Generating, migrating or exporting bound keys
Abstract
In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using public key encryption, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with another aspect, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The data is decrypted using public key decryption and returned to the calling program only if the calling program is allowed to access the data.
15 Claims
1. One or more computer storage media having stored thereon a plurality of instructions to implement a GenBoundKey operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- generate, in response to a program calling the GenBoundKey operation, a data structure for a new bound key that is to be bound to the one or more processors, wherein the data structure includes:
  - data that allows a private key of a public/private key pair to be recovered from the data structure;
  - a key usage element that identifies a key operation that can be performed with the private key, the key operation being one of a decrypt operation that decrypts additional data using the private key, a sign operation that digitally signs additional data using the private key, and a quote operation that digitally signs both additional data and an identifier of a program invoking the quote operation; and
  - a condition element that specifies one or more conditions under which the private key can be used;
- cryptographically protect the data structure; and
- return the cryptographically protected data structure generated by the GenBoundKey operation to the calling program.

Dependent claims: 2
3. One or more computer storage media having stored thereon a plurality of instructions to implement a BoundKeyMigrate operation, wherein the plurality of instructions, when executed by one or more processors of a computing device, causes the one or more processors to:
- receive, as an input, a data structure including both a bound key and a usage condition that specifies under what conditions the bound key can be used, wherein the bound key is bound to a program calling the BoundKeyMigrate operation;
- verify that the usage condition can be changed by the program calling the BoundKeyMigrate operation, wherein to verify that the usage condition can be changed by the program calling the BoundKeyMigrate operation is to verify that the program calling the BoundKeyMigrate operation is permitted to migrate the bound key; and
- if the verification is successful, then change the usage condition and produce a new data structure including both the bound key and the changed usage condition.

Dependent claims: 4, 5, 6, 7, 8
9. One or more computer storage media having stored thereon a plurality of instructions to implement a BoundKeyExport operation, wherein the plurality of instructions, when executed by a processor of a computing device, causes the processor to:
- receive, as an input, a data structure including a bound key, wherein the bound key is bound to a secure service processor via a cryptographic operation based on a key of the secure service processor;
- verify that the bound key can be re-bound to a different secure service processor, wherein to verify that the bound key can be re-bound to a different secure service processor is to verify that a program calling the BoundKeyExport operation is permitted to export the bound key; and
- re-bind the bound key to the different secure service processor if the verification is successful, wherein the bound key is re-bound to the different secure service processor via a cryptographic operation based on a key of the different secure service processor.

Dependent claims: 10, 11, 12, 13, 14, 15
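A toy model of the GenBoundKey and BoundKeyMigrate flows in claims 1 and 3, added here as an illustration and not taken from the patent or any implementation of it. Assumptions: `DEVICE_KEY`, the `migration_authority` field, the JSON layout and all function names are hypothetical, and an HMAC-SHA256 keystream with an HMAC tag stands in for whatever protection a real secure processor would apply.

```python
import hashlib, hmac, json, os

DEVICE_KEY = hashlib.sha256(b"constructed per-processor secret").digest()  # assumption

def keystream(nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real authenticated cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(DEVICE_KEY, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(struct):
    pt = json.dumps(struct, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(nonce, len(pt))))
    tag = hmac.new(DEVICE_KEY, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(DEVICE_KEY, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("bound key blob failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(nonce, len(ct)))))

def gen_bound_key(caller, usage, migration_authority):
    if usage not in ("decrypt", "sign", "quote"):  # key usage element of claim 1
        raise ValueError("unknown key usage")
    return seal({"private_key": os.urandom(32).hex(),  # placeholder key material
                 "usage": usage,
                 "condition": {"program": caller},  # condition element
                 "migration_authority": migration_authority})  # hypothetical field

def bound_key_migrate(blob, caller, new_program):
    s = unseal(blob)  # rejects blobs modified outside the device
    if s["condition"]["program"] != caller:
        raise PermissionError("key is not bound to the calling program")
    if s["migration_authority"] != caller:
        raise PermissionError("caller is not permitted to migrate this key")
    s["condition"] = {"program": new_program}  # change the usage condition
    return seal(s)  # new data structure, same bound key

def digest(name):  # stand-in for a measured program identifier
    return hashlib.sha256(name).hexdigest()
```

The caller only ever holds the sealed blob, so the migration check cannot be bypassed by editing the condition element directly: any change to the blob fails the integrity check in `unseal`.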