Network of trusted execution environments

EP4754659A1Pending Publication Date: 2026-06-10REAL-CIS GMBH

Patent Information

Authority / Receiving Office
EP · EP
Patent Type
Applications
Current Assignee / Owner
REAL-CIS GMBH
Filing Date
2024-08-02
Publication Date
2026-06-10

AI Technical Summary

Technical Problem

Current methods for forming and expanding secure data processing environments are time-consuming, costly, and prone to security vulnerabilities due to manual processes and potential fraudulent interactions, which can lead to violations of confidentiality and integrity.

Method used

A network of Trusted Execution Environments that autonomously pair and form without human intervention, using cryptographic attestation to establish authenticity and generate a common secret, reducing complexity and costs while enhancing security by eliminating privileged access and ensuring confidentiality and integrity.

Benefits of technology

Significantly reduces the complexity and costs of forming and expanding secure data processing environments while providing high protection against confidentiality and integrity violations, ensuring secure data processing and program integrity through automated processes and enhanced security measures.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure IMGF000015_0001
    Figure IMGF000015_0001
  • Figure IMGF000015_0002
    Figure IMGF000015_0002
  • Figure 00000027_0000
    Figure 00000027_0000
Patent Text Reader

Abstract

The invention relates to a network of at least two trusted execution environments and a method for forming a network of at least two trusted execution environments. The invention also relates to a method for operating and expanding a network of trusted execution environments.
Need to check novelty before this filing date? Find Prior Art

Description

[0001] Network of secure data processing environments

[0002] The invention relates to a network of at least two secure data processing environments and a method for forming a network of at least two secure data processing environments (Network of Trusted Execution Environments). Furthermore, the invention relates to a method for operating and expanding a network of secure data processing environments.

[0003] It is well known from the state of the art to use central data processing facilities (servers) to coordinate the flow of data within information technology infrastructure. The advantages of digitalization are largely based on the networking of digitized devices and equipment. These devices only rarely interact directly with each other. Servers typically coordinate the flow of data. To reliably provide digitization services critical to the well-being of society, trustworthy provision and maintenance of the servers must be guaranteed.

[0004] Such data processing facilities and procedures have, provided they are carefully implemented, the property that access by both third parties and the personnel operating the data processing system to the data processed by the system is restricted and controlled by technical and organizational measures, such as those required in the requirement catalogs of the ISO / IEC standards of the 27k series or the Federal Office for Information Security (BSI C5), so that a minimum level of protection against unauthorized data access or manipulation of the data processed by the facility can be achieved.

[0005] As long as the principles of manipulation security, i.e. the requirement that changes to the system may only be made through the cooperation of employees from several different organizations involved in the development and operation of the data processing system, are not met when designing the data processing facilities, individual employees from the organizations involved in the development and / or operation of the data processing system may still violate regulations for the protection of confidentiality and integrity in the case of data processing facilities and procedures for the protection of confidentiality and integrity and consequently violate the confidentiality and / or integrity of the data processed in the data processing facilities.

[0006] The probability of such a breach of the confidentiality and / or integrity of the data processed in the data processing facilities decreases by several (decimal) orders of magnitude if the principles of designing the data processing facilities according to security against manipulation, as described, for example, in [HA Jäger et al. (2020). Tamper-proof cloud infrastructures. ISBN 978-3-658-31848-2. Pages 33-79. Springer Nature.], are observed.

[0007] Assuming the independence of employees from several different organizations involved in the construction and / or operation of the data processing facilities, the aforementioned probability that the properties of tamper-proof data processing facilities are changed and that this change is used to violate the confidentiality and / or integrity of the data processed in the data processing facilities can be considered as the probability of infidelity by an individual employee of these organizations multiplied by the number of different independent organizations necessary for a change.

[0008] Such tamper-proof data processing devices and the state-of-the-art methods implementing them provide a high level of security against breaches of the confidentiality and / or integrity of the data processed by them by ensuring that no data is available unencrypted outside of the program execution environments or data processing environments (Trusted Execution Environments, TEE) intended for data processing. For example, such TEEs can be implemented at the chip level as "Software Guard Extensions" (SGX) from Intel Corporation, as described in [I. Anati et al. (2013). Innovative Technology for CPU-Based Attestation and Sealing. In Workshop on Hardware and Architectural Support for Security and Privacy HASP '13.].Furthermore, TEE can be implemented at the server and multi-server level, for example, by the precautionary deletion of data within a module as soon as an attack attempt is detected, as described in [FIPS PUB 140-2: Security Requirements for Cryptographic Modules. NIST. July 26, 2007. “Security Level 4 provides the highest level of security. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate deletion of all plaintext critical security parameters.”].Another class of secure computing environments at the chip level encapsulates large parts of the computing process, for example, an entire "virtual machine," so that the programs used for computing require little or no adaptation to the secure computing environment. Two examples of such chip-level TEEs are the implementation of "Secure Encrypted Virtualization" (SEV) from Advanced Micro Devices Corporation (AMD) described in [D. Kaplan (2017). PROTECTING VM REGISTER STATE WITH SEV-ES. In https: / / www.amd.com / en / developer / sev.html from AMD], and the "Trusted Domain Extensions" (TDX) from Intel Corporation described in [P.-C. Cheng et al. (2023). Intel TDX Demystified: A Top-Down Approach. In https: / / arxiv.org / abs / 2303.15540 from IBM Research].

