WO2000019322A1 - Method and apparatus for controlling access to confidential data - Google Patents
Method and apparatus for controlling access to confidential data Download PDFInfo
- Publication number
- WO2000019322A1 WO2000019322A1 PCT/US1998/020122 US9820122W WO0019322A1 WO 2000019322 A1 WO2000019322 A1 WO 2000019322A1 US 9820122 W US9820122 W US 9820122W WO 0019322 A1 WO0019322 A1 WO 0019322A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- memory
- data
- data blocks
- logic circuit
- confidential data
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/79—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2211/00—Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
- G06F2211/007—Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
Definitions
- the invention relates generally to security in programmed devices, and, more particularly, to a method and apparatus for controlling access to
- the financial value of data and/or programmed instructions is often dependent upon its general availability to the interested public. For example, if information in the form of data or programmed instructions is made available free of charge on the Internet, the commercial value of that information will quickly fall toward zero as few people will pay to receive something they can readily obtain for free. Thus, the desirability of mamtaining the secrecy of data and/or programmed instructions with respect to all but paying purchasers of the secret information has long been
- conditional access broadcasting networks such as cable television networks and, more recently, direct satellite broadcasting networks are based on the premise of limiting access to broadcasted information to paying subscribers. Even more recently, the idea of limiting access to broadcasted data has been
- the DirecPCTM product broadcasts requested information to a requesting computing device (typically, a personal computer) via a satellite as a means to expedite information delivery from the Internet.
- a requesting computing device typically, a personal computer
- Most such broadcasting systems employ one or more cryptographic techniques to control access to the broadcasted information. For example,
- the need to protect the secrecy of information is not limited to the
- the secrecy of the key material is of paramount importance in a device for providing a secure environment.
- devices for encrypting, decrypting and/or mamtaining are provided. To this end, devices for encrypting, decrypting and/or mamtaining
- the secrecy of information typically include a secure memory of some type
- memory to trusted software and/or hardware components. More specifically, it is often necessary to place restrictions on when, who, and under what circumstances the memory storing key material can be addressed.
- One problem with limiting access to a memory is testability.
- Another problem is limiting access to field deployed units while still allowing initial prog ⁇ imming in the factory. In order to verify that the memory is
- one or more mode bits stored in memory, or in an anti-fuse device, or the like define whether the memory contains confidential data and/or whether the memory is in the testing mode.
- This mode bit(s) may be implemented as a simple checksum on the data in memory. In other words, the mode bit(s) may be set to equal some mathematical function(s) of some or all of the data stored in memory. Regardless of which traditional method for defining the mode bit(s) is
- the apparatus includes a non-volatile memory for storing data and a logic circuit for controlling access to the data contained in the memory.
- the logic circuit selectively accesses the memory to determine whether at least a portion of the data contained in the memory comprises confidential data by analyzing a property inherent in the accessed data.
- the logic circuit determines whether the data contained in the memory comprises confidential data by identifying data blocks in the accessed data having a predetermined characteristic, by counting the identified data blocks, and by comparing the count to a threshold value.
- each of the data blocks may comprise a bit, and the predetermined characteristic may comprise a predefined logic state.
- each of the data blocks may comprise a
- the predetermined characteristic may comprise a binary value falling within a range of binary values.
- a change in the inherent property sufficient to cause the logic circuit to determine the data stored in the memory does not comprise confidential data will substantially destroy the data in memory.
- the logic circuit preferably comprises a hardware circuit.
- the apparatus is provided with a processor and firmware cooperating with the logic circuit to control access to the confidential data stored in the memory.
- the memory and logic circuit are resident on an integrated circuit and the integrated circuit provides a secure environment for loading and executing software.
- the logic circuit preferably erases the memory by replacing the data blocks originally stored in the memory with intermediate data blocks before erasing the memory to a final state.
- the intermediate datablocks comprise non- confidential data having the predetermined characteristic. Also in such
- the intermediate datablocks are preferably selected to ensure
- the logic circuit preferably erases the memory to the final state by replacing the intermediate data blocks stored in the memory with final data blocks.
- the final data blocks comprise non-confidential data which does not have the predetermined characteristic.
- the logic circuit is responsive to a predefined
- the logic circuit writes a first intermediate value to a first location of the
- the logic circuit writes a second
- the logic circuit writes a final value to the first and second locations of the programmable memory in a third stage.
- the first intermediate value is preferably selected such that, if erasing of the memory is terminated before completion of the first stage, the
- a method for identifying the presence of confidential data in a programmable memory comprises the steps of: defining a predetermined section of the programmable memory including a number of data blocks as a
- the predetermined relationship comprises the calculated number being greater than the threshold value. In other embodiments, the p- ⁇ etermined relationship comprises the calculated number being less than the threshold value.
- the apparatus comprises a programmable memory having a predefined section for storing confidential data
- the predefined section includes a plurality of data blocks.
- the apparatus also comprises a logic circuit programmed to selectively access the predefined section to determine whether confidential data is present therein.
- the logic circuit identifies the presence of confidential data by identifying data blocks in the predefined section having a predetermined characteristic, by calculating the number of identified data blocks, and by comparing the number to a predetermined threshold value.
- FIG. 1 is an illustration of an apparatus constructed in accordance
- FIG. 2 is a schematic illustration of the apparatus of FIG. 1.
- FIG. 3 is a more detailed schematic illustration of the apparatus of
- FIG. 4 is a schematic illustration of the software architecture employed in the apparatus.
- FIG. 5 is a schematic illustration of an exemplary system for programming the apparatus.
- FIG. 6 is a ladder diagram illustrating the programming of the EEPROM of the apparatus.
- FIG. 7 is a flow chart illustrating the startup operation of the apparatus.
- FIG. 8 is a flow chart illustrating the interrupt handling process employed by the apparatus.
- FIG. 9 is a flow chart illustrating the process used by the apparatus to swap applets between an external memory and the DMEM.
- FIG. 1 An apparatus 10 constructed in accordance with the teachings of the invention is schematically illustrated in FIG. 1 in one possible environment
- the apparatus 10 is constructed to provide a secure environment for processing sensitive information.
- information refers to data, programmed instructions (e.g., software, firmware) or both.
