JP6898519B2 - 暗号化キーのセキュリティ - Google Patents
暗号化キーのセキュリティ Download PDFInfo
- Publication number
- JP6898519B2 JP6898519B2 JP2020516649A JP2020516649A JP6898519B2 JP 6898519 B2 JP6898519 B2 JP 6898519B2 JP 2020516649 A JP2020516649 A JP 2020516649A JP 2020516649 A JP2020516649 A JP 2020516649A JP 6898519 B2 JP6898519 B2 JP 6898519B2
- Authority
- JP
- Japan
- Prior art keywords
- authentication value
- encryption key
- module
- bios
- storage location
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/107—License processing; Key processing
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Storage Device Security (AREA)
Description
Claims (15)
- システムであって:
基本入出力システム(BIOS)からアクセス可能なセキュアストレージ;
システムのブートの間に、セキュアストレージ内の固定記憶位置にある認証値を記憶するBIOSセキュリティモジュール;および
暗号化キーモジュールを含み、暗号化キーモジュールは:
固定記憶位置から認証値を読み出し;
固定記憶位置にある認証値を上書きし;そして
認証値を使用して暗号化キーを取得する、システム。 - 暗号化キーは、認証値を使用して暗号化キーを生成することによって取得される、請求項1のシステム。
- 暗号化キーは、認証値に基づいて、システムがアクセス可能なストレージ上にある暗号化キーをアクセスすることによって取得される、請求項1のシステム。
- セキュアストレージはBIOSのプライベートメモリであり、そして固定記憶位置はユニファイド・エクステンシブル・ファームウェア・インタフェース(UEFI)変数である、請求項1のシステム。
- 暗号化キーモジュールは認証値をUEFI変数から、アドミニストレータ権限を用い、プライベートBIOSコールを使用して読み出す、請求項4のシステム。
- セキュアストレージは信頼されたプラットフォームモジュールであり、そして固定記憶位置は予め決定されたプラットフォーム構成レジスタである、請求項1のシステム。
- 認証値を上書きすることは、レジスタをランダムデータで拡張することを含む、請求項6のシステム。
- コンピュータ可読媒体であって、プロセッサによって実行された場合に:
セキュアストレージ内の固定記憶位置から認証値を読み出し、ここで認証値は基本入出力システム(BIOS)のスタートアップの間に固定記憶位置に記憶されたものであり;
認証値を固定記憶位置から消去し;そして
認証値を使用して暗号化キーを取得するようにプロセッサを制御する、プロセッサで実行可能な命令を記憶している、コンピュータ可読媒体。 - 認証値を消去することは、固定記憶位置にランダムデータを書き込むことを含む、請求項8のコンピュータ可読媒体。
- 固定記憶位置は、ユニファイド・エクステンシブル・ファームウェア・インタフェース(UEFI)変数を介してアクセス可能なBIOSプライベートメモリ内にある、請求項8のコンピュータ可読媒体。
- 固定記憶位置は、信頼されたプラットフォームモジュールのプラットフォーム構成レジスタである、請求項8のコンピュータ可読媒体。
- 暗号化キーは、認証値を使用して暗号化キーを生成すること、認証値を使用して記憶場所から暗号化キーをアクセスすることの一方によって取得される、請求項8のコンピュータ可読媒体。
- システムであって:
基本入出力システム(BIOS)からアクセス可能な第1のプラットフォーム構成レジスタを有する、信頼されたプラットフォームモジュール;
システムのスタートアップの間に、認証値をプラットフォーム構成レジスタに記憶するBIOSセキュリティモジュール;
プラットフォーム構成モジュールから認証値を取得し、そしてプラットフォーム構成レジスタをランダムデータで拡張する値取得モジュール;および
認証値を使用して暗号化キーを取得するよう認証値を使用するキー取得モジュールを含む、システム。 - キー取得モジュールは、認証値を使用して暗号化キーを生成する、請求項13のシステム。
- キー取得モジュールは、認証値を使用してシステムからアクセス可能なストレージから暗号化キーを取得する、請求項13のシステム。
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/US2017/052181 WO2019059887A1 (en) | 2017-09-19 | 2017-09-19 | CRYPTOGRAPHIC KEY SECURITY |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| JP2020534619A JP2020534619A (ja) | 2020-11-26 |
| JP6898519B2 true JP6898519B2 (ja) | 2021-07-07 |
Family
ID=65811522
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| JP2020516649A Expired - Fee Related JP6898519B2 (ja) | 2017-09-19 | 2017-09-19 | 暗号化キーのセキュリティ |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US11507668B2 (ja) |
| EP (1) | EP3685300A4 (ja) |
| JP (1) | JP6898519B2 (ja) |
| KR (1) | KR102322955B1 (ja) |
| CN (1) | CN111373404B (ja) |
| WO (1) | WO2019059887A1 (ja) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112989379B (zh) * | 2021-03-17 | 2025-02-25 | 联想(北京)有限公司 | 密钥保护实现方法、装置及电子设备 |
Family Cites Families (28)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6401208B2 (en) * | 1998-07-17 | 2002-06-04 | Intel Corporation | Method for BIOS authentication prior to BIOS execution |
| US7117376B2 (en) * | 2000-12-28 | 2006-10-03 | Intel Corporation | Platform and method of creating a secure boot that enforces proper user authentication and enforces hardware configurations |
