
- External client software desiring to process e.g: decrypt
- a message must be in possession of a key identifier.
- the client passes this key identifier to the key management logic 104 and»l 14.
- the key management block searches for a matching key in the pool of issued processing keys 353 and 383 and the pool of available processing keys 352 and 382.
- the requested volume of key material is returned to the client and the key is passed into the pool of used decryption keys 354 and 384. These pools are monitored by the software 360 and 380 responsible for key reuse as discussed next.
- The system of our invention provides several advantages over prior art systems. For example, key material is jointly generated on both nodes and does not require subsequent replication. The distribution of raw key material and its transformation into secure key material is done in an information theoretically secure manner. The system efficiently manages and distributes key material for use with one-time pad ciphers as well as with conventional cipher algorithms.
- A first example concerns protecting data in transit between physically disparate nodes.
- The other example is of protecting data resident within a single node.
- Key data managed by the invention can be used to encrypt and authenticate data between two networks connected over an untrusted connection.
- Figure 4 illustrates how the invention provides this facility between two networks. Traffic from the first network 451 is routed into the red (secure) port 406 of a link encryptor 402. This port is implemented using an Ethernet card which is bridged to an Ethernet-level virtual network device 455.
- Traffic arriving on the virtual device 455 is read by software 454 running inside the link encryptor 402.
- This software 454 obtains a key identifier and associated key material from the key manager in node 102.
- The key material is used to encrypt the traffic, using either one-time pad or a traditional cipher algorithm.
- The ciphertext and the associated key identifier may be augmented with a message digest or other form of message authentication.
- The key identifier and any authentication information are transmitted from the link encryptor's (insecure) black port 410, which is connected to an untrusted network - the second network 441.
- The message is received by the (insecure) black port 414 of the peer link encryptor 404.
- Software 444 within the link encryptor 404 verifies the message against any included authentication tokens. It then extracts the key identifier and retrieves the indicated key material from the key management component 112. The key material is used to decrypt the enciphered traffic, producing plaintext.
- This text is injected into an Ethernet-level virtual network interface 445 which is bridged to the (secure) red port 408 of link encryptor 404. This results in the traffic from the first network arriving on the second network 441.
- The above method is bidirectional. Traffic from the second network 441 enters link encryptor 404 over the red port 408 and is bridged to a virtual Ethernet device 445.
- The traffic is encrypted using a key acquired from the QKD node 112.
- The enciphered traffic and a key identifier are transmitted from the black port 414 of link encryptor 404 over an untrusted network.
- The ciphertext arrives on the black port 410 of link encryptor 402 and is bridged through a virtual Ethernet device 454 to software.
- The software extracts the key identifier and retrieves the appropriate key material from the QKD node 102. This key material is used to decrypt the ciphertext and the resulting plaintext is then transmitted out of the red port 406 to the trusted network 451.
- Figure 5 illustrates a second example of how our system can be used to protect data residing in a storage medium such as a hard disk drive, disk array, tape drive, storage area network or similar facility.
- Data stored in the data storage system 502 is secured using cryptographic cipher algorithms.
- The necessary key material is extracted from a quantum key distribution node 112 and stored in a separate storage system 512.
- The quantum key management system uses a second QKD node 102 and an administrative link 520 to replicate the key material within a secondary storage system 528 which can be used for archival, redundancy, escrow or recovery purposes.
- The replication process is information-theoretically secure.
- The replication provides robust protection for the stored data. Because the cryptographic material necessary to access the data is stored in an external system 512, compromise of the system 502 does not necessarily compromise the protected data.
- Failure of system 512 does not render the protected data inaccessible because the cryptographic key material needed to retrieve the data may instead be sourced from the secondary system 528.
- The role of the key management system in this implementation is twofold. First, it assures that the key material replication at node 528 is secure. Second, it assures that the key material was created using the high quality entropy provided by the random bit generator within that node. A hypothetical eavesdropper cannot compromise the system by attacking the links 520, 138 and 140 because sensitive material is not transmitted across these links. In addition, the random bit generator within the node protects the system against predictive attacks that exploit inadequate entropy. Vulnerability to such attacks is a known problem in security systems.
- The data storage system 502 supports a data client interface 504 and a key management client interface 508, both of which facilitate communication over a classical network.
- The primary key storage system 512 supports a key server interface 510, a QKD client interface 514 and an administrative interface 518, all of which enable communication over a classical network.
- The secondary key storage system 528 also supports a key server interface 530, a QKD client interface 526 and an administrative interface 522, each of which connects the system to a classical network.
- The data storage system is connected to a secondary key storage system 528 by the secondary key server interface 530.
- Different operational modes utilise this interface in different ways.
- The secondary key server interface 530 can be closed to outside connections unless the primary key storage system 512 fails, in which case an administrator may open this interface to enable communication between the data storage system 502 and the key replication facility 528.
- The system could be configured to automatically failover to the secondary key storage system 528 in the event that the primary key storage system 512 fails.
- Key management client interface 508 connects to the key server interface 510 via a trusted communication channel 506. In event of the failure of the primary key storage system 512, it may instead connect to the key server interface 530 via a trusted communication channel 512. Note that depending on the mode of operation channel 512 may be established only as required.
- The key storage system 512 uses the quantum key distribution client interface 514 to connect to the server interface 126 of a QKD node 112 via a trusted communication channel 516.
- The secondary key storage system 528 uses its QKD client interface 526 to connect to the server interface 120 of a peer QKD node 102 via a trusted communication channel 524.
- The two key storage nodes exchange administrative information using interfaces 518 and 522 to a potentially untrusted channel 520.
- The client provides both database requests and identity authentication to system 502.
- The storage system 502 uses the key management client interface 508 to request a key identifier and associated key material from the primary key storage system 512.
- System 512 uses the QKD client interface 514 to obtain a key identifier and associated key material from the QKD node 102, via channel 516 and server interface 126.
- System 512 stores this key material, its key identifier, and the client identity. It then uses the administrative channel 520 to inform the secondary key storage system of the chosen key identifier/client identity.
- The secondary system 528 will then request the key material corresponding to this identifier from QKD node 102 via channel 524 and server interface 120. It also stores the relevant key material, key identifier and client identity.
- The data storage system 502 stores the data and protects it.
- The protection uses the key material obtained from the QKD node to perform one or more cryptographic operations such as encryption, message authentication, message digest, or digital signature.
- The key identifier is stored alongside the protected data, but the key material is not.
- Future access to the data requires using the key management client 508 and the stored key identifier to re-obtain the necessary key material to access the protected data.
- When requesting data, the data system 502 provides the required key identifier to the key storage 512, along with the identity of the client making the request.
- The key storage 512 will look up the key identifier/client combination, ensure that the client has the permissions required to access this key material and then send the key material to system 502. This will enable 502 to access the cryptographically protected data and fulfil the client request.
- The QKD key management system 100 ensures that key material requested from each QKD node 102 and 112 is consistent, replicated, and synchronised.
- The key stores 512 and 528 store identical key material and either may service requests for a particular key identifier.
- A system for providing secure distribution and coordinated access of random bits between a first node and a second node, the first node comprising:
- a quantum channel connecting the first node to the second node;
- a quantum key distributor connected to the quantum channel for distributing the generated random bits to the second node;
- a key storage system for storing the random bits that have been distributed between the two nodes, together with metadata indicative of the generated random bits distributed
- a key management system coupled to the key storage system, allowing external systems to access the random bits while keeping the two nodes synchronised.
- quantum channel comprises an optical quantum channel.
- A system as in claim 1 further including a classical channel coupling the first node to the second node.
- The system of claim 1 further including a key management channel coupled to the quantum key distributor for sending key management information to the second node.
- the key storage includes storage for encryption keys which have been generated using the bits representing random numbers.
- the key storage further includes storage for storing encryption keys after they have been used.
- the first node also communicates with the second node over a quantum channel connecting a first quantum key distributor in the first node with a second quantum key distributor in the second node to enable transfer of quantum states of light representing random bits to the second node, the quantum channel operating in the quantum regime of light to thereby enable detection of interference with the quantum channel.
- A system for securely moving data from one location to another exchanges key material between the locations.
- The system enables cryptosystems to use key material distributed over a quantum channel.
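The storage-protection flow described in the appendix excerpt above (data storage system 502, key stores 512 and 528), sketched in Python as an added example that is not code from the patent. The class and method names are hypothetical, `secrets.token_bytes` stands in for the key material the QKD nodes would supply, and automatic failover is the mode modelled.

```python
import hashlib
import secrets


def xor(data, key):
    """One-time pad step: combine data and key byte for byte."""
    return bytes(d ^ k for d, k in zip(data, key))


class KeyStore:
    """Stand-in for key storage system 512 (primary) or 528 (secondary)."""

    def __init__(self, name):
        self.name = name
        self.online = True
        self._records = {}  # key identifier -> (key material, client identity)

    def store(self, key_id, material, client_id):
        self._records[key_id] = (material, client_id)

    def digest(self, key_id):
        return hashlib.sha256(self._records[key_id][0]).hexdigest()

    def fetch(self, key_id, client_id):
        if not self.online:
            raise ConnectionError(f"{self.name} is unavailable")
        material, owner = self._records[key_id]
        # Look up the key identifier/client combination before releasing the key.
        if owner != client_id:
            raise PermissionError(f"{client_id} may not use key {key_id}")
        return material


class DataStorage:
    """Stand-in for data storage system 502."""

    def __init__(self, primary, secondary):
        self.primary = primary
        self.secondary = secondary
        self.rows = {}  # record name -> (key identifier, cipher text)
        self._next_key_id = 0

    def put(self, client_id, name, data):
        key_id = self._next_key_id
        self._next_key_id += 1
        # Assumption: in the text each store obtains this material from its own
        # QKD node; here one random string is handed to both stores.
        material = secrets.token_bytes(len(data))
        for store in (self.primary, self.secondary):
            store.store(key_id, material, client_id)
        # Compare hashes of both copies, modelled on the hash exchange the
        # nodes perform for extracted key material.
        if self.primary.digest(key_id) != self.secondary.digest(key_id):
            raise RuntimeError("key stores are out of sync")
        # Only the key identifier is kept beside the data, never the key.
        self.rows[name] = (key_id, xor(data, material))

    def get(self, client_id, name):
        key_id, ciphertext = self.rows[name]
        try:
            material = self.primary.fetch(key_id, client_id)
        except ConnectionError:
            # Primary failed: the replica services the same key identifier.
            material = self.secondary.fetch(key_id, client_id)
        return xor(ciphertext, material)


def demo():
    primary, secondary = KeyStore("512"), KeyStore("528")
    storage = DataStorage(primary, secondary)
    record = b"constructed sample record"  # constructed sample input
    storage.put("alice", "r1", record)
    results = {"normal": storage.get("alice", "r1") == record}
    try:
        storage.get("mallory", "r1")
        results["other_client_denied"] = False
    except PermissionError:
        results["other_client_denied"] = True
    primary.online = False
    results["failover"] = storage.get("alice", "r1") == record
    key_id, ciphertext = storage.rows["r1"]
    results["stored_row"] = (key_id, len(ciphertext))
    return results


if __name__ == "__main__":
    print(demo())
```

A permission failure is not treated as an outage, so a client refused by the primary is never retried against the secondary unless the primary is actually down.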
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Human Computer Interaction (AREA)
- Software Systems (AREA)
- Electromagnetism (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
A system for protecting data includes a virtual zeroisation device which receives data to be encrypted and key material for encrypting the data. The key material is stored in a storage device. As the encryption unit encrypts the data using the key material, the encrypted data is stored in the storage device and overwrites the key material.
Description
Virtual Zeroisation System and Method
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This patent application claims priority from U.S. Provisional Application Serial No. 61/525,624, filed August 19, 2012, entitled "Virtual Zeroisation," the contents of which are incorporated by reference herein.
BACKGROUND OF THE INVENTION
[0002] This invention is in the field of information security, and more particularly relates to data encryption, data access control, encryption key storage, encryption key management, secure data storage, and data zeroisation.
[0003] Zeroisation is the cryptographic operation of erasing from the memory of a device sensitive material such as electronically stored data, cryptographic keys, or other information to prevent disclosure of that information to a later user of the device. Zeroisation is generally accomplished by deleting or writing over the contents to prevent recovery of the original data. For example, the memory can be overwritten with a meaningless value such as all zeros. In tamper resistant hardware, automatic zeroisation may be initiated if tampering is detected. Such circumstances can place unusual demands on the hardware designer, e.g. the need for the device to perform zeroisation even in the absence of connection of the device to a power supply.
[0004] Also related to zeroisation are prior art techniques for protection of data. These include storage devices which use ciphers with fixed length keys to encrypt stored data. Such storage devices can be loaded with keys, either persistently, or dynamically. The keys themselves are reused for encryption and decryption operations on the device. Unfortunately, in the event of loss, theft, or compromise of the device, it is sometimes possible for an unauthorized party to recover the key.
[0005] Devices used in high security environments often employ some form of manually initiated zeroisation functionality, usually initiated by pressing a button, which erases the key material from the device when circumstances require it. Unfortunately this leaves the device vulnerable to human error, and may allow the stored confidential data to be accessed by an adversary.
SUMMARY OF THE INVENTION
[0006] We have developed a device and method of operation which protects confidential data on mobile data collection devices, even if those devices fall into an adversary's possession, and even if the devices have not been zeroised when they come into the possession of an adversary. Thus our technique avoids the need for manually initiated zeroisation, as well as any need for zeroisation in the event of a power failure.
[0007] We refer to the technique described here as virtual zeroisation. As data is collected by a mobile asset, our system virtually zeroises that information as it is written to a data storage device using an information-theoretically secure cipher. The system uses one-time key material with the cipher, and erases the key material as it is used, obviating the need for anti-tampering devices, as well as any form of manually or automatically initiated zeroisation functionality.
[0008] In a preferred embodiment a system for protecting data includes a data source which provides data to be encrypted, a key management system which provides key material, and a virtual zeroisation device which receives the data and the key material. The virtual zeroisation device includes an encryption unit for encrypting the data using the key material and a storage device for storing the key material and the encrypted data. In operation the key material is first stored in the storage device. The encryption unit then encrypts the data using selected key material from the storage device. Once the data is encrypted, it is stored in the storage device to overwrite all of the selected key material. Preferably the key material is a one-time pad, for example, as generated by a quantum random number generator.
[0009] In another preferred embodiment, a virtual zeroisation device includes an encryption unit adapted to be coupled to an external unit for receiving data to be encrypted and to receive key material for encrypting the data to provide encrypted data. The key material, preferably a one-time pad, is stored in a storage device coupled to the encryption unit. In operation the encryption unit encrypts the data using selected key material from the storage device, and then stores the encrypted data in the storage device to overwrite all of the selected key material.
[0010] A method of securely protecting data according to another embodiment of the invention includes the steps of storing one-time pad key material in a storage device, using the one-time pad key material to encrypt data to be protected, and then writing the encrypted data into the storage device in place of all of the one-time pad key material used to encrypt the data.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] Figure 1 illustrates a typical circumstance in which protection of data during operations is required;
[0012] Figure 2 is a block diagram of a preferred implementation of a virtual zeroisation device;
[0013] Figure 3 illustrates operation of the virtual zeroisation device shown in Figure 2;
[0014] Figure 4 illustrates use of the virtual zeroisation device in conjunction with the circumstance of Figure 1; and
[0015] Figure 5 illustrates an example of how the virtual zeroisation device protects its stored data even if the device is in possession of an adversary.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0016] Figure 1 illustrates a typical data collection circumstance in which security of the data is important, and in which the data is vulnerable to compromise. As shown, an aircraft 20 flying a military mission collects data in a storage device 25, e.g. a solid state memory, a hard disk, or other device. This data may consist of video information, military target information, or similar information which is desired to remain secure. As the aircraft flies its mission, the data is collected and stored in device 25.
[0017] As the aircraft flies it may transmit the data back to a base station, or the encrypted data may be stored on the aircraft as it performs its mission. If the data is stored on the aircraft, once the aircraft lands, the device can be removed from the aircraft and provided for analysis by an appropriate individual. As illustrated by the diagram, there are numerous opportunities for the data to be compromised. In particular, if the device 25 comes into possession of an adversary the data will not necessarily be protected, even if stored in encrypted form on the device 25.
[0018] Figure 2 illustrates a preferred implementation of our virtual zeroisation device, and the system within which it operates. As illustrated in the figure, the system includes a data source 100, a key management system 200, and a data consumer 300. With regard to the application described in Figure 1, the data source 100 consists of a sensor, camera, or other data collecting device mounted on the airplane, and if the data is being stored as it is collected, the storage device itself can become the data source. The data consumer can read the encrypted data from the storage device, or receive the encrypted data using any one of a number of mechanisms, including network communications, file transfer from an intermediate device, etc. The data storage device may be, but does not have to be, physically connected to the data consumer. The data consumer obtains key material from the key manager which it uses to decrypt, and then process, the data saved on the storage device.
[0019] The virtual zeroisation device 400 is selectively connected to each of the data source 100, data consumer 300, and a key management system 200. The virtual zeroisation device 400 is not usually connected to all of these other components at the same time. Typically the connections are made sequentially. Usually the virtual zeroisation device 400 is first connected to the key management system 200, enabling key material to be stored on device 400. The device 400 can then be connected to the data source to collect the data and save the data as encrypted data on the virtual zeroisation device 400. Once all of the desired data is encrypted and stored, the virtual zeroisation device 400 is optionally connected to the data consumer 300 enabling the data to be decrypted and analysed. Alternatively the encrypted data may be read from the virtual zeroisation device 400 and transferred to the data consumer where the data is decrypted and analysed. In either approach, the data consumer 300 is connected to the key management system 200 to get the key material for decryption. As mentioned above, the connections among the various devices need not be direct physical connections; the connections may be made using any desired transmission medium.
[0020] Each of the data source 100, data consumer 300, key management system 200, and virtual zeroisation device 400 communicates with the others through appropriate well-known interfaces and buffers. These are illustrated in the drawing as small rectangles where the connectors to each block are depicted.
[0021] The key management system 200 provides encryption key material to both the data consumer 300 and the virtual zeroisation storage device 400 - although not necessarily at the same time. While this key material can be provided in different formats, e.g. as a one-time pad, or as a fixed length symmetric, or asymmetric wrapping key, in the preferred embodiment, we use "one-time pad" key material.
[0022] A one-time pad is a type of encryption which is impossible to defeat if used correctly. One-time pads are said to be "information-theoretically secure" in that the encrypted message, that is the cipher text, provides no information about the original message to a cryptanalyst. Properly created and used one-time pads are secure even against adversaries with infinite computational power.
[0023] In a one-time pad each bit or character from the plain text is encrypted by a modular addition, e.g. an exclusive OR, with a bit or character from the secret random key (one-time pad) of the same length as the plaintext, thereby providing cipher text. Claude Shannon proved, using information theory considerations, that the one-time pad has a property of "perfect secrecy," that is, the cipher text gives absolutely no additional information about the plain text.
[0024] The key management system 200 can be any type of device which provides encryption keys for use in encrypting data from the data source as will be described further below. In a preferred embodiment, however, the key management system provides keys in the form of a one-time pad which are used to encrypt and decrypt the data from the data source 100. This one-time pad key information can be provided using various techniques, however, in the preferred embodiment we employ quantum technology to generate truly random key material. One suitable approach for accomplishing this is to use the techniques described in our copending, commonly assigned patent application serial number PCT/AU2012/000390, filed April 16, 2012, and entitled "QKD Key Management System." The contents of this application are incorporated by reference herein, as well as being included as an appendix.
[0025] In Figure 2, the virtual zeroisation storage device 400 can be understood as including a virtual zeroisation control function 402 and a storage device 410. The storage device 410 can consist of any type of memory or storage device, e.g. a hard disk drive, a flash memory, etc. The virtual zeroisation control function 402 includes an external input/output interface 404, an encryption unit 406, an internal input/output interface 408, and various communication channels among these units and interfaces.
[0026] The virtual zeroisation device 400 is initially configured by being loaded with the one-time pad key from the key management system 200. The key management system 200 has a key management system interface (illustrated as a small rectangle) through which the encryption key material, i.e. one-time pad, is transmitted to both the virtual zeroisation device 400 through the virtual zeroisation storage device interface and to the data consumer 300 via the data consumer interface. The external input/output function 404 passes one-time pad key material from the key management system 200 to the internal input/output function 408 via the bypass channel 418. In the virtual zeroisation device 400, the one-time pad key is stored in the storage device 410.
[0027] When the virtual zeroisation device is placed in operation, the data source 100 (e.g. a camera on the aircraft 20) transmits its "plain text" data through the data source interface to the virtual zeroisation storage device 400 via the virtual zeroisation storage device interface. The virtual zeroisation storage device 400 receives the plain text data from the data source 100 and passes it over plain text channel 414 to encryption unit 406. The internal input/output interface 408 passes one-time pad key material read from the storage device 410 via the storage channel 420 and the key input channel 422 to the encryption unit 406. Using the one-time pad key material, the encryption unit encrypts the plain text data and stores it in storage device 410 as cipher text. As the cipher text is stored in the storage device 410 it writes over the one-time pad key, thereby erasing it from the storage device 410. Thus the virtual zeroisation 402 operation causes key material read from the storage device 410 to be permanently erased from the storage device 410, thereby assuring that the key material can only be read once from the storage device 410, and is not recoverable from the virtual zeroisation storage device 400 after being read.
[0028] In addition to its enhanced security, among the particular advantages of the use of a one-time pad key in implementing the preferred embodiment of this invention is that the one-time pad key is not a persistent key. Unlike a persistent key, for example, a public key of a private-public key pair, it is unnecessary to preserve the one-time pad key for use in subsequent encryption operations. As the encryption process proceeds, the one-time pad key material is consumed, and need not be preserved. Writing the encrypted data back into the storage device over the one-time pad key enhances the security of the overall system by destroying the one-time pad key material essentially contemporaneously with its use for encryption.
[0029] Upon return from the mission, receipt of the data via transmission, or otherwise recovery of the virtual zeroisation device 400, data from the virtual zeroisation device 400 is provided to the data consumer. The internal input/output function 408 passes cipher text read from the storage device 410 via the storage channel 420 to the external input/output 404 via the bypass channel 418. From there it is provided to the data consumer 300 where it is decrypted using the one-time pad key material previously provided to the data consumer 300. Note that the one-time pad key material does not need to be provided to the data consumer at the same time as it is provided to the storage device. The key management system can store the key material until the data consumer is ready to use it.
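The load, encrypt-and-overwrite, and decrypt sequence of paragraphs [0026] to [0029], modelled in Python as an added example that is not code from the patent. The class and function names are hypothetical, `secrets.token_bytes` stands in for the key management system's quantum random source, and the model assumes that writing to a storage cell destroys the cell's previous contents.

```python
import secrets


class PadExhausted(Exception):
    """Raised when a write needs more unused pad than the device still holds."""


class VirtualZeroisationDevice:
    """Model of device 400: storage 410 starts as pad and fills with cipher text.

    Assumption of this model: writing to cell i destroys what cell i held.
    """

    def __init__(self, capacity):
        self.storage = bytearray(capacity)  # storage device 410
        self.loaded = 0  # pad bytes loaded by the key management system
        self.used = 0    # pad bytes consumed, equal to cipher text bytes held

    def load_pad(self, pad):
        if len(pad) > len(self.storage):
            raise ValueError("pad is larger than the storage device")
        self.storage[:len(pad)] = pad
        self.loaded = len(pad)
        self.used = 0

    def write(self, plaintext):
        end = self.used + len(plaintext)
        if end > self.loaded:
            # Refuse the whole write: never reuse pad, never store plain text.
            raise PadExhausted(
                f"need {len(plaintext)} bytes, {self.loaded - self.used} left")
        for offset, byte in enumerate(plaintext, start=self.used):
            # Read the key byte, XOR it with the data byte, and write the
            # cipher text byte back into the same cell, erasing the key byte.
            self.storage[offset] ^= byte
        self.used = end

    def read_ciphertext(self):
        return bytes(self.storage[:self.used])

    def dump(self):
        """Everything a party holding the device can read from storage."""
        return bytes(self.storage)


def consumer_decrypt(ciphertext, pad):
    """Data consumer 300: decrypt with its own copy of the pad."""
    if len(ciphertext) > len(pad):
        raise ValueError("cipher text is longer than the pad")
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


def run_mission():
    pad = secrets.token_bytes(64)  # copy retained by key management system 200
    device = VirtualZeroisationDevice(64)
    device.load_pad(pad)

    # Constructed sample records; every byte is non-zero ASCII.
    frames = [b"frame-0001 lat=-35.28 lon=149.13", b"frame-0002 target=none"]
    for frame in frames:
        device.write(frame)

    captured = device.dump()  # the device as read by whoever holds it
    n = device.used
    try:
        device.write(b"x" * 20)  # only 10 pad bytes remain
        overflow_refused = False
    except PadExhausted:
        overflow_refused = device.dump() == captured  # nothing was written

    return {
        "plaintext": b"".join(frames),
        "recovered": consumer_decrypt(device.read_ciphertext(), pad),
        "used": n,
        # No consumed key byte is still present at its original position.
        "used_key_survives": any(c == k for c, k in zip(captured[:n], pad[:n])),
        # The unused tail is still pad, but it never encrypted anything.
        "unused_key_intact": captured[n:] == pad[n:],
        "overflow_refused": overflow_refused,
    }


if __name__ == "__main__":
    print(run_mission())
```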
[0030] Among the advantages of the invention are that, in the preferred implementation, data saved on the storage device is encrypted using an information theoretic cipher - the one-time pad - and that the key material used for the encryption cannot be recovered from the device. Further, because used key material is not recoverable, and because all stored data is information-theoretically securely encrypted, manually initiated zeroisation is not required. In addition, any unused key material remaining in the virtual zeroisation device 400 after use is of no value to an adversary - that key material never having been used. Thus, even if access to the device has been, or will be, compromised, anti-tamper functionality is not required.
[0031] The invention also overcomes other disadvantages of prior art approaches. In many applications, practical problems prevent the use of one-time pads. To be maximally effective, the one-time pad requires perfect randomness. While the system described here can be implemented with key material having less than perfect randomness, the quantum key management system described in our co-pending patent application referenced above generates completely random keys.
[0032] A second issue regarding one-time pads is the need to use, and therefore, distribute the same key material to the encryption system (here the virtual zeroisation device) and to the decryption system (here the data consumer). This requires secure communication of the key material between the two systems, an aspect that our co-pending patent application referenced above, provides. In addition the system here provides assurance that almost instantaneously with its use, the key material stored in the encryption system does not become available to the adversary. Our system denies an adversary access to the key material on the virtual zeroisation device by erasing the one-time pad from the virtual zeroisation device 400 as the key material is used.
[0033] Figure 3 illustrates the method of operation of the virtual zeroisation device 400 for storage and recovery of collected data. In Figure 3a, the virtual zeroisation storage device 400 is loaded with one-time key material from the key management system 200.
[0034] Figure 3b illustrates that data collected by the data source 100 is written to the virtual zeroisation storage device 400. As the data is saved to the virtual zeroisation storage device 400, it is encrypted with the one-time pad key material. As the process of encryption continues, the key material used is erased from the virtual zeroisation storage device 400.
[0035] Figure 3c illustrates that the data consumer 300 reads the collected data, as cipher text, from the virtual zeroisation storage device 400.
[0036] In Figure 3d, the data consumer 300 uses the key material from the key management system 200, enabling the data consumer 300 to decrypt the cipher text and access the originally collected data.
[0037] Figure 4 illustrates use of the virtual zeroisation device to protect data in the circumstances illustrated originally in Figure 1. As described above, the virtual zeroisation storage device 410 is first filled with one-time pad key material using the control unit within the virtual zeroisation device 400. As the aircraft flight progresses, data is collected on the mission, and is written to the storage device 410. As this data is received, it is encrypted using the one-time pad material. Upon return of the mission (or transmission of the data by other means), the encrypted data in the storage device is decrypted by the data consumer 300, enabling appropriate analysis, e.g. by the data processing system.
[0038] If the mobile asset, i.e. storage device 410, is compromised during the mission, for example by coming under the control of an adversary, the adversary can try to read the collected data in its cipher text form. The data, however, is useless without the key material. Because the cipher text is protected by the information-theoretically secure one-time pad cipher, and because the key material used for the encryption cannot be recovered from the storage device, the collected data remains secure. The remaining unused key material which the adversary reads from the virtual zeroisation storage device 410 has not been used for any encryption, and therefore that key material is of no value to the adversary.
[0039] Among the advantages of the virtual zeroisation storage device over conventional storage devices, whether or not they used fixed length classical encryption, are that data saved on the storage device is encrypted using an information theoretic cipher - the one-time pad, and that the key material used for the encryption operation cannot itself be recovered from the device. A third advantage is that because the used key material is not recoverable and because all data is stored in an encrypted form, manually initiated zeroisation of the device is not necessary. Furthermore, because any unused key material remaining on the device is of no value to an adversary, it is not necessary to equip the device with anti-tamper functionality.
[0040] Figure 5 illustrates the method by which the data on the storage device 410 is protected from an adversary. As shown in Figure 5a, the virtual zeroisation storage device 400 is loaded with one-time key material from the key management system 200.
[0041] In Figure 5b, data collected by the data source 100 is written to the virtual zeroisation device 400. As plain text data is saved to the storage device within the virtual zeroisation device, it is encrypted with the one-time pad cipher. The key material used for encryption is erased from the storage device 410 as the cipher text data is stored in its place.
[0042] Figure 5c assumes the adversary 500 has control of the virtual zeroisation device 400, and reads the collected data (as cipher text), and the unused key material from the virtual zeroisation storage device 410. Because the cipher text is protected by the information-theoretic secure one-time pad cipher, and because the key material used for the encryption cannot be recovered from the virtual zeroisation storage device 400, the collected data remains secure. The remaining unused key material read from the virtual zeroisation storage device 400 has not been used for encryption, and therefore provides no value to the attacker 500.
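The store-and-erase cycle of Figures 5a to 5c, as an added Python example that is not part of the patent text: the class and function names are hypothetical, the storage device is modelled as a byte array (how a physical medium erases a cell is assumed, not modelled), and the sample records are constructed. key_explaining() shows why captured cipher text does not single out a plain text.

```python
import secrets


class VirtualZeroisationStore:
    """Toy model of storage device 410 (class and method names are hypothetical).

    The device is filled with one-time pad key material. Each plaintext byte
    written is XORed with the next unused key byte, and the resulting
    ciphertext byte is stored in that key byte's place, so used key material
    no longer exists on the device.
    """

    def __init__(self, key_material: bytes):
        self._cells = bytearray(key_material)  # the pad initially fills the device
        self._boundary = 0  # cells before this index hold ciphertext, the rest unused pad

    @property
    def unused(self) -> int:
        return len(self._cells) - self._boundary

    def write(self, plaintext: bytes) -> None:
        # Refuse instead of wrapping around: a reused pad byte breaks the cipher.
        if len(plaintext) > self.unused:
            raise ValueError("not enough unused key material")
        for byte in plaintext:
            self._cells[self._boundary] ^= byte  # ciphertext overwrites the key byte
            self._boundary += 1

    def ciphertext(self) -> bytes:
        """What the data consumer reads (Figures 3c and 5c)."""
        return bytes(self._cells[: self._boundary])

    def unused_key(self) -> bytes:
        """Pad that never encrypted anything; also readable by an adversary."""
        return bytes(self._cells[self._boundary:])


def consumer_decrypt(ciphertext: bytes, key_copy: bytes) -> bytes:
    """Data consumer 300: decrypt with its own copy of the pad (Figure 3d)."""
    if len(key_copy) < len(ciphertext):
        raise ValueError("key copy shorter than ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, key_copy))


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Pad under which `ciphertext` would decrypt to `candidate`.

    One exists for every candidate of the same length, which is why the
    ciphertext alone does not single out any plaintext.
    """
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))


def demo() -> dict:
    pad = secrets.token_bytes(64)          # stands in for key management system 200
    device = VirtualZeroisationStore(pad)  # Figure 5a: load key material
    records = [b"lat=-35.28;", b"lon=149.13;"]  # constructed sample data
    for record in records:                 # Figure 5b: encrypt while storing
        device.write(record)

    captured = device.ciphertext() + device.unused_key()  # Figure 5c: full device read
    used = len(device.ciphertext())
    decoy = b"lat=+00.00;lon=000.00;"      # same length as the real plaintext
    explained = consumer_decrypt(device.ciphertext(),
                                 key_explaining(device.ciphertext(), decoy))
    return {
        "recovered": consumer_decrypt(device.ciphertext(), pad),
        "used_pad_on_device": pad[:used] in captured,
        "decoy_fits": explained == decoy,
        "unused_matches_pad_tail": device.unused_key() == pad[used:],
    }


if __name__ == "__main__":
    print(demo())
```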
[0043] The preceding has been an explanation of a preferred embodiment of a virtual zeroisation device and method for protecting data in an information-theoretically secure manner. While a preferred embodiment of the system and method has been described, it will be understood that the scope of the invention is defined by the appended claims.
APPENDIX
QKD Key Management System
CROSS-REFERENCE TO RELATED APPLICATION
[0001] This application claims priority to U.S. Provisional Application 61/475,875, filed April 15, 2011, the contents of which are incorporated by reference.
BACKGROUND OF THE INVENTION
[0002] This invention is in the field of information security, and relates in particular to cryptographic key generation, quantum key distribution, distributed key management, and redundant storage.
[0003] Conventional key management systems first generate or import key material on one node before replicating the key material to a redundant or backup node. These systems use database or file backup or replication to move key material between nodes. These systems rely on computational security to protect key material transferred between nodes, and are unable to efficiently manage key material for use with the one-time pad cipher.
BRIEF SUMMARY OF THE INVENTION
[0004] The present invention provides a cryptographic key management system incorporating key generation, information theoretic secure key distribution, and redundant storage. The system provides efficient management and delivery of key material for a one-time pad cipher, as well as other conventional ciphers.
[0005] In a preferred embodiment we provide a system for secure transfer of data for creation of encryption keys from a first system to a second system. The first system includes a random number generator, preferably operating in the quantum region, which provides bits representing random numbers. A quantum key distributor is coupled to the random number generator for receiving the bits representing random numbers and transmitting them to a second system. A quantum channel connects the quantum key distributor to the second node to enable transfer of the bits representing random numbers to the second node. The quantum channel operates in the quantum regime of light, allowing it to enable detection of interference with the quantum channel, e.g. by a third party attempting to compromise the information. A key storage in the first node stores encryption keys generated from the random numbers, and a key management system is coupled to the key storage for interfacing the first system with a system invoking the first system.
[0006] The invention also enables a method of transmitting data securely between a first communications device coupled to a first encryption system and connected by a potentially unsecure channel to a second communications device which in turn is coupled to a second encryption system. Preferably the method includes steps of receiving data at the first communications device and obtaining a first key identifier and associated first key material from a key manager in the first encryption system. Then a step is performed of using the first key material to encrypt the data received at the first communications device to provide encrypted data. The encrypted data and the first key identifier are transmitted over the potentially unsecure channel to the second communications device.
[0007] At the second communications device, the first key identifier is extracted from the transmitted data. Then using the first key identifier, corresponding first key material is retrieved from the second encryption system. Using the first key material, the encrypted data is decrypted. Because the first encryption system communicates with the second encryption system over a quantum channel connecting a first quantum key distributor in the first encryption system with a second quantum key distributor in the second node, the transfer of bits representing the retrieved random number may be sent to the second node in a secure manner. The quantum channel operates in the quantum regime of light, which enables detection of interference with the quantum channel.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] Figure 1 is a block diagram of the quantum key distribution key management system;
[0009] Figure 2 is a more detailed block diagram of the key storage blocks shown in Figure 1;
[0010] Figure 3 is a block diagram of the key management blocks;
[0011] Figure 4 illustrates a technique for encrypting and authenticating data between two networks connected over an untrusted connection; and
[0012] Figure 5 illustrates a technique for protecting data using a quantum key distribution system.
DETAILED DESCRIPTION OF THE INVENTION
[0013] Figure 1 is a functional block diagram of a preferred embodiment of a quantum key distribution and key management system. The QKD key management system 100 consists of two nodes 102 and 112 which are coupled to server interfaces 120 and 126, respectively. The two nodes 102 and 112 are connected by communication channels - a quantum channel 140, a classical channel 138, a key management channel 136, and a key storage channel 150. The quantum channel 140 is a channel through which quantum states of light encoded with random bits are transmitted from node to node. The quantum channel is a conduit that facilitates the transport of light between the nodes. It may, for example, be an optical dark fibre link or a free-space connection. The classical channel 138 is a conventional communication channel, for example, as might be found in an Ethernet based local area network, a Wi-Fi link, a FibreChannel link, or similar communications channel. The key management channel 136 is also a conventional communication channel like that of channel 138, but one over which key management information is provided. Messages exchanged over the classical channel 138 and the key management channel 136 are protected by a Message Authentication Code (MAC) to ensure the integrity of messages between two nodes 102 and 112. These codes are also used to authenticate the identity of the sending node. A communications channel 150 is also provided between the key storage in node 102 and node 112. Messages over this channel are also authenticated using MACs.
[0014] Node 102 includes a random bit generator (RBG) 110. The random bit source provides random bits for use as key material. Node 112 also includes a source of random bits 109. In some implementations of the invention, this source is used to generate key material. In the preferred embodiment, random bit generator 110 provides cryptographically strong random bits - knowledge of the current state of the RBG is insufficient to retrieve previously generated outputs, and observation of RBG outputs is insufficient to predict future outputs. Examples of a sufficiently secure random bit source are described in "A generator for unique quantum random numbers based on vacuum states," C. Gabriel, C. Wittmann, D. Sych, R. Dong, W. Mauerer, U. L. Andersen, C. Marquardt and G. Leuchs, Nature Photonics, vol. 4, no. 10, pp. 711-715, 2010; and in "Real time demonstration of high bitrate quantum random number generation with coherent laser light," T. Symul, S. M. Assad and P. K. Lam, Appl. Phys. Lett. 98, 231103, 2011. The contents of each of these documents is incorporated by reference herein.
[0015] Quantum key distribution (QKD) blocks 108 and 118 provide for quantum key distribution. Each block provides a quantum channel interface 128 and 132, and a classical channel interface 130 and 134. The quantum channel interface 128 on the transmitting node 102 is implemented as an electro-optical modulator that converts an electrical signal into an optical signal. The quantum channel interface 132 on the receiving node 112 is implemented as a photo-detector that converts an optical signal into an electrical signal. The classical channel interfaces 130 and 134 are system calls that relay data through the operating system's network stack onto network interface cards (NICs). Quantum key distribution 108 receives a stream of random bits from the random bit source 110. These bits are encoded onto quadrature observables of the quantum states of light, and then transmitted to QKD node 118 over the optical quantum channel 140. The receiving QKD node 118 makes measurements of the quadrature observables of the received quantum states of light using homodyne detectors.
[0016] The quantum channel 140 is characterised by analysing a subset of the data transmitted from QKD node 108 and received by QKD node 118. This subset consists of elements randomly selected using input from the random bit generator 109 - addressing information transmitted from node 118 to node 108 over the classical channel 138 enables node 108 to select an identical subset. This characterisation results in estimates of channel parameters: the attenuation of the signal, the variance of the signal and the noise added to the signal by its passage through the channel. Other parameters are pre-computed for a given set of hardware: the optical insertion loss at the receiving QKD node 118, the dark noise on the photodetectors at the receiving QKD node 118. These parameters are used to compute an upper bound on the information available to any eavesdropper. This bound is used together with the mutual information between the two QKD nodes 108, 118 and the efficiency of the error correction algorithm (a precomputed value) in order to derive the informational advantage of the QKD nodes 108, 118 over possible eavesdroppers. This bound is used to drive a series of manipulations (post-selection, error correction and privacy amplification) of the shared key that results in a subset of the key about which no eavesdropper has information.
[0017] Operational messages relating to these manipulations (as well as to the earlier characterisation step) are transmitted over the classical channel 138. Messages on this channel are authenticated and integrity protected using message authentication codes. The messages may also be encrypted. The QKD nodes 108 and 118 produce information-theoretically secure key material which is transferred to the key storage facilities 106 and 116 in each node.
[0018] Our implementation of quantum key distribution builds on published theoretical and experimental work. See, e.g., "No-switching quantum key distribution using broadband modulated coherent light," A. M. Lance, T. Symul, V. Sharma, C. Weedbrook, T. C. Ralph and P. K. Lam, Phys. Rev. Lett. 95, 180503, 2005; "Experimental demonstration of post-selection-based continuous-variable quantum key distribution in the presence of Gaussian noise," T. Symul, D. A. Alton, S. M. Assad, A. M. Lance, C. Weedbrook, T. C. Ralph and P. K. Lam, Phys. Rev. 76 A (R), 030303, 2007; and "Quantum Cryptography Without Switching," C. Weedbrook, A. M. Lance, W. P. Bowen, T. Symul, T. C. Ralph and P. K. Lam, Phys. Rev. Lett. 93, 170504, 2004. The contents of each of these documents is incorporated by reference herein.
[0019] The key storage blocks 106 and 116 shown in Figure 1 provide storage for key material obtained from the respective QKD function blocks 108 and 118. Figure 2 is a functional block diagram illustrating these components in more detail. Each key storage block contains a database 202 and 222 which stores key material 204 and 224, and descriptive metadata 206 and 226 in a persistent manner. Key material arrives in the key storage block 106 and 116 from the QKD block 108 and 118. It is received by controlling software 200 and 220. The software components in each node coordinate their activities over a communications channel 150. The communications protocol ensures that the key material 204 and 224, and metadata 206 and 226, remain synchronised. The descriptive metadata 206 and 226 provides information about the volume and location of the stored key material.
[0020] Key material is extracted from the key store when required by the key management blocks 104 and 114. Extraction requires the exchange of metadata over the communications channel 150 to keep both nodes synchronised. For an additional layer of data integrity assurance, the nodes exchange hashes of the extracted key material. Equality of these values reduces the probability of asymmetric data corruption.
[0021] The key management blocks 104 and 114 shown in Figure 1 provide external clients with an interface to the key storage 106 and 116. Figure 3 is a functional block diagram illustrating the key management blocks 104 and 114 in more detail. Each key management block 104 and 114 controls two sets of keys: a first set 361 and 371 is used to protect and process, respectively, communications from block 104 to block 114, while the second set 381 and 351 is used to protect and process, respectively, communications from block 114 to block 104. Preferably each set of keys resides in a discrete region of system memory.
[0022] Each key management block contains a function 350 and 370 that retrieves fixed-size chunks of key material from the key storage 106 and 116. The key material is placed into a pool of available processing keys 352 and 372. Messages exchanged over the key management channel 136 cause corresponding keys to be placed in the protecting key pools 362 and 382. The causal relationship enforces the condition that every key available for protection is also available for processing.
[0023] When external client software running on one node desires to protect (e.g. encrypt) a message to the peer node, the client requests a key identifier be assigned to it. The key management logic 104 and 114 assigns the first key identifier from the pool of available processing keys 362 and 372 and transmits the assignment to the peer node over the communications channel 136. The sending node moves the assigned key to a pool of issued protection keys 363 and 373, while the receiving node moves the assigned key into a pool of issued processing keys 353 and 383. Upon each key entering a pool of issued keys 353, 363, 373 and 383, it is associated with an expiry time. Should the key not be removed from the pool before its expiry time is reached, the key is recycled as described below.
[0024] Once it has a key identifier, the sending client requests enough key material to protect its message from the chunk of key material associated with that identifier. The key management logic 104 and 114 removes the consumed key material from the material associated with the key identifier. The key is then moved into the pool of used protecting keys 364 and 374.
[0025] External client software desiring to process (e.g. decrypt) a message must be in possession of a key identifier. The client passes this key identifier to the key management logic 104 and 114. The key management block searches for a matching key in the pool of issued processing keys 353 and 383 and the pool of available processing keys 352 and 382. Synchronisation of the key generation process guarantees that the key is present in one of the two pools.
[0026] Once a matching key is found, the requested volume of key material is returned to the client and the key is passed into the pool of used decryption keys 354 and 384. These pools are monitored by the software 360 and 380 responsible for key reuse as discussed next.
[0027] of used keys to be reused. Such reuse prevents the waste of any unused portions of a chunk of key material. Given a fixed rate of key generation, this parsimony allows the system to support higher key request rates. Keys for reuse are drawn from the pools of used keys 354, 364, 374 and 384 and from issued keys 353, 363, 373 and 383 which have expired. Reuse is performed by replacing the consumed portion of the key with material drawn from the key storage 106 and 116. The key is then processed in the same manner as newly generated keys, that is, as described above.
[0028] The system of our invention provides several advantages over prior art systems. For example, key material is jointly generated on both nodes and does not require subsequent replication. The distribution of raw key material and its transformation into secure key material is done in an information theoretically secure manner. The system efficiently manages and distributes key material for use with one-time pad ciphers as well as with conventional cipher algorithms.
[0029] Next we describe two examples of use of the invention. A first example concerns protecting data in transit between physically disparate nodes. The other example is of protecting data resident within a single node.
[0030] Key data managed by the invention can be used to encrypt and authenticate data between two networks connected over an untrusted connection. Figure 4 illustrates how the invention provides this facility between two networks. Traffic from the first network 451 is routed into the red (secure) port 406 of a link encryptor 402. This port is implemented using an Ethernet card which is bridged to an Ethernet-level virtual network device 455.
[0031] Traffic arriving on the virtual device 455 is read by software 454 running inside the link encryptor 402. This software 454 obtains a key identifier and associated key material from the key manager in node 102. The key material is used to encrypt the traffic, using either one-time pad or a traditional cipher algorithm. The ciphertext and the associated key identifier may be augmented with a message digest or other form of message authentication. The ciphertext, the key identifier and any authentication information are transmitted from the link encryptor's (insecure) black port 410, which is connected to an untrusted network - the second network 441.
[0032] The message is received by the (insecure) black port 414 of the peer link encryptor 404. Software 444 within the link encryptor 404 verifies the message against any included authentication tokens. It then extracts the key identifier and retrieves the indicated key material from the key management component 112. The key material is used to decrypt the enciphered traffic, producing plaintext. This text is injected into an Ethernet-level virtual network interface 445 which is bridged to the (secure) red port 408 of link encryptor 404. This results in the traffic from the first network arriving on the second network 441.
[0033] The above method is bidirectional. Traffic from the second network 441 enters link encryptor 404 over the red port 408 and is bridged to a virtual Ethernet device 445. The traffic is encrypted using a key acquired from the QKD node 112. The enciphered traffic and a key identifier are transmitted from the black port 414 of link encryptor 404 over an untrusted network. The ciphertext arrives on the black port 410 of link encryptor 402 and is bridged through a virtual Ethernet device 454 to software. The software extracts the key identifier and retrieves the appropriate key material from the QKD node 102. This key material is used to decrypt the ciphertext and the resulting plaintext is then transmitted out of the red port 406 to the trusted network 451.
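The key-identifier exchange of paragraphs [0023] to [0026] and [0030] to [0032], as an added Python example that is not code from the patent: the names, the 64-byte chunk size and the use of HMAC-SHA256 (a computationally secure stand-in for the unspecified message authentication) are assumptions, and key expiry and reuse are left out. Key material is consumed only after the tag verifies, so a forged message does not use up the receiver's key.

```python
import hashlib
import hmac

CHUNK = 64     # assumed fixed chunk size, in bytes
MAC_KEY = 32   # assumed: key bytes set aside per message for the HMAC


class KeyManager:
    """One node's key pools for one traffic direction (names are hypothetical).

    Both nodes build this from identical key storage. The key identifier is
    the chunk's index, so sending it in the clear reveals no key material.
    """

    def __init__(self, key_storage: bytes):
        self.available = {i: key_storage[o:o + CHUNK]
                          for i, o in enumerate(range(0, len(key_storage), CHUNK))}
        self.issued = {}
        self.used = {}

    def assign(self) -> int:
        """Sender: issue the first available key identifier."""
        key_id = min(self.available)
        self.issued[key_id] = self.available.pop(key_id)
        return key_id

    def _pool(self, key_id: int) -> dict:
        # Search the issued pool first, then the available pool, as in [0025].
        for pool in (self.issued, self.available):
            if key_id in pool:
                return pool
        raise KeyError(f"key {key_id} is not available for processing")

    def peek(self, key_id: int, nbytes: int) -> bytes:
        """Return key material without changing any pool."""
        chunk = self._pool(key_id)[key_id]
        if nbytes > len(chunk):
            raise ValueError("message needs more key material than the chunk holds")
        return chunk[:nbytes]

    def consume(self, key_id: int, nbytes: int) -> None:
        """Drop the consumed bytes and move the key to the used pool."""
        self.used[key_id] = self._pool(key_id).pop(key_id)[nbytes:]


def _tag(mac_key: bytes, key_id: int, ciphertext: bytes) -> bytes:
    # Bind the tag to the key identifier as well as the ciphertext.
    return hmac.new(mac_key, key_id.to_bytes(4, "big") + ciphertext,
                    hashlib.sha256).digest()


def protect(km: KeyManager, plaintext: bytes):
    """Sending link encryptor: returns (key_id, ciphertext, tag)."""
    key_id = km.assign()
    need = len(plaintext) + MAC_KEY
    material = km.peek(key_id, need)
    km.consume(key_id, need)
    pad, mac_key = material[:len(plaintext)], material[len(plaintext):]
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    return key_id, ciphertext, _tag(mac_key, key_id, ciphertext)


def process(km: KeyManager, key_id: int, ciphertext: bytes, tag: bytes) -> bytes:
    """Receiving link encryptor: verify, then consume the key and decrypt."""
    need = len(ciphertext) + MAC_KEY
    material = km.peek(key_id, need)  # KeyError if the key was already used
    pad, mac_key = material[:len(ciphertext)], material[len(ciphertext):]
    if not hmac.compare_digest(tag, _tag(mac_key, key_id, ciphertext)):
        raise ValueError("authentication failed")  # key is left untouched
    km.consume(key_id, need)
    return bytes(c ^ k for c, k in zip(ciphertext, pad))
```

In this model a replayed message fails with KeyError, because the receiver has already moved that key identifier to its used pool.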
[0034] Figure 5 illustrates a second example of how our system can be used to protect data residing in a storage medium such as a hard disk drive, disk array, tape drive, storage area network or similar facility. Data stored in the data storage system 502 is secured using cryptographic cipher algorithms. The necessary key material is extracted from a quantum key distribution node 112 and stored in a separate storage system 512. The quantum key management system uses a second QKD node 102 and an administrative link 520 to replicate the key material within a secondary storage system 528 which can be used for archival, redundancy, escrow or recovery purposes. The replication process is information-theoretically secure.
[0035] The replication provides robust protection for the stored data. Because the cryptographic material necessary to access the data is stored in an external system 512, compromise of the system 502 does not necessarily compromise the protected data. Furthermore, failure of system 512 does not render the protected data inaccessible because the cryptographic key material needed to retrieve the data may instead be sourced from the secondary system 528. The role of the key management system in this implementation is twofold. First, it assures that the key material replication at node 528 is secure. Second, it assures that the key material was created using the high quality entropy provided by the random bit generator within that node. A hypothetical eavesdropper cannot compromise the system by attacking the links 520, 138 and 140 because sensitive material is not transmitted across these links. In addition, the random bit generator within the node protects the system against predictive attacks that exploit inadequate entropy. Vulnerability to such attacks is a known problem in security systems.
[0036] The data storage system 502 supports a data client interface 504 and a key management client interface 508, both of which facilitate communication over a classical network. The primary key storage system 512 supports a key server interface 510, a QKD client interface 514 and an administrative interface 518, all of which enable communication over a classical network. The secondary key storage system 528 also supports a key server interface 530, a QKD client interface 526 and an administrative interface 522, each of which connects the system to a classical network.
[0037] The data storage system is connected to a secondary key storage system 528 by the secondary key server interface 530. Different operational modes utilise this interface in different ways. For example, the secondary key server interface 530 can be closed to outside connections unless the primary key storage system 512 fails, in which case an administrator may open this interface to enable communication between the data storage system 502 and the key replication facility 528. Alternatively, the system could be configured to automatically failover to the secondary key storage system 528 in the event that the primary key storage system 512 fails.
[0038] Key management client interface 508 connects to the key server interface 510 via a trusted communication channel 506. In the event of the failure of the primary key storage system 512, it may instead connect to the key server interface 530 via a trusted communication channel 512. Note that depending on the mode of operation channel 512 may be established only as required.
[0039] The key storage system 512 uses the quantum key distribution client interface 514 to connect to the server interface 126 of a QKD node 112 via a trusted communication channel 516. The secondary key storage system 528 uses its QKD client interface 526 to connect to the server interface 120 of a peer QKD node 102 via a trusted communication channel 524. The two key storage nodes exchange administrative information using interfaces 518 and 522 to a potentially untrusted channel 520.
[0040] Data enters and leaves the data storage system 502 through a client interface 504. The client provides both database requests and identity authentication to system 502. When storing data, the storage system 502 uses the key management client interface 508 to request a key identifier and associated key material from the primary key storage system 512. In turn, system 512 uses the QKD client interface 514 to obtain a key identifier and associated key material from the QKD node 102, via channel 516 and server interface 126. System 512 stores this key material, its key identifier, and the client identity. It then uses the administrative channel 520 to inform the secondary key storage system of the chosen key identifier/client identity. The secondary system 528 will then request the key material corresponding to this identifier from QKD node 102 via channel 524 and server interface 120. It also stores the relevant key material, key identifier and client identity.
[0041] Internally, the data storage system 502 stores the data and protects it. The protection uses the key material obtained from the QKD node to perform one or more cryptographic operations such as encryption, message authentication, message digest, or digital signature. The key identifier is stored alongside the protected data, but the key material is not. Thus, future access to the data requires using the key management client 508 and the stored key identifier to re-obtain the necessary key material to access the protected data.
[0042] When requesting data, the data system 502 provides the required key identifier to the key storage 512, along with the identity of the client making the request. The key storage 512 will look up the key identifier/client combination, ensure that the client has the permissions required to access this key material and then send the key material to system 502. This will enable 502 to access the cryptographically protected data and fulfil the client request. The QKD key management system 100 ensures that key material requested from each QKD node 102 and 112 is consistent, replicated, and synchronised. Thus, the key stores 512 and 528 store identical key material and either may service requests for a particular key identifier.
[0043] The preceding has been a description of preferred embodiments of the invention. It should be appreciated that various implementation details have been provided to enable a better understanding of the invention whose scope is set forth in the appended claims.
We claim:
1. A system for providing secure distribution and coordinated access of random bits between a first node and a second node, the first node comprising:
a non-deterministic random bit generator for generating cryptographically strong random bits;
a quantum channel connecting the first node to the second node;
a quantum key distributor connected to the quantum channel for distributing the generated random bits to the second node;
a key storage system for storing the random bits that have been distributed between the two nodes, together with metadata indicative of the generated random bits distributed; and
a key management system coupled to the key storage system, allowing external systems to access the random bits while keeping the two nodes synchronised.
2. A system as in claim 1 wherein the quantum channel conveys a stream of quantum states representing the random bits from the first node to the second node.
3. A system as in claim 1 wherein the random bits are encoded onto quadrature observables of the quantum states of light and then transmitted to the second node over the quantum channel.
4. A system as in claim 3 wherein the quantum channel comprises an optical quantum channel.
5. A system as in claim 2 wherein the stream of quantum states is interpreted by the second node as the generated random bits.
6. A system as in claim 1 further including a classical channel coupling the first node to the second node.
7. A system as in claim 6 wherein the classical channel provides authenticated communication between the first node and the second node.
8. A system as in claim 7 wherein the classical channel enables recovery of synchronised random bits from noise in the quantum channel.
9. A system as in claim 8 wherein the classical channel further maintains synchronisation between the key management system in the first node and a corresponding key management system in the second node.
10. The system of claim 1 further including a key management channel coupled to the quantum key distributor for sending key management information to the second node.
11. The system of claim 10 wherein the key storage includes storage for encryption keys which have been generated using the bits representing random numbers.
12. The system of claim 11 wherein the key storage further includes storage for storing encryption keys after they have been used.
13. A method of transmitting data securely between a first communications device coupled to a first node and connected by a potentially unsecure channel to a second communications device which is coupled to a second node, the method comprising:
receiving data at the first communications device;
obtaining a first key identifier and associated first key material from a key manager in the first node;
using the first key material, encrypting the data received at the first communications device to provide encrypted data;
sending the encrypted data and the first key identifier over the potentially unsecure channel to the second communications device;
at the second communications device, extracting the first key identifier;
using the first key identifier, retrieving corresponding first key material from the second node;
decrypting the encrypted data using the first key material; and
wherein the first node also communicates with the second node over a quantum channel connecting a first quantum key distributor in the first node with a second quantum key distributor in the second node to enable transfer of quantum states of light representing random bits to the second node, the quantum channel operating in the quantum regime of light to thereby enable detection of interference with the quantum channel.
APPENDIX
ABSTRACT OF THE DISCLOSURE
A system for securely moving data from one location to another exchanges key material between the locations. The system enables cryptosystems to use key material distributed over a quantum channel.
Claims
1. A system comprising:
a data source for providing data to be encrypted;
a key management system for providing key material to encrypt the data to be encrypted;
a virtual zeroisation device adapted to receive the data to be encrypted from the data source and to receive the key material, the virtual zeroisation device including:
an encryption unit adapted to be coupled to the data source for encrypting the data to be encrypted using the key material;
a storage device adapted to be coupled to the encryption unit and to the key management system; and wherein:
the key material is stored in the storage device, and
the encryption unit encrypts the data to be encrypted to thereby create encrypted data by using selected key material from the storage device; and
the encrypted data is stored in the storage device and overwrites the selected key material.
2. A system as in claim 1 wherein the key material comprises a one-time pad.
3. A system as in claim 1 further comprising:
a data consumer unit adapted to be coupled to the key management system and adapted to be coupled to at least the storage device; wherein:
the key material from the key management system is provided to the data consumer, the key material provided to the data consumer corresponding to the key material stored in the storage device to thereby provide corresponding key material; and
the corresponding key material is used by the data consumer to decrypt the encrypted data stored in the storage device.
4. A system as in claim 3 wherein the key material comprises a one-time pad.
5. A system as in claim 1 wherein a virtual zeroisation device further comprises:
an external input/output unit coupled to the encryption unit and adapted to be coupled to the data source;
an internal input/output unit coupled to the encryption unit and adapted to be coupled to the storage device;
a bypass channel coupled between the external input/output unit and the internal input/output unit; and
wherein the key material is provided by the key management system to the external input/output unit, and then using the bypass channel to the internal input/output unit for storage in the storage device.
6. A system as in claim 5 wherein when the encryption unit operates to encrypt the data to be encrypted and the key material is provided from the key management system through the internal input/output unit to the encryption unit.
7. A system as in claim 6 wherein the encrypted data is provided from the encryption unit to the internal input/output unit for storage in the storage device.
8. A virtual zeroisation device comprising:
an encryption unit adapted to be coupled to an external unit for receiving data to be encrypted, for receiving key material for encrypting the data to be encrypted, and for providing encrypted data;
a storage device coupled to the encryption unit for storing the key material and the encrypted data; and wherein:
the encryption unit encrypts the data to be encrypted using selected key material from the storage device to thereby provide encrypted data; and
the encrypted data is stored in the storage device and overwrites the selected key material.
9. A virtual zeroisation device as in claim 8 wherein the key material comprises a one-time pad.
10. A virtual zeroisation device as in claim 8 wherein:
the key material is also provided to another unit, and
the encrypted data stored in the storage device is provided to the another unit where it is decrypted using the key material.
11. A virtual zeroisation device as in claim 8 further comprising:
an external input/output unit coupled to the encryption unit;
an internal input/output unit coupled between the encryption unit and the storage device;
a bypass channel coupled between the external input/output unit and the internal input/output unit; and
wherein the key material is provided to the external input/output unit, and then using the bypass channel to the internal input/output unit for storage in the storage device.
12. A virtual zeroisation device as in claim 11 wherein when the encryption unit operates to encrypt the data to be encrypted, and the key material is provided from the storage device through the internal input/output unit to the encryption unit.
13. A virtual zeroisation device as in claim 12 wherein the encrypted data is provided from the encryption unit to the internal input/output unit for storage in the storage device.
14. A method of securely protecting data comprising:
storing one-time pad key material in a storage device;
using the one-time pad key material to encrypt data to be protected to thereby create encrypted data; and
writing the encrypted data into the storage device in place of all of the one-time pad key material used to encrypt the data to be protected.
15. A method as in claim 14 wherein the storage device comprises a memory device.
16. A method as in claim 14 wherein the one-time pad key material comprises a series of random bits generated by a quantum generator.
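The method of claims 14 to 16, as an added Python sketch that is not part of the patent text: a storage model is preloaded with one-time pad bytes, each write XORs the data into the next unused pad bytes in place, and a consumer holding the corresponding pad decrypts. The class and function names, the sequential pad cursor and the read guard are assumptions of this example, and `secrets.token_bytes` stands in for the key management system.

```python
import secrets


class PadExhausted(Exception):
    """Raised when less unused pad remains than the data to be stored."""


class VirtualZeroisationStore:
    """Model of the storage device: preloaded with pad, pad is consumed by writes."""

    def __init__(self, pad: bytes):
        self._cells = bytearray(pad)  # device starts out holding only key material
        self._next = 0                # index of the first pad byte not yet consumed

    def unused_pad(self) -> int:
        return len(self._cells) - self._next

    def write(self, data: bytes) -> tuple:
        """Encrypt data with the next pad bytes and store it over those bytes."""
        if len(data) > self.unused_pad():
            raise PadExhausted(f"need {len(data)} bytes, {self.unused_pad()} left")
        offset = self._next
        for i, byte in enumerate(data):
            # XOR in place: the cell changes from pad byte to ciphertext byte,
            # so no copy of the consumed pad remains on the device.
            self._cells[offset + i] ^= byte
        self._next += len(data)       # consumed pad is never selected again
        return offset, len(data)

    def read(self, offset: int, length: int) -> bytes:
        """Return stored ciphertext. The guard is an assumption of this example:
        regions that still hold unused key material are not readable here."""
        if offset < 0 or length < 0 or offset + length > self._next:
            raise ValueError("region still holds unused key material")
        return bytes(self._cells[offset:offset + length])


def consumer_decrypt(pad_copy: bytes, offset: int, ciphertext: bytes) -> bytes:
    """Data consumer: XOR the ciphertext with its corresponding pad bytes."""
    pad = pad_copy[offset:offset + len(ciphertext)]
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


def demo() -> dict:
    pad = secrets.token_bytes(64)     # constructed sample pad
    store = VirtualZeroisationStore(pad)
    records = [b"sensor reading 17.4C", b"door opened 03:12"]  # constructed data
    located = [store.write(r) for r in records]
    recovered = [consumer_decrypt(pad, off, store.read(off, n))
                 for off, n in located]
    try:
        store.write(b"x" * 64)        # more than the pad that is left
        exhausted = False
    except PadExhausted:
        exhausted = True
    return {"records": records, "recovered": recovered,
            "unused": store.unused_pad(), "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

An all-zero plaintext byte leaves the pad byte unchanged in its cell, which is ordinary one-time pad behaviour and is harmless only because consumed pad is never selected again.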
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP12826082.5A EP2745212B1 (en) | 2011-08-19 | 2012-08-16 | Virtual zeroisation system and method |
US14/239,652 US10102383B2 (en) | 2011-08-19 | 2012-08-16 | Permanently erasing mechanism for encryption information |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201161525624P | 2011-08-19 | 2011-08-19 | |
US61/525,624 | 2011-08-19 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013026086A1 (en) | 2013-02-28 |
Family
ID=47745761
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/AU2012/000966 WO2013026086A1 (en) | 2011-08-19 | 2012-08-16 | Virtual zeroisation system and method |
Country Status (3)
Country | Link |
---|---|
US (1) | US10102383B2 (en) |
EP (1) | EP2745212B1 (en) |
WO (1) | WO2013026086A1 (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170237558A1 (en) * | 2016-02-15 | 2017-08-17 | Alibaba Group Holding Limited | System and method for quantum key distribution |
US10003457B2 (en) | 2015-04-24 | 2018-06-19 | 7Tunnels, Inc. | Random cipher pad cryptography |
US10103880B2 (en) | 2016-10-14 | 2018-10-16 | Alibaba Group Holding Limited | Method and system for quantum key distribution based on trusted computing |
US10154014B2 (en) | 2015-08-21 | 2018-12-11 | Alibaba Group Holding Limited | Method and system for efficient encryption, transmission, and decryption of video data |
US10164778B2 (en) | 2016-12-15 | 2018-12-25 | Alibaba Group Holding Limited | Method and system for distributing attestation key and certificate in trusted computing |
US10326591B2 (en) | 2016-02-15 | 2019-06-18 | Alibaba Group Holding Limited | Efficient quantum key management |
US10439806B2 (en) | 2016-05-19 | 2019-10-08 | Alibaba Group Holding Limited | Method and system for secure data transmission |
US10491383B2 (en) | 2016-05-11 | 2019-11-26 | Alibaba Group Holding Limited | Method and system for detecting eavesdropping during data transmission |
US10574446B2 (en) | 2016-10-14 | 2020-02-25 | Alibaba Group Holding Limited | Method and system for secure data storage and retrieval |
US10693635B2 (en) | 2016-05-06 | 2020-06-23 | Alibaba Group Holding Limited | System and method for encryption and decryption based on quantum key distribution |
US10841800B2 (en) | 2017-04-19 | 2020-11-17 | Alibaba Group Holding Limited | System and method for wireless screen projection |
US10855452B2 (en) | 2016-10-14 | 2020-12-01 | Alibaba Group Holding Limited | Method and system for data security based on quantum communication and trusted computing |
US10951614B2 (en) | 2017-03-30 | 2021-03-16 | Alibaba Group Holding Limited | Method and system for network security |
US10985913B2 (en) | 2017-03-28 | 2021-04-20 | Alibaba Group Holding Limited | Method and system for protecting data keys in trusted computing |
US11258610B2 (en) | 2018-10-12 | 2022-02-22 | Advanced New Technologies Co., Ltd. | Method and mobile terminal of sharing security application in mobile terminal |
US11429519B2 (en) | 2019-12-23 | 2022-08-30 | Alibaba Group Holding Limited | System and method for facilitating reduction of latency and mitigation of write amplification in a multi-tenancy storage drive |
Families Citing this family (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2903830C (en) | 2013-03-05 | 2021-08-24 | Fasetto, Llc | System and method for cubic graphical user interfaces |
US9886229B2 (en) | 2013-07-18 | 2018-02-06 | Fasetto, L.L.C. | System and method for multi-angle videos |
US10095873B2 (en) | 2013-09-30 | 2018-10-09 | Fasetto, Inc. | Paperless application |
US9584402B2 (en) | 2014-01-27 | 2017-02-28 | Fasetto, Llc | Systems and methods for peer to peer communication |
CN106797337B (en) | 2014-07-10 | 2021-06-22 | 法斯埃托股份有限公司 | System and method for message editing |
US10437288B2 (en) | 2014-10-06 | 2019-10-08 | Fasetto, Inc. | Portable storage device with modular power and housing system |
CN107006063B (en) | 2014-10-06 | 2021-08-24 | 法斯埃托股份有限公司 | System and method for portable storage device |
CN107852421B (en) | 2015-03-11 | 2021-02-05 | 法斯埃托股份有限公司 | System and method for WEB API communication |
CN106161402B (en) * | 2015-04-22 | 2019-07-16 | 阿里巴巴集团控股有限公司 | Encryption equipment key injected system, method and device based on cloud environment |
US10075291B1 (en) | 2015-05-27 | 2018-09-11 | Citigroup Technology, Inc. | Data deduplication and compression evaluation methods and systems |
US9887834B1 (en) | 2015-05-27 | 2018-02-06 | Citigroup Technology, Inc. | Data deduplication and compression evaluation methods and systems |
WO2017096245A1 (en) | 2015-12-03 | 2017-06-08 | Fasetto, Llc | Systems and methods for memory card emulation |
MX2019005965A (en) | 2016-11-23 | 2019-10-24 | Fasetto Inc | Systems and methods for streaming media. |
CA3054681A1 (en) | 2017-02-03 | 2018-08-09 | Fasetto, Inc. | Systems and methods for data storage in keyed devices |
US11341251B2 (en) * | 2017-04-19 | 2022-05-24 | Quintessencelabs Pty Ltd. | Encryption enabling storage systems |
WO2019079628A1 (en) | 2017-10-19 | 2019-04-25 | Fasetto, Inc. | Portable electronic device connection systems |
JP2021505938A (en) | 2017-12-01 | 2021-02-18 | ファセット・インコーポレーテッド | Systems and methods to improve data encryption |
CN112292708B (en) | 2018-04-17 | 2022-06-17 | 法斯埃托股份有限公司 | Presentation system and method with real-time feedback |
EP3871362A1 (en) | 2018-12-06 | 2021-09-01 | Schneider Electric Systems USA, Inc. | One-time pad encryption for industrial wireless instruments |
DE102020002423A1 (en) | 2020-01-20 | 2021-07-22 | HENSOLDT Cyber GmbH | Device and method for data storage |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005076515A1 (en) * | 2004-02-05 | 2005-08-18 | Research In Motion Limited | On-chip storage, creation, and manipulation of an encryption key |
US20090196417A1 (en) * | 2008-02-01 | 2009-08-06 | Seagate Technology Llc | Secure disposal of storage data |
WO2009141669A1 (en) * | 2008-05-23 | 2009-11-26 | Exacttrak Limited | Secure storage device |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7831050B2 (en) * | 2003-12-04 | 2010-11-09 | Geraldo Alexandre Barbosa | Fast multi-photon key distribution scheme secured by quantum noise |
US20060177065A1 (en) * | 2005-02-09 | 2006-08-10 | Wal-Mart Stores, Inc. | System and methods for encrypting data utilizing one-time pad key |
WO2007109373A2 (en) * | 2006-03-22 | 2007-09-27 | Vadium Technology, Inc. | Recording over the key in otp encryption |
EP2122900A4 (en) * | 2007-01-22 | 2014-07-23 | Spyrus Inc | Portable data encryption device with configurable security functionality and method for file encryption |
US8103883B2 (en) * | 2008-12-31 | 2012-01-24 | Intel Corporation | Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption |
US8578473B2 (en) * | 2009-03-25 | 2013-11-05 | Lsi Corporation | Systems and methods for information security using one-time pad |
US9253167B2 (en) * | 2011-04-19 | 2016-02-02 | Apriva, Llc | Device and system for facilitating communication and networking within a secure mobile environment |
2012
- 2012-08-16 US US14/239,652 patent/US10102383B2/en active Active
- 2012-08-16 EP EP12826082.5A patent/EP2745212B1/en active Active
- 2012-08-16 WO PCT/AU2012/000966 patent/WO2013026086A1/en active Application Filing
Non-Patent Citations (1)
Title |
---|
See also references of EP2745212A4 * |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10003457B2 (en) | 2015-04-24 | 2018-06-19 | 7Tunnels, Inc. | Random cipher pad cryptography |
US10637649B2 (en) | 2015-04-24 | 2020-04-28 | 7Tunnels, Inc. | Random cipher pad cryptography |
US11245515B2 (en) | 2015-04-24 | 2022-02-08 | 7Tunnels Inc. | Random cipher pad cryptography |
US10154014B2 (en) | 2015-08-21 | 2018-12-11 | Alibaba Group Holding Limited | Method and system for efficient encryption, transmission, and decryption of video data |
TWI706659B (en) * | 2016-02-15 | 2020-10-01 | 香港商阿里巴巴集團服務有限公司 | Quantum key distribution method and device |
WO2017142634A1 (en) * | 2016-02-15 | 2017-08-24 | Alibaba Group Holding Limited | System and method for quantum key distribution |
US10313115B2 (en) | 2016-02-15 | 2019-06-04 | Alibaba Group Holding Limited | System and method for quantum key distribution |
US10326591B2 (en) | 2016-02-15 | 2019-06-18 | Alibaba Group Holding Limited | Efficient quantum key management |
EP3417569A4 (en) * | 2016-02-15 | 2019-08-21 | Alibaba Group Holding Limited | System and method for quantum key distribution |
US20170237558A1 (en) * | 2016-02-15 | 2017-08-17 | Alibaba Group Holding Limited | System and method for quantum key distribution |
US11658814B2 (en) | 2016-05-06 | 2023-05-23 | Alibaba Group Holding Limited | System and method for encryption and decryption based on quantum key distribution |
US10693635B2 (en) | 2016-05-06 | 2020-06-23 | Alibaba Group Holding Limited | System and method for encryption and decryption based on quantum key distribution |
US10491383B2 (en) | 2016-05-11 | 2019-11-26 | Alibaba Group Holding Limited | Method and system for detecting eavesdropping during data transmission |
US10439806B2 (en) | 2016-05-19 | 2019-10-08 | Alibaba Group Holding Limited | Method and system for secure data transmission |
US10574446B2 (en) | 2016-10-14 | 2020-02-25 | Alibaba Group Holding Limited | Method and system for secure data storage and retrieval |
US10855452B2 (en) | 2016-10-14 | 2020-12-01 | Alibaba Group Holding Limited | Method and system for data security based on quantum communication and trusted computing |
TWI738835B (en) * | 2016-10-14 | 2021-09-11 | 香港商阿里巴巴集團服務有限公司 | Data security guarantee system, method and device |
US10103880B2 (en) | 2016-10-14 | 2018-10-16 | Alibaba Group Holding Limited | Method and system for quantum key distribution based on trusted computing |
US10484185B2 (en) | 2016-12-15 | 2019-11-19 | Alibaba Group Holding Limited | Method and system for distributing attestation key and certificate in trusted computing |
US10164778B2 (en) | 2016-12-15 | 2018-12-25 | Alibaba Group Holding Limited | Method and system for distributing attestation key and certificate in trusted computing |
US10985913B2 (en) | 2017-03-28 | 2021-04-20 | Alibaba Group Holding Limited | Method and system for protecting data keys in trusted computing |
US10951614B2 (en) | 2017-03-30 | 2021-03-16 | Alibaba Group Holding Limited | Method and system for network security |
US10841800B2 (en) | 2017-04-19 | 2020-11-17 | Alibaba Group Holding Limited | System and method for wireless screen projection |
US11258610B2 (en) | 2018-10-12 | 2022-02-22 | Advanced New Technologies Co., Ltd. | Method and mobile terminal of sharing security application in mobile terminal |
US11429519B2 (en) | 2019-12-23 | 2022-08-30 | Alibaba Group Holding Limited | System and method for facilitating reduction of latency and mitigation of write amplification in a multi-tenancy storage drive |
Also Published As
Publication number | Publication date |
---|---|
US20140337640A1 (en) | 2014-11-13 |
EP2745212B1 (en) | 2020-12-30 |
EP2745212A4 (en) | 2015-01-21 |
EP2745212A1 (en) | 2014-06-25 |
US10102383B2 (en) | 2018-10-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2013026086A1 (en) | Virtual zeroisation system and method | |
US9698979B2 (en) | QKD key management system | |
CN110247765B (en) | Quantum secret data chain communication system | |
CN1820482B (en) | Method for generating and managing a local area network | |
US9191200B1 (en) | System and method for changing the security level of a communications terminal during operation | |
CN105184935B (en) | It is a kind of can wechat share the blue-tooth intelligence lock system of password | |
CN105100076A (en) | Cloud data security system based on USB Key | |
US7817802B2 (en) | Cryptographic key management in a communication network | |
CN105681031B (en) | A kind of storage encryption gateway key management system and method | |
US20130251152A1 (en) | Key transport protocol | |
CN106330868A (en) | Encrypted storage key management system and method of high-speed network | |
JP2015111872A (en) | Key management system for digital cinema | |
JP2009103774A (en) | Secret sharing system | |
CN101605137A (en) | Safe distribution file system | |
CN111970114B (en) | File encryption method, system, server and storage medium | |
CN110362984B (en) | Method and device for operating service system by multiple devices | |
CN102986161A (en) | Method for the cryptographic protection of an application | |
KR102285885B1 (en) | Symmetric quantum encryption key based encryption device for wireless data communication | |
CA2446364C (en) | Secure group secret distribution | |
CN101197822B (en) | System for preventing information leakage and method based on the same | |
US11784812B1 (en) | Device, system, and method to facilitate secure data transmission, storage and key management | |
CN111541652B (en) | System for improving security of secret information keeping and transmission | |
CN101325486B (en) | Method and apparatus for transferring field permission cryptographic key | |
CN114173303B (en) | Vehicle-ground session key generation method and system for CTCS-3 level train control system | |
CN115412236A (en) | Method for key management and password calculation, encryption method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12826082; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 14239652; Country of ref document: US |