- the apparatus 10 is capable of use in the DirecPCTM product
- the apparatus 10 is not limited to use in any specific environment or with any specific application. On the contrary, without departing from the scope or spirit of the invention the illustrated apparatus 10 can be used in any application or environment which would benefit from the enhanced processing security it provides. For example, it would be especially advantageous in smart card applications. Further, although the apparatus 10 is illustrated in FIG. 1 as being
- the apparatus 10 need not be constructed as an integrated circuit. As explained below, the illustrated apparatus 10 is adapted to provide a secure environment in which sensitive information can be decrypted,
- the illustrated apparatus 10 achieves
- the apparatus 10 provides a secure environment for decrypting the data which hides the key material employed, and the processes performed during decryption.
- While the illustrated apparatus 10 is very valuable in conditional data access applications such as a television subscriber broadcast system, the full capabilities of the apparatus 10 are more fully utilized in conditional software access applications. In such applications, the illustrated apparatus
- the encrypted software may optionally be stored in the apparatus 10, or, due to memory constraints, may be stored outside the apparatus 10 and selectively imported (either collectively or in segments) into the apparatus 10 as needed. In either event, since, as explained below, the illustrated apparatus 10 is provided with significant on-board processing capacity, the execution of the decrypted software (or firmware) can occur
- the apparatus 10 While execution of the encrypted software (or firmware) may cause the apparatus 10 to output information to an external device (e.g., a monitor, a printer, a storage device, etc.) in a form where it can be read by a user, the software generating the output information would not ordinarily be exposed outside the secure environment provided by the apparatus 10 (absent, of course, instructions in the executed software (or firmware) to export the instructions in decrypted form). Thus, the security of the software (or firmware) is always maintained by the illustrated apparatus 10.
- an external device e.g., a monitor, a printer, a storage device, etc.
- a valuable result of this aspect of the illustrated apparatus 10 is the ability to implement software (or firmware) metering wherein a user of licensed software (or firmware) can be charged on a usage basis which is keyed, for example, to the amount of time the software (or
- the apparatus 10 can be adapted to
- the apparatus 10 For the purpose of storing programmed instructions that define some of the operations of the apparatus 10 (i.e., "the secure kernel"), the apparatus 10 is provided with a non-volatile memory 14 (FIG. 2).
- the secure kernel is in charge of resource management within the apparatus 10. It enforces many of the security limitations discussed below.
- non-volatile memory 14 Although the code stored in the non-volatile memory 14 is preferably not encrypted, persons of ordinary skill in the art will appreciate that encrypted information (e.g., data or programmed instructions) can be stored in the non-volatile memory 14 without departing from the scope or spirit of the invention. Although it will be appreciated that the non- volatile memory 14 can be implemented in many
- apparatus 10 runs secure software which is preferably segmented into VersaCrypt applets which are individually encrypted using triple key, triple DES-CBC with whitening.
- the apparatus 10 is provided with a processor
- processor 16 is to enforce at least two security cells. A first one of the
- security cells which is referred to herein as the kernel mode cell
- the second security cell which is referred to herein as the user mode cell, is enforced wherein no access to sensitive data is permitted.
- the processor 16 places no restrictions on access to the hardware and software resources within the apparatus 10. As explained
- the processor 16 places an enhanced level of restrictions on operations within the apparatus 10, but no restrictions on which operations are externally visible. However, as explained below, certain hardware enforced restrictions are preferably maintained in both
- the apparatus 10 is further provided with a volatile read/ write memory 18.
- the read/ write memory 18 is addressable by the processor 16
- the processor 16 can both read information contained in the memory 18 and write information to the memory 18 as needed.
- encrypted information to be processed by the apparatus 10 is first written to the read write memory 18.
- the read/ write memory 18 serves as a storage area for
- the apparatus 10 is provided with cipher means for decrypting encrypted information into decrypted information and for re-encrypting decrypted information into encrypted
- the cipher means can be implemented in many different ways without departing from the scope or spirit of the invention.
- the cipher means can be implemented by a cipherer 20 such as a dedicated hardware circuit or a processor executing software or firmware.
- a cipherer 20 such as a dedicated hardware circuit or a processor executing software or firmware.
- the cipherer 20 can be adapted to perform a wide variety of well known cryptographic techniques and/or algorithms without departing from the scope or spirit of the invention.
- the cipherer 20 is implemented by a dedicated hardware circuit 20 referred to herein as a crypto-module which is capable of performing both (1) triple key, triple DES/ECB encryption and
- the cipherer 20 is in communication with the read/write memory 18. In operation, encrypted information written to the
- read/ write memory 18 is transferred to the cipherer 20 for decryption as needed.
- the decrypted information is then written from the cipherer 20 to
- the read/ write memory 18 for subsequent use by the processor 16.
- the processor 16 is not permitted to process information which has been decrypted by the cipherer 20 until the decrypted information has been authenticated.
- the apparatus 10 is provided with an authenticator 22.
- the authenticator 22 could employ any of a large number of authentication algorithms to authenticate the decrypted information, in the preferred embodiment, the authenticator performs a
- CBC-MAC Cipher Block Chain Message Authentication Code
- the authenticator utilizes the MAC
- the contents of the read/ write memory 18 may have been updated by the processor 16, or by other means, in the course of executing the VersaCrypt applet.
- the authenticator 22 re-
- the cipherer 20 After re-authentication, the cipherer 20 re-encrypts the decrypted, re-
- the apparatus 10 is provided with import export means for selectively importing and exporting encrypted information between an external device such as memory 24 and the read/ write memory 18.
- an external device such as memory 24 and the read/ write memory 18.
- the encrypted information could be imported and exported over an internal bus in the system, over a Lan or Wan network connection, to a hard drive, or to another storage media or communications device without departing from the scope or spirit of the invention.
- the import export means cooperates
- the encrypted information is decrypted by the cipherer 20 and authenticated by the authenticator 22 as explained above.
- the processor 16 can then process the decrypted information.
- the processor 16 is finished with the information block (at least for the near future), the decrypted information (with any processing changes that were effectuated) is
- import export means can be implemented in many ways without departing from the scope or spirit of the invention, in the illustrated embodiment it is implemented by a bus having one or more external connections.
- the cipherer 20 of the apparatus 10 is preferably adapted to perform key cycling on the whitening key.
- whitening performs a mathematical operation (such as an exclusive-or operation) to combine a whitening key with an information
- the whitening process can be performed on an encrypted information block and the corresponding decrypted information block (i.e., both before and after encryption occurs).
