WO2003103251A1 - Stockage de cle cryptographique - Google Patents
Stockage de cle cryptographique Download PDFInfo
- Publication number
- WO2003103251A1 WO2003103251A1 PCT/IE2003/000087 IE0300087W WO03103251A1 WO 2003103251 A1 WO2003103251 A1 WO 2003103251A1 IE 0300087 W IE0300087 W IE 0300087W WO 03103251 A1 WO03103251 A1 WO 03103251A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- real
- cryptography
- pseudo
- security device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
Definitions
- the invention relates to storage of cryptography keys.
- a server system has a Web server for communicating via the Internet on a secure communications channel (for example SSL/TLS) and uses a cryptographic service provider (CSP) to perform cryptographic operations.
- a secure communications channel for example SSL/TLS
- CSP cryptographic service provider
- Implementation of a cryptography scheme by a system such as this requires storage of a private key.
- the private key has in many instances been stored on the computer's primary or secondary memory, either in plaintext or encrypted. In this situation the key is vulnerable to access by an attacker. Even if the key is encrypted, it may be decrypted off-line using brute-force or another method.
- the invention is therefore directed towards providing improved cryptographic key storage and private key operations.
- a computer server system comprising:
- a host server comprising an interface for communicating with external systems, and a cryptography system for performing cryptographic operations; and a physically separate security device for storing a real cryptography key and for performing cryptographic operations with said real key in response to requests from the host server.
- the cryptography system of the host server performs all cryptography operations except those requiring use of the real key.
- the cryptography system stores a pseudo key and passes said pseudo key to the security device in a request for the security device to perform an operation with the real key.
- the cryptography system is not aware at the application level that the key it stores is a real key and the request to the security is made by a lower-level function.
- the pseudo key has the same format as the real key.
- the cryptography system stores the pseudo key in a manner similar to that for a real key.
- the security device uses the received pseudo key to identify the real key.
- the security device processes the pseudo key to generate an address for the real key.
- security device hashes the pseudo key.
- the security device is an exponentiation accelerator.
- the invention provides a host server comprising a cryptography system for storing a pseudo cryptography key, and for passing a request to a physically separate security device for performance of a cryptography operation requiring use of a real cryptography key.
- Fig. 1 is a diagram showing a computer server system of the invention.
- a computer server system 1 comprises a server 2 linked to a separate key storage accelerator 3.
- the server 2 comprises a Web server 5 which communicates on a secure SSL/TLS communications channel 6.
- the server 1 also comprises an internal cryptographic service provider (CSP) 7 which stores a certificate 8 and a pseudo key, key' 9.
- CSP cryptographic service provider
- the pseudo key 9 is stored in the same manner as is conventional for a real key, and it has a similar format. However, the pseudo key 9 can not be used in valid cryptographic operations because it is not the real key.
- the CSP 7 is not aware that the pseudo key can not be used for cryptographic operations requiring a private key.
- the accelerator 3 may be of the type described in our prior published PCT Patent Specification No. WO01/29652.
- the accelerator 3 stores the real key, and also the pseudo key for addressing/identification purposes. All cryptography operations requiring use of the real key are performed by the accelerator 3, after requests incorporating the pseudo key are passed to it. These requests are generated at a low level in the CSP without application- level "knowledge".
- the server 1 also user the CSP 7 hosted internally to perform a large range of cryptographic operations which do not require use of the real key.
- the accelerator 3 uses the received pseudo key to locate the real key by hashing the pseudo key to bring it down from say 1024 bits to 12 bits.
- the hash result is then used as an address for a look-up table to retrieve the real key.
- the CSP 7 has a number of pseudo keys and the accelerator 3 has a number of corresponding real keys.
- Each key is for a different type of operation such as signing, encryption and decryption with different levels of security.
- the hash result provides access to the relevant real key.
- the invention provides for a large range of cryptographic operations while at the same time allowing secure key storage. Unauthorised accesses only have access to the server 2, and if such an access retrieves the "key" it is only the pseudo key and so it is of no benefit to the hacker.
- the invention achieves major security benefits, while allowing a conventional crypto system to be used internally on the server, without it even needing to be aware at the application level that the keys it stores are only pseudo keys.
