WO2016071743A1 - Integrity protection for data storage - Google Patents

Publication number
WO2016071743A1
Authority
WO
WIPO (PCT)
Prior art keywords
counter
sequence number
epoch
memory block
selected memory
Application number
PCT/IB2014/065885
Other languages
English (en)
French (fr)
Inventor
Michael Kenneth BOWLER
Original Assignee
Elliptic Technologies Inc.
Application filed by Elliptic Technologies Inc.
Priority to PCT/IB2014/065885
Priority to CN201480083238.3A (CN107111730B)
Publication of WO2016071743A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present disclosure relates to integrity protection of data storage, memory caching and cryptography.
  • a method for protecting the integrity of a memory system divided into a plurality of memory blocks each of which has a local sequence number.
  • the method maintains an age counter for each of the memory blocks; maintains an opportunity counter for each of the memory blocks; maintains an epoch counter for the memory system; writes data in a selected memory block; increases the local sequence number of the selected memory block; updates the opportunity counter for the selected memory block if the local sequence number of the selected memory block rolls over; computes a message authentication code (MAC) in the selected memory block based on a global sequence number and the local sequence number; updates the age counter and the opportunity counter for any non-selected memory blocks if the opportunity counter for the non-selected memory blocks does not match the LSB of the epoch counter for the non-selected memory blocks; and computes a new MAC for any memory block for which the updating is performed.
  • MAC message authentication code
  • each of the MACs is updated opportunistically (1) after the corresponding age counter rolls over and (2) during the writing of data to the corresponding memory block.
  • FIG. 1 is a diagram of a global sequence number.
  • FIG. 2 is a flow chart of an example of the use of a local sequence number with an opportunity counter.
  • Integrity protection of memory systems located on insecure devices is generally done by computing a cryptographic integrity protection value or Message Authentication Code (MAC) and storing it along with the data. Therefore an unauthorized third party cannot modify the information written in memory.
  • a MAC algorithm, sometimes called a keyed (cryptographic) hash function (however, a cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and arbitrary-length data to be authenticated, and outputs a MAC (sometimes known as a tag).
  • the MAC value protects the data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the data content.
  • When the memory is authentically updated, the MAC is recomputed. To prevent replays of previously authentic values, a unique value, such as a counter or a sequence number, is added to the authentication input.
  • a MAC is also used when data cache writes out cache-lines to external memory.
  • a sequence number is associated with each and every cache line in the memory. Therefore, an attacker cannot capture an image of the external memory and, after the memory has been updated, replace the cache-lines within the memory with a previously captured version.
  • the memory is segmented into memory blocks, and a MAC is stored along with each memory block.
  • a block can be one cache line or a larger memory space. Therefore, the authentication algorithm only needs to be performed over an individual, smaller memory block.
  • a separate sequence number needs to be maintained for every memory block. The sequence number needs to be sufficiently large to prevent it from expiring (rolling over) too often.
  • the cryptographic integrity algorithm needs to be re-keyed, which results in re-computing the MAC for all data blocks.
  • the memory system is not accessible, leading to access delays. Large sequence numbers are therefore preferable, but with a large number of blocks, a substantial amount of sequence number data needs to be stored and maintained.
  • An existing solution is to maintain a small local sequence number per memory block and a global epoch counter.
  • the epoch counter and the local sequence number are concatenated to form the sequence number applied to the integrity algorithm.
  • any time the epoch counter is updated each MAC needs to be updated.
  • the memory system is not accessible during the refresh process.
  • a global sequence number 100 comprises a local sequence number 101 and a global epoch counter 102.
  • the local sequence number 101 is subdivided into two fields: an opportunity counter 110 and an age counter 115.
  • An instance of the local sequence number 101 is maintained for every external cache line or memory block. All local sequence numbers reset to zero on key initialization.
  • the global epoch counter 102 is a counter global to all blocks.
  • the opportunity counter 110 allows the MAC to be updated opportunistically after the age counter 115 rolls over, during normal updates (writes) of the data block. It also allows the MAC to be refreshed to new epoch values off-line.
  • the width of the age, opportunity, and epoch counters can be tuned to trade off the frequency of epoch update, off-line integrity check refresh to new epoch values, and opportunistic epoch updates versus memory storage requirements for the counter values.
  • a 32-bit global sequence number can include a 4-bit age counter and a 2-bit opportunity counter.
  • the epoch counter 102 and the age counter are concatenated to form the full sequence number used in computing the integrity protection value.
  • the Least Significant Bits (LSB) of the epoch counter are inferred by comparing the global epoch counter 102 to the local opportunity counter 110.
  • the opportunity counter 110 is compared to the LSB of the epoch counter 102. If they match, the age counter is incremented by 1. If the age counter wraps (carries into the opportunity counter), the epoch counter is incremented by 1. When the epoch counter increments, all local sequence numbers need to be checked, and every line that has an opportunity counter matching the LSB of the new epoch, needs to immediately have its MAC recomputed with the new sequence number.
  • the opportunity counter allows an offline update or refresh of the MAC when the epoch counter changes.
  • a background process or thread may update the local sequence numbers so that the opportunity counters are in sync with the current epoch. This can occur when the cache is not busy, i.e., on a low priority process.
  • the age counter resets to zero, to minimize the need for epoch updates.
  • the opportunity counter is set to match prior to computing the MAC, and the age counter is reset to zero.
  • the MAC corresponding to the line is therefore refreshed opportunistically.
  • the refresh process of an external cache line MAC value is performed by reading in the cache-line and validating the MAC.
  • the new MAC is computed using the updated global sequence number.
  • interrupts are optionally generated to the processor at various thresholds to prompt a proactive rekey operation before the counter expires.
  • a background process checks the opportunity counters and updates the MAC for any opportunity counter that is about to expire (for example, the memory blocks that are 1 bit away from the LSB of the epoch).
  • any memory block MAC can be updated based on a pre-determined policy. This maximizes the time a cache-line can be opportunistically updated before getting hit with a refresh, and still allows the refresh to run as a background process.
  • FIG. 2 shows an example flow chart of an embodiment in which an authentication code update for a memory block i is initiated at step 201. If step 203 determines that the opportunity counter for block i is different from the LSB of the epoch counter, the local sequence number is from a different epoch, and step 205 sets the opportunity counter for block i to the LSB of the epoch counter and resets the age counter for block i to zero. Otherwise, the local sequence number is in the current epoch, and step 207 increments the age counter for block i. If the age does not roll (i.e., there is no carry) at step 209, the memory block i is updated with the new sequence number at step 211.
  • the epoch counter needs to be updated at step 213, the opportunity counter for block i is set to the LSB of the epoch counter and the age is reset to 0.
  • the memory block i is updated accordingly. All memory blocks j are checked at step 219 except for the one that was just updated at step 213 which is skipped by the If step 215.
  • If the opportunity counter for block j is equal to the LSB of the epoch counter at step 219, then the opportunity counter has fallen behind by a number of epochs represented by the number of bits in the opportunity counter (in this example, four epochs, because the opportunity counter is 2 bits), and the MAC of memory block j needs to be refreshed at step 221. If the opportunity counter for block j is not equal to the LSB of the epoch counter at step 219, then no update is necessary for block j, and the next block is checked by incrementing the value of j at step 217.
  • Any algorithm, software, or method disclosed herein can be embodied in software stored on a non-transitory tangible medium such as, for example, a flash memory, a CD-ROM, a floppy disk, a hard drive, a digital versatile disk (DVD), or other memory devices, but persons of ordinary skill in the art will readily appreciate that the entire algorithm and/or parts thereof could alternatively be executed by a device other than a controller and/or embodied in firmware or dedicated hardware in a well-known manner (e.g., it may be implemented by an application specific integrated circuit (ASIC), a programmable logic device (PLD), a field programmable logic device (FPLD), discrete logic, etc.).
  • ASIC application specific integrated circuit
  • PLD programmable logic device
  • FPLD field programmable logic device
  • machine-readable instructions represented in any flowchart depicted herein can be implemented manually as opposed to automatically by a controller, processor, or similar computing device or machine.
  • specific algorithms are described with reference to flowcharts depicted herein, persons of ordinary skill in the art will readily appreciate that many other methods of implementing the example machine readable instructions may alternatively be used. For example, the order of execution of the blocks may be changed, and/or some of the blocks described may be changed, eliminated, or combined.
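
The FIG. 2 update flow and the replay argument above, modelled in Python as an added example that is not part of the patent text. Assumptions of this sketch: HMAC-SHA256 as the MAC, the key and all counters held in trusted state while only (data, MAC) pairs sit in external memory, the block index bound into the MAC input, and all class, method and variable names hypothetical.

```python
import hashlib
import hmac

AGE_BITS, OPP_BITS = 4, 2                  # widths from the page's 32-bit example
AGE_MAX, OPP_MASK = (1 << AGE_BITS) - 1, (1 << OPP_BITS) - 1

class ProtectedMemory:
    def __init__(self, key, nblocks):
        # Key and counters model trusted state; ext models untrusted external memory.
        self.key, self.epoch = key, 0
        self.opp, self.age = [0] * nblocks, [0] * nblocks
        self.refreshed = []                # (epoch, block) for every forced refresh
        self.ext = [(b"", self._mac(i, b"")) for i in range(nblocks)]

    def _mac(self, i, data):
        # Infer the block's epoch: newest epoch <= global epoch whose LSBs equal opp[i].
        block_epoch = self.epoch - ((self.epoch - self.opp[i]) & OPP_MASK)
        seq = (block_epoch << AGE_BITS) | self.age[i]            # epoch || age
        # Binding the block index into the MAC input is an assumption of this sketch.
        msg = i.to_bytes(4, "big") + seq.to_bytes(8, "big") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, i):
        data, mac = self.ext[i]
        return hmac.compare_digest(mac, self._mac(i, data))

    def read(self, i):
        if not self.verify(i):
            raise ValueError(f"integrity check failed for block {i}")
        return self.ext[i][0]

    def write(self, i, data):
        if self.opp[i] != (self.epoch & OPP_MASK):         # step 203: older epoch
            self.opp[i], self.age[i] = self.epoch & OPP_MASK, 0    # step 205
        elif self.age[i] < AGE_MAX:                        # steps 207/209: no carry
            self.age[i] += 1
        else:                                              # age rolls over: step 213
            self._advance_epoch(skip=i)
            self.opp[i], self.age[i] = self.epoch & OPP_MASK, 0
        self.ext[i] = (data, self._mac(i, data))           # step 211: new MAC

    def _advance_epoch(self, skip):
        lsb = (self.epoch + 1) & OPP_MASK
        stale = [j for j in range(len(self.ext)) if j != skip and self.opp[j] == lsb]
        valid = {j: self.read(j) for j in stale}           # check under old sequence
        self.epoch += 1
        for j in stale:                                    # steps 215-221
            self.age[j] = 0
            self.ext[j] = (valid[j], self._mac(j, valid[j]))
            self.refreshed.append((self.epoch, j))

def demo():
    mem = ProtectedMemory(b"constructed-demo-key", 3)      # constructed key
    mem.write(1, b"balance=100")
    snapshot = mem.ext[1]                  # earlier copy of the external line
    mem.write(1, b"balance=0")
    current, mem.ext[1] = mem.ext[1], snapshot             # stale pair put back
    replay_detected = not mem.verify(1)
    mem.ext[1] = current                   # restore the authentic line
    for n in range(64):                    # 64 writes to block 0 reach epoch 4
        mem.write(0, b"v%d" % n)
    return replay_detected, mem.epoch, mem.refreshed, mem.read(1), mem.read(2)
```

Blocks 1 and 2 are refreshed only when the epoch reaches 4, because their 2-bit opportunity counter (0) first collides with the epoch LSBs at that point; until then their MACs stay valid without being touched.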

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Bioethics (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
PCT/IB2014/065885 2014-11-07 2014-11-07 Integrity protection for data storage WO2016071743A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/IB2014/065885 WO2016071743A1 (en) 2014-11-07 2014-11-07 Integrity protection for data storage
CN201480083238.3A CN107111730B (zh) 2014-11-07 2014-11-07 Integrity protection for data storage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2014/065885 WO2016071743A1 (en) 2014-11-07 2014-11-07 Integrity protection for data storage

Publications (1)

Publication Number Publication Date
WO2016071743A1 (en) 2016-05-12

Family

ID=55908652

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2014/065885 WO2016071743A1 (en) 2014-11-07 2014-11-07 Integrity protection for data storage

Country Status (2)

Country Link
CN (1) CN107111730B (zh)
WO (1) WO2016071743A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10042780B2 (en) 2014-11-07 2018-08-07 Synopsys, Inc. Integrity protection for data storage
WO2022114900A1 (ko) * 2020-11-27 2022-06-02 한국과학기술원 Method and apparatus for determining an order-guarantee unit in multi-command-queue storage

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113486399B (zh) * 2021-07-14 2023-03-24 上海瓶钵信息科技有限公司 Data storage method and system based on the RISC-V architecture

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090100272A1 (en) * 2006-04-24 2009-04-16 Bernard Smeets Anti-roll-back mechanism for counter
US7681050B2 (en) * 2005-12-01 2010-03-16 Telefonaktiebolaget L M Ericsson (Publ) Secure and replay protected memory storage
US8015378B2 (en) * 2005-01-07 2011-09-06 Telefonaktiebolaget L M Ericsson (Publ) Updating memory contents of a processing device
US20120317344A1 (en) * 2009-12-18 2012-12-13 St-Ericsson Sa Method of and apparatus for storing data
US20140208109A1 (en) * 2011-12-28 2014-07-24 Alpa T. Narendra Trivedi Method and system for protecting memory information in a platform

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2320345A3 (en) * 2005-09-14 2011-08-10 Sandisk Corporation Hardware driver integrity check of memory card controller firmware
DE112010003345B4 (de) * 2009-08-21 2017-07-27 International Business Machines Corporation Datenspeichersystem und Verfahren für das Betreiben eines Datenspeichersystems
EP2726991B1 (en) * 2011-06-29 2018-03-14 Intel Corporation Method and apparatus for memory encryption with integrity check and protection against replay attacks

Also Published As

Publication number Publication date
CN107111730B (zh) 2021-01-08
CN107111730A (zh) 2017-08-29

Similar Documents

Publication Publication Date Title
US20210124820A1 (en) Application program integrity verification method and network device
US8516271B2 (en) Securing non-volatile memory regions
US9076019B2 (en) Method and apparatus for memory encryption with integrity check and protection against replay attacks
US11184164B2 (en) Secure crypto system attributes
TWI673609B (zh) System and method for reducing information leakage from memory
US11269786B2 (en) Memory data protection based on authenticated encryption
US11134377B2 (en) Encrypting/decrypting data on mobile terminal
US11658808B2 (en) Re-encryption following an OTP update event
US8010587B2 (en) Random number generator
US10042780B2 (en) Integrity protection for data storage
US9350732B1 (en) Integrity protection for data storage
US20170085540A1 (en) Secure data re-encryption
KR102117838B1 (ko) Method for protecting security-related data in a cache memory
WO2016071743A1 (en) Integrity protection for data storage
US10862669B2 (en) Encryption/description method protected against side-channel attacks
CN106850211B (zh) Encryption method and system based on MAC address
US11121867B2 (en) Encryption methods based on plaintext length
CN108154042B (zh) File system encryption method and device
US11281434B2 (en) Apparatus and method for maintaining a counter value
CN117692134A (zh) Key update management system and key update management method
WO2020036887A1 (en) Authentication of files
US20200249912A1 (en) Information processing apparatus, information processing method, and storage medium
EP3832945B1 (en) System and method for protecting memory encryption against template attacks
WO2018233321A1 (zh) Data judgment method applied to a distributed storage system, and distributed storage system
US20220284088A1 (en) Authentication of write requests

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14905343

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 21.08.2017)

122 Ep: pct application non-entry in european phase

Ref document number: 14905343

Country of ref document: EP

Kind code of ref document: A1