Patent US6. 29. 25. Systems and methods using cryptography to protect secure computing environments. CROSS REFERENCE TO RELATED APPLICATIONThis application is a continuation of application Ser.
Basic Methods Of Cryptography By Jan C. Free UK delivery on eligible orders. Read the book Basic Methods Of Cryptography by Jan C. Van Der Lubbe online or. ISBNLib.com-Your Free Book.
Aug. 6,1. 57,7. 21, which is incorporated herein by reference. This application is related to commonly assigned copending application Ser. Ginter et al., filed Feb. We incorporate by reference, into this application, the entire disclosure of this prior- filed Ginter et al. Still more specifically, the present invention relates to computer security techniques based at least in part on cryptography, that protect a computer processing environment against potentially harmful computer executables, programs and/or data; and to techniques for certifying load modules such as executable computer programs or fragments thereof as being authorized for use by a protected or secure processing environment.
BACKGROUND AND SUMMARY OF THE INVENTION(S)Computers have become increasingly central to business, finance and other important aspects of our lives. It is now more important than ever to protect computers from . Unfortunately, since many of our most critical business, financial and governmental tasks now rely heavily on computers, dishonest people have a great incentive to use increasingly sophisticated and ingenious computer attacks.
Public-key cryptography. Standard Specifications for Public-Key Cryptography; Christof Paar, Jan Pelzl. Cryptography (ANDDF) - Free ebook download as Word Doc. One of the most basic methods of encryption is the use of Caesar Ciphers. Cryptography/Basic Code. Until modern times, cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (called plaintext) into.
Imagine, for example, if a dishonest customer of a major bank could reprogram the bank's computer so it adds to instead of subtracts from the customer's account. If successful, such attacks would not only allow dishonest people to steal, but could also undermine society's confidence in the integrity and reliability of the banking system. Terrorists can also try to attack us through our computers. We cannot afford to have harmful computer programs destroy the computers driving the greater San Francisco metropolitan air traffic controller network, the New York Stock Exchange, the life support systems of a major hospital, or the Northern Virginia metropolitan area fire and paramedic emergency dispatch service.
There are many different kinds of . One of the most notorious kinds is so- called . A computer virus is a computer program that instructs the computer to do harmful or spurious things instead of useful things. Since the computer does whatever its instructions tell it to do, it will carry out the bad intent of a malicious human programmer who wrote the computer virus program. Increased computer connectivity provides increased capabilities, but also creates a host of computer security problems that haven't been fully solved. For example, electronic networks are an obvious path for spreading computer viruses.
In October 1. 98. Internet (a network of computer networks connected to millions of computers worldwide) to infect thousands of university and business computers with a self- replicating . This computer virus outbreak (which resulted in a criminal prosecution) caused widespread panic throughout the electronic community.
Computer viruses are by no means the only computer security risk made even more significant by increased computer connectivity. For example, a significant percentage of the online electronic community has recently become committed to a new . Java was designed to allow computers to interactively and dynamically download computer program code fragments (called . For example, a user's computer could run a particularly computationally or data- intensive routine.
For example, Java applets could be written to damage hardware, software or information on the recipient computer, make the computer unstable by depleting its resources, and/or access confidential information on the computer and send it to someone else without first getting the computer owner's permission. People have expended lots of time and effort trying to solve Java's security problems. To alleviate some of these concerns, Sun Microsystems has developed a Java interpreter providing certain built- in security features such as: a Java verifier that will not let an applet execute until the verifier verifies the applet doesn't violate certain rules,a Java class loader that treats applets originating remotely differently from those originating locally,a Java security manager that controls access to resources such as files and network access, andpromised to come soon. Moreover, a philosophy underlying this overall security design is that a user will have no incentive to compromise the security of her own locally installed Java interpreter. The protected processing environment described in Ginter et al. It can execute computer code the Ginter et al.
For a load module to operate and interact as intended, it must execute without unauthorized modification and its contents may need to be protected from disclosure. Unlike many other computer security scenarios, there may be a significant incentive for an owner of a Ginter et al. For example: the owner may wish to . Only by anticipating how a burglar might try to break into a house can the installer successfully defend the house against burglary.
Similarly, computer security experts must try to anticipate the sorts of attacks that might be brought against a presumably secure computer system. From this . Because load modules have access to internal protected data structures within protected processing environments and also (at least to an extent) control the results brought about by those protected processing environments, bogus load modules can (putting aside for the moment additional possible local protections such as addressing and/or ring