
A method and system for performing cryptographic operations in an operating system

An operating system and cryptographic technology, applied in the fields of computer technology and information security. It addresses the problems of high performance overhead and vulnerabilities that are not easy to repair, and prevents attacks from obtaining sensitive data such as keys.

Active Publication Date: 2021-12-10
INST OF INFORMATION ENG CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

If an application scenario requires a large number of switches between kernel and user space (switching between two page tables), this causes high performance overhead. Currently, the average performance overhead of this solution is about 20%.
[0009] Completely eliminating the Spectre vulnerability requires changing the processor architecture, so the vulnerability is not easy to patch.
The existing mitigation for Spectre attacks is mainly to disable the branch predictor, which also brings a huge performance overhead.



Examples


Embodiment 1

[0041] Figure 1 is a flow chart of the overall steps of the method of the present invention. This embodiment performs an RSA decryption operation in the operating system and outputs the calculation result directly. It mainly includes the following steps:

[0042] 1. Protection key generation, as shown in Figure 2, including the following steps:

[0043] 1) Modify the operating system kernel boot process to add the protection key generation process, ensuring that no user-mode program is started or running during protection key generation.

[0044] 2) The operating system starts and the protection key generation program is executed; the user interface displays a prompt asking the operator to enter a password.

[0045] 3) The operator enters the password.

[0046] 4) The password entered by the user is used as the input of the SHA-256 hash algorithm, the SHA-256 operation is performed, and the operation obtains a 256-bit hash value as the protectio...

Embodiment 2

[0078] In this embodiment, an SM4 encryption operation is performed in the operating system, and the operation result is output after the key is encrypted, mainly including the following steps:

[0079] 1. The steps of generating the protection key, placing the protection key in the privileged register and loading the cryptographic operation kernel module are the same as in Embodiment 1.

[0080] 2. User key generation:

[0081] In Embodiment 2, the cryptographic operation kernel module uses an internal random number to generate the user key, which is exported after encryption, as shown in Figure 4. The specific process is as follows:

[0082] 1) The user-mode caller requests that the cryptographic operation kernel module directly generate a user key.

[0083] 2) Disable interrupts.

[0084] 3) Call the XBEGIN instruction, setting the transaction abort jump address to the transaction abort handler.

[0085] 4) The cryptographic operation kernel module uses its internal random number as the input of the SM4 key generation alg...

Embodiment 3

[0104] This embodiment provides a system for performing cryptographic operations in an operating system, including:

[0105] A protection key generation module, responsible for generating a protection key in the trusted environment at system initialization and storing the protection key in a privileged register of the system; the privileged register cannot be accessed by user-mode programs and cannot be put to other uses by the operating system;

[0106] A user key generation module, responsible for generating a user key from source data supplied through the user-mode program or from the internal random number of the cryptographic operation module, and outputting it after encryption with the protection key;

[0107] A cryptographic operation module, responsible for completing the cryptographic operation from the source data provided by the user-mode program and the user key encrypted with the protection key; the cryptographic operation uses the protection key to decrypt the user key, then uses the user key to complete th...


Abstract

The invention discloses a method and a system for performing cryptographic operations in an operating system. The method generates a protection key in the trusted environment at operating system initialization and stores the protection key in a privileged register reserved by the operating system. The user key can be generated from data input by the user or from the internal random number of the cryptographic operation kernel module; it is then encrypted with the protection key and exported. The system provides the user with a cryptographic operation kernel module. When the user needs to use the user key to perform a cryptographic operation, the user-mode caller sends a request to the cryptographic operation kernel module, providing the source data and the user key in ciphertext form. Inside the cryptographic operation kernel module, the protection key is used to decrypt the user key, and the user key is then used to complete the cryptographic operation requested by the user. The invention can defend against memory information leakage attacks carried out by various attack programs in user mode, and the protection key and the user key can resist Meltdown and Spectre attacks.
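The key hierarchy described in the abstract, modelled in user-space Python as an added example (not code from the patent). The names `CryptoModule`, `wrap_user_key` and `unwrap_user_key`, the HMAC-based stand-in cipher, the integrity tag on the wrapped key and the HMAC stand-in for the RSA/SM4 operation are all assumptions; a Python process provides none of the register or transaction isolation the patent relies on.

```python
import hashlib
import hmac
import os

def derive_protection_key(password: str) -> bytes:
    # Embodiment 1, step 4: SHA-256 over the operator's password gives 256 bits.
    return hashlib.sha256(password.encode("utf-8")).digest()

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the protection key (assumption).
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def wrap_user_key(protection_key: bytes, user_key: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(protection_key, b"enc"), nonce, len(user_key))
    ct = bytes(a ^ b for a, b in zip(user_key, ks))
    tag = hmac.new(_subkey(protection_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_user_key(protection_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 49:  # 16-byte nonce + at least 1 key byte + 32-byte tag
        raise ValueError("wrapped key too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(protection_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrapped key rejected")
    ks = _keystream(_subkey(protection_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class CryptoModule:
    """Models the kernel module boundary; _pk models the privileged register."""
    def __init__(self, password: str):
        self._pk = derive_protection_key(password)

    def generate_user_key(self) -> bytes:
        # Embodiment 2: key from internal randomness, exported only in wrapped form.
        return wrap_user_key(self._pk, os.urandom(16))

    def operate(self, wrapped_key: bytes, data: bytes) -> bytes:
        # Stand-in operation (assumption): HMAC-SHA256 instead of RSA or SM4.
        user_key = unwrap_user_key(self._pk, wrapped_key)
        return hmac.new(user_key, data, hashlib.sha256).digest()
```

The caller only ever holds the wrapped blob, so a module initialized with a different password, or a blob altered in transit, fails at `unwrap_user_key` before any operation runs.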

Description

Technical field

[0001] The present invention pertains to computer technology and information security technology, and in particular to a method and system for performing cryptographic operations in an operating system.

Background

[0002] Cryptographic techniques are often used to protect sensitive data in application systems. The security of online transactions, e-mail, remote login and other services relies on cryptographic protection. Once the security of sensitive information in a cryptographic operation cannot be guaranteed, an attacker can decrypt information transmitted on the network, or even impersonate the original user to commit fraud and other crimes, and the user will suffer great losses. Therefore, the protection of sensitive data in cryptographic operations is very important.

[0003] In recent years, attacks related to cryptography have become more numerous and the approaches more novel, ranging from the software layer to the hardware layer, with attack techniques emerging endlessly, att...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/60, G06F21/71, G06F12/02, H04L9/06
CPC: H04L9/0618, G06F12/0253, G06F21/602, G06F21/71
Inventors: 林璟锵, 蔡权伟, 荆继武, 李文强, 李从午, 王建民, 王琼霄
Owner: INST OF INFORMATION ENG CHINESE ACAD OF SCI