| US7281125B2 (en) * | 2001-08-24 | 2007-10-09 | Lenovo (Singapore) Pte. Ltd. | Securing sensitive configuration data remotely |
| US7376968B2 (en) | 2003-11-20 | 2008-05-20 | Microsoft Corporation | BIOS integrated encryption |
| US7421588B2 (en) * | 2003-12-30 | 2008-09-02 | Lenovo Pte Ltd | Apparatus, system, and method for sealing a data repository to a trusted computing platform |
| US7552326B2 (en) | 2004-07-15 | 2009-06-23 | Sony Corporation | Use of kernel authorization data to maintain security in a digital processing system |
| GB2419434A (en) * | 2004-10-23 | 2006-04-26 | Qinetiq Ltd | Encrypting data on a computer's hard disk with a key derived from the contents of a memory |
| US7711960B2 (en) * | 2006-08-29 | 2010-05-04 | Intel Corporation | Mechanisms to control access to cryptographic keys and to attest to the approved configurations of computer platforms |
| US8556991B2 (en) * | 2008-08-08 | 2013-10-15 | Absolute Software Corporation | Approaches for ensuring data security |
| US20100083002A1 (en) * | 2008-09-30 | 2010-04-01 | Liang Cui | Method and System for Secure Booting Unified Extensible Firmware Interface Executables |
| US8811619B2 (en) | 2008-10-31 | 2014-08-19 | Dell Products, Lp | Encryption key management system and methods thereof |
| US20110154023A1 (en) * | 2009-12-21 | 2011-06-23 | Smith Ned M | Protected device management |
| CN102024115B (zh) * | 2010-11-19 | 2013-04-17 | 紫光股份有限公司 | 一种具有用户安全子系统的计算机 |
| DE112011105678T5 (de) * | 2011-09-28 | 2014-07-17 | Hewlett-Packard Development Company, L.P. | Entsperren eines Speichergeräts |
| US9037854B2 (en) | 2013-01-22 | 2015-05-19 | Amazon Technologies, Inc. | Privileged cryptographic services in a virtualized environment |
| US9032117B2 (en) * | 2013-07-10 | 2015-05-12 | Cisco Technology, Inc. | Active cable with display |
| US10192054B2 (en) * | 2013-09-13 | 2019-01-29 | Intel Corporation | Automatic pairing of IO devices with hardware secure elements |
| US9367689B2 (en) | 2013-11-13 | 2016-06-14 | Via Technologies, Inc. | Apparatus and method for securing BIOS in a trusted computing system |
| TW201535145A (zh) * | 2013-12-04 | 2015-09-16 | Insyde Software Corp | 使用保護讀取儲存器安全地儲存韌體數據之系統及方法 |
| US9563773B2 (en) * | 2014-02-26 | 2017-02-07 | Dell Products L.P. | Systems and methods for securing BIOS variables |
| US9785801B2 (en) * | 2014-06-27 | 2017-10-10 | Intel Corporation | Management of authenticated variables |
| WO2016014031A1 (en) * | 2014-07-22 | 2016-01-28 | Hewlett-Packard Development Company, L.P. | Authorizing a bios policy change for storage |
| US10296730B2 (en) * | 2014-08-18 | 2019-05-21 | Dell Products L.P. | Systems and methods for automatic generation and retrieval of an information handling system password |
| CN104850792A (zh) * | 2015-05-20 | 2015-08-19 | 浪潮电子信息产业股份有限公司 | 一种服务器信任链的构建方法和装置 |
| CN104866784B (zh) * | 2015-06-03 | 2018-03-23 | 杭州华澜微电子股份有限公司 | 一种基于bios加密的安全硬盘、数据加密及解密方法 |
| US10013561B2 (en) | 2015-10-30 | 2018-07-03 | Ncr Corporation | Dynamic pre-boot storage encryption key |
| CN105678173B (zh) * | 2015-12-31 | 2018-06-29 | 武汉大学 | 基于硬件事务内存的vTPM安全保护方法 |
| CN107292176B (zh) * | 2016-04-05 | 2021-01-15 | 联想企业解决方案(新加坡)有限公司 | 用于访问计算设备的可信平台模块的方法和系统 |
-
2017
- 2017-09-19 WO PCT/US2017/052181 patent/WO2019059887A1/en not_active Ceased
- 2017-09-19 EP EP17925966.8A patent/EP3685300A4/en active Pending