- a benefit of using this technique in the illustrated apparatus 10 is that encrypted blocks of information will always look different when exported (from previous import export sequences) regardless of whether the content of the decrypted information has been changed. In other words, in the
- the cipherer 20 re-encrypts the decrypted, re- authenticated information such that it differs from its original encrypted form to thereby mask modification information as to whether the content of the decrypted information was modified while in the secure environment provided by the apparatus 10.
- the cipherer 20 encrypts information such that encrypted information corresponding to the decrypted information
- the cipherer 20 is adapted to perform key cycling with respect to the whitening key. More specifically, the cipherer 20 is arranged to use a new w tening key for every section of information that it encrypts. Thus, when a previously exported block of encrypted information is imported from the external memory 24, the whitening key used in the previous import/export cycle is used by the cipherer 20 in the decryption process. Then, when that
- the cipherer 20 uses a new
- the cipherer 20 must be provided with the whitening key. Since a new whitening key is preferably used for every block of exported encrypted information, storing the whitening keys internally would quickly deplete the memory resources of the apparatus 10. To avoid this result, in the presently preferred embodiment, an encrypted version of the whitening key is written to a predetermined location in the corresponding whitened,
- the cipherer 20 retrieves the whitening key from the known predetermined location in the block and
- the whitening key in the decryption process. Since the encrypted whitening key is resident inside the block, it is explicitly covered by the authentication with the rest of the block.
- the whitening keys are stored externally to the apparatus 10 to
- the CBC-MAC values for the exported information blocks are stored in the volatile read/write memory 18, should there be a power failure, or should some other re-set condition occur, the
- non-volatile storage storing data modified in previous uses of the apparatus 10 can be stored in permanent storage devices off the apparatus 10 and imported as needed.
- This non-volatile storage can store information in encrypted or decrypted form, as dictated by the application. If stored in encrypted and or authenticated format, the authentication information for such information must either be stored internally via some non-volatile storage or stored outside the apparatus 10 on some non-volatile storage and
- the illustrated apparatus 10 encrypts all of the encrypted information blocks via a triple key, triple DES CBC with whitening algorithm.
- a key hierarchy is employed.
- the information blocks are encrypted via a triple DES process keyed with the session key.
- the session key is required to decrypt any of the information blocks processed by the system.
- To obtain the session key one must have access to the master key.
- To obtain the master key one must have access to the
- the unencrypted forms of the device, master and session keys are available only in the cipherer 20 and the cipherer's key facility. They preferably are not accessible by the
- processor 16 at any time. It is also preferable to store the device key in a
- DK refers to the device key
- MK refers to the master key
- SK refers to the session key'
- EK refers to the encrypted master key (i.e., the master key encrypted with the device key)
- EK refers to the encrypted session key (i.e., the session key encrypted with the master key).
- FIG. 3 A more detailed block diagram of the illustrated apparatus 10 is shown in FIG. 3. As shown in that figure, the apparatus 10 is provided with a device 30 including a non-volatile memory 32 for storing data and means for controlling access to the data contained in the memory 34.
- volatile memory 32 is implemented as an EEPROM in the illustrated apparatus 30.
- control means could be implemented by a logic circuit 34 such as a hardware circuit including a number of logic gates configured to
- logic circuit 34 could be implemented in many ways without departing from the scope or spirit of the invention.
- the logic circuit 34 is implemented by the programmed
- the logic circuit 34 is adapted to access the memory 32 to determine whether at least a portion of the data contained in the memory 32 comprises confidential data.
- the logic circuit 34 makes this dete ⁇ nination by analyzing a property inherent in the data. More specifically, in the
- the logic circuit 34 identifies and counts any data blocks in the memory 32 having a predetermined characteristic. It then
- the logic circuit 34 uses the results of this comparison as an indication of the presence or absence of confidential data in the memory 32.
- data stored in the memory 32 is represented by a series of bits; each of which has a logic state of "1" or "0" as is conventional.
- the logic circuit 34 is constructed to count the number of bits in the memory 32 having the logic
- the counted number is then compared to a predetermined threshold number. If that comparison indicates that there are more than the threshold number of bits with logic state "1" in the memory 32, the logic circuit 34 assumes confidential data is stored in the memory and limits access thereto. If the comparison indicates that less than the threshold
- the determination of whether or not confidential data is present in a memory was often performed by reading the state of one or more flag bit(s) stored in the memory.
- the flag bit(s) are set to a first state when no confidential data is present and to a second state
- the state of nearly all of the data in the memory 32 must be changed to convince the logic circuit 34 that no confidential data is present.
- the data that is used to identify the presence of confidential data is the confidential data itself, changing the state of this data sufficiently to unlock the memory 32 will preferably destroy substantially all of the confidential data stored in the memory 32.
- a change in the inherent property sufficient to cause the logic circuit 34 to determine that no confidential data is stored in the memory 32 substantially destroys the data in
- the diffused checksum process described above may be performed on either the
- the threshold value is set to a relatively low level.
- the threshold would be set to one such that all confidential data would have to be destroyed before the apparatus would unlock. But to permit testing, a tradeoff between security and testability must be made in selecting the threshold value. Indeed, in the illustrated apparatus, the controlled portion of memory 32 is 3K bits and the threshold value is set to 64 bits.
- the threshold value is selected based on a determination as to what would be an acceptable level of disclosure without unacceptably compromising the security of the system.
- the data blocks counted by the logic circuit 34 are bits having a logic state of "1"
- the logic circuit 34 could be implemented to count bits having logic states "0”, or to count data blocks comprising a plurality of bits having some property such as a binary value falling within a predetermined range of binary values (e.g., between 00000010 and 00010001) without departing from the scope or spirit of the
- testing can only be conducted after the diffused checksum test discussed above indicates that no confidential data is present in the memory 32. With respect to returned units and the like that have already been programmed with confidential data, testing can only be performed by first erasing the memory 32.
- the apparatus 10 is provided with a means to trigger erasure of the memory 32 through a controlled process as describe below.
- the erasure method can also be used as a tamper response if so
- the logic circuit 34 is constructed to respond to an erasure trigger to erase the memory 32 by replacing the data blocks originally stored in the memory 32 with intermediate data blocks having one or more intermediate values before erasing the memory 32 to a final state.
- the intermediate value(s) are
- the logic circuit 34 erases the memory 32 to the final state by replacing the intermediate date blocks stored in the memory with final data blocks having one or more final values.
