WO2003103251A1 - Stockage de cle cryptographique - Google Patents

Stockage de cle cryptographique Download PDF

Info

Publication number
WO2003103251A1
WO2003103251A1 PCT/IE2003/000087 IE0300087W WO03103251A1 WO 2003103251 A1 WO2003103251 A1 WO 2003103251A1 IE 0300087 W IE0300087 W IE 0300087W WO 03103251 A1 WO03103251 A1 WO 03103251A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
real
cryptography
pseudo
security device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/IE2003/000087
Other languages
English (en)
Inventor
Carlos Frederico Do Amaral Cid
Michael Ryan
Thomas Maher
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AEP Systems Ltd
Original Assignee
AEP Systems Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by AEP Systems Ltd filed Critical AEP Systems Ltd
Priority to AU2003249546A priority Critical patent/AU2003249546A1/en
Publication of WO2003103251A1 publication Critical patent/WO2003103251A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • the invention relates to storage of cryptography keys.
  • a server system has a Web server for communicating via the Internet on a secure communications channel (for example SSL/TLS) and uses a cryptographic service provider (CSP) to perform cryptographic operations.
  • a secure communications channel for example SSL/TLS
  • CSP cryptographic service provider
  • Implementation of a cryptography scheme by a system such as this requires storage of a private key.
  • the private key has in many instances been stored on the computer's primary or secondary memory, either in plaintext or encrypted. In this situation the key is vulnerable to access by an attacker. Even if the key is encrypted, it may be decrypted off-line using brute-force or another method.
  • the invention is therefore directed towards providing improved cryptographic key storage and private key operations.
  • a computer server system comprising:
  • a host server comprising an interface for communicating with external systems, and a cryptography system for performing cryptographic operations; and a physically separate security device for storing a real cryptography key and for performing cryptographic operations with said real key in response to requests from the host server.
  • the cryptography system of the host server performs all cryptography operations except those requiring use of the real key.
  • the cryptography system stores a pseudo key and passes said pseudo key to the security device in a request for the security device to perform an operation with the real key.
  • the cryptography system is not aware at the application level that the key it stores is a real key and the request to the security is made by a lower-level function.
  • the pseudo key has the same format as the real key.
  • the cryptography system stores the pseudo key in a manner similar to that for a real key.
  • the security device uses the received pseudo key to identify the real key.
  • the security device processes the pseudo key to generate an address for the real key.
  • security device hashes the pseudo key.
  • the security device is an exponentiation accelerator.
  • the invention provides a host server comprising a cryptography system for storing a pseudo cryptography key, and for passing a request to a physically separate security device for performance of a cryptography operation requiring use of a real cryptography key.
  • Fig. 1 is a diagram showing a computer server system of the invention.
  • a computer server system 1 comprises a server 2 linked to a separate key storage accelerator 3.
  • the server 2 comprises a Web server 5 which communicates on a secure SSL/TLS communications channel 6.
  • the server 1 also comprises an internal cryptographic service provider (CSP) 7 which stores a certificate 8 and a pseudo key, key' 9.
  • CSP cryptographic service provider
  • the pseudo key 9 is stored in the same manner as is conventional for a real key, and it has a similar format. However, the pseudo key 9 can not be used in valid cryptographic operations because it is not the real key.
  • the CSP 7 is not aware that the pseudo key can not be used for cryptographic operations requiring a private key.
  • the accelerator 3 may be of the type described in our prior published PCT Patent Specification No. WO01/29652.
  • the accelerator 3 stores the real key, and also the pseudo key for addressing/identification purposes. All cryptography operations requiring use of the real key are performed by the accelerator 3, after requests incorporating the pseudo key are passed to it. These requests are generated at a low level in the CSP without application- level "knowledge".
  • the server 1 also user the CSP 7 hosted internally to perform a large range of cryptographic operations which do not require use of the real key.
  • the accelerator 3 uses the received pseudo key to locate the real key by hashing the pseudo key to bring it down from say 1024 bits to 12 bits.
  • the hash result is then used as an address for a look-up table to retrieve the real key.
  • the CSP 7 has a number of pseudo keys and the accelerator 3 has a number of corresponding real keys.
  • Each key is for a different type of operation such as signing, encryption and decryption with different levels of security.
  • the hash result provides access to the relevant real key.
  • the invention provides for a large range of cryptographic operations while at the same time allowing secure key storage. Unauthorised accesses only have access to the server 2, and if such an access retrieves the "key" it is only the pseudo key and so it is of no benefit to the hacker.
  • the invention achieves major security benefits, while allowing a conventional crypto system to be used internally on the server, without it even needing to be aware at the application level that the keys it stores are only pseudo keys.
  • the cryptography server 7 may store multiple certificates and keys. Claims
  • a computer server system comprising:
  • a host server comprising an interface for communicating with external systems, and a cryptography system for performing cryptographic operations
  • a physically separate security device for storing a real cryptography key and for performing cryptographic operations with said real key in response to requests rom the host server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un système de serveur informatique comprenant un serveur (2) et un accélérateur séparé (3). Un fournisseur de services cryptographiques (CSP) (8) dans le serveur (2) exécute toutes les opérations cryptographiques excepté celles requérant l'utilisation d'une clé cryptographique réelle. Dans ce cas, ledit fournisseur de services transmet une demande associée à une pseudo-clé à l'accélérateur (3) qui la stocke de manière identique à la manière conventionnelle pour une clé réelle. L'accélérateur (3) utilise la pseudo-clé pour extraire la clé réelle, exécuter l'opération et renvoyer le résultat.
PCT/IE2003/000087 2002-05-31 2003-05-30 Stockage de cle cryptographique Ceased WO2003103251A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003249546A AU2003249546A1 (en) 2002-05-31 2003-05-30 Cryptography key storage