[0009] Such tamper-proof data processing environments and the procedures implementing them further provide a high level of security against breaches of confidentiality and / or integrity if the keys used to encrypt the results and intermediate results of the data processing tasks once they leave the TEE are generated exclusively in a clearly defined and closed network of secure data processing environments and do not leave this network.

[0010] In order to be able to restart the network even in the event of a simultaneous failure of all data processing environments in the network, in some designs of such networks of tamper-proof data processing environments, according to the state of the art, a sufficiently large group of mutually independent auditors of the system share an initially automatically generated master secret, for example using the "Shamir Secret Sharing" method [A. Shamir (1979). How to Share a Secret. Programming Techniques. Editor R. Rivest. Communications of the ACM. Vol. 22 No. 11.], which they regenerate in a system of data processing environments after successful completion of the audit by entering a sufficient subset of partial secrets (Sharmir parts) at a human-machine interface.

[0011] In state-of-the-art combinations of data processing environments and the processes implementing them, the configuration of the technical parameters required for distributing the primary secret is generally a manual process that must be performed individually for each data processing environment and is also part of the implementation review by independent auditors. To limit the effort required for these manual processes, in practice, only combinations of secure data processing environments with the same technology and design are used.

[0012] This results in the disadvantage that the manual process, which must be performed individually for each data processing environment, is time-consuming and costly. This disadvantage makes the creation and expansion of large networks comprising a multitude of secure data processing environments impractical.

[0013] In addition, there is the disadvantage that the use of different types of secure data processing environments when forming a network of data processing environments means an additional high expenditure of time and costs for forming a network.

[0014] Furthermore, there is the disadvantage that the manual processes for setting up the federation of secure data processing environments can become subject to abuse of the privilege to set up the federation and thus the security against violations of confidentiality, integrity and availability can be lost.

[0015] Even if, according to the state of the art, the secure sharing of a common master secret enforces the cooperation of several independent persons to form or expand a network, fraudulent cooperation among these persons cannot be ruled out. Furthermore, according to the state of the art, it may happen that the (partial) secret holders necessary to establish a network or to expand an existing network are not available, thus making the formation of a network or the expansion of an existing network impossible.

[0016] In some secure computing environments implemented according to the state of the art, for example, those designed using the encryption of "virtual machines" (such as Intel Corporation's TDX or AMD Corporation's "Secure Encrypted Virtualization" (SEV)), in addition to encapsulating the processing environment, there is privileged access to the computing resources and the data they process. This privileged access is not detrimental in some application scenarios, for example, when server administrators are to be excluded, but the administrators of the application logic, i.e., the application software, are trusted.However, in situations where no administrator, including the administrators of the application logic, should be able to violate the confidentiality and integrity of the data, this remaining privileged access and the associated access options to the resources, to the coding of the application logic and to the data processed by it is a disadvantage.

[0017] The object of the invention is therefore to provide an association and a method for forming an association of secure data processing environments which ensure a very high level of protection against the violation of the confidentiality of the data and the programs processing them, the integrity of the data and the programs processing them and the availability of the data and the programs processing them, without having the disadvantages of the associations and methods for forming such associations known from the prior art.

[0018] This object is achieved according to the invention by the methods and devices according to the independent claims. Advantageous further developments are specified in the respective dependent claims.

[0019] The invention relates to a network and a method for forming a network of at least two secure data processing environments (Network of Trusted Execution Environments), in which the secure data processing environments are coupled to one another autonomously and merge into a network without human intervention in such a way that (partial) secrets or identities would have to be entered manually, and / or remaining privileged accesses are closed, so that the complexity and costs for forming and expanding networks of secure data processing environments are low compared to the prior art, correspondingly large networks are practicable and the misuse of privileges as well as a fraudulent violation of the confidentiality and integrity of the data and / or the programs processing the data are largely excluded.

[0020] The invention has the following particular advantages:

[0021] 1. Since the secure data processing environments of an initial set of secure data processing environments defined to form a network of secure data processing environments (Network of Trusted Execution Environments), whose secure data processing environments can mutually attest their status as a secure data processing environment, autonomously determine among themselves which of the secure data processing environments generates the original secret, which is then transmitted to the participating secure data processing environments and to the additional ones that are added in extensions, both the complexity and the costs of setting up a network of secure data processing environments are significantly reduced compared to the state of the art and the security is increased compared to the state of the art, since the misuse of an administrator privilege that is unavoidable in the case of manual interventions is largely excluded.

[0022] 2. Since the methods and devices according to the invention for forming a network of secure data processing environments are furthermore suitable for automatically transmitting secure data processing environments added to a network, the identity and the creation history of the network when it is expanded, the complexity and costs of expanding a network of secure data processing environments are significantly reduced compared to the prior art.

[0023] 3. Since the methods and devices according to the invention for forming a network of secure data processing environments are furthermore suitable for unambiguously and repeatably deriving further secrets necessary for the operation of the network of data processing environments and / or software instances of the network from the original secret, it is possible to form large networks of many secure data processing environments with such stateless secure data processing environments with low complexity and low cost, thereby achieving particularly high protection against the loss of the original secret. Since the methods and devices according to the invention for forming a network of secure data processing environments are furthermore suitable for generating the original secret,nor the entry of identities of one of the participating secure data processing environments, on the one hand, no fraudulent conduct can lead to a loss of confidentiality or integrity, and on the other hand, no situations arise in which the necessary human persons as bearers of (partial) secrets are not available to form or expand a network of secure data processing environments. Since the methods and devices according to the invention for forming a network of secure data processing environments are also suitable for automating not only the generation of the original secret but also other parts of the method for forming a network of secure data processing environments,The complexity and costs of forming large networks of many secure data processing environments are further reduced. Since the methods and devices according to the invention for forming a network of secure data processing environments are furthermore suitable for generating the original secret and further secrets by method components that are implemented independently of the configuration of the secure data processing environments used, different versions of secure data processing environments can be used mixed in a network, which means advantageous flexibility for the method and the resulting networks. Different versions of secure data processing environments with different,properties relevant to practice are used in a mixed manner, thus reducing costs through better adaptation to practical needs. Since the methods and devices according to the invention for forming a network of secure data processing environments are further suitable for forming a network of secure data processing environments, a first secure data processing environment, which according to its design has privileged access, with a second secure data processing environment, which according to its design does not have privileged access, such that the second secure data processing environment, which according to its design does not have privileged access, exclusively controls the privileged access of the first secure data processing environment,In the inventive combination of both secure data processing environments, privileged access is no longer possible, thus largely precluding any breach of the confidentiality of the data and the programs that process them, as well as the integrity of the data and the programs that process them. Since the inventive methods and devices for forming a network of secure data processing environments are furthermore suitable for using several secure data processing environments that, according to their design, do not have privileged access, to exclusively control the privileged access(s) of one or more secure data processing environments that, according to their design, do have privileged access, complex and extensive software packages and application logic can be protected against any breach of the confidentiality of the data and the programs that process them.the integrity of the data and the programs processing them, and a violation of the availability of the data and the programs processing them are protected to the greatest extent possible. Since the methods and devices according to the invention for forming a network of secure data processing environments are furthermore suitable for administering the secure data processing environments via a positively defined list of commands for executing administration activities, this results in the advantage that flexible maintenance of the programs executed by the secure data processing environments is possible. 10. Finally, since the methods and devices according to the invention for forming a network of secure data processing environments are suitable for one or more secure data processing environments, which according to their design do not have privileged access, and in a nested manner within a secure data processing environment,which, according to its design, does not have privileged, unrestricted access, but has an interface through which a plurality of positively defined commands for executing administrative activities can be triggered, which exclusively control the positively defined commands for executing administrative activities, has the advantage that this allows for a flexible distribution of responsibilities to different administrators.

[0024] Details and features of the invention, as well as specific embodiments of the invention, will become apparent from the following description taken in conjunction with the drawings. It shows:

[0025] Fig. 1 is a block diagram of an inventive network of secure data processing environments to explain the inventive method for forming such a network with the designations:

[0026] V-DVU network of secure data processing environments

[0027] S1 to Sn Server 1 to Server n

[0028] DVU 1,1 to DVUl,ml secure data processing environment 1 of server 1 to secure data processing environment ml of server 1

[0029] DVUn,l to DVUn,mn secure data processing environment 1 of server n to secure data processing environment mn of server n

[0030] KS1 to KSh Configuration Server 1 to Configuration Server h

[0031] AVS1 to AVSk Authenticity Verification Server 1 to Authenticity

[0032] Verification server k

[0033] Fig. 2 shows a state diagram of an embodiment of the method according to the invention for forming a network of secure data processing environments with the designations: Z1 to Z6 states of the secure data processing environments 1 to 6 with the designations "UNINITIALIZED", "NEGOTIATION PHASE", "EXCHANGE KEY PHASE", "VERIFICATION PHASE", "ONLINE", and "IMPORT PHASE"

[0034] BOO State change when initializing the bootstrap subprocedure “INIT BOOTSTRAP”

[0035] AND Obtaining acceptance of the negotiation data “ACCEPT NEGOTIATION DATA“

[0036] ASA state change as soon as all initially involved secure data processing environments have accepted the checks of the last current state: “ALL SEEDS ACCEPTED”

[0037] AKD Obtaining acceptance of the key data “ACCEPT KEY DATA” AVR Obtaining acceptance of the verification report “ACCEPT VERIFICATION REPORT”

[0038] IMP State change to initialize an extension of the network by adding a secure data processing environment “INIT IMPORT”

[0039] AIM Obtaining acceptance of the existing data of the network “ACCEPT IMPORT DATA”

[0040] RST State change to return to the initial state “RESET”

[0041] Fig. 3 shows the same block diagram as in Fig. 1, wherein the network of secure data processing environments is added to explain the method part for extending the network, a server with one or more secure data processing environments with the following designation: Sn+1 Server n+1

[0042] Fig.4 a collection of 4 block diagrams a), b), c) and d) to explain the method according to the invention for forming a network of secure execution environments with the designations:

[0043] V-DVU network of secure execution environments

[0044] S 1 to S4 Server 1 to Server 4 DVU1 and DVU3 secure data processing environments that have privileged access and access

[0045] PZ Privileged Access and Access

[0046] DVU2 and DVU4 secure data processing environments that do not have privileged access

[0047] ALI and AL2 Application Logic 1 and Application Logic 2

[0048] AC1 Administrator Client 1

[0049] NC1,1 to NCl,p User client of ALI 1 to User client of ALI p

[0050] NC2,1 to NC2,q User client of AL2 1 to User client of ALI q

[0051] AZL1 User Access Logic 1

[0052] Fig.4 a collection of two block diagrams a) and b) to explain the method according to the invention for forming a network of secure execution environments with the designations:

[0053] V-DVU network of secure execution environments

[0054] S5 to S8 Server 5 to Server 8

[0055] DVU5 and DVU6 secure data processing environments that have privileged access and access

[0056] PZ Privileged Access and Access

[0057] DVUC7 and DVUC8 control units (controllers) of the secure data processing environments 7 and 8

[0058] DVU7 and DVU8 secure data processing environments that no longer have privileged access

[0059] AL5 to AL8 Application Logic 5 to Application Logic 8

[0060] AC56 Administrator Client for DVU5 and DVU6

[0061] AC78 Administrator Client for DVU7 and DVU8

[0062] NC5,1 to NC5,p User client 1 to p of AL5

[0063] NC6,1 to NC6,q User client 1 to q of AL6

[0064] NC7,1 to NC7,r User client 1 to r of AL7

[0065] NC8,1 to NC8,s User client 1 to s of the AL8 The devices according to the invention and the methods according to the invention enable both adequate protection against violations of the confidentiality of the data and / or programs processing them, the integrity of the data and / or programs processing them and / or the confidentiality of the data and / or programs processing them, as well as a reduction in the complexity and the costs of forming a network of secure data processing environments.

[0066] The plurality of m secure data processing environments DVU 1,1, DVU1,2 to DVU1,ml shown in Fig. 1 are components of a first data processing device, which in practice are called "servers," here Server 1 (S1). Such servers comprise, among other things, a housing, a power supply, network components, persistent and volatile storage units, and one or more processor units. Depending on the design, the secure data processing environments are implemented, for example, as components of the processor units and the main memory using firmware, i.e., extensions of the machine-level instruction sets (e.g., Software Guard Extensions, Secure Encrypted Virtualization, or Trusted Domain Extension).When a secure computing environment is initiated by software programs running on one of the server's processors, the keys used by the secure computing environment to encrypt data written to volatile random access memory (RAM) or persistent storage are determined. In some implementations of secure computing environments, the keys are written to special, dedicated registers on the processor chips.

[0067] Additional secure data processing environments DVUa,b, where a is one of {1, 2, .. n} and b is one of {1, 2, .. ma}, are provided by a plurality of servers, Server 2 (S2), Server 3 (S3) to Server n (Sn). All of these secure data processing environments are registered according to their identity and specific technical design with Configuration Servers 1 (KS1) to Configuration Server h (KSh) and obtain all software and configuration information from there upon system startup. This information includes, among other things, information about which secure data processing environments belong to the network to be formed from this defined set of secure data processing environments. In addition, all of these secure data processing environments are registered according to their identity and specific technical design with Authenticity Verification Servers 1 (AVS1) to k (AVSk).This means that the data processing environments can attest to each other with the help of the authenticity verification servers 1 (AVS1) to k (AVSk) that they are fundamentally authorized to participate in the inventive formation of a network of secure data processing environments (V-DVU).

[0068] At least two secure data processing environments DVUc,d and DVUe,f, where c and e are from { 1, 2, .. n}, d from { 1, 2, .. md} and f from { 1, 2, .. me}, as well as additional secure data processing environments on a case-by-case basis, together form the seed of data processing environments from which the network of secure data processing environments is constituted according to the invention.

[0069] The aforementioned attestation process is implemented cryptographically, i.e., a central infrastructure of public and private key pairs belonging to the secure data processing environments DVUa,b (public key infrastructure) is initialized by the operator of the V-DVU network. For this purpose, the operator uses a subset of the k authenticity verification servers (designated AVS1 to AVSk in Fig. 1) that includes at least one authenticity verification server. To enable high availability of the authenticity verification service, a subset of several authenticity verification servers can advantageously be used. The operator of the V-DVU network can use these to have the authenticity of the secure data processing environments confirmed by the manufacturer of these secure data processing environments.

[0070] For example, if a secure data processing environment DVUc,d needs to certify the authenticity of a second secure data processing environment DVUe,f, designated by the manufacturer as a secure data processing environment, in this example, the secure data processing environment DVUc,d sends a message to one of the authenticity verification servers AVSh+1 to AVSk, requesting whether the secure data processing environment DVUe,f is indeed a secure data processing environment as defined by the manufacturer, with regard to the origin and status of the machine-level programs. These servers can reliably answer the query due to the constantly updated reports on manufactured secure data processing environments and the status of the machine-level software. This certifies the affiliation of the secure data processing environment DVUe,f to the seed for the secure data processing environment DVUc,d.In this way, all secure data processing environments can ensure the authenticity of each other's secure data processing environment.

[0071] Additionally, the secure computing environments DVUc,d and DVUe,f can mutually assure each other of the authenticity of the programs controlling the secure computing environments by comparing a measurement of the programs or comparing the identity of the signing auditor. Such a measurement is the application of a one-way function (hash) to the code to be measured.

[0072] The inventive autonomous determination of the common original secret, under the defined sentence from £ secure data processing environments belonging to secure data processing environments is carried out gradually with the initiation of the with secure data processing environments by the operator of the V-DVU network of data processing environments.

[0073] In Fig. 2, a total of seven states ZI to Z7 of an embodiment of the method for the autonomous determination of the common original secret are shown, of which, however, only the states ZI to Z6 are considered initially.

[0074] If a secure data processing environment is started from the seed of secure data processing environments by the operator of the V-DVU network of data processing environments, this secure data processing environment changes from the “UNINITIALIZED” (ZI) state to the “NEGOTIATION PHASE” (Z2) state by initializing the bootstrap sub-procedure “INIT BOOTSTRAP” (BOO).

[0075] In this state Z2, each secure computing environment initially randomly or quasi-randomly generates an asymmetric communication key pair intended for secure communication between the seed's secure computing environments, because it is assumed that the transmission channels between the secure computing environments may be insecure. The public key of this communication key pair is signed with the signature key characteristic of the secure computing environment. This signed communication key is sent as a tuple with the public communication key to all other seed's secure computing environments, and a response is requested with the signed public key of the other secure computing environments.After receiving the signed public keys of the other secure data processing environments, the authenticity of the public key is verified (“ACCEPT NEGOTIATION DATA”, AND).

[0076] As soon as the public keys of all other secure data processing environments have been successfully verified using the described “negotiation” AND, the state “NEGOTIATION PHASE” (Z2) changes to the next state “EXCHANGE KEY PHASE” (Z3) (“ALL SEEDS ACCEPTED”, ASA).

[0077] In this state Z3, each secure computing environment generates its own random or quasi-random proposal for the original secret, together with a particularly precise (double variable) random or quasi-random pseudo-clock, as a tuple and exchanges this tuple with all other secure computing environments of the seed ("ACCEPT KEY DATA", AKD). Subsequently, all tuples of the individual, unique proposals for the original secret and the pseudo-clocks are sorted according to the values ​​of the pseudo-clocks. If a conflict arises because two or more pseudo-clocks have the same value, the process is reset ("RESET", RST). If a unique order of the tuples ("generation history" or "generation pseudo-history", since the "clocks" are pseudo-clocks) is established, the process continues.

[0078] As soon as all tuples with the individual proposals for the original secret and the pseudo-time for the secure data processing environments have been collected and checked for their authenticity (“ALL SEEDS ACCEPTED”, ASA), the system switches from state Z3 to the next state “VERIFICATION PHASE” (Z4).

[0079] In this state Z4, each secure data processing environment encrypts the sorted list of tuples generated and sorted in state Z3 using the key specific to each secure data processing environment and sends it to all other secure data processing environments. Subsequently, an identifier of the self-generated list, generated by a one-way function (hash), is compared with the identifiers of the lists of the other secure data processing environments, also generated by a one-way function (accept verification report). Should a conflict arise, i.e., one or more lists or the unique identifiers of the lists differ from one another, the procedure is reset (RST). Finally, the proposal for the shared original secret is selected from the list, which, for example, has the highest value for the pseudo-time.In this way, all participating secure data processing environments have the same shared primary secret and persist this shared primary secret encrypted with a key specific to the secure data processing environment, which is accessible only within that secure data processing environment. Should an error occur during persistence, for example, due to a typo, the process is reset (RST).

[0080] Once all secure computing environments confirm to each other that the shared original secret has been successfully persisted ("ALL SEEDS ACCEPTED", ASA), the system switches to the final state of the state diagram in Fig. 2, "ONLINE" (Z5). The secure computing environment remains in this state Z5 until the server implementing the secure computing environment is shut down.

[0081] The original secret, now available to all secure data processing environments, is the basis for deriving keys necessary to decrypt data that must be shared between different secure data processing environments. The derivation of keys for decrypting data from other secure data processing environments also depends on the identity of the other secure data processing environment, for example, a name, a signature of the other data processing environment's auditor, or other identifying features of the other secure data processing environment.

[0082] In any case, the derivation of keys for decrypting data from other secure data processing environments is unique and repeatably unique, since the same common original secret and digital words characterising the identity of other secure data processing environments, established by convention within the network, are always used.

[0083] The ability to securely read data from other secure data processing environments is essential to be able to run all programs in large software packages with confidential computing and to create redundant structures to improve the availability of the software services and data provided by the software.

[0084] In the described embodiment, the secure data processing environments interact autonomously with one another, without requiring a person operating the secure data processing environment network to make any inputs at a human-machine interface after the initial configuration process. This results in a significant reduction in the complexity and costs of an inventive network of secure data processing environments. Furthermore, this results in a significant improvement in the confidentiality, integrity, and availability of the programs executed in the secure data processing environments, as well as the data processed with the programs.

[0085] In Fig. 3, an additional server Sn+1 is added to the network of secure data processing environments shown in Fig. 1, which in turn contains a plurality of secure data processing environments DVUn+1,1 to DVUn+1,mn+1.

[0086] To expand the V-DVU network, the operator of the V-DVU network adds the configuration to one of the configuration servers KS1 to KSh, which replicate this configuration change to the other configuration servers according to standard practice. In the configuration data extension, the operator indicates that server Sn+1 is being added to an existing network of secure data processing environments and does not belong to the seed of secure data processing environments for forming a new network of secure data processing environments.

[0087] When started, the server Sn+1 obtains the configuration data from one of the configuration servers KS1 to KSh and also receives the addresses of the secure data processing environments DVU 1,1 to DVUn,mn that are already involved in the network of secure data processing environments.

[0088] The server Sn+1 starts in the "UNINITIALIZED" state ZI of the state diagram shown in Fig. 2. The configuration parameter, which states that the server Sn+1 is not an initial seed DVU according to the configuration parameters, but is being added to an existing network of secure data processing environments, triggers the server Sn+1 to switch to the "IMPORT PHASE" state (Z6) ("INIT IMPORT", IMP) in the exemplary embodiment of the method according to the invention.

[0089] In state Z6 "IMPORT PHASE," each of the secure data processing environments DVUn+1,1 to DVUn+l,mn of the server Sn+1 randomly or quasi-randomly generates an asymmetric communication key pair intended for secure communication between the secure data processing environments and the secure data processing environments of the servers S1 to Sn. The public key of this communication key pair is signed with the signature key characteristic of the secure data processing environments of the server Sn+1, and this signed communication key is sent as a tuple with the public communication key to another secure data processing environment of the servers S1 to Sn, and a response is requested with the signed public key of the other secure data processing environments.If the first-contacted other secure data processing environment does not respond as expected, another secure data processing environment is contacted, and so on, until the requested information is received. After receiving the signed public keys of the other secure data processing environments, the authenticity of the public key is verified. The server Sn+1 then requests the shared original secret from one of the secure data processing environments already belonging to the V-DVU network, along with the identifier for the "history of origin" of the V-DVU network generated by a one-way function (hash). Finally, the secure data processing environments of the server Sn+1 persist the original secret ("ACCEPT IMPORT DATA", AIM).

[0090] Once all secure computing environments of the server Sn+1 have confirmed that the shared original secret can be successfully read and decrypted from the persistent storage (“ALL SEEDS ACCEPTED”, ASA), the system switches to the final state of the state diagram in Fig. 2, “ONLINE” (Z5).

[0091] Extensions of the V-DVU network by additional servers Sn+1, Sn+2, etc., each with one or more secure data processing environments, can be carried out in an analogous manner not only with the increment of one server described in this exemplary embodiment, but also with arbitrarily large increments with a plurality and even a multiplicity of servers.

[0092] In the described embodiment, additional servers Sn+1, Sn+2, etc. can be added to the n servers of the seed configuration in the simple manner described above, and in this way, existing networks of secure data processing environments can be expanded with very low complexity to result in very large networks of secure data processing environments.

[0093] Large networks have a very low probability that all secure data processing environments within the network will collectively lose their functionality, resulting in the loss of the shared primary secret. Accordingly, large networks are robustly protected against the loss of the primary secret.

[0094] Even with the expansion of the network described in the exemplary embodiment by one or more servers Sn+1, Sn+2, etc., each with one or more secure data processing environments, the secure data processing environments interact autonomously with one another without requiring a person operating the network of secure data processing environments to make inputs at a human-machine interface after the configuration expansions. This results in a significant reduction in the complexity and costs of a network of secure data processing environments according to the invention. Furthermore, this results in a significant improvement in the confidentiality, integrity, and availability of the programs executed in the secure data processing environments, as well as the data processed with the programs.In a similar way, further automation can be carried out within the D-DVU network, for example, the generation of key sets for specific services, applications, databases, storage systems, and the like. The derivation of the additional keys occurs in a "trust hierarchy," i.e., a sequence of sub-processes that generate keys that each refer to previously generated keys. The generated keys are secured in encrypted form, with the shared master secret being used to generate the encryption key for this process, so that the backup (storage) is independent of individual secure data processing environments. This ensures that these keys are not lost if the secure data processing environment in which the keys were generated becomes unusable.

[0095] The automation of the formation of the V-DVU network of secure data processing environments can be designed to such an extent that, apart from the initial entries in one of the configuration servers KS1 to KSh, no further inputs are required by the V-DVU operator's personnel at the human-machine interfaces of the servers S1 to Sn+x, where x can assume very large natural numerical values. The operating conditions regarding integration into the network connection, participation in distributed storage systems, and the like for each individual server are automatically recorded (auto-discovery) and negotiated in interaction with the other servers in the V-DVU network. Majority voting and Byzantine fault tolerance principles can be applied here.

[0096] The described exemplary embodiment according to the invention is ultimately suitable for creating a software service for key derivation and management (Key Derivation and Management Service) that is designed independently of the specific implementation of the secure data processing environments DVUa,b by generating a common master secret and creating an instance that is independent of the secure data processing environments and the server in terms of software architecture. In many implementations according to the prior art, key generation depends on the respective individual hardware of the secure data processing environments, and the inventive independence from the secure data processing environments and the server is not provided. In Fig. 4, sub-figures a) and b) each depict a secure data processing environment DVU1 in the server SI and DVU2 in the server S2.Within DVU1, the application logic ALI is operated for users with their user clients NC1,1 to NC1,p. Within DVU2, the application logic AL2 is operated for users with their user clients NC2,1 to NC2,q.

[0097] The secure data processing environment DVU 1 has a privileged access (PZ) that can be used by the administrator of the application logic (ALI) via the administrator client AC1 to perform administrative tasks. In practice, such privileged access (PZ) provides administrators with largely unrestricted access to the resources of the secure data processing environment. Its rights have historically evolved to encompass far more functions than are necessary for administering the secure data processing application environment. In practice, privileged access (PZ) is a protocol that makes a command line on the computer or virtual machine remotely accessible (Secure Shell, SSH).Nevertheless, the use of such a secure data processing application environment with privileged access makes sense, as the administrators of the servers implementing the secure data processing application environment are excluded from accessing the programs running and the data being processed. Furthermore, the operating system of server S1 may contain faulty entry points for attackers, without this providing potential attackers with access to the programs running in the secure data processing application environment DVU3 and the data being processed with them.

[0098] The secure data processing environment DVU2 does not have such privileged access PZ, which is why the outer shell of the secure data processing environment DVU2 is indicated as an oval rather than a rectangle.

[0099] The partial figures c) and d) of Fig. 4 show inventive networks of secure data processing environment V-DVU, which are formed from the secure data processing environments DVU3 and DVU4.

[0100] As indicated in sub-figures c) of Fig. 4, the secure data processing environment DVU4, which does not have privileged access, exclusively controls the administration of the secure data processing environment DVU3, which has privileged access, with the administration logic AZL1, in that the AZL1 only allows a positively defined list of administration commands for the administration of the secure data processing environment DVU3 to be executed.

[0101] Alternatively, as indicated in sub-figures d) of Fig. 4, both the secure data processing environment DVU3 and DVU4 can be operated within a common server S4.

[0102] Fig. 5 shows two sub-figures (a) and (b), each illustrating a network of secure data processing environments (V-DVU). In sub-figure a), a secure data processing environment (DVU5) and DVU6, respectively, are implemented in the servers S5 and S6, each of which has privileged access (PZ) through which the administrator of the two application logics (AL5 and AL6) controls the application logics (AL5 and AL6) using their client (AC56). As in Fig. 4, the user clients NC5,1 to NC5,p, which interact with the application logic (AL5), as well as the user clients NC6,1 to NC6,q, which interact with the application logic (AL5), are shown.

[0103] Part b) of Fig. 5 shows, on the one hand, an embodiment of an inventive network in which the privileged access of the secure data processing environment DVU7 in server 7 has been closed with the application logic AL7. In practice, privileged access is closed by blocking the ports for privileged access (close SSH ports) in the configuration of the secure data processing environment DVU7. Such configuration changes can be part of the previously explained "attestation" process, so that the other secure data processing environments in the V-DVU network can verify the existence of a correctly implemented configuration with cryptographic strength.

[0104] Sub-figure b) of Fig. 5 also shows an administration access logic AZL1 that exclusively permits the execution of a positively defined list of administration commands, thus enabling the administration of the application logic AL7. The integrity of the administration access logic AZL1 can also be part of the previously explained "measurement" of the attestation process, so that the other secure data processing environments of the V-DVU network can verify the existence of a correctly implemented administration access logic AZL1 with cryptographic strength. The users of the application logic AL7 can rely on highly confidential data processing and highly confidential access to the application logic AL7 via the user clients NC7,1 to NC7,r.

[0105] The server S8 in sub-figure b) of Fig. 5 also shows the administration access logic AZL2, which is executed by a secure data processing environment DVU9 without privileged access, which is implemented embedded in the secure data processing environment DVU8 (nesting of TEEs). This embodiment, in turn, conveys the particularly high level of security that only the controlling administration commands transmitted by the administration client AC78, and subsequently the users of the application logic AL8, can rely on a particularly high level of confidentiality regarding data processing and access to the application logic AL8 via the user clients NC8,1 to NC8,s.

[0106] The different embodiments illustrate different possibilities for forming networks of secure data processing environments, which, depending on their configuration, are suitable for different distributions of administrative responsibilities. For example, a first administrator can be responsible for a secure data processing environment implemented as a secure virtual machine, and a second administrator can be responsible for a specific process within the same secure data processing environment.In this example, an embedded secure computing environment designed analogously to the secure computing environment DVU9 can ensure that the second administrator does not have access to the other parts of the secure computing environment designed as a virtual machine for which the first administrator is responsible, and conversely, the first administrator also does not have access to the specific process for which the second administrator is responsible.

Claims

Claims 1. A method for forming a network of at least two secure data processing environments (Network of Trusted Execution Environments), wherein the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that the secure data processing environments autonomously determine among themselves which of the secure data processing environments generates a primary secret, which is then transmitted to the participating secure data processing environments and to the additional secure data processing environments that are added in extensions.

2. Method according to claim 1, characterized in that secure data processing environments that are added when a network is expanded automatically receive the identity of the data processing environments participating in the network and the creation history of the network.

3. Method according to claims 1 or 2, characterized in that secrets necessary for the operation of the network of data processing environments and / or software instances of the network are uniquely and repeatably derived from the original secret.

4. A method for forming a network of secure data processing environments (Network of Trusted Execution Environments), characterized in that the generation of the original secret does not require the involvement of human persons to enter partial secrets at a human-machine interface, nor does it require the entry of identities of one of the participating secure data processing environments.

5. Method according to claim 4, characterized in that not only the process parts for generating the original secret, but also other parts of the process for forming a network of secure data processing environments are automated.

6. Method for forming a network of secure data processing environments (Network of Trusted Execution Environments), whereby the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that the process parts used to generate the original secret and further secrets are designed independently of the execution of the secure data processing environments used.

7. A method for forming a network of secure data processing environments (Network of Trusted Execution Environments), wherein the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that a first secure data processing environment, which according to its execution has privileged, unrestricted access, and a second secure data processing environment, which according to its execution has no privileged access, form a network of secure data processing environments in such a way that the second secure data processing environment, which according to its execution has no privileged access, exclusively controls the privileged access of the first secure data processing environment.

8. The method according to claim 7, characterized in that several secure data processing environments which, according to their design, do not have privileged access, exclusively control the privileged access(s) of one or more secure data processing environments which, according to their design, have privileged access.

9. Method for forming a network of secure data processing environments (Network of Trusted Execution Environments), whereby the secure data processing environments of a defined, initial set of secure data processing environments can mutually attest to their status as a secure data processing environment, characterized in that the secure data processing environments do not have a privileged access channel, but a plurality of positively defined commands to carry out administrative tasks relating to the secure data processing environment and the programs executed therein.

10. The method according to claim 9, characterized in that one or more secure data processing environments, which according to their design do not have privileged access, are operated in a nested manner within a secure data processing environment, which according to its design does not have privileged, unrestricted access but has an interface via which a plurality of positively defined commands for executing administration activities can be triggered, which exclusively control the positively defined commands for executing administration activities.

11. A network of trusted execution environments, the network being adapted to execute a method according to any one of claims 1 to 3.

12. A network of trusted execution environments, the network being adapted to execute a method according to one of claims 4 and 5.

13. A network of trusted execution environments, the network being adapted to execute a method according to claim 6.

14. A network of trusted execution environments, the network being adapted to execute a method according to one of claims 7 and 8.

15. A network of trusted execution environments, the network being adapted to execute a method according to one of claims 9 and 10.