- the logic circuit 34 erases the memory 32 in three stages. In a first stage, the logic circuit 34
- the logic circuit 34 writes a second intermediate value to a second group of intermediate locations in the memory 32. In a third stage, the logic circuit 34 writes a final value to both the first and second groups of locations of the memory 32.
- the first intermediate value is
- the intermediate values are selected to be non-confidential data that have the inherent property.
- Each half of the confidential information is selected to have the inherent property to ensure that the presence of either half is sufficient to classify the information as confidential under the diffused checksum process. This selection is made because, when performing a bulk
- each half should be significantly over the threshold to protect against false classifications in the event of some degradation of the non-volatile storage.
- at least 96 bits in each half must be set. This is not an unreasonable restriction in that randomly generated key material should be unbiased and should, thus, easily meet this number.
- the first and second intermediate values are
- the first stage is performed by writing the hexadecimal value 0x55 to all even addresses in the memory 32; the second stage is preformed by writing the hexadecimal value 0x55 to all odd addresses in the memory 32; and the final stage is performed by writing the hexadecimal value 0x00 to all addresses in the memory 32.
- Persons of ordinary skill in the art will, however, appreciate that other values can be selected for the first intermediate value, the second intermediate value and/or
- various security measures can be employed (e.g. , a protective layer can be physically secured to the memory 32).
- memory 32 is defined as being in a first security state. If no confidential data is present, the memory 32 is defined as being in a second security state. In the illustrated apparatus 10, 30, testing of the memory 32 is only enabled when the memory 32 is in its second security state.
- the illustrated apparatus 10 enforces at least two security cells, namely, a kernel mode cell and a user mode cell.
- the processor 16 preferably operates non-secure software in the user mode and secure software in the kernel mode.
- two security cells is sufficient.
- it is desirable to have more than two security cells For example, it might be desirable to permit multi- tasking between multiple secure tasks, it might be desirable to provide
- the illustrated apparatus 10 may optionally be provided with a memory management unit 38 to facilitate the enforcement of multiple security cells through separate address spaces and demand paging
- the memory management unit 38 is implemented as a co-processor that assists the processor 16 in apportioning memory resources between the multiple security cells as needed.
- each page is a separate, independently encrypted and authenticated block.
- some or all of the security cells can be rining in a user mode such that they have limited
- the processor 16 is implemented by the R3000A MIPS RISC CPU (million instructions per second Reduced Instruction Set Computer Central Processing Unit) which forms the core of the R3904 chip sold by Toshiba.
- the non-volatile memory 14 is preferably implemented by a ROM; the non-volatile memory 32 is preferably implemented by an EEPROM; the read/write memory 18 is
- DMEM volatile data memory
- the cipherer 20 and/or the authenticator 22 could be implemented by software without departing from the scope of the invention. Combining the cipherer 20 and the authenticator 22 may not be an acceptable tradeoff where the security requirements of the device require a larger hash than the
- the processor 16 communicates with the ROM 14, the logic circuit 34 and the DMEM 18 via a 32 bit general bus 40 (GBUS)
- the apparatus 10 is further provided with a second processor 42.
- the second processor 42 is in communication with the cipherer 20 (implemented in the illustrated apparatus 10 by crypto module 20), and with the read/ write memory 18 (in the illustrated embodiment, the DMEM) via a bus 44.
- the second processor 42 is adapted to initiate decryption and re- encryption of information blocks stored in the DMEM 18.
- the second processor 42 is implemented by a sequencer. The presence of the sequencer 42 and its connection to the cipherer 20 in the disclosed embodiment is dictated by the end application (FIG. 1) and is not necessary to a successful implementation of the invention.
- sequencer 42 acts as a peer to the processor 16. To facilitate instruction delivery from the processor 16 to the
- the processor 16 when the processor 16 needs to request the sequencer 42 to perform a task, it writes the necessary instruction(s) to the IMEM 46 and sends a control signal to the sequencer 42 indicating the presence of the instruction(s) in the IMEM 46. The sequencer 42 then reads and executes the instruction(s) from the IMEM 46.
- the apparatus 10 is provided with an authenticator 22 which serves to authenticate decrypted information prior to execution by the processor 16 and to re-authenticate the information prior to encryption by the cipherer 20.
- the authenticator 22 serves to authenticate decrypted information prior to execution by the processor 16 and to re-authenticate the information prior to encryption by the cipherer 20.
- authenticator 22 is implemented by the cipherer 20.
- the cipherer 20 is preferably adapted to
- the apparatus 10 is provided with an entropy source 48 which is used to continuously re-seed a cryptographically strong pseudorandom number generator (CSPRNG).
- CSPRNG cryptographically strong pseudorandom number generator
- the cipherer 20 implements the CSPRNG.
- the entropy source 48 is in communication with the sequencer 42 and the crypto module 20 via the bus
- the sequencer 42 is adapted to request the entropy source 48 to generate a new random number when required and to deliver the random number to the crypto module 20 for use by the CSPRNG in generating the whitening key to be used in the re-encryption process.
- some of the keys used in the triple key, triple DES algorithm are stored in the memory 32. In order to ensure that these keys are only available in the cipherer 20 and the memory 32, and that the keys are not accessible by the processor 16, the sequencer 42 or any of the software/firmware they execute, the apparatus 10 is provided with a key
- the key isolation circuit 50 connecting the logic circuit 34 to the cipherer 20 for loading the root key of the key hierarchy. More specifically, in the illustrated apparatus 10, the key isolation circuit 50 provides a mechanism for delivering the necessary key material from the EEPROM 32 to the crypto module 20. To ensure the keys cannot be accessed by other system components (hardware, software or firmware), the memory 32, the logic circuit 34, the key isolation circuit 50 and the crypto module 20 define a
- the apparatus 10 is provided with one or more silent mode silencing circuit(s) 52.
- the silent mode silencing circuit(s) 52 are preferably implemented as hardware circuits including logic gates which pull the external pins to the predefined state (such as a tri-state) except after detection that the bus cycle will not be accessing confidential data. This detection can be done based on the address appearing on the bus. In this way, both
- RTOS Realtime Operating Systems
- Context Switching The Secure Kernel (running on the RISC 54 (16)) performs the actual context switching (i.e., switching
- the RTOS is expected to set a flag to indicate when a VersaCrypt applet has run long enough to consider allowing another VersaCrypt applet to run.
- the Secure Kernel is integrally involved with the process of system startup. If the RTOS has any requirements about initial state, where it is loaded from, or how it is loaded, it can be accommodated by the VersaCrypt bootstrap applet that is a part of the Secure Kernel startup.
- Kernel Mode - The Secure Kernel and VersaCrypt (i.e. , the encrypted software being executed within the secure environment provided by the apparatus 10) have sole use of the Kernel mode of the processor. This implies a) Interrupt Handling -- all interrupts
- Kernel is via the Syscall instruction.
- the RTOS may not implement any system calls via the Syscall instruction, c) Error Handling — events such as Bus errors, etc., are not passed on to the RTOS. d) Address Map — all nonsecure peripherals are mapped into the user address space, so that the Secure Kernel does not become a bottleneck in accessing them.
- FIG. 4 illustrates the relationship between the various classes of software that will be ranning on the MIPS processor 54 (16).
- the difference between this model, and a more traditional model is that certain functions require going through the Secure Kernel. These functions are: 1. access to hardware that is controlled for security reasons; 2. any functions that must be assumed for security reasons, such as dispatching interrupt handlers; and 3. communications with the VersaCrypt environment, so as to have a well defined secure interface.
- VersaCrypt applets are able to directly access the Realtime Operating System and application software, both via
- variable access and subroutine calls they will restrict themselves to communicating through the Secure Kernel API.
- Most system calls are executed with interrupts disabled, but some that are expected to have a longer execution time will execute with interrupts enabled as a part of the callers task, but with preemption disabled. This is a security requirement,, as there are a limited number of Kernel contexts available in internal memory 18. This ability to disable preemption is only exercised for a limited time by the Secure Kernel. It could also be used by a VersaCrypt applet, if needed, but its use is discouraged due to its impact on realtime performance.
- the portion of the Secure Kernel that executes in this task are either the export/import software (whose execution is always mutually exclusive with the execution of VersaCrypt) or in response to system calls that execute as part of the callers task.
- the user function is
- the secure kernel implements support for a synchronous call
- kernel software and a user function.
- the importance of this is to provide a secure transfer between the two modes and to protect the state of the kernel.
- the Secure Kernel When the Secure Kernel is not runable, it will keep calling an RTOS routine to sleep for one tick. This includes the time when there are no VersaCrypt applets to execute, as well as the time when it is performing a
- VersaCrypt export/import operation This can cause an initial delay of up to one tick until starting to execute a VersaCrypt request or until the start of the VersaCrypt export/import operation to load the requested applet.
- the sequencer code (executed from IMEM 46) is split up into kernel and user segments.
- the kernel segment is further broken down into a
- VersaCrypt is intended to meet soft realtime demands. It cannot meet hard realtime demands due to the long time (multiple ms) taken to perform an export/import operation. Although it cannot guarantee a small latency due to this context switch time, in the disclosed embodiment it is capable of supporting 10' s of requests per second while using a small percent of system resources for the Export/Import operation. If most of the requests only involve a single VersaCrypt applet, then the export/import operation is avoided and 1000' s (or more) of request per second can be processed. It is also worth noting, that some of these requests can take extended amounts of time to process, such as an RSA key operation that might take multiple seconds to complete, depending on the key length.
- the cipherer 20 is to support multiple key sizes, i.e., single DES operations, then interlocks must exist to protect against incremental attacks on triple DES keys. Even if a key hierarchy is used, it is important to
- the apparatus 10 is capable of executing software in an externally unobservable fashion and has a hardware random number generator (RNG 48). Self key generation is an example of the class of operations it was designed to perform. This capability is of great importance
- the apparatus 10 requires three secrets to generate its own key material.
- the first secret is the shipment keys (the software export/import EMK, triple key, triple DES) that are programmed in at the ASIC factory.
- the second secret is an ESK (triple key, triple DES) with its associated VersaCrypt applets, all of which are
- the third secret is, for example, an RSA
- the key server is preferably located at a third physically secured site referred to as a vault.
- the following hardware is required: 1. a key server 120 and 2. a "test jig" 122 (see FIG. 5).
- the key server 122 is implemented as a personal computer (PC) with a network connection and with an apparatus 10' ranning special software.
- the satellite I/F 94 is optionally connected to a hardware random source 126 so as to have access to even more entropy during key generation.
- adapter 10' must be unique, so that if any other adapters are compromised in
- the key server 120 is preferably isolated from the network 128 by a firewall
- the test jig 122 is located at the second factory. In the disclosed embodiment
- the test jig 122 is implemented by a PC that is connected to each apparatus 10 as it is programmed.
- the test jig 122 is connected to the key server 120 through some network interface 128.
- the satellite I/F 94 of the apparatus 10 is also optionally connected to a hardware random source 130 for the same reason. It may also be optionally isolated from the network 128 by a firewall 132.
- FIG. 6 actions occurring at the adaptor 10 being programmed are shown on the left; actions occurring at the key server 120 are shown on the right; and communications between the key server 120 and the test jig 122 are represented by the arrows in the middle of the diagram.
- the apparatus 10 securely boots from an external ROM, as described in the startup operation below. All of the following operations are from VersaCrypt applets. All communications are between the VersaCrypt applets at the key server 120, and the VersaCrypt applets in the apparatus 10 being programmed in the test jig 122. Preferably, all the data stored to disk on the key server 120 is encrypted to protect against compromises/viruses on the key server 120.
- the first applet contains the "public key" of the key server 120, although it is not really publicly known.
- the hardware random source 130 is used to update the random seed material. To maximize the effect of external random bits, updating the seed material is performed an application specific number of times. The apparatus 10 being programmed then
- the public key of the key server 120 is sent to the key server 120 using
- the key server 120 validates that it is talking to an apparatus 10 by checking the source IP Address. It also knows it is talking to an apparatus 10 because the source used the public key. The key server 120 confirms that it has never (or in the last application specific number of times) seen this session key before, to protect against replayed data attacks or a tainted
- the key server 120 are encrypted (O-CBC) with this session key and contain an SHA hash to validate it. They also include the unique serial number assigned to this apparatus 10 and a packet type, to protect against replayed data attacks.
- the key server 122 then sends the apparatus 10 some random numbers from the key server's source 126 (which is assumed to be more
- the apparatus 10 knows it is talking to the key server 120 since the
- the apparatus 10 updates its random seed material based on the random numbers received from the key server 120 and generates its new 512 byte
- the apparatus 10 also generates any other confidential data that might be needed for an application.