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US38408302P 2002-05-31 2002-05-31
US60/384,083 2002-05-31

Publications (1)

Publication Number Publication Date
WO2003103251A1 true WO2003103251A1 (fr) 2003-12-11

Family

ID=29711975

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IE2003/000087 Ceased WO2003103251A1 (fr) 2002-05-31 2003-05-30 Stockage de cle cryptographique

Country Status (2)

Country Link
AU (1) AU2003249546A1 (fr)
WO (1) WO2003103251A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8478965B2 (en) 2009-10-30 2013-07-02 International Business Machines Corporation Cascaded accelerator functions
US9444622B2 (en) 2008-09-15 2016-09-13 Hewlett Packard Enterprise Development Lp Computing platform with system key

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5764766A (en) * 1996-06-11 1998-06-09 Digital Equipment Corporation System and method for generation of one-time encryption keys for data communications and a computer program product for implementing the same
EP0886409A2 (fr) * 1997-05-01 1998-12-23 Digital Vision Laboratories Corporation Système fournisseur d'informations
US5940510A (en) * 1996-01-31 1999-08-17 Dallas Semiconductor Corporation Transfer of valuable information between a secure module and another module

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5940510A (en) * 1996-01-31 1999-08-17 Dallas Semiconductor Corporation Transfer of valuable information between a secure module and another module
US5764766A (en) * 1996-06-11 1998-06-09 Digital Equipment Corporation System and method for generation of one-time encryption keys for data communications and a computer program product for implementing the same
EP0886409A2 (fr) * 1997-05-01 1998-12-23 Digital Vision Laboratories Corporation Système fournisseur d'informations

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9444622B2 (en) 2008-09-15 2016-09-13 Hewlett Packard Enterprise Development Lp Computing platform with system key
US8478965B2 (en) 2009-10-30 2013-07-02 International Business Machines Corporation Cascaded accelerator functions

Also Published As

Publication number Publication date
AU2003249546A1 (en) 2003-12-19

Similar Documents

Publication Publication Date Title
US10803194B2 (en) System and a method for management of confidential data
US11329835B2 (en) Apparatus and method for authenticating IoT device based on PUF using white-box cryptography
US8661252B2 (en) Secure network address provisioning
US8396218B2 (en) Cryptographic module distribution system, apparatus, and program
US8601267B2 (en) Establishing a secured communication session
US20170244687A1 (en) Techniques for confidential delivery of random data over a network
US20040210754A1 (en) Shared security transform device, system and methods
KR100702499B1 (ko) 메시지 무결성 보증 시스템, 방법 및 기록 매체
CN108347419A (zh) 数据传输方法和装置
CN107251476A (zh) 保密通信管理
Ferretti et al. A symmetric cryptographic scheme for data integrity verification in cloud databases
EP3908940A1 (fr) Système informatique client-serveur
JP2000206876A (ja) 2つの情報処理装置の間で保護された形で情報を処理するための方法およびシステム
US20030210791A1 (en) Key management
GB2401012A (en) Identifier-based encryption
US7234060B1 (en) Generation and use of digital signatures
US10764065B2 (en) Admissions control of a device
US20060031680A1 (en) System and method for controlling access to a computerized entity
CN119051878A (zh) 一种数据加密传输的方法和系统
CN115567200B (zh) http接口防刷方法、系统及相关设备
CN115118455B (zh) 面向网页安全的基于属性加密访问控制反爬虫系统及方法
Roy et al. A Hybrid Security Framework to Preserve Multilevel Security on Public Cloud Networks
WO2017008556A1 (fr) Procédé et dispositif d'authentification de point d'accès sans fil et plate-forme de gestion
WO2003103251A1 (fr) Stockage de cle cryptographique
IE20030419A1 (en) Cryptography key storage

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP