PROTECTING COMMUNICATIONS WITH HARDWARE ACCELERATORS FOR INCREASED WORKFLOW SECURITY
Abstract
To protect customer data and provide increased workflow security for processing requested by a customer, a secure communicational channel can be established between a customer and one or more hardware accelerators such that even processes executing on a host computing device hosting such hardware accelerators are excluded from the secure communicational channel. An encrypted bitstream is provided to hardware accelerators and the hardware accelerators obtain therefrom cryptographic information supporting the secure communicational channel with the customer. Such cryptographic information is stored and used exclusively from within the hardware accelerator, rendering it inaccessible to processes executing on a host computing device. The cryptographic information can be a shared secret, an appropriate one of a pair of cryptographic keys, or other like cryptographic information. Similarly, the encrypted bitstream can comprise the cryptographic information, computer-executable instructions executable by the processing circuitry of the hardware accelerator to derive such cryptographic information, or combinations thereof.
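The trust boundary the abstract describes can be modelled in a few lines. This is an added illustration, not code from the patent or its assignee: the class names, the per-device `device_key` used to decrypt the bitstream, and the HMAC-SHA256 encrypt-then-MAC construction (a standard-library stand-in for a real AEAD cipher) are all assumptions.

```python
import hashlib, hmac, os

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _stream(ek, nonce, n):
    return b"".join(_prf(ek, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def seal(key, pt):  # encrypt-then-MAC from HMAC-SHA256; stand-in for a real AEAD
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(_prf(key, b"enc"), nonce, len(pt))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(_prf(key, b"enc"), nonce, len(ct))))

class Accelerator:  # the object boundary models the hardware boundary
    def __init__(self, device_key):
        self.__dev, self.__rx, self.__tx = device_key, None, None  # device key: assumption
    def load_bitstream(self, encrypted_bitstream):
        keys = unseal(self.__dev, encrypted_bitstream)   # keys arrive only inside the bitstream
        self.__rx, self.__tx = keys[:32], keys[32:64]
    def handle(self, encrypted_request):
        request = unseal(self.__rx, encrypted_request)   # first key decrypts the request
        return seal(self.__tx, request.upper())          # second key encrypts the response

class Host:  # untrusted relay: forwards blobs and records everything it can observe
    def __init__(self, accel):
        self.accel, self.seen = accel, []
    def relay(self, blob):
        reply = self.accel.handle(blob)
        self.seen += [blob, reply]
        return reply

def demo():
    device_key, rx, tx = os.urandom(32), os.urandom(32), os.urandom(32)
    host = Host(Accelerator(device_key))
    host.accel.load_bitstream(seal(device_key, rx + tx))  # constructed customer bitstream
    req = seal(rx, b"sum rows 1-9")                        # constructed customer request
    reply = host.relay(req)
    leaked = any(rx in b or tx in b or b"sum rows" in b for b in host.seen)
    try:
        host.relay(req[:20] + bytes([req[20] ^ 1]) + req[21:])  # host flips one bit
        rejected = False
    except ValueError:
        rejected = True
    return unseal(tx, reply), leaked, rejected
```

`demo()` returns the decrypted response, whether the host ever observed key material or plaintext, and whether a request modified in transit by the host was rejected.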
20 Claims
1. A computing device comprising:
- a general-purpose central processing unit;
- a hardware accelerator to perform a subset of computing operations of the general-purpose central processing unit, wherein the hardware accelerator processes one or more of the subset of computing operations at a processing speed greater than the general-purpose central processing unit;
- a network interface to receive a first encrypted communication and to transmit a second encrypted communication; and
- one or more computer-readable storage medium comprising computer-executable instructions, which, when executed by the hardware accelerator, cause the hardware accelerator to:
  - decrypt the first encrypted communication into a first communication using a first cryptographic key that is stored within the hardware accelerator and which, among processes executing on the computing device and components of the computing device, is only accessible to the hardware accelerator;
  - perform, in accordance with the first communication, at least some of the subset of computing operations that the hardware accelerator is configured to perform;
  - generate a second communication responsive to the first communication; and
  - encrypt the second communication to generate the second encrypted communication using a second cryptographic key that is also stored within the hardware accelerator and which, among processes executing on the computing device and components of the computing device, is also only accessible to the hardware accelerator.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A system comprising:
- a computing device comprising a general-purpose central processing unit;
- a first hardware accelerator to perform a subset of computing operations of the general-purpose central processing unit, wherein the first hardware accelerator processes one or more of the subset of computing operations at a processing speed greater than the general-purpose central processing unit;
- a second hardware accelerator of a same type as the first hardware accelerator;
- a first set of computer-readable storage media comprising computer-executable instructions, which, when executed by the first hardware accelerator, cause the first hardware accelerator to:
  - maintain a first secure communication channel with a customer based on a first cryptographic information;
  - obtain a second cryptographic information associated with the second hardware accelerator;
  - generate a first encrypted communication by encrypting the first cryptographic information utilizing the second cryptographic information; and
  - transmit the first encrypted communication to the second hardware accelerator; and
- a second set of computer-readable storage media comprising computer-executable instructions, which, when executed by the second hardware accelerator, cause the second hardware accelerator to:
  - obtain the first cryptographic information by decrypting the first encrypted communication; and
  - establish a second secure communication channel with the same customer based on the first cryptographic information.

Dependent claims: 12, 13, 14, 15, 16, 17, 18

19. A method of increasing workflow security in a data center, the method comprising:
- receiving, at a computing device of the data center, an encrypted communication from a customer of the data center;
- providing, to a hardware accelerator hosted by the computing device, the encrypted communication, the hardware accelerator comprising an FPGA device;
- decrypting, on the hardware accelerator, the encrypted communication using cryptographic information that is stored within the hardware accelerator and is only accessible to the hardware accelerator, the cryptographic information having been provided by the customer;
- retrieving, by the computing device, on behalf of the hardware accelerator, encrypted data stored on a storage device that is communicationally coupled to the computing device, the retrieving being responsive to the decrypting;
- providing, to the hardware accelerator, the encrypted data; and
- decrypting, on the hardware accelerator, the encrypted data using the cryptographic information;
- wherein the workflow comprises communications to and from the customer and data comprising the encrypted data.

Dependent claims: 20

Specification