- the apparatus 10 then sends the RSA public keys to the key server 120, who signs them in a database 134, saves them, and returns the signed keys.
- the apparatus 10 then sends the key server 120 any confidential
- the key server 120 logs the received escrow material, and tells the apparatus 10 to commit its configuration. Finally, the apparatus 10 responds by reprogramming its internal EEPROM 32 and by informing the test jig
- test jig 122 it has succeeded, so the test jig 122 can proceed with the next apparatus 10.
- the EEPROM 32 preferably includes the following data blocks.
- unsecure EEPROM unsecure EEPROM
- an external encrypted EEPROM with a device specific key and internally authenticated
- a larger internal EEPROM 32 e.g.
- 32x2 Seed for hardware random number generator [The following sections constitute the field programmable Kernel area.] 64 Seed for CSPRNG random number generator.
- the main purpose of the Secure Kernel is to provide the VersaCrypt environment, but to do this it must become involved in the following operations: startup, interrupt processing, context switching, system calls, exception handling, alarm condition handling, and VersaCrypt management.
- the Reset/NMI cause register is a hardware register used to detect the cause of all reset/NMI conditions which may be due to alarms. If it contains an alarm condition (block 144), then on reset or NMI, software disables some internal peripherals. The reason for this operation is to stop operations that might either cause additional alarms to occur, or interfere with error processing. If debugging is enabled (block 148), execution will
- the unit 10 will keep rebooting indefinitely, and no cause will be
- the cause should be written to a well known location, before self reset, so it can be diagnosed with a logic analyzer if need be. If
- the subject apparatus 10 is not a stand alone unit (block 152) (i.e., a second external processor), all operations will stop, memory will not be cleared, the cause code will be made available (through the PCI 80, an externally visible bus operation, and the LED 140), and the chip 10 will wait for an external
- the 3K section of EEPROM 32 is read and a l's density is calculated. If the 1 's density is below the threshold of 64 (block 170), it is assumed that no key material is present and testing or initial programming can occur. In such a circumstance, some security circuitry is disabled (block 172). If a fixed pattern (used to detect the presence of an external ROM 142
- a checksum on the restricted block of the EEPROM 32 is calculated (block 182). If the checksum is bad, a fatal error occurs (block 184). The apparatus 10 is locked up because either the EEPROM 22 has degraded or the unit 10 has been tampered with. If the checksum is o.k. (block 182), various hardware configurations are set based on values retrieved from the EEPROM 32 (block 186).
- This delay serves multiple purposes. Most importantly, it causes an attacker to take longer per iteration (for many types of automated attack) without being noticeable to users during a longer system reboot time.
- Kernel sequencer applets assumes that the user code is present and interacts with it.
- the Kernel sequencer applets expect to be called by the user background, and must have a foreground handler (part of the satellite transport function of the chip) for it to yield to.
- RISC code will keep attempting to yield control to the RTOS while waiting for the sequencer 42 to complete. Some user nub must be present to handle
- An external ROM 142 can be used for booting on systems without a PCI Bus 78, for testing, for diagnostics on returned units, for debugging, etc. Its presence can be detected by the first half of a well known pattern at a fixed offset (block 188). If no external ROM 142 is present (block 188), then the apparatus 10 attempts to boot over the PCI bus
- block 190 it first waits for the SCB to be set (become non 0) from the PCI host (block 190). It then reads the block specified in the SCB into SDRAM. If the first half of the pattern does not match (block 192), then a fatal error occurs (block 194) and control will return to block 146. If a match occurs (block 192) it will then write back into the SCB after offset 8 the serial number and software export import EMK index for the apparatus 10 from the EEPROM 32 (block 196). If the second half of the pattern does not match (block 198), then a fatal error occurs (block 200).
- the bootstrap applet executes with
- Typical operation of the VersaCrypt bootstrap applet is as follows (1) initialize the VersaCrypt environment and load VersaCrypt applets and authentication information; (2) load and tamper check user software; (3)
- insecure functions such as interrupt handlers and stacks.
- interrupt handlers are executed in user mode, through a user provided table of handlers. Retaining from an interrupt is via a system call. Although there is a separate interrupt stack (as required for VersaCrypt, and
- the context is saved on the stack for a variety of reasons. It simplifies preemptive context switches, as might be triggered from a timer interrupt routine which must have already saved a partial context on the stack.
- the Secure Kernel would be the logical place for this to happen,
- the Secure Kernel also serves as the interrupt handling part of the Secure Kernel.
- the Secure Kernel also serves as the interrupt handling part of the Secure Kernel.
- Kernel mode code For system security, when interrupts are enabled (or when system calls are made), user mode code must have a user space stack, and Kernel mode code must have a Kernel space stack. In addition, Kernel mode code cannot be run with interrupts enabled from an interrupt handler. These requirements are present because, under these circumstances, we may need to save the current context onto the stack. If the user had a Kernel stack, he could use it to access Kernel space resources when his context is saved. If the Kernel had a user stack, his security could be compromised from an interrupt routine who could read and modify his saved context. And finally, the limit on Kernel mode from an interrupt routine is to limit the number of Kernel contexts that must be stored in DMEM 18 concurrently.
- the Secure Kernel has a number of contexts that it must maintain.
- Each VersaCrypt applet has a context on its own stack, whether in DMEM
- the Secure Kernel must also have a second context that is used while performing export/import operations. It also has a third context for handling system calls that are nonpreemptable, but are run with interrupts enabled because of the time they take to execute, in order to minimize system interrupt latency. These system calls must be nonpreemptable because otherwise they would require multiple contexts in
- This third context is also used when stealing cycles to assist VersaCrypt Export/Import operations when returning from interrupts or performing context switches.
- Kernel mode code (VersaCrypt applets or the Secure Kernel)
- an interrupt latency of 4-5 ⁇ S (not including any time when interrupts are disabled, such as most system calls, or bus usage by the dma). Since realtime software must be able to survive this long of an interrupt latency, and to simplify the writing of interrupt handlers, the kernel will save a partial context on the stack when user code is interrupted. This will still be faster than Kernel mode, but should be more than sufficient for interrupt processing.
