40 results about "Cryptographic hardware" patented technology

A side channel attack utilizes information gained from the physical implementation of a cryptosystem. Software and hardware-based systems and methods for preventing side channel attacks are presented. Cryptographic hardware may introduce dummy operations to compensate for conditional math operations in certain functions such as modular exponentiation. Cryptographic hardware may also introduce random stalls of the data path to introduce alterations in the power profile for the operation. A cryptographic function may be mapped to a micro code sequence having a plurality of instructions. Firmware in the cryptosystem may alter the micro code sequence by altering the order of instructions, add dummy operations in the micro code sequence, break the micro code sequence into multiple sub micro code sequences and/or change the register location for source and destination operands used in the sequence. These alterations are designed to randomly change the timing and power profile of the requested function.

System for providing a secure file service includes an MLS file service module (300) comprised of a cryptographic processor (302). The MLS file service module also includes an MLS file system (301) hosted by the cryptographic processor. A secure user processor (402) includes programming and communications hardware for requesting at least one classified file from the MLS file service module. The cryptographic processor includes cryptographic hardware and software to decrypt the classified file. The cryptographic processor is also performs an integrity check on the classified file. Once the file is decrypted and its integrity checked by the cryptographic processor, the MLS file service module serves the classified file to the secure user processor in decrypted form. If the classified file is an executable file, the method also includes selectively enabling a write function for program memory of the secure user processor. This write function is disabled immediately after the classified executable file has been loaded into the program memory to guard against self modifying programs.

The present invention relates to a system and method for secure verification of electronic transactions, and in particular secure processing of personal identification numbers when third party processors are involved. In an embodiment, a variable length PIN associated with a credit card or debit card is encrypted, then hashed using a one-way hash algorithm before it is passed along to and stored by a third party processor. The encrypted-hashed PIN always remains in an encrypted form while in the hands of the third party processor. At the third party processor, secure cryptographic hardware is used to store the one-way hash algorithm. Encrypted PIN values received for verification are converted and hashed using the one-way hash algorithm, and the resulting hashed-encrypted value is compared against the hashed-encrypted PIN values previously stored at the third party processor. As the PIN has a variable length, and the third party processor has no access to the hash algorithm, the encrypted PIN values are highly resistant to reverse engineering or decryption.

Systems and methods for dual mode hardware acceleration for cryptographic operations are provided. According to one embodiment, data upon which a cryptographic operation is to be performed is receive by a computer system that includes a host CPU and a cryptographic hardware accelerator. The data is divided into multiple blocks. Performance of the operation on a first block is offloaded to the hardware accelerator. For each remaining block: (i) the CPU requests state information of the hardware accelerator; (ii) when the state satisfies a condition, then performance of the operation is offloaded to the hardware accelerator; (iii) otherwise, the operation is performed by the CPU by invoking a native hardware supported cryptographic instruction. In this manner, the cryptographic operation is performed on at least one of the blocks by the hardware accelerator and the operation is performed on at least another of the blocks by the CPU.

A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.

The invention discloses a software authorization verification method. The method comprises the following steps of before software is started each time, processing hardware information of equipment inwhich the software is positioned to obtain a verification code, and comparing the verification code with an authorization code stored in an authorization file to obtain a verification authorization code comparison result; comparing the software authorization time information stored in the authorization file with corresponding time information recorded in a system of the equipment to obtain a timeinformation comparison result; and when the verification authorization code comparison result and the time information comparison result both meet the authorization condition, allowing the software torun in the equipment. According to the method, the authorization verification of the software is realized without depending on external pluggable encryption hardware equipment, a far-end authorization server, the Internet and a satellite positioning time service system, the content of the authorization file can be effectively prevented from being modified by a user, and the service life of the software is effectively controlled.

The invention discloses a signature method and device for generating an SM2 algorithm through mutual coordination, and a storage medium, and solves the problem that a user private key is easily stolenin the prior art under the condition of no cryptographic hardware. The signature method implemented by a first participant includes the steps: receiving intermediate information determined by a second participant according to a signature output party identifier; determining a participant of the complete signature of the to-be-signed message based on the signature output party identifier; generating a second partial signature of the to-be-signed message by using a first sub-private key and the intermediate information if the first participant outputs the complete signature, and outputting thecomplete signature consisting of the first partial signature and the second partial signature carried in the intermediate information; generating a first intermediate signature through the first sub-private key and the intermediate information of the second participant outputs the complete signature, and sends the first intermediate signature to the second participant, so that the second participant can generate a second partial signature of the to-be-signed message by using a second sub-private key and the first intermediate signature, so as to determine the complete signature.

