Secure interface for versatile key derivation function support
Abstract
Improper re-use of a static Diffie-Hellman (DH) private key may leak information about the key. The leakage is prevented by a key derivation function (KDF), but standards do not agree on key derivation functions. The module for performing a DH private key operation must somehow support multiple different KDF standards. The present invention provides an intermediate approach that neither attempts to implement all possible KDF operations nor provides unprotected access to the raw DH private key operation. Instead, the module performs parts of the KDF operation, as indicated by the application using the module. This saves the module from implementing the entire KDF for each KDF needed. Instead, the module implements only re-usable parts that are common to most KDFs. Furthermore, when new KDFs are required, the module may be able to support them if they are built on the parts that the module has implemented.
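The split described in the abstract, shown as an added example that is not part of the patent text: the first module exposes one reusable primitive, SHA-256 over the shared secret with an application-supplied prefix and suffix, and the application completes two differently laid out KDFs (the SP 800-56A concatenation layout and the ANSI X9.63 layout) without ever receiving the raw secret. The choice of primitive, the names KeyModule, hash_with_secret, concat_kdf and x963_kdf, and the toy group parameters are assumptions made for this example.

```python
import hashlib
import secrets

# Toy group constructed for this example; not a vetted DH group.
P = 2**255 - 19
G = 2


class KeyModule:
    """First module: holds the static DH private key, never returns raw Z."""

    def __init__(self):
        self._x = secrets.randbelow(P - 3) + 2   # private key in [2, P-2]
        self.public = pow(G, self._x, P)

    def hash_with_secret(self, peer_public, prefix, suffix):
        """Reusable KDF part (assumed): SHA-256(prefix || Z || suffix)."""
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        z = pow(peer_public, self._x, P).to_bytes(32, "big")
        return hashlib.sha256(prefix + z + suffix).digest()


def concat_kdf(module, peer_public, other_info, length):
    """Application side, SP 800-56A layout: H(counter || Z || OtherInfo)."""
    out, counter = b"", 1
    while len(out) < length:
        out += module.hash_with_secret(
            peer_public, counter.to_bytes(4, "big"), other_info)
        counter += 1
    return out[:length]


def x963_kdf(module, peer_public, shared_info, length):
    """Application side, ANSI X9.63 layout: H(Z || counter || SharedInfo)."""
    out, counter = b"", 1
    while len(out) < length:
        out += module.hash_with_secret(
            peer_public, b"", counter.to_bytes(4, "big") + shared_info)
        counter += 1
    return out[:length]


if __name__ == "__main__":
    module = KeyModule()
    peer_public = pow(G, secrets.randbelow(P - 3) + 2, P)  # constructed peer key
    print(concat_kdf(module, peer_public, b"session-1", 48).hex())
    print(x963_kdf(module, peer_public, b"session-1", 48).hex())
```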
18 Claims
1. A method of computing a cryptographic function involving a shared secret, said shared secret being accessible to a first module, the method comprising the steps of:
- performing on the first module, at least one operation of the cryptographic function utilizing said shared secret; and
- providing a result of said at least one operation to an application running on a second module to complete computation of said cryptographic function.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A cryptographic apparatus comprising:
- a first module having a shared secret and a processor to perform at least one cryptographic operation using said shared secret and produce a result therefrom;
- a second module running an application to compute a cryptographic function; and
- a data connection between said first and second modules to transfer said result from said first module to said second module to enable said second module to complete computation of said cryptographic function using said result.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
Specification