- the Secure Kernel Before retaraing from an interrupt and when performing a context switch, the Secure Kernel may perform some limited operations (uses limited time) associated with VersaCrypt export/import operations, such as copying a block of memory and scheduling Kernel sequencer applets. This can defer
- Kernel task There is a single Kernel task that will either be executing user
- the saved stack pointer is a false value (all Is), rather than exposing the real value or allowing user software to change it.
- the real stack pointers are saved in DMEM 18, or encrypted in external SDRAM 24 for exported VersaCrypt applets. This single task gives VersaCrypt applets a low priority, but that would be the case anyway due to the large delay associated with exporting the old applet with its data, and importing the new applet with its data.
- the RTOS To support preemptive VersaCrypt scheduling, the RTOS must set a global flag to request VersaCrypt Swaps. This can be easily accomplished from the RTOS timer interrupt routine.
- applet vs. sub applet vs. data segment and the run state for applets.
- the apparatus 10 uses a single DES CBC-MAC.
- the PreWhite field is the DES key for this operation, since choice of key should not be a security concern.
- the IV will be the PreWhite field, only with its words swapped.
- the apparatus 10 uses whitening to strengthen the key material, since the export process provides an attacker with a large amount of ciphertext. It
- VersaCrypt can change its key material for each VersaCrypt export to further strengthen security and limit key lifetime.
- the apparatus 10 also protects against stale data attacks (this is similar to a replayed data attack on networks), where an old value of a VersaCrypt
- the limit for VersaCrypt blocks is 32 blocks, or 256 bytes in the illustrated apparatus 10.
- VersaCrypt block IDs can be any 16 bit value, other than the reserved value of 0. The only restriction is that the bottom 5 bits of the ID must be unique for a given system, since they are used as an index into the various
- VersaCrypt blocks There are three different types of VersaCrypt blocks, namely, data segments, VersaCrypt applets, and VersaCrypt sub applets.
- Data segments are used to store data that can be shared between VersaCrypt applets. They may be exported/imported by VersaCrypt applets and are not useable by user code.
- VersaCrypt applets are user callable VersaCrypt functions. They are called via
- VersaCrypt sub applets are VersaCrypt applets, except they are only called by other VersaCrypt applets, and never by the user directly.
- VersaCrypt applet is used to refer collectively to both VersaCrypt applets and VersaCrypt sub applets. The only real distinction is on who they are intended to be called by, as will be described below.
- VersaCrypt applets are called as subroutines using normal C calling conventions and must observe standard C register usage. Their stack pointers are initialized to the end of the applet's VersaCrypt block, and have its
- V. VersaCrypt Data Segment The data segments are managed by VersaCrypt applets via four systems calls to import and export a data segment and to create and delete data segments.
- a VersaCrypt applet may have as many as eight data segments loaded at a time, and must explicitly unload them when finished (excluding the parameter to VersaCrypt sub applets). When they are loaded (imported) their format is the same as in external memory (tamper checked region through data), except that they are not encrypted. It is not valid to keep executable instructions in a VersaCrypt data segment, and the instruction cache is not flushed when VersaCrypt data
- VersaCrypt applets are responsible for taking care of any semaphores for shared access to data in a data segment, if multiple VersaCrypt applets are going to be accessing the same data. They can use the disable VersaCrypt
- the VersaCrypt applets are only called via a system call.
- This system call enqueues the CallCB into the queue for that VersaCrypt applet, and, if this is its first entry, adds the VersaCrypt applet to the end of the VersaCrypt run queue.
- the scheduler shares the CPU 54 (16) between multiple tasks, one of which is the single kernel task.
- the kernel task in turn shares its cycles between user functions, the Secure Kernel, and all the VersaCrypt applets that
- VersaCrypt applets from running. When a VersaCrypt applet is entered, it has the CallCB as its only parameter.
- any true task like a VersaCrypt applet is split into an insecure user task that calls the secure VersaCrypt applet.
- conditional access software might have a User portion (that includes an
- the user portion could also handle message passing, semaphores, and periodic
- VersaCrypt cannot hide the external events that cause a secure task to be invoked, but should instead hide the processing of the event.
- the VersaCrypt sub applets are just like regular applets, but are used to break up any VersaCrypt applets that exceed the memory limits. They can only be called via a kernel only system call, and cannot be called directly by
- This data segment as its only parameter.
- the data segment is used to both pass
- a Secure Kernel task is now currently running to perform export/import operations. If an applet is currently loaded (block 212) and is not the desired applet (block 214), it is exported. Specifically, if the applet hasn't finished execution (block 216), it is added to the end of the run queue (block 218). For each data segment loaded, and then for the applet itself: a) the Random Whitening value for export is generated; b) the MAC is calculated and saved in the table in DMEM 18; c) the block is encrypted with whitening; and d) the encrypted, whitened applet is copied from DMEM 18 into SDRAM 24 (block 220). The next applet is then removed from the top of the VersaCrypt run queue (block 222).
- the applet is imported (block 222). Specifically, the imported applet and each of its data segments are: a) copied from SDRAM 24 into DMEM 18; b) decrypted with whitening; c) the MAC for the decrypted block is calculated and compared with the value in the table in DMEM 18; d) the flags are
- control next disables interrupts; restores the saved stack pointer; and clears the disable VersaCrypt preemption flag and the VersaCrypt preemption
- Control restores the Kernel Context, and enters into Kernel Mode. [If no VersaCrypt Applets are runable, this will be a loop that keeps calling the RTOS to sleep for 1 tick.]
- 8x32 Dsmap This is the map of data segments that are currently loaded. The first 16 bits of each segment is the segment ID. The second 16 bits is an offset to where it is loaded. The segments are sorted by decreasing offset, with any unused (all 0s) entries at the end.
- 32n Applet This it the VersaCrypt applet: text, data, Bss, and stack.
- the Bss and stack are initially 0s.
- the entry point into the VersaCrypt applet is the beginning of this section, and the stack will work down from the end of this section.
- CallCB allows for asynchronous requests, so that user software need not wait
- the apparatus 10 further implements a method for tamper checking the integrated circuit.
- the method is implemented upon detection of a reset event.
- the processor 54 (16) is held in a reset state such that the EEPROM 32 cannot be accessed.
- the EEPROM 32 cannot be accessed when the processor 54 (16) is held in a reset state because the processor must initiate all EEPROM accesses..
- all possible circuits including memories are tested by a BIST (Built In Self
- the processor 54 (16) is held in the reset state during execution of these tests.