A method and a device are disclosed for the low-cost implementation even of high-performance encryption functions in an encryptor. The encryptor may be composed merely of PC software or the like, or of any other terminal/information system with integrated Vernam cipher which does not need to be supported by expensive crypto-hardware for the actual encryption process. The crypto-hardware is made either of a chipcard or a multifunctional PC interface adapter (e.g., PCMCIA module) with built-in special crypto-hardware. The encryptor, on the other hand, is a conventional personal computer, software or another terminal which, however, with the exception of the very simple Vernam cipher (e.g., EXOR), needs no further crypto-technology even for broad-band applications in software. The external crypto-modules contain all the complex crypto-functions which generate the Vernam key in reserve, the reserves being temporarily stored in an intermediate storage until they are gradually used up by the encryption process through logic operations of the method. The storage may be installed either in the PC or terminal, or also in the crypto-module. The encryptor always operates with the same Vernam cipher, even if the external crypto- or PCMCIA modules use different symmetrical and asymmetrical ciphers. External crypto-modules in the form of chipcards or PCMCIA modules are inexpensive to manufacture. All the complex crypto-functions are located outside of the encryptor. They are interchangeable by module and can be implemented in the proposed low-cost and somewhat lower-speed external crypto-modules.

The invention discloses a request processing method of a web server, which is applied to a cloud host and includes following steps: generating an asymmetric encryption task according to a web request after receiving the web request; executing the asymmetric encryption task by utilizing encryption hardware transparently transmitted to the cloud host by the cloud platform to obtain an execution result; and finally, generating a web response according to an execution result, and feeding back. Therefore, according to the method, the encryption process is transferred to the hardware equipment from the web application program, the burden of the CPU can be reduced while the data transmission security is ensured, the execution speed of the asymmetric encryption algorithm is increased, and the web service efficiency is improved. In addition, the invention further provides a request processing device, equipment and system of the web server and a readable storage medium, and the technical effect of the request processing device, equipment and system corresponds to the technical effect of the method.

The embodiment of the invention provides an offline bill generation method and device, and the method comprises the steps that a terminal device comprises a trusted execution environment (TEE) and a security element based on encryption hardware, and the terminal device obtains basic transaction information corresponding to the transaction and identity identification information of the target account in the TEE under the condition that the terminal device detects that a target account generates a transaction in an offline scene; the basic transaction information and the identity identification information are sent to a secure element; in the secure element, the basic transaction information and the identity information are signed by using a stored first private key to obtain a first signature; and in the TEE, the basic transaction information, the identity identification information and the first signature are combined, an offline bill corresponding to the transaction is generated, and the offline bill is stored.

The invention discloses a software security and validity period verification method and system, and the method comprises the steps: obtaining hardware data of a host when software runs; encrypting the hardware data by adopting an encryption algorithm to obtain a first identification code and a first verification code corresponding to the first identification code; judging whether the first verification code is successfully matched with a pre-obtained target verification code or not; if yes, verification is passed, otherwise, dates D are traversed in a date set, the first identification code and the dates D are processed and then encrypted, a second verification code corresponding to each date D is obtained, D belongs to [D1, D2], D is a positive integer, D2 is larger than or equal to D1, D1 is the current date of the system, and D2 is the expiration date of the validity period of the software; judging whether a second verification code matched with the target verification code exists or not; if yes, determining that the verification is passed, and if not, determining that the verification fails. According to the method, additional encryption hardware is not needed, the cost is reduced, the period is short, and verification of software in environments such as medical scenes which cannot be connected with an external network is facilitated.

The invention discloses an equipment security management method based on encryption hardware, which comprises the following steps of: S1, detecting whether equipment unique identification DEVICE_ID information is stored in the encryption hardware or not, and detecting whether encryption hardware unique identification SDCARD_ID information is stored in a sec-id partition of the equipment or not; S2, if neither the DEVICE_ID information nor the SDCARD_ID information exists, binding the encryption hardware with equipment, and continuing to start the equipment after binding; and S3, if the DEVICE_ID information or the SDCARD_ID information does not exist, or both the DEVICE_ID information and the SDCARD_ID information exist but the information is not matched, indicating that the encryption hardware cannot be matched with the equipment, shunting down the equipment, and if the information is matched, continuing to start the equipment. According to the equipment security management method, the starting process of the equipment is reconstructed based on t e hardware encryption hardware, one-to-one binding of the encryption hardware and the equipment is realized, the system can be normally started under the condition that the encryption hardware held by the user is matched with the equipment, and the safety of the starting process of the equipment is effectively improved.

The invention discloses a portable high-speed stream encryption hardware device and method. The method comprises the following steps of storing an encrypted ciphertext file and data into a hidden partition of encryption hardware equipment; wherein the hidden partition is invisible at the host end, so that the security of files stored in the hidden partition is ensured, matching the special file system with an encryption module and a decryption module to realize the process of stream encryption and stream decryption, the encryption capability of the hardware cryptographic equipment to data is improved, and the security of file data is improved.