- the cryptography server 7 may store multiple certificates and keys. Claims
- a computer server system comprising:
- a host server comprising an interface for communicating with external systems, and a cryptography system for performing cryptographic operations
- a physically separate security device for storing a real cryptography key and for performing cryptographic operations with said real key in response to requests rom the host server.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2003249546A AU2003249546A1 (en) | 2002-05-31 | 2003-05-30 | Cryptography key storage |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US38408302P | 2002-05-31 | 2002-05-31 | |
| US60/384,083 | 2002-05-31 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2003103251A1 true WO2003103251A1 (fr) | 2003-12-11 |
Family
ID=29711975
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/IE2003/000087 Ceased WO2003103251A1 (fr) | 2002-05-31 | 2003-05-30 | Stockage de cle cryptographique |
Country Status (2)
| Country | Link |
|---|---|
| AU (1) | AU2003249546A1 (fr) |
| WO (1) | WO2003103251A1 (fr) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8478965B2 (en) | 2009-10-30 | 2013-07-02 | International Business Machines Corporation | Cascaded accelerator functions |
| US9444622B2 (en) | 2008-09-15 | 2016-09-13 | Hewlett Packard Enterprise Development Lp | Computing platform with system key |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5764766A (en) * | 1996-06-11 | 1998-06-09 | Digital Equipment Corporation | System and method for generation of one-time encryption keys for data communications and a computer program product for implementing the same |
| EP0886409A2 (fr) * | 1997-05-01 | 1998-12-23 | Digital Vision Laboratories Corporation | Système fournisseur d'informations |
| US5940510A (en) * | 1996-01-31 | 1999-08-17 | Dallas Semiconductor Corporation | Transfer of valuable information between a secure module and another module |
-
2003
- 2003-05-30 WO PCT/IE2003/000087 patent/WO2003103251A1/fr not_active Ceased
- 2003-05-30 AU AU2003249546A patent/AU2003249546A1/en not_active Abandoned
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5940510A (en) * | 1996-01-31 | 1999-08-17 | Dallas Semiconductor Corporation | Transfer of valuable information between a secure module and another module |
| US5764766A (en) * | 1996-06-11 | 1998-06-09 | Digital Equipment Corporation | System and method for generation of one-time encryption keys for data communications and a computer program product for implementing the same |
| EP0886409A2 (fr) * | 1997-05-01 | 1998-12-23 | Digital Vision Laboratories Corporation | Système fournisseur d'informations |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9444622B2 (en) | 2008-09-15 | 2016-09-13 | Hewlett Packard Enterprise Development Lp | Computing platform with system key |
| US8478965B2 (en) | 2009-10-30 | 2013-07-02 | International Business Machines Corporation | Cascaded accelerator functions |
Also Published As
| Publication number | Publication date |
|---|---|
| AU2003249546A1 (en) | 2003-12-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10803194B2 (en) | System and a method for management of confidential data | |
| US11329835B2 (en) | Apparatus and method for authenticating IoT device based on PUF using white-box cryptography | |
| US8661252B2 (en) | Secure network address provisioning | |
| US8396218B2 (en) | Cryptographic module distribution system, apparatus, and program | |
| US8601267B2 (en) | Establishing a secured communication session | |
| US20170244687A1 (en) | Techniques for confidential delivery of random data over a network | |
| US20040210754A1 (en) | Shared security transform device, system and methods | |
| KR100702499B1 (ko) | 메시지 무결성 보증 시스템, 방법 및 기록 매체 | |
| CN108347419A (zh) | 数据传输方法和装置 | |
| CN107251476A (zh) | 保密通信管理 | |
| Ferretti et al. | A symmetric cryptographic scheme for data integrity verification in cloud databases | |
| EP3908940A1 (fr) | Système informatique client-serveur | |
| JP2000206876A (ja) | 2つの情報処理装置の間で保護された形で情報を処理するための方法およびシステム | |
| US20030210791A1 (en) | Key management | |
| GB2401012A (en) | Identifier-based encryption | |
| US7234060B1 (en) | Generation and use of digital signatures | |
| US10764065B2 (en) | Admissions control of a device | |
| US20060031680A1 (en) | System and method for controlling access to a computerized entity | |
| CN119051878A (zh) | 一种数据加密传输的方法和系统 | |
| CN115567200B (zh) | http接口防刷方法、系统及相关设备 | |
| CN115118455B (zh) | 面向网页安全的基于属性加密访问控制反爬虫系统及方法 | |
| Roy et al. | A Hybrid Security Framework to Preserve Multilevel Security on Public Cloud Networks | |
| WO2017008556A1 (fr) | Procédé et dispositif d'authentification de point d'accès sans fil et plate-forme de gestion | |
| WO2003103251A1 (fr) | Stockage de cle cryptographique | |
| IE20030419A1 (en) | Cryptography key storage |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
| AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
| 122 | Ep: pct application non-entry in european phase | ||
| NENP | Non-entry into the national phase |
Ref country code: JP |
|
| WWW | Wipo information: withdrawn in national office |
Country of ref document: JP |