- the processor 54 (16) is only released from the reset state if the tested elements respectively pass the BIST tests. If any of the tested elements fail their respective tests, the apparatus 10 is assumed to have been tampered with and the processor 54 (16) is held in the reset state so that no further instructions can be executed, so that boot-up does not occur, and so that no
- the tamper checking method is performed by one of the watchdog circuits 88 (see FIG. 3).
- the tamper checking method is preferably implemented by hardware and is performed every time a reset condition occurs.
- the apparatus will preferably isolate and test the possibly effected elements.
- persons of ordinary skill in the art will readily appreciate that, in addition to (or instead of) holding
- processor can be used to initiate and/or run the tests without departing from
- the apparatus 10 is implemented in a single die.
- the processor 16 will have a
- bus masters besides the processor 16, i.e., DMA should have a limited view.
- no external bus masters are allowed.
- the address map should be defined such that all secure peripherals fall in the kernel address space, and such that all other peripherals fall in the user address space.
- the system could contain any desired standard or application specific peripherals, without departing from the scope or spirit of the invention.
- a hostile posture is taken with respect to all external resources and user supplied parameters. Such resources should be expected to change without notice at unexpected times as a result of attacks. Regular accesses should be considered to be providing information for statistical attacks. All addresses must be checked for validity before use, and all values must be copied to internal memories before authentication and/or use.
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP98949515A EP1032879A1 (en) | 1998-09-25 | 1998-09-25 | Method and apparatus for controlling access to confidential data |
AU95822/98A AU750573B2 (en) | 1998-09-25 | 1998-09-25 | Method and apparatus for controlling access to confidential data |
PCT/US1998/020122 WO2000019322A1 (en) | 1998-09-25 | 1998-09-25 | Method and apparatus for controlling access to confidential data |
CA002311392A CA2311392C (en) | 1998-09-25 | 1998-09-25 | Method and apparatus for controlling access to confidential data |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US1998/020122 WO2000019322A1 (en) | 1998-09-25 | 1998-09-25 | Method and apparatus for controlling access to confidential data |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000019322A1 true WO2000019322A1 (en) | 2000-04-06 |
Family
ID=22267938
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US1998/020122 WO2000019322A1 (en) | 1998-09-25 | 1998-09-25 | Method and apparatus for controlling access to confidential data |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1032879A1 (en) |
AU (1) | AU750573B2 (en) |
CA (1) | CA2311392C (en) |
WO (1) | WO2000019322A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112541186A (en) * | 2020-12-21 | 2021-03-23 | 中国电子科技集团公司第三十研究所 | Password out-of-control resisting system and method based on motion state perception |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110602206B (en) * | 2019-09-12 | 2022-06-10 | 腾讯科技(深圳)有限公司 | Data sharing method and device based on block chain and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4734568A (en) * | 1985-07-31 | 1988-03-29 | Toppan Moore Company, Ltd. | IC card which can set security level for every memory area |
US5432950A (en) * | 1990-09-28 | 1995-07-11 | Motorola Inc. | System for securing a data processing system and method of operation |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100238070B1 (en) * | 1996-11-28 | 2000-01-15 | 윤종용 | Track cross signal generator of an optical disc system |
-
1998
- 1998-09-25 CA CA002311392A patent/CA2311392C/en not_active Expired - Fee Related
- 1998-09-25 WO PCT/US1998/020122 patent/WO2000019322A1/en not_active Application Discontinuation
- 1998-09-25 AU AU95822/98A patent/AU750573B2/en not_active Ceased
- 1998-09-25 EP EP98949515A patent/EP1032879A1/en not_active Withdrawn
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4734568A (en) * | 1985-07-31 | 1988-03-29 | Toppan Moore Company, Ltd. | IC card which can set security level for every memory area |
US5432950A (en) * | 1990-09-28 | 1995-07-11 | Motorola Inc. | System for securing a data processing system and method of operation |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112541186A (en) * | 2020-12-21 | 2021-03-23 | 中国电子科技集团公司第三十研究所 | Password out-of-control resisting system and method based on motion state perception |
Also Published As
Publication number | Publication date |
---|---|
CA2311392C (en) | 2004-05-11 |
CA2311392A1 (en) | 2000-04-06 |
AU750573B2 (en) | 2002-07-25 |
AU9582298A (en) | 2000-04-17 |
EP1032879A1 (en) | 2000-09-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6438666B2 (en) | Method and apparatus for controlling access to confidential data by analyzing property inherent in data | |
US6385727B1 (en) | Apparatus for providing a secure processing environment | |
AU743775B2 (en) | An apparatus for providing a secure processing environment | |
KR100851631B1 (en) | Secure mode controlled memory | |
JP4498735B2 (en) | Secure machine platform that interfaces with operating system and customized control programs | |
KR100809977B1 (en) | Initializing, maintaining, updating and recovering secure operation within an integrated system employing a data access control function | |
US7313705B2 (en) | Implementation of a secure computing environment by using a secure bootloader, shadow memory, and protected memory | |
US7480806B2 (en) | Multi-token seal and unseal | |
US7987356B2 (en) | Programmable security platform | |
EP0908810B1 (en) | Secure processor with external memory using block chaining and block re-ordering | |
EP1855476A2 (en) | System and method for trusted data processing | |
US8656191B2 (en) | Secure system-on-chip | |
TWI490724B (en) | Method for loading a code of at least one software module | |
CN116484379A (en) | System starting method, system comprising trusted computing base software, equipment and medium | |
AU750573B2 (en) | Method and apparatus for controlling access to confidential data | |
MXPA00005081A (en) | An apparatus for providing a secure processing environment | |
MXPA00005079A (en) | Method and apparatus for controlling access to confidential data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1998949515 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 95822/98 Country of ref document: AU |
|
ENP | Entry into the national phase |
Ref document number: 2311392 Country of ref document: CA Ref country code: CA Ref document number: 2311392 Kind code of ref document: A Format of ref document f/p: F |
|
WWE | Wipo information: entry into national phase |
Ref document number: PA/a/2000/005079 Country of ref document: MX |
|
ENP | Entry into the national phase |
Ref country code: JP Ref document number: 2000 572761 Kind code of ref document: A Format of ref document f/p: F |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWP | Wipo information: published in national office |
Ref document number: 1998949515 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
WWG | Wipo information: grant in national office |
Ref document number: 95822/98 Country of ref document: AU |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 1998949515 Country of ref document: EP |