WO2015127772A1 - Key protection method and apparatus - Google Patents

Key protection method and apparatus

Info

Publication number
WO2015127772A1
Authority
WO
WIPO (PCT)
Prior art keywords
core
memory
key
cache
module
Prior art date
Application number
PCT/CN2014/085236
Other languages
English (en)
French (fr)
Inventor
林璟锵
管乐
王琼霄
汪婧
荆继武
Original Assignee
中国科学院数据与通信保护研究教育中心
Application filed by 中国科学院数据与通信保护研究教育中心
Priority to US14/909,849 (US10313111B2)
Priority to EP14884251.1A (EP3113406B1)
Publication of WO2015127772A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F 12/02 Addressing or allocation; Relocation
    • G06F 12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F 12/0802 Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F 12/0806 Multiuser, multiprocessor or multiprocessing cache systems
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/466 Transaction processing
    • G06F 9/467 Transactional memory
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G06F 2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F 2212/10 Providing a specific technical effect
    • G06F 2212/1052 Security improvement
    • G06F 2212/40 Specific encoding of data in memory or cache
    • G06F 2212/402 Encrypted data
    • G06F 2212/60 Details of cache memory
    • G06F 2212/62 Details of cache specific to multiprocessor cache arrangements
    • G06F 2212/621 Coherency control relating to peripheral accessing, e.g. from DMA or I/O device

Definitions

  • the present invention relates to the field of computer security, and in particular, to a key protection method and apparatus.
  • private data can be protected by cryptographic methods.
  • in public key cryptography, keys come in pairs: a private key that is known only to the key owner, and a public key.
  • the premise of implementing private data protection through public key cryptography is to ensure the confidentiality of private key information.
  • an existing scheme uses the CPU's on-chip cache to store keys and intermediate process variables. The scheme takes advantage of the cache's write-back mode: newly written data is cleared from the cache before it is synchronized to RAM, so that only the result of the calculation reaches memory. At the same time, in order to eliminate the influence of the shared cache memory, the other cores that share a cache with the operation core must be set to no-fill mode while the cryptographic calculation is performed; in this mode, memory accesses that miss the cache do not cause a cache replacement.
  • the scheme can only support one core performing cryptographic operations at a time, and while that core performs cryptographic operations the other cores are set to no-fill mode, which makes the processor inefficient.
  • with the existing scheme, if a vulnerability exists in the operating system, a malicious process can still directly read a key that exists in memory through the vulnerability, thereby causing the protection mechanism to fail.
  • the present invention provides a key protection method and apparatus, which can simultaneously resist system attacks and physical attacks against memory, so as to ensure the security of the public key cryptographic algorithm in a computer system environment and improve the efficiency of the processor.
  • the present invention provides a key protection method, including:
  • Step A: setting a symmetric master key in each core of the multi-core processor;
  • Step B: using any one of the cores as an operation core, decrypting the private key plaintext with the symmetric master key and performing the public key cryptographic operation with the private key, wherein the private key plaintext and the intermediate data variables used in the operation are stored in the cache occupied by the operation core;
  • Step C: clearing the private key plaintext and the intermediate data variables used in the operation from the cache occupied by the operation core;
  • wherein, during the execution of step B or step C, when other cores of the multi-core processor attempt to access the same memory address as the operation core and at least one of the accesses is a write operation, or when the cache memory space is insufficient and a cache replacement occurs, the operation core abandons all operations performed so far and re-executes steps B and C.
  • all memory accesses in the execution of step B and step C are dynamically recorded: the code of step B and step C is designated as a transaction area by a transactional memory (Transactional Memory) mechanism, the multi-core processor dynamically records all memory accesses during the execution of step B and step C, and when other cores of the multi-core processor attempt to access the same memory address simultaneously with the operation core with at least one write operation, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs, all operations currently performed by the operation core are discarded and steps B and C are performed again.
  • the code of step B and step C may be designated as a transaction area by the Intel TSX (Transactional Synchronization Extensions) instruction set; the multi-core processor then dynamically records all memory accesses in the course of step B and step C, and when other cores of the multi-core processor attempt to access the same memory address simultaneously with the operation core with at least one write operation, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs, the operation core discards all operations performed so far and repeats steps B and C.
  • Intel TSX: Transactional Synchronization Extensions instruction set.
  • a start instruction of the RTM mechanism (such as xbegin) is used to enter the transaction area; it specifies the start of step B as the fallback entry to which execution returns when other cores of the multi-core processor attempt to access the same memory address simultaneously with the operation core with at least one write operation, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs; after step C is executed, the transaction area is exited with the end instruction (such as xend).
  • the step A of setting a symmetric master key in each core of the multi-core processor includes:
  • a prompt interface is displayed, and the password entered by the user on the prompt interface is received;
  • the operating system converts the password into a symmetric master key using a key generation algorithm;
  • the symmetric master key is copied to a designated register of each core of the multi-core processor for storage.
  • the designated register of the multi-core processor for storing the symmetric master key includes a debug register and a performance monitor counter (PMC).
  • the public key cryptographic operation includes a private key plaintext acquisition operation and a private key calculation operation;
  • the private key plaintext acquisition operation includes: the operation core reads the private key encrypted with the symmetric master key from the hard disk and copies it into memory; the operation core decrypts the encrypted private key using the symmetric master key held in the designated register of the multi-core processor to obtain the private key plaintext, and stores the private key plaintext in the cache occupied by the operation core;
  • the private key calculation operation includes a digital signature and/or decryption step, wherein the digital signature and/or decryption operation is performed using the private key plaintext, and the intermediate data variables and calculation results generated in the calculation are stored in the cache memory occupied by the operation core.
  • the private key plaintext acquisition operation decrypts the private key encrypted with the symmetric master key by calling the AES-NI instructions with the SSE registers, and copies the private key plaintext into the cache.
  • step C further includes the step of clearing the data in the SSE registers and the general-purpose registers.
  • before step B is performed, the method further includes the step of disabling operating system process scheduling and masking local interrupts; after step C is performed, it further includes the step of restoring operating system process scheduling and local interrupts.
  • operating system process scheduling is disabled and local interrupts are masked by clearing the IF bit of the EFLAGS register of the multi-core processor; operating system process scheduling and local interrupts are restored by setting the IF bit of the EFLAGS register of the multi-core processor.
  • before step B is performed, the method further includes the step of reserving, for each core of the multi-core processor, the memory area accessed in step B and step C.
  • the present invention also provides a key protection device that implements the above method.
  • the key protection method provided by the present invention can resist physical attacks and system attacks: by setting a symmetric master key in each core of the multi-core processor, the private key plaintext of the asymmetric algorithm is decrypted dynamically, and through the Intel TSX extended instructions the hardware ensures that the private key and the intermediate variables used in the calculation exist only in the cache occupied by the core, which prevents an attacker from stealing the private key information directly from physical memory, thereby ensuring the security of the public key cryptographic algorithm.
  • FIG. 1 is a flow chart of an exemplary key protection method of the present invention.
  • FIG. 2 is a schematic flow chart of another exemplary key protection method of the present invention.
  • FIG. 3 is a schematic flow chart of the actions taken when a transaction area is set and a memory access conflict occurs in the present invention.
  • FIG. 4 is a flow chart of exemplary setting of a symmetric master key in each core and of the public key cryptographic operation according to the present invention.
  • FIG. 5 is a schematic flow chart of an exemplary private key plaintext acquisition operation according to the present invention.
  • FIG. 6 is a flow chart of an exemplary private key calculation operation of the present invention.
  • FIG. 7 is a schematic flow chart of exemplary clearing of the key and intermediate data variables from the cache memory according to the present invention.
  • FIG. 8 is a block diagram of the structure of an exemplary key protection device of the present invention.
  • FIG. 9 is a structural block diagram of a setting module in a key protection device according to an example of the present invention.
  • FIG. 10 is a block diagram of the structure of another exemplary key protection device of the present invention.
  • the present invention is implemented based on the following considerations:
  • the current operating system has some protection for sensitive memory. However, if an attacker exploits some vulnerabilities to bypass these protections, it can directly access sensitive memory areas, and sensitive data will be leaked.
  • the invention dynamically monitors the sensitive data area through a hardware mechanism, so that any direct access to it can only obtain the non-sensitive ciphertext version that existed before the sensitive data was written, which greatly increases the difficulty of attacking the memory system.
  • in the existing scheme, an additional software protection mechanism needs to be set up; a malicious process can invalidate that protection mechanism through a vulnerability, and the number of cores that can perform cryptographic operations is limited by the cache hierarchy.
  • the existing scheme can only support one core performing cryptographic operations at a time, and because the additional protection mechanism sets the other cores to no-fill mode by software, the other cores of a multi-core processor cannot perform other cryptographic operations at the same time, which reduces the overall CPU processing speed.
  • Another object of the present invention is to prevent cold boot attacks and to avoid a reduction in CPU processing speed while using the CPU's on-chip cache memory to store keys and intermediate process variables.
  • Transactional Memory is a technique proposed in the current technology to solve inter-thread synchronization. It allows a thread to complete its modifications to shared memory independently, entirely ignoring that other threads may exist, while the thread records in a log every read and write of the shared content; if it finds that another thread has indeed operated concurrently on the shared memory, the thread gives up all of its previous operations and falls back to the state at the beginning of the transaction.
  • the core of Intel TSX technology is transactional memory.
  • by designating a code segment as the transactional region, the program can record all memory accesses of that code. If a memory access conflict is found, an abort occurs: all preceding operations are discarded and the CPU state is restored to the state before entering the transaction area; then, for Restricted Transactional Memory (RTM), execution jumps directly to the specified code area, while for Hardware Lock Elision (HLE), the code is re-executed after actually acquiring the lock. If no memory access conflict is found, all updates to memory and registers are committed atomically.
  • RTM: Restricted Transactional Memory
  • HLE: Hardware Lock Elision
  • before the transaction commits, accesses by other cores to that memory can only read its old data. A memory access conflict means that an external thread reads a memory address that was previously written in the transaction area, or that an external thread writes a memory address that was previously read or written in the transaction area. If a memory access conflict is found, the transaction aborts.
  • the basis for implementing transactional memory is the CPU's cache coherency protocol. All memory accesses in the transaction area occur only in the cache of the operation core. If another core accesses a memory address recorded in the transaction area, or if the operation core must synchronize data from its cache to memory because of insufficient cache space, this is detected by the cache coherency protocol and an abort is generated according to the policy.
  • the invention utilizes the transaction area of the above Intel TSX technology to ensure that sensitive data stored in the cache memory, such as the private key plaintext, is not synchronized to memory; and because TSX guarantees the atomicity of the memory commit, system-layer malware attacks can be prevented.
  • the present invention provides a key protection method that is performed by a multi-core processor, as shown in FIG.
  • Step A setting a symmetric master key in each core of the multi-core processor
  • Step B: using any one of the cores as an operation core, decrypting the private key plaintext with the symmetric master key to perform a public key cryptographic operation, wherein the private key plaintext and the intermediate data variables used in the operation are stored in the cache occupied by the operation core;
  • Step C: clearing the private key plaintext and the intermediate data variables used in the operation from the cache occupied by the operation core;
  • during step B or step C, when other cores of the multi-core processor attempt to access the same memory address as the operation core (i.e., an address in the cache memory occupied by the operation core) and at least one of the accesses is a write operation, or when the cache memory space is insufficient and a cache replacement occurs, all operations that have been performed by the operation core are discarded and steps B and C are re-executed.
  • storing the private key plaintext and intermediate variables in the cache memory can prevent physical attacks such as cold boot attacks.
  • in these situations the operation core is aborted, that is, the operation core abandons all operations performed so far and re-executes them. In this way it is not necessary to set the other cores to no-fill mode, so multiple cores can perform cryptographic operations at the same time, which improves the working efficiency of the multi-core processor and effectively prevents system attacks.
  • the multi-core processor can dynamically record all memory accesses during the execution of step B and step C and, based on all the recorded memory accesses, determine whether threads on other cores of the multi-core processor access the same memory address simultaneously with the operation core with at least one write operation, or determine whether the cache space is sufficient.
  • the present invention provides a key protection method, which can effectively resist physical attacks and system attacks, as shown in FIG. 2 and FIG. 3, including:
  • Step A Set each core of the multi-core processor to include a symmetric master key (ie, set a symmetric master key in each core of the multi-core processor);
  • Step B: performing a public key cryptographic operation using any one of the cores as an operation core, and storing the private key plaintext and the intermediate data variables used in the operation in the cache memory occupied by the operation core;
  • Step C: clearing the private key plaintext and the intermediate data variables used in the operation from the cache occupied by the operation core;
  • the multi-core processor dynamically records all memory accesses during the execution of step B and step C;
  • when a memory access conflict occurs or the cache space is insufficient, the operation core abandons all operations of step B and step C that have been performed (i.e., the operation core discards all operations performed so far) and re-executes steps B and C, until the execution of steps B and C is completed and the transaction area is committed to memory.
  • the RSA public key cryptographic operation is taken as an example. The processor is a 4-core Intel i7-4770S, and the RSA algorithm is implemented with Chinese remainder theorem acceleration, Montgomery modular multiplication acceleration, and the sliding window method, where the sliding window size used is 32; the maximum memory used in the RSA calculation is 4708 bytes.
  • step A is performed to set each core of the multi-core processor to include a symmetric master key, including:
  • Step A1: a prompt interface is displayed when the operating system starts, and the user enters a password; the operating system converts the password into a symmetric master key using a key generation algorithm;
  • Step A2: the symmetric master key is copied to the designated register of the multi-core processor for use in the public key cryptographic operation, where a debug register or a performance monitor counter (PMC, Performance Monitor Counter) can be selected.
  • step B is performed: using any one of the cores as the operation core to perform the public key cryptographic operation, with the private key plaintext and the intermediate data variables used in the operation stored in the cache occupied by the operation core; the public key cryptographic operation includes a private key plaintext acquisition operation and a private key calculation operation;
  • Step B1: the operation core reads the private key encrypted with the symmetric master key from the hard disk and copies it into memory; the operation core decrypts it using the symmetric master key held in the designated register of the multi-core processor to obtain the private key plaintext, and stores the private key plaintext in the cache occupied by the operation core.
  • Step B2: specifically, the symmetric master key in the debug register or performance monitor counter (PMC) can be moved into the cache memory by calling the AES-NI instructions; the private key encrypted with the symmetric master key is decrypted using the SSE registers, and the private key plaintext is copied into the cache;
  • Step 1: the operation core performs the digital signature and/or decryption operation using the private key plaintext;
  • Step 2: the intermediate data variables generated in the calculation are stored in the cache memory occupied by the operation core;
  • Step 3: the calculation result is stored in the cache occupied by the operation core;
  • step C is performed: referring to FIG. 7, the private key plaintext and the intermediate data variables used in the operation are cleared from the cache occupied by the operation core, leaving only the operation result;
  • the multi-core processor dynamically records all memory accesses during the execution of step B and step C; when a conflicting access by another core or a cache replacement is detected during step B or step C, the operation core discards the operations performed so far and re-executes steps B and C.
  • the code corresponding to step B and step C may be designated as a transaction area using a Transactional Memory mechanism, such as the Intel TSX mechanism.
  • the multi-core processor dynamically records all memory accesses of the code in the transaction area; in other words, all memory accesses made while performing step B and step C are recorded. Specifically, the RTM of the Intel TSX mechanism can be used: when the multi-core processor detects, from the dynamically recorded accesses, a memory access conflict between the operation core and a thread on another core, or when the cache occupied by the operation core is insufficient and data would be synchronized to memory, the operation core discards all operations of step B and step C that have been performed and performs step B and step C again.
  • because the operation core abandons the operation and jumps to the specified code area when a memory access conflict occurs or the cache memory space is insufficient, all memory write operations in the cryptographic operation can only occur in the cache memory. This prevents data stored in the cache from being synchronized to memory, thereby preventing cold boot attacks at the root; and when another core reads the key, re-execution is triggered without any key information being obtained.
  • since the processes of the other cores of the multi-core processor are not restricted from using the cache, each core of the multi-core processor can perform a different cryptographic operation at the same time, thereby improving the efficiency of the multi-core processor.
  • before entering the transaction area, the step of prohibiting operating system process scheduling and masking local interrupts may further be included; after the data in the cache occupied by the operation core is cleared and the transaction area is exited, the steps of restoring operating system process scheduling and local interrupts are also included.
  • the IF bit of the EFLAGS register of the multi-core processor can be cleared to disable operating system process scheduling and mask local interrupts, and operating system process scheduling and local interrupts can be restored by setting the IF bit of the EFLAGS register of the multi-core processor.
  • all memory accesses of the code in the transaction area (that is, the code corresponding to the private key plaintext acquisition operation and the private key calculation operation) are recorded. If a memory access by another, non-operation core is found to conflict with a memory access recorded in the transaction area, an abort occurs.
  • on abort, the operation core relinquishes the previous operations, restores the state of the operation core to the state before entering the transaction area, and then jumps directly to the specified code area (in the case of RTM), so that the transaction area can be entered again.
  • after step C, the method further includes the step of clearing the data in the SSE registers and the general-purpose registers.
  • specifically, the data in the cache occupied by the operation core can be cleared by the memset function, and the SSE registers and the general-purpose registers can be cleared by the XOR instruction.
  • without further measures, the above transaction area code would abort frequently. Therefore, in the present embodiment, preferably before step B is performed, that is, before entering the transaction area, the method further includes the step of reserving, for each core of the multi-core processor, the memory area accessed in step B and step C, so that each core of the multi-core processor accesses a fixed memory area; this prevents the memory accesses of other cores from colliding with the memory accessed by the operation core's transaction area, so that the private key plaintext acquisition operation and the private key calculation operation complete successfully.
  • the key protection method provided by the present invention dynamically decrypts the plaintext of the asymmetric private key by setting a symmetric master key in each core of the multi-core processor, and uses Intel's TSX extended instructions so that the hardware guarantees that the private key and the intermediate variables used in the calculation exist only in the cache occupied by the core; this prevents an attacker from stealing the private key information directly from physical memory or reading it through malware, and secures the public key cryptographic algorithm in the computer system environment. Because the Intel TSX mechanism is used, the other cores of the multi-core processor can also perform cryptographic operations at the same time, thereby improving operating efficiency.
  • The key protection apparatus 800 includes a setting module 801, an operation module 802 and an abandonment module 803.
  • The setting module 801 performs step A: setting a symmetric master key in each core of the multi-core processor.
  • The operation module 802 performs step B: using any one of the cores as the operation core, performing the public-key cryptographic operation according to the symmetric master key set by the setting module 801, with the plaintext private key and the intermediate data variables used during the operation stored in the cache occupied by the operation core; it also performs step C: clearing the plaintext private key and the intermediate data variables stored in the cache occupied by the operation core.
  • The abandonment module 803, while the operation module 802 is performing step B or step C, makes the operation module 802 discard all operations executed so far and re-execute steps B and C when a thread on another core of the multi-core processor attempts to access the same memory address as the operation core with at least one write, or when the cache space is insufficient and a cache replacement occurs.
  • The key protection apparatus 800 can implement the steps of the method embodiments of FIGS. 1 to 7, which are not described again here to avoid repetition.
  • As an example, the key protection apparatus 800 further includes a recording module 804 that dynamically records all memory accesses during steps B and C while the operation module 802 executes them; the operation module 802 further determines, from the accesses recorded by the recording module 804, whether a thread on another core of the multi-core processor and the operation core access the same memory address at the same time with at least one write, or whether the cache space is sufficient.
  • Specifically, the abandonment module 803 uses a transactional memory mechanism (for example, Intel TSX) to make the operation module 802 discard all operations executed so far and re-execute steps B and C when a thread on another core attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache space is insufficient and a cache replacement occurs.
  • More specifically, the abandonment module 803 enters the transactional region with the start instruction of the RTM mechanism of Intel TSX (such as xbegin), and designates the start of step B in the operation module 802 as the fallback entry for the case where a thread on another core attempts to access the same memory address as the operation core at the same time with at least one write, or for the case where the cache space occupied by the operation core is insufficient and a cache replacement occurs; after the operation module 802 completes step C, it exits the transactional region with the end instruction (such as xend).
  • Because the operation core abandons its work and jumps to the designated code region whenever a memory-access conflict occurs or the cache space is insufficient, all memory writes during the cryptographic operation can occur only in the cache. This prevents data held in the cache from being synchronized to memory, which stops cold boot attacks at the root, and an attempt by another core to read the key triggers re-execution without yielding any key information.
  • The processes of the other cores are not restricted from using the cache, and every core of the multi-core processor can perform a different cryptographic operation, improving the efficiency of the multi-core processor.
  • The setting module 801 includes a pop-up unit 901, a receiving unit 902, a converting unit 903 and a copying unit 904.
  • The pop-up unit 901 pops up a prompt interface when the operating system starts.
  • The receiving unit 902 receives the password entered by the user on the prompt interface popped up by the pop-up unit 901.
  • The converting unit 903 converts the password received by the receiving unit 902 into a symmetric master key through the operating system, using a key generation algorithm.
  • The copying unit 904 copies the symmetric master key produced by the converting unit 903 into a designated register of the multi-core processor for storage.
  • The setting module 801 can also disable operating-system process scheduling and mask local interrupts before the operation module 802 performs step B, and restore operating-system process scheduling and local interrupts after the operation module 802 performs step C. This further increases the success rate of the public-key cryptographic operation.
  • Specifically, the setting module 801 disables operating-system process scheduling and masks local interrupts by clearing the IF bit of the multi-core processor's EFLAGS register, and restores them by setting the IF bit of the EFLAGS register.
  • To keep the transactional-region code from aborting frequently, the setting module 801 can also reserve, for each core of the multi-core processor, the memory region that the operation module 802 accesses in steps B and C. Each core then accesses a fixed memory region, so accesses by other cores do not conflict with the memory accessed by the operation core's transactional region, and the plaintext-private-key acquisition operation and the private-key computation operation complete smoothly.
  • FIG. 10 shows an example key protection device.
  • The key protection device 1000 includes a multi-core processor 1001 and a memory 1002; the multi-core processor 1001 may also be called a CPU (Central Processing Unit).
  • The memory 1002 may include read-only memory and random-access memory and provides instructions and data to the multi-core processor 1001. Part of the memory 1002 may also be non-volatile random-access memory (NVRAM).
  • The processor 1001 and the memory 1002 are coupled by a bus system 1010, which includes a power bus, a control bus and a status signal bus in addition to the data bus; for clarity, all of these buses are labeled as the bus system 1010 in the figure.
  • The method disclosed in the above examples can be applied to the key protection device 1000.
  • The multi-core processor 1001 may be an integrated-circuit chip with signal-processing capability.
  • Each step of the foregoing method may be completed by integrated hardware logic in the multi-core processor 1001 or by instructions in software form.
  • The multi-core processor 1001 supports the Intel TSX extension and is connected to a cache memory 1003; the sensitive information of the computation resides only in the cache 1003.
  • When the system starts, a user interface must pop up and a password be entered; these operations are performed through the keyboard 1005 and the display 1006 connected to the bridge device 1004.
  • The bridge device may be a high-speed north bridge for connecting a graphics card, or a south bridge for connecting peripherals such as a keyboard.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Memory System Of A Hierarchy Structure (AREA)

Abstract

The present invention provides a key protection method. A symmetric master key is set in each core of a multi-core processor, the plaintext private key of an asymmetric algorithm is decrypted dynamically, and Intel's TSX (Transactional Synchronization Extensions) instruction extension is used to guarantee at the hardware level that the private key and the intermediate variables used during the computation exist only in the cache memory occupied by that core. This prevents an attacker from stealing private key information directly from physical memory, and so secures the implementation of public-key cryptographic algorithms in a computer-system environment. Moreover, even if the operating system is compromised and the attacker can directly read the memory space holding the key, the atomicity of memory operations guaranteed by Intel's TSX mechanism means the attacker cannot obtain the plaintext private key. With this solution, while physical attacks and system attacks are resisted, the other cores of the multi-core processor can perform cryptographic operations at the same time, improving computational efficiency.

Description

Key Protection Method and Apparatus

Technical Field
The present invention relates to the field of computer security, and in particular to a key protection method and apparatus.
Background of the Invention
In a computer system, private data can be protected by cryptographic means. In public-key cryptography, keys come in pairs: a secret private key and a public key, the private key being held exclusively by its owner. Protecting private data with public-key cryptography presupposes that the confidentiality of the private key is guaranteed.
Normally, in a computer system the private key is stored in memory and the computation is performed there, but system attacks and physical attacks pose serious threats to key security. A system attack works at the operating-system level: by exploiting a software vulnerability, the attacker can obtain the key directly through memory-access instructions. A physical attack, such as a cold boot attack, can obtain an image of the entire RAM given physical access to the target computer. The usual way to prevent cold boot attacks is to store the key in resources inside the CPU rather than in RAM. Such schemes fall into two classes. One class uses registers; because register space is limited, it can support only symmetric algorithms and simple, length-limited asymmetric algorithms. The other class applies to multi-core environments and uses the CPU's on-chip cache to store the key and the intermediate variables. That scheme relies on the cache's write-back mode, so that newly written memory is cleared before it is synchronized to RAM and only the computation result is retained. At the same time, to eliminate the effect of the shared cache, all cores that share a cache with the cryptographic core must be put into no-fill mode during the computation; in that mode a memory access that misses the cache does not cause a cache replacement. Evidently, on a multi-core processor with a shared L3 cache that scheme can support only one core performing cryptographic operations at a time, and while one core computes the others are set to no-fill mode, so the processor works inefficiently. In addition, with such a setup, if the operating system has a vulnerability a malicious process can still read the key in memory through that vulnerability, defeating the protection mechanism.
Summary of the Invention
In view of the problems in the prior art, the present invention provides a key protection method and apparatus that can resist both system attacks and physical attacks against memory, so as to secure the implementation of public-key cryptographic algorithms in a computer-system environment while improving the working efficiency of the processor.
To achieve the above object, the present invention provides a key protection method comprising:
Step A: setting a symmetric master key in each core of a multi-core processor;
Step B: using any one of the cores as the operation core, decrypting the plaintext private key according to the symmetric master key and performing a public-key cryptographic operation with that private key, with the plaintext private key and the intermediate data variables used during the operation stored in the cache memory occupied by the operation core;
Step C: clearing the plaintext private key and the intermediate data variables used during the operation from the cache memory occupied by the operation core;
wherein, while step B or step C is being executed,
when another core of the multi-core processor attempts to access the same memory address as the operation core and at least one of the accesses is a write, or when the cache memory space is insufficient and a cache replacement occurs, all operations already executed by the operation core are abandoned and steps B and C are re-executed.
Further, while steps B and C are executed, all memory accesses during the execution of steps B and C are recorded dynamically;
from all the recorded memory accesses it is determined whether another core of the multi-core processor and the operation core access the same memory address at the same time with at least one write; or from all the recorded memory accesses it is determined whether the cache memory space is sufficient.
Further, a transactional memory mechanism designates the code corresponding to steps B and C as a transactional region, so that the multi-core processor dynamically records all memory accesses during the execution of steps B and C and, when another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs, abandons all operations already executed by the operation core and re-executes steps B and C.
Further, Intel TSX (Transactional Synchronization Extensions) is used to designate the code corresponding to steps B and C as the transactional region, so that the multi-core processor dynamically records all memory accesses during the execution of steps B and C and, when another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs, abandons all operations already executed by the operation core and re-executes steps B and C.
Further, the RTM (Restricted Transactional Memory) mechanism of Intel TSX is used so that, when another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs, all operations already executed by the operation core are abandoned and steps B and C are re-executed.
Further, the transactional region is entered through the start instruction of the RTM mechanism (such as xbegin), and the start of step B is designated as the fallback entry for the case in which another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or as the fallback entry for the case in which the cache space occupied by the operation core is insufficient and a cache replacement occurs; after step C completes, the transactional region is exited through the end instruction (such as xend).
Further, in step A, the step of setting each core of the multi-core processor to contain a symmetric master key comprises:
popping up a prompt interface when the operating system starts, and receiving a password entered by the user on the prompt interface;
the operating system converting the password into the symmetric master key using a key generation algorithm;
copying the symmetric master key into a designated register of each core of the multi-core processor for storage.
Further, the designated registers of the multi-core processor used to store the symmetric master key include the debug registers and the performance monitor counters (PMC).
Further, the public-key cryptographic operation includes a plaintext-private-key acquisition operation and a private-key computation operation;
the plaintext-private-key acquisition operation includes the operation core reading the private key encrypted under the symmetric master key from the hard disk and copying it into memory; the operation core decrypting that encrypted private key with the symmetric master key held in the designated register of the multi-core processor to obtain the plaintext private key, and storing the plaintext private key in the cache memory occupied by the operation core;
the private-key computation operation includes a digital signature and/or decryption step, in which the plaintext private key is used for digital signature and/or decryption, and the intermediate data variables and the results produced during the computation are stored in the cache memory occupied by the operation core.
Further, the plaintext-private-key acquisition operation invokes the AES-NI instructions, using SSE registers to decrypt the private key encrypted under the symmetric master key, and copies the plaintext private key into the cache memory.
Further, step C also includes clearing the data in the SSE registers and the general-purpose registers.
Further, before step B is executed, the method further includes disabling operating-system process scheduling and masking local interrupts; after step C is executed, it further includes restoring operating-system process scheduling and local interrupts.
Further, disabling operating-system process scheduling and masking local interrupts is achieved by clearing the IF bit of the EFLAGS register of the multi-core processor; restoring operating-system process scheduling and local interrupts is achieved by setting the IF bit of the EFLAGS register of the multi-core processor.
Further, before step B is executed, the method further includes reserving, for each core of the multi-core processor, the memory region accessed in steps B and C.
The present invention also provides a key protection apparatus implementing the above method.
With the key protection method provided by the present invention, physical attacks and system attacks can be resisted: a symmetric master key is set in each core of the multi-core processor, the plaintext private key of the asymmetric algorithm is decrypted dynamically, and Intel's TSX extension instructions guarantee at the hardware level that the private key and the intermediate variables used in the computation exist only in the cache occupied by that core. This prevents an attacker from stealing private key information directly from physical memory and so secures the implementation of public-key algorithms in a computer-system environment. Moreover, even if the operating system is compromised and the attacker can directly read the memory space holding the key, the atomicity of memory commits guaranteed by Intel's TSX mechanism means the attacker cannot obtain the plaintext private key. Further, with this solution the other cores of the multi-core processor can perform cryptographic operations as well, improving computational efficiency.
Brief Description of the Drawings
FIG. 1 is a schematic flowchart of an exemplary key protection method of the present invention;
FIG. 2 is a schematic flowchart of another exemplary key protection method of the present invention;
FIG. 3 is a schematic flowchart of setting the transactional region and of the action taken on a memory-access conflict in the present invention;
FIG. 4 is a schematic flowchart of setting the symmetric master key in each core and of the public-key cryptographic operation in an example of the present invention;
FIG. 5 is a schematic flowchart of an exemplary plaintext-private-key acquisition operation of the present invention;
FIG. 6 is a schematic flowchart of an exemplary private-key computation operation of the present invention;
FIG. 7 is a schematic flowchart of exemplary clearing of the plaintext private key and intermediate data variables from the cache memory in the present invention;
FIG. 8 is a structural block diagram of an exemplary key protection apparatus of the present invention;
FIG. 9 is a structural block diagram of the setting module in the exemplary key protection apparatus of the present invention;
FIG. 10 is a structural block diagram of another exemplary key protection apparatus of the present invention.
Mode for Carrying Out the Invention
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
The present invention is based on the following considerations:
Memory is subject to various system-level attacks. Current operating systems give sensitive memory some protection, but if an attacker bypasses that protection by exploiting vulnerabilities, the attacker can access sensitive memory regions directly and the sensitive data leaks. The present invention uses a hardware mechanism to monitor the sensitive data region dynamically, so that any direct access to it can obtain only the non-sensitive ciphertext version that existed before the sensitive data was written, which greatly increases the difficulty of system attacks on memory.
A cold boot attack, as a physical attack, targets the physical memory modules, whereas the on-chip cache is normally integrated in the central processing unit (CPU); hence the key protection scheme already proposed in the prior art, which uses the CPU's on-chip cache to store keys and intermediate variables, is very effective. In the hierarchy of a computer's storage system, the cache is a small, fast memory between the CPU and main memory. CPU cores together with the cache they occupy can form a relatively independent environment. Compared with CPU registers, the cache is far larger: large enough to hold the keys of public-key algorithms and to accommodate various security-enhancing and acceleration algorithms; the literature reports 4096-bit RSA with CRT implemented in this way.
However, realizing the above requires an additional software protection mechanism, and when the operating system has a vulnerability a malicious process can defeat that mechanism through it. Moreover, the number of cores that can perform cryptographic operations simultaneously is constrained by the cache hierarchy: modern CPU architectures have a shared cache (such as the L3 cache), so that scheme can support only one core performing cryptographic operations at a time, and because of the additional protection mechanism, such as setting the other cores to no-fill mode in software, the other cores of a multi-core processor cannot perform other cryptographic operations at the same time, which lowers the overall processing speed of the CPU. Another object of the present invention is therefore to prevent cold boot attacks by storing keys and intermediate variables in the CPU's on-chip cache while avoiding the reduction in CPU processing speed.
Improving CPU efficiency requires task parallelism, and task parallelism requires attention to inter-thread synchronization. Transactional Memory is the technique proposed in current practice to solve inter-thread synchronization: it allows a thread to complete its modifications of shared memory independently, ignoring entirely that other threads may exist, while the thread records every read and write of the shared content in a log; if concurrent operations on the shared memory by other threads are actually detected, the thread abandons all of its previous operations and rolls back to the state at the start of the transaction.
One representative of Transactional Memory technology is Intel TSX (Transactional Synchronization Extensions), first introduced in Intel's fourth-generation Core (Haswell) architecture, which implements transactional memory in hardware. Its programming interface can be used to improve the utilization of modern multi-core CPUs by multithreaded applications.
In traditional multithreaded programming, potentially shared data is generally handled with locks, with the result that the operations are serialized regardless of whether two threads would really operate on the same data variable at the same time. Fine-grained locks have little performance impact but are error-prone and hard to program; coarse-grained locks are easy to implement but cannot fully exploit multithreading, so efficiency drops.
The core of Intel TSX is transactional memory: by designating a code section as a transactional region, a program has all memory accesses of that section recorded; if a memory-access conflict is detected, an abort occurs: all previous operations are abandoned, the CPU state is restored to what it was before entering the transactional region, and then, for Restricted Transactional Memory (RTM), control jumps directly to a designated code region, or, for Hardware Lock Elision (HLE), the lock is actually taken and the section re-executed. If no memory-access conflict is detected, all updates to memory and registers are committed atomically. Thus, until the commit completes, other cores' accesses to that memory can read only its old data. A memory-access conflict means that an external thread read a memory address previously written in the transactional region, or that an external thread wrote a memory address previously read or written in the transactional region. If a memory-access conflict is detected, a transaction abort occurs.
Transactional memory is built on the CPU's cache coherence protocol. All memory accesses in the transactional region take place only in the operation core's cache; if another core accesses a memory address recorded by the transactional region, or the operation core's cache runs out of space and must synchronize data from the cache to memory, the cache coherence protocol detects this and generates an abort according to its policy.
The present invention uses the transactional region of the Intel TSX technology described above so that sensitive data stored in the cache, such as the plaintext private key, is not synchronized to memory, and because TSX guarantees the atomicity of memory commits, it can also defend against malicious-software attacks at the system level.
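The conflict rule and the capacity rule above are what decide whether the operation core's work commits or is thrown away. The following is an added example, not code from the patent or its authors: a small C model of those two rules over read and write sets tracked at cache-line granularity, with constructed scenarios (the addresses, the 64-byte line size and the four-line capacity are assumptions, and the model does not emulate any real CPU).

```c
/* Added example, not from the patent: a software model of the RTM conflict and
 * capacity rules described above, tracking a transaction's read and write sets at
 * cache-line granularity. It illustrates when a transaction aborts; it does not
 * emulate any real CPU, and the line size and capacity are assumptions. */
#include <stdint.h>

#define LINE_SHIFT  6  /* 64-byte cache lines */
#define TX_CAPACITY 4  /* toy number of lines the core can hold transactionally */

enum tx_state { TX_ACTIVE, TX_COMMITTED, TX_ABORT_CONFLICT, TX_ABORT_CAPACITY };

typedef struct {
    uint64_t lines[TX_CAPACITY];   /* tracked cache lines (read set and write set) */
    int      written[TX_CAPACITY]; /* 1 if the line was written inside the transaction */
    int      count;
    enum tx_state state;
} tx_model;

static int find_line(const tx_model *t, uint64_t line)
{
    for (int i = 0; i < t->count; i++)
        if (t->lines[i] == line) return i;
    return -1;
}

void tx_start(tx_model *t) { t->count = 0; t->state = TX_ACTIVE; }

/* The operation core touches addr inside the transaction. A new line that no
 * longer fits forces an eviction, which the hardware turns into an abort: the
 * patent's "cache space insufficient, cache replacement occurs" case. */
enum tx_state tx_access(tx_model *t, uint64_t addr, int is_write)
{
    if (t->state != TX_ACTIVE) return t->state;
    int i = find_line(t, addr >> LINE_SHIFT);
    if (i < 0) {
        if (t->count == TX_CAPACITY) return t->state = TX_ABORT_CAPACITY;
        i = t->count++;
        t->lines[i] = addr >> LINE_SHIFT;
        t->written[i] = 0;
    }
    if (is_write) t->written[i] = 1;
    return t->state;
}

/* Another core touches addr. An external write to any tracked line, or an external
 * read of a line in the write set, is a conflict and aborts the transaction; a read
 * of a line the transaction only read is harmless. Nothing written inside the
 * transaction is visible to the other core in either case. */
enum tx_state tx_external_access(tx_model *t, uint64_t addr, int is_write)
{
    if (t->state != TX_ACTIVE) return t->state;
    int i = find_line(t, addr >> LINE_SHIFT);
    if (i >= 0 && (is_write || t->written[i])) t->state = TX_ABORT_CONFLICT;
    return t->state;
}

enum tx_state tx_commit(tx_model *t)
{
    if (t->state == TX_ACTIVE) t->state = TX_COMMITTED;
    return t->state;
}

/* Constructed scenarios around a private-key buffer at address 0x1000 (assumption). */
enum tx_state demo_scenario(int which)
{
    tx_model t;
    tx_start(&t);
    switch (which) {
    case 0: /* core writes the plaintext key; another core reads it: abort, no leak */
        tx_access(&t, 0x1000, 1);
        tx_external_access(&t, 0x1008, 0);
        break;
    case 1: /* core only reads a public constant; another core reads the same line: fine */
        tx_access(&t, 0x2000, 0);
        tx_external_access(&t, 0x2010, 0);
        break;
    case 2: /* another core writes a line the transaction read: conflict */
        tx_access(&t, 0x2000, 0);
        tx_external_access(&t, 0x2000, 1);
        break;
    case 3: /* working set of five lines exceeds the toy capacity of four */
        for (uint64_t a = 0x3000; a < 0x3000 + 5 * 64; a += 64) tx_access(&t, a, 1);
        break;
    }
    return tx_commit(&t);
}
```

Scenario 0 is the case the patent relies on: another core reading the line that holds the plaintext key aborts the transaction, so the operation core re-executes and the reader only ever saw the pre-transaction contents of that line. Scenario 1 shows that shared reads of data the transaction merely reads are not conflicts, which is why the other cores keep running at full speed, and scenario 3 is the reason the patent bounds the working set (4708 bytes in its RSA embodiment) to what the core's cache can hold.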
The present invention provides a key protection method executed by a multi-core processor, as shown in FIG. 1.
Step A: setting a symmetric master key in each core of the multi-core processor;
Step B: using any one of the cores as the operation core, decrypting the plaintext private key according to the symmetric master key and performing the public-key cryptographic operation, with the plaintext private key and the intermediate data variables used during the operation stored in the cache memory occupied by the operation core;
Step C: clearing the plaintext private key and the intermediate data variables used during the operation from the cache memory occupied by the operation core;
wherein, while step B or step C is being executed, when another core of the multi-core processor attempts to access the same memory address as the operation core (that is, an address in the cache occupied by the operation core) and at least one of the accesses is a write, or when the cache space is insufficient and a cache replacement occurs, all operations already executed by the operation core are abandoned and steps B and C are re-executed.
With the above scheme, storing the plaintext private key and the intermediate variables in the cache prevents physical attacks such as cold boot attacks, and when several cores access the same memory address at the same time the operation core aborts, that is, it abandons all of its previous operations and re-executes them. In this way the other cores need not be set to no-fill mode, multiple cores can perform cryptographic operations simultaneously, the working efficiency of the multi-core processor is improved, and system attacks are effectively prevented.
As an example, while steps B and C are executed the multi-core processor may dynamically record all memory accesses during the execution of steps B and C, and determine from all the recorded accesses whether a thread on another core and the operation core access the same memory address at the same time with at least one write, or determine from all the recorded accesses whether the cache space is sufficient.
Specifically, the present invention provides a key protection method that effectively resists physical attacks and system attacks, as shown in FIG. 2 and FIG. 3, comprising:
Step A: setting each core of the multi-core processor to contain a symmetric master key (that is, setting a symmetric master key in each core of the multi-core processor);
Step B: using any one of the cores as the operation core to perform the public-key cryptographic operation, with the plaintext private key and the intermediate data variables used during the operation stored in the cache memory occupied by the operation core;
Step C: clearing the plaintext private key and the intermediate data variables used during the operation from the cache memory occupied by the operation core;
while steps B and C are executed, the multi-core processor dynamically records all memory accesses during the execution of steps B and C;
when a thread on another core of the multi-core processor attempts to access the same memory address as the operation core (or the operation core's thread) at the same time with at least one write, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs, the operation core abandons all operations of steps B and C already executed (that is, all operations executed so far) and re-executes steps B and C, until steps B and C complete, at which point it exits the transactional region and commits to memory.
To explain the invention better, an RSA public-key operation on an Intel Haswell processor is taken as an example below. In this embodiment the processor is a four-core Intel i7-4770S, and the RSA algorithm used may be accelerated with the Chinese Remainder Theorem, Montgomery modular multiplication and a sliding window; the sliding window size used is 32, and the maximum memory used in the RSA computation is 4708 bytes;
First, step A is executed: each core of the multi-core processor is set to contain the symmetric master key, specifically:
As shown in FIG. 4, step A1: when the operating system starts, a prompt interface pops up and the user enters a password; the operating system converts the password into the symmetric master key using a key generation algorithm;
Step A2: the symmetric master key is copied into a designated register of the multi-core processor for storage, for use in the public-key cryptographic operation; a debug register or a performance monitor counter (PMC) may be chosen for this.
Then step B is executed: any one of the cores is used as the operation core to perform the public-key cryptographic operation, with the plaintext private key and the intermediate data variables used during the operation stored in the cache occupied by the operation core; the public-key cryptographic operation includes a plaintext-private-key acquisition operation and a private-key computation operation;
For the plaintext-private-key acquisition operation, referring to FIG. 4, step B1: the operation core reads the private key encrypted under the symmetric master key from the hard disk and copies it into memory; the operation core decrypts that encrypted private key with the symmetric master key held in the designated register of the multi-core processor to obtain the plaintext private key, and stores the plaintext private key in the cache occupied by the operation core. In this embodiment, as shown in FIG. 5, step B2: the symmetric master key in the debug register or PMC may be written into the cache, the AES-NI instructions invoked to decrypt the encrypted private key using SSE registers, and the plaintext private key copied into the cache;
For the private-key computation operation, as shown in FIG. 6, step 1: the operation core performs digital signature and/or decryption with the plaintext private key; step 2: the intermediate data variables produced during the computation are stored in the cache occupied by the operation core; step 3: the computation result is stored in the cache occupied by the operation core;
Finally step C is executed: referring to FIG. 7, the plaintext private key and the intermediate data variables used during the operation are cleared from the cache occupied by the operation core, leaving only the operation result;
wherein, while steps B and C are executed, the multi-core processor dynamically records all memory accesses during the execution of steps B and C;
when a thread on another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache space occupied by the operation core is insufficient and a cache replacement occurs, the operation core abandons all operations of steps B and C already executed and re-executes steps B and C.
The code corresponding to steps B and C may be designated as a transactional region through a transactional memory mechanism, such as Intel TSX; once that region is entered, the multi-core processor dynamically records all memory accesses of the code in the region, in other words all memory accesses made while steps B and C execute. Specifically, the RTM of Intel TSX may be used so that, when a thread on another core of the multi-core processor conflicts with the memory accesses recorded by the multi-core processor, or when the cache space occupied by the operation core is insufficient and data would be synchronized to memory, the operation core abandons all operations of steps B and C already executed and re-executes steps B and C.
Consequently, because the operation core abandons its operations and jumps to the designated code region when a memory-access conflict occurs or the cache space is insufficient, all memory writes during the cryptographic operation take place only in the cache; this prevents data in the cache from being synchronized to memory and so prevents cold boot attacks at the root, and when another core reads the key this causes re-execution and the key information cannot be obtained. In the present application the processes of the other cores of the multi-core processor are not restricted from using the cache, and every core of the multi-core processor can perform different cryptographic operations, which improves the working efficiency of the multi-core processor.
Further, to raise the success rate of the public-key cryptographic operation as much as possible, this embodiment may also include, before step B (that is, before entering the transactional region), disabling operating-system process scheduling and masking local interrupts, and, after the data in the cache occupied by the operation core is cleared (that is, after exiting the transactional region), restoring operating-system process scheduling and local interrupts. Disabling operating-system process scheduling and masking local interrupts may be achieved by clearing the IF bit of the EFLAGS register of the multi-core processor, and restoring operating-system process scheduling and local interrupts by setting the IF bit of the EFLAGS register of the multi-core processor.
Since both the setting of the transactional region and the subsequent processing use Intel TSX, all memory accesses of the code in the transactional region (that is, the code corresponding to the plaintext-private-key acquisition operation and the private-key computation operation) are recorded. If a memory access from a core other than the operation core conflicts with a memory access recorded by the transactional region, an abort occurs: the operation core abandons its previous operations, its state is restored to the state before entering the transactional region, and control then jumps directly to the designated code region (when RTM is used). Thus, after the transactional region is entered, that is, once steps B and C start, all memory writes by the operation core take place in the operation core's cache, so that neither the plaintext private key used throughout the key protection process nor the intermediate variables generated during the computation are ever synchronized from the operation core's cache to memory; and the Intel TSX mechanism means that the running speed of processes on the non-operation cores is not affected.
Further, since the operation core uses SSE registers and general-purpose registers during the computation, clearing the plaintext private key and the intermediate data variables from the cache occupied by the operation core also includes clearing the data in the SSE registers and the general-purpose registers. In this embodiment, the data in the cache occupied by the operation core may be cleared with the memset function, and the SSE registers and general-purpose registers cleared with XOR instructions.
Further, to prevent processes on the non-operation cores from frequently accessing the memory used by the transactional region, which would make the transactional-region code abort frequently, this embodiment preferably includes, before step B (that is, before entering the transactional region), a step of reserving for each core of the multi-core processor the memory region accessed in steps B and C. With this setting every core of the multi-core processor accesses a fixed memory region, so that memory accesses of other cores do not conflict with the memory accessed by the operation core's transactional region, and the plaintext-private-key acquisition operation and the private-key computation operation complete successfully.
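Steps A to C above, the xbegin/xend bracket around steps B and C, and the fallback entry at the start of step B, as an added example in C that is not the patent's code and not an implementation by its authors. Its simplifications are assumptions of this example: the master key is a struct field rather than a debug register or PMC, the stored private key is XORed with it rather than AES-NI encrypted, the private-key operation is a modular exponentiation with a small modulus in place of CRT RSA, and the whole thing runs in user space, so it cannot clear EFLAGS.IF or reserve per-core memory as the patent's kernel-side steps do.

```c
/* Added example, not the patent's code: steps B and C run inside an Intel TSX RTM
 * transaction from user space, with the retry loop the patent places at the start
 * of step B. Assumed simplifications: the master key is a struct field (the patent
 * keeps it in a debug register or PMC), the stored private key is XORed with it
 * rather than AES-NI encrypted, and the private-key operation is a modular
 * exponentiation with a modulus below 2^32 so that products fit in 64 bits. */
#include <stdint.h>
#include <stddef.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define KP_X86 1
#else
#define KP_X86 0
#endif
#define RTM_STARTED     0xFFFFFFFFu /* EAX after xbegin when the transaction started */
#define RTM_ABORT_RETRY (1u << 1)   /* abort-status bit: retrying may succeed */
#define RTM_MAX_RETRIES 8
#define KP_KEYLEN       8

typedef struct {
    uint8_t  master_key[KP_KEYLEN]; /* step A: per-core symmetric master key */
    uint8_t  enc_priv[KP_KEYLEN];   /* private exponent d XORed with master_key (toy) */
    uint64_t modulus, message;      /* public modulus n (< 2^32) and operation input */
    uint64_t result;                /* the only value meant to survive step C */
} keyop_ctx;

static int cpu_has_rtm(void) /* CPUID.(EAX=7,ECX=0):EBX bit 11; xbegin without RTM raises #UD */
{
#if KP_X86
    unsigned int a, b, c, d;
    if (__get_cpuid_max(0, NULL) >= 7) { __cpuid_count(7, 0, a, b, c, d); (void)a; (void)c; (void)d; return (int)((b >> 11) & 1u); }
#endif
    return 0;
}

/* xbegin with rel32 = 0: on abort the CPU discards the transactional stores, restores
 * the registers and resumes right after this instruction with the abort status in
 * EAX, the patent's "fallback entry at the start of step B". Raw bytes avoid -mrtm. */
static inline unsigned int rtm_begin(void)
{
    unsigned int status = RTM_STARTED;
#if KP_X86
    __asm__ volatile(".byte 0xc7,0xf8 ; .long 0" : "+a"(status) : : "memory");
#endif
    return status;
}

static inline void rtm_end(void) /* xend: commit the buffered cache lines atomically */
{
#if KP_X86
    __asm__ volatile(".byte 0x0f,0x01,0xd5" : : : "memory");
#endif
}

/* Step C wipe that the compiler cannot elide (the patent uses memset and XOR). */
static void secure_zero(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1) r = (r * base) % m;
        base = (base * base) % m;
    }
    return r;
}

/* Steps B and C as one unit. Inside a transaction every store below stays in the
 * core's cache until rtm_end() commits; an abort discards all of them. */
static void keyop_body(keyop_ctx *c)
{
    uint8_t plain[KP_KEYLEN];
    uint64_t d = 0;
    for (size_t i = 0; i < KP_KEYLEN; i++) {       /* step B1: decrypt with the master key */
        plain[i] = c->enc_priv[i] ^ c->master_key[i];
        d |= (uint64_t)plain[i] << (8 * i);
    }
    c->result = powmod(c->message, d, c->modulus); /* step B2: the private-key operation */
    secure_zero(plain, sizeof plain);               /* step C: only the result survives */
    secure_zero(&d, sizeof d);
}

/* Returns 0 if the work committed inside an RTM transaction, 1 if it ran on the
 * unprotected fallback (no RTM, or the retry budget ran out). Production code
 * should fail closed at that point rather than fall back. */
int protected_keyop(keyop_ctx *c)
{
    for (int i = 0; cpu_has_rtm() && i < RTM_MAX_RETRIES; i++) {
        unsigned int st = rtm_begin();
        if (st == RTM_STARTED) { keyop_body(c); rtm_end(); return 0; }
        if (!(st & RTM_ABORT_RETRY)) break; /* conflict, capacity, interrupt, always-abort microcode */
    }
    keyop_body(c);
    return 1;
}

/* Constructed toy parameters: n = 3233 = 61 * 53, e = 17, d = 2753 = 0x0ac1. */
uint64_t demo_private_op(uint64_t input, int *used_rtm)
{
    keyop_ctx c = { .master_key = {0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a},
                    .enc_priv   = {0x9b, 0x50, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a},
                    .modulus = 3233, .message = input };
    int rc = protected_keyop(&c);
    if (used_rtm) *used_rtm = (rc == 0);
    return c.result;
}
```

Calling demo_private_op(2790, &used) recovers 65 (2790 is 65^17 mod 3233) and reports in used whether the work was committed by xend. Three caveats a deployment has to face: only a CPU that enumerates RTM executes the transaction, and on many current Intel parts TSX has been disabled by microcode so that xbegin aborts immediately with a zero status, which the bounded retry loop turns into the fallback return value instead of a livelock; in user space, interrupts and context switches also abort the transaction, which is why the patent clears EFLAGS.IF and pins each core's memory before entering the region; and the fallback path here computes with the key outside any transaction, so real code should return an error at that point rather than proceed. The stack buffer plain and the result field are both in the transaction's write set, so on abort nothing of them reaches memory, and on commit only the zeroed buffer and the result are written back.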
In summary, with the key protection method provided by the present invention, a symmetric master key is set in a register of each core of the multi-core processor, the plaintext asymmetric private key is decrypted dynamically, and Intel's TSX extension instructions guarantee in hardware that the private key and the intermediate variables used in the computation exist only in the cache occupied by that core. This prevents an attacker from stealing private key information directly from physical memory or reading it through malicious software, secures the implementation of public-key algorithms in a computer-system environment, and, through the Intel TSX mechanism, lets the other cores of the multi-core processor perform cryptographic operations as well, improving computational efficiency.
FIG. 8 is a structural block diagram of an exemplary key protection apparatus of the present invention. The key protection apparatus 800 includes a setting module 801, an operation module 802 and an abandonment module 803.
The setting module 801 is configured to perform step A: setting a symmetric master key in each core of the multi-core processor.
The operation module 802 is configured to perform step B: using any one of the cores as the operation core, performing the public-key cryptographic operation according to the symmetric master key set by the setting module 801, with the plaintext private key and the intermediate data variables used during the operation stored in the cache occupied by the operation core; and to perform step C: clearing the plaintext private key and the intermediate data variables stored in the cache occupied by the operation core.
The abandonment module 803 is configured to, while the operation module 802 is performing step B or step C, make the operation module 802 abandon all operations executed so far and re-execute steps B and C when a thread on another core of the multi-core processor attempts to access the same memory address as the operation core with at least one write, or when the cache space is insufficient and a cache replacement occurs.
The key protection apparatus 800 can implement the steps of the method embodiments of FIGS. 1 to 7; to avoid repetition they are not described again in detail.
As an example, the key protection apparatus 800 further includes a recording module 804, which dynamically records all memory accesses during the execution of steps B and C while the operation module 802 executes them; the operation module 802 is further configured to determine, from all memory accesses recorded by the recording module 804, whether a thread on another core of the multi-core processor and the operation core access the same memory address at the same time with at least one write, or to determine, from all memory accesses recorded by the recording module 804, whether the cache space is sufficient.
Further, the abandonment module 803 is specifically configured to use a transactional memory mechanism (for example, Intel TSX) to make the operation module 802 abandon all operations executed so far and re-execute steps B and C when a thread on another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache space is insufficient and a cache replacement occurs. Still further, the abandonment module 803 is specifically configured to enter the transactional region through the start instruction (such as xbegin) of the RTM mechanism of Intel TSX, to designate the start of step B in the operation module 802 as the fallback entry for the case in which a thread on another core attempts to access the same memory address as the operation core at the same time with at least one write, or as the fallback entry for the case in which the cache space occupied by the operation core is insufficient and a cache replacement occurs, and, after the operation module 802 completes step C, to exit the transactional region through the end instruction (such as xend).
With the above scheme, because the operation core abandons its operations and jumps to the designated code region when a memory-access conflict occurs or the cache space is insufficient, all memory writes during the cryptographic operation take place only in the cache; this prevents data in the cache from being synchronized to memory and so prevents cold boot attacks at the root, and when another core reads the key this causes re-execution and the key information cannot be obtained. In the present application the processes of the other cores of the multi-core processor are not restricted from using the cache, and every core of the multi-core processor can perform different cryptographic operations, which improves the working efficiency of the multi-core processor.
As another example, as shown in FIG. 9, the setting module 801 includes a pop-up unit 901, a receiving unit 902, a converting unit 903 and a copying unit 904.
The pop-up unit 901 is configured to pop up a prompt interface when the operating system starts.
The receiving unit 902 is configured to receive the password entered by the user on the prompt interface popped up by the pop-up unit 901.
The converting unit 903 is configured to convert the password received by the receiving unit 902 into the symmetric master key through the operating system, using a key generation algorithm.
The copying unit 904 is configured to copy the symmetric master key produced by the converting unit 903 into a designated register of the multi-core processor for storage.
For specific examples, refer to the description of the method above, which is not repeated here.
As another example, the setting module 801 may also be configured to disable operating-system process scheduling and mask local interrupts before the operation module 802 executes step B, and to restore operating-system process scheduling and local interrupts after the operation module 802 executes step C. This further raises the success rate of the public-key cryptographic operation.
Further, the setting module 801 may be specifically configured to disable operating-system process scheduling and mask local interrupts by clearing the IF bit of the EFLAGS register of the multi-core processor, and to restore operating-system process scheduling and local interrupts by setting the IF bit of the EFLAGS register of the multi-core processor.
Preferably, to prevent processes on the non-operation cores from frequently accessing the memory used by the transactional region, which would make the transactional-region code abort frequently, the setting module 801 may also be configured to reserve, for each core of the multi-core processor, the memory region accessed by the operation module 802 when executing steps B and C. With this setting every core of the multi-core processor accesses a fixed memory region, so that memory accesses of other cores do not conflict with the memory accessed by the operation core's transactional region, and the plaintext-private-key acquisition operation and the private-key computation operation complete successfully.
This example gives an apparatus that implements the steps of the above method. FIG. 10 shows an exemplary key protection device. In this example the key protection device 1000 includes a multi-core processor 1001 and a memory 1002; the multi-core processor 1001 may also be called a CPU (Central Processing Unit). The memory 1002 may include read-only memory and random-access memory and provides instructions and data to the multi-core processor 1001; part of the memory 1002 may also include non-volatile random-access memory (NVRAM). The processor 1001 and the memory 1002 are coupled through a bus system 1010, which includes, besides the data bus, a power bus, a control bus and a status signal bus; for clarity, all of these buses are labeled as the bus system 1010 in the figure.
The method disclosed in the above examples may be applied in the key protection device 1000 described above. The multi-core processor 1001 may be an integrated-circuit chip with signal-processing capability. In implementation, each step of the above method may be completed by integrated hardware logic in the multi-core processor 1001 or by instructions in software form.
The multi-core processor 1001 supports the Intel TSX extension and is connected to a cache memory 1003; all sensitive information of the computation resides in the cache 1003.
When the system starts, a user interface must pop up and a password be entered; these operations are performed through the keyboard 1005 and the display 1006 connected to the bridge device 1004. The bridge device may be a high-speed north bridge for connecting a graphics card, or a south bridge for connecting peripherals such as a keyboard.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (20)

  1. A key protection method, characterized in that the method is applied to a multi-core processor and comprises:
    Step A: setting a symmetric master key in each core of the multi-core processor;
    Step B: using any one of the cores as an operation core, the operation core decrypting the plaintext private key according to the symmetric master key to perform a public-key cryptographic operation, wherein the plaintext private key and the intermediate data variables used during the operation are stored in the cache memory occupied by the operation core;
    Step C: clearing the plaintext private key and the intermediate data variables used during the operation from the cache memory occupied by the operation core;
    wherein, during execution of step B or step C, when another core of the multi-core processor attempts to access the same memory address as the operation core and at least one of the accesses is a write, or when the cache memory space is insufficient and a cache replacement occurs, all operations already executed by the operation core are abandoned and steps B and C are re-executed.
  2. The method according to claim 1, characterized in that the method further comprises:
    while steps B and C are executed, dynamically recording all memory accesses during the execution of steps B and C;
    determining, from all the recorded memory accesses, whether another core of the multi-core processor and the operation core access the same memory address at the same time with at least one write; or determining, from all the recorded memory accesses, whether the cache memory space is sufficient.
  3. The method according to claim 2, characterized in that
    a transactional memory mechanism designates the code corresponding to steps B and C as a transactional region, whereby the multi-core processor dynamically records all memory accesses during the execution of steps B and C and, when another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache memory space occupied by the operation core is insufficient and a cache replacement occurs, abandons all operations already executed by the operation core and re-executes steps B and C.
  4. The method according to claim 3, characterized in that the transactional memory mechanism comprises Intel Transactional Synchronization Extensions (Intel TSX).
  5. The method according to claim 4, characterized in that the transactional region is entered through the start instruction of the Restricted Transactional Memory (RTM) mechanism, and the start of step B is designated as the fallback entry for the case in which another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or as the fallback entry for the case in which the cache memory space occupied by the operation core is insufficient and a cache replacement occurs; after step C is completed, the transactional region is exited through the end instruction.
  6. The method according to claim 1, characterized in that, in step A, the step of setting each core of the multi-core processor to contain a symmetric master key comprises:
    popping up a prompt interface when the operating system starts, and receiving a password entered by the user on the prompt interface;
    converting the password into the symmetric master key through the operating system using a key generation algorithm;
    copying the symmetric master key into a designated register of the multi-core processor for storage.
  7. The method according to claim 6, characterized in that the public-key cryptographic operation comprises a plaintext-private-key acquisition operation and a private-key computation operation;
    the plaintext-private-key acquisition operation comprises the operation core reading the private key encrypted under the symmetric master key from a hard disk and copying it into memory, the operation core decrypting the private key encrypted under the symmetric master key using the symmetric master key in the designated register of the multi-core processor to obtain the plaintext private key, and storing the plaintext private key in the cache memory occupied by the operation core;
    the private-key computation operation comprises a digital signature and/or decryption step, in which the plaintext private key is used to perform digital signature and/or decryption, and the intermediate data variables and the computation results produced during the computation are stored in the cache memory occupied by the operation core.
  8. The method according to claim 7, characterized in that the plaintext-private-key acquisition operation invokes AES-NI instructions, uses SSE registers to decrypt the private key encrypted under the symmetric master key, and copies the plaintext private key into the cache memory.
  9. The method according to claim 8, characterized in that step C further comprises clearing the data in the SSE registers and the general-purpose registers.
  10. The method according to claim 1, characterized in that, before step B is executed, the method further comprises disabling operating-system process scheduling and masking local interrupts; and after step C is executed, the method further comprises restoring operating-system process scheduling and local interrupts.
  11. The method according to claim 10, characterized in that disabling operating-system process scheduling and masking local interrupts is achieved by clearing the IF bit of the EFLAGS register of the multi-core processor, and restoring operating-system process scheduling and local interrupts is achieved by setting the IF bit of the EFLAGS register of the multi-core processor.
  12. The method according to any one of claims 1 to 11, characterized in that, before step B is executed, the method further comprises reserving, for each core of the multi-core processor, the memory region accessed in steps B and C.
  13. A key protection apparatus, comprising a setting module, an operation module and an abandonment module, wherein
    the setting module is configured to perform step A: setting a symmetric master key in each core of a multi-core processor;
    the operation module is configured to perform step B: using any one of the cores as an operation core, performing a public-key cryptographic operation according to the symmetric master key set by the setting module, wherein the plaintext private key and the intermediate data variables used during the operation are stored in the cache memory occupied by the operation core; and to perform step C: clearing the plaintext private key and the intermediate data variables stored in the cache memory occupied by the operation core;
    the abandonment module is configured to, while the operation module performs step B or step C, when another core of the multi-core processor attempts to access the same memory address as the operation core and at least one of the accesses is a write, or when the cache memory space is insufficient and a cache replacement occurs, cause the operation module to abandon all operations already executed and to re-execute steps B and C.
  14. The apparatus according to claim 13, characterized in that the multi-core processor further comprises a recording module,
    the recording module being configured to dynamically record all memory accesses during the execution of steps B and C while the operation module executes steps B and C;
    the operation module being further configured to determine, from all memory accesses recorded by the recording module, whether another core of the multi-core processor and the operation core access the same memory address at the same time with at least one write; or to determine, from all memory accesses recorded by the recording module, whether the cache memory space is sufficient.
  15. The apparatus according to claim 14, characterized in that
    the abandonment module is specifically configured to use a transactional memory mechanism to cause the operation module to abandon all operations already executed and to re-execute steps B and C when another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or when the cache memory space is insufficient and a cache replacement occurs.
  16. The apparatus according to claim 15, characterized in that the transactional memory mechanism comprises Intel Transactional Synchronization Extensions (Intel TSX), and
    the abandonment module is specifically configured to enter the transactional region through the start instruction of the Restricted Transactional Memory (RTM) mechanism of Intel TSX, to designate the start of step B in the operation module as the fallback entry for the case in which another core of the multi-core processor attempts to access the same memory address as the operation core at the same time with at least one write, or as the fallback entry for the case in which the cache memory space occupied by the operation core is insufficient and a cache replacement occurs, and, after the operation module completes step C, to exit the transactional region through the end instruction.
  17. The apparatus according to claim 13, characterized in that the setting module comprises a pop-up unit, a receiving unit, a converting unit and a copying unit,
    the pop-up unit being configured to pop up a prompt interface when the operating system starts;
    the receiving unit being configured to receive a password entered by the user on the prompt interface popped up by the pop-up unit;
    the converting unit being configured to convert the password received by the receiving unit into a symmetric master key through the operating system using a key generation algorithm;
    the copying unit being configured to copy the symmetric master key converted by the converting unit into a designated register of the multi-core processor for storage.
  18. The apparatus according to claim 13, characterized in that
    the setting module is further configured to disable operating-system process scheduling and mask local interrupts before the operation module executes step B, and to restore operating-system process scheduling and local interrupts after the operation module executes step C.
  19. The apparatus according to claim 18, characterized in that
    the setting module is specifically configured to disable operating-system process scheduling and mask local interrupts by clearing the IF bit of the EFLAGS register of the multi-core processor, and to restore operating-system process scheduling and local interrupts by setting the IF bit of the EFLAGS register of the multi-core processor.
  20. The apparatus according to claim 13, characterized in that
    the setting module is further configured to reserve, for each core of the multi-core processor, the memory region accessed by the operation module when executing steps B and C.
PCT/CN2014/085236 2014-02-27 2014-08-27 Key protection method and apparatus WO2015127772A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/909,849 US10313111B2 (en) 2014-02-27 2014-08-27 Key protecting method and apparatus
EP14884251.1A EP3113406B1 (en) 2014-02-27 2014-08-27 Key protecting method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410068010.9 2014-02-27
CN201410068010.9A CN104883256B (zh) 2014-02-27 2014-02-27 Key protection method resisting physical attacks and system attacks

Publications (1)

Publication Number Publication Date
WO2015127772A1 true WO2015127772A1 (zh) 2015-09-03

Family

ID=53950596

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/085236 WO2015127772A1 (zh) 2014-02-27 2014-08-27 Key protection method and apparatus

Country Status (4)

Country Link
US (1) US10313111B2 (zh)
EP (1) EP3113406B1 (zh)
CN (1) CN104883256B (zh)
WO (1) WO2015127772A1 (zh)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7949130B2 (en) * 2006-12-28 2011-05-24 Intel Corporation Architecture and instruction set for implementing advanced encryption standard (AES)
US10127399B1 (en) * 2015-12-29 2018-11-13 EMC IP Holding Company LLC Secrets as a service
CN106130719A (zh) * 2016-07-21 2016-11-16 Institute of Information Engineering, Chinese Academy of Sciences Multi-core implementation method and apparatus for cryptographic algorithms resisting memory disclosure attacks
CN106411893B (zh) * 2016-09-30 2019-08-13 Chengdu Knownsec Information Technology Co., Ltd. Deployment method for an HTTPS service
CN108242994B (zh) 2016-12-26 2021-08-13 Alibaba Group Holding Limited Key processing method and apparatus
CN107911567B (zh) * 2017-11-10 2019-05-21 Xidian University System and method for resisting physical attacks on printers
CN109522736B (zh) * 2018-12-13 2021-12-10 Institute of Information Engineering, Chinese Academy of Sciences Method and system for performing cryptographic operations in an operating system
CN110138557A (zh) * 2019-05-28 2019-08-16 Shanghai Zhaoxin Semiconductor Co., Ltd. Data processing device and data processing method
US11398899B2 (en) 2019-05-28 2022-07-26 Shanghai Zhaoxin Semiconductor Co., Ltd. Data processing device and data processing method
KR20210041932A (ko) * 2019-10-08 2021-04-16 Hanwha Techwin Co., Ltd. Secure boot device and operating method thereof
US11709928B2 (en) * 2020-05-22 2023-07-25 Jpmorgan Chase Bank, N.A. Method and system for securing access to a private key
CN111934860B (zh) * 2020-08-06 2024-01-05 Shandong Computer Science Center (National Supercomputer Center in Jinan) Implementation method and system for key storage on mobile terminals

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1822217A (zh) * 2005-01-06 2006-08-23 Samsung Electronics Co., Ltd. Apparatus and method for storing data in a non-volatile cache memory
CN102355350A (zh) * 2011-06-30 2012-02-15 Beijing University of Posts and Telecommunications File encryption method and system for mobile intelligent terminals

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4263976B2 (ja) * 2003-09-24 2009-05-13 Toshiba Corporation On-chip multi-core tamper-resistant processor
JP4447977B2 (ja) * 2004-06-30 2010-04-07 Fujitsu Microelectronics Limited Secure processor and program for secure processor
US8538015B2 (en) * 2007-03-28 2013-09-17 Intel Corporation Flexible architecture and instruction for advanced encryption standard (AES)
US8706982B2 (en) 2007-12-30 2014-04-22 Intel Corporation Mechanisms for strong atomicity in a transactional memory system
US20120331308A1 (en) * 2011-06-22 2012-12-27 Media Patents, S.L. Methods, apparatus and systems to improve security in computer systems
WO2014004222A1 (en) 2012-06-29 2014-01-03 Intel Corporation Instruction and logic to test transactional execution status
US8943278B2 (en) 2012-07-31 2015-01-27 Advanced Micro Devices, Inc. Protecting large regions without operating-system support
EP2965254B1 (en) * 2013-03-08 2020-05-13 Robert Bosch GmbH Systems and methods for maintaining integrity and secrecy in untrusted computing platforms
US9292444B2 (en) * 2013-09-26 2016-03-22 International Business Machines Corporation Multi-granular cache management in multi-processor computing environments
CN103607279B (zh) * 2013-11-14 2017-01-04 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences Key protection method and system based on a multi-core processor
US9348523B2 (en) * 2013-12-12 2016-05-24 International Business Machines Corporation Code optimization to enable and disable coalescing of memory transactions


Also Published As

Publication number Publication date
US10313111B2 (en) 2019-06-04
EP3113406B1 (en) 2020-04-29
CN104883256A (zh) 2015-09-02
US20160359621A1 (en) 2016-12-08
CN104883256B (zh) 2019-02-01
EP3113406A4 (en) 2017-11-01
EP3113406A1 (en) 2017-01-04

Similar Documents

Publication Publication Date Title
WO2015127772A1 (zh) Key protection method and apparatus
US10685145B2 (en) Secure processor and a program for a secure processor
US11012231B2 (en) Authenticated copying of encryption keys between secure zones
US9753865B2 (en) System and methods for executing encrypted code
Kim et al. Hardware-based always-on heap memory safety
US9524240B2 (en) Obscuring memory access patterns in conjunction with deadlock detection or avoidance
US10095862B2 (en) System for executing code with blind hypervision mechanism
US9756048B2 (en) System and methods for executing encrypted managed programs
US20150310231A1 (en) Multi-Core Processor Based Key Protection Method And System
Strackx et al. The Heisenberg defense: Proactively defending SGX enclaves against page-table-based side-channel attacks
CN105678173A (zh) vTPM security protection method based on hardware transactional memory
JP5316592B2 (ja) セキュアプロセッサ用プログラム
Fu et al. RegKey: a register-based implementation of ECC signature algorithms against one-shot memory disclosure
JP5365664B2 (ja) セキュアプロセッサ
Li et al. Peapods: OS-independent memory confidentiality for cryptographic engines
Alam et al. CAUSEC: Cache-Based Secure Key Computation with (Mostly) Deprivileged Execution

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14884251; Country of ref document: EP; Kind code of ref document: A1)
REEP Request for entry into the european phase (Ref document number: 2014884251; Country of ref document: EP)
WWE Wipo information: entry into national phase (Ref document number: 2014884251; Country of ref document: EP)
WWE Wipo information: entry into national phase (Ref document number: 14909849; Country of ref document: US)
NENP Non-entry into the national phase (Ref country code: DE)