- 2017-09-19 JP JP2020516649A patent/JP6898519B2/ja not_active Expired - Fee Related
- 2017-09-19 US US16/479,495 patent/US11507668B2/en active Active
- 2017-09-19 CN CN201780097041.9A patent/CN111373404B/zh active Active
- 2017-09-19 KR KR1020207010271A patent/KR102322955B1/ko not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN111373404A (zh) | 2020-07-03 |
| US11507668B2 (en) | 2022-11-22 |
| EP3685300A1 (en) | 2020-07-29 |
| KR102322955B1 (ko) | 2021-11-08 |
| EP3685300A4 (en) | 2021-04-28 |
| US20200210588A1 (en) | 2020-07-02 |
| KR20200047696A (ko) | 2020-05-07 |
| WO2019059887A1 (en) | 2019-03-28 |
| JP2020534619A (ja) | 2020-11-26 |
| CN111373404B (zh) | 2024-03-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9535712B2 (en) | System and method to store data securely for firmware using read-protected storage | |
| CN109918919B (zh) | 认证变量的管理 | |
| US11455396B2 (en) | Using trusted platform module (TPM) emulator engines to measure firmware images | |
| JP4982825B2 (ja) | コンピュータおよび共有パスワードの管理方法 | |
| JP4288209B2 (ja) | システム・オン・チップのためのセキュリティ・アーキテクチャ | |
| CN109587106B (zh) | 密码分区的云中的跨域安全性 | |
| JP6096301B2 (ja) | ファームウェアにおける盗難防止 | |
| US11354417B2 (en) | Enhanced secure boot | |
| TWI632483B (zh) | 安全裝置及在其內提供安全服務至主機的方法、安全設備以及電腦軟體產品 | |
| US10747885B2 (en) | Technologies for pre-boot biometric authentication | |
| US10853086B2 (en) | Information handling systems and related methods for establishing trust between boot firmware and applications based on user physical presence verification | |
| US11960737B2 (en) | Self-deploying encrypted hard disk, deployment method thereof, self-deploying encrypted hard disk system and boot method thereof | |
| Raj et al. | ftpm: A firmware-based tpm 2.0 implementation | |
| Buhren et al. | Fault attacks on encrypted general purpose compute platforms | |
| US10229281B2 (en) | Remote provisioning and authenticated writes to secure storage devices | |
| US10956564B2 (en) | Systems and methods for key-based isolation of system management interrupt (SMI) functions and data | |
| JP6898519B2 (ja) | 暗号化キーのセキュリティ | |
| US8108905B2 (en) | System and method for an isolated process to control address translation | |
| US10592663B2 (en) | Technologies for USB controller state integrity protection | |
| US20230229774A1 (en) | Bios action request for authorized application | |
| CN103942482B (zh) | 一种基于嵌入式的主机安全保护方法 | |
| Proudler et al. | Initialising TPM2 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| A621 | Written request for application examination |
Free format text: JAPANESE INTERMEDIATE CODE: A621 Effective date: 20200423 |
|
| A977 | Report on retrieval |
Free format text: JAPANESE INTERMEDIATE CODE: A971007 Effective date: 20210414 |
|
| TRDD | Decision of grant or rejection written | ||
| A01 | Written decision to grant a patent or to grant a registration (utility model) |
Free format text: JAPANESE INTERMEDIATE CODE: A01 Effective date: 20210511 |
|
| A61 | First payment of annual fees (during grant procedure) |
Free format text: JAPANESE INTERMEDIATE CODE: A61 Effective date: 20210610 |
|
| R150 | Certificate of patent or registration of utility model |
Ref document number: 6898519 Country of ref document: JP Free format text: JAPANESE INTERMEDIATE CODE: R150 |
|
| LAPS | Cancellation because of no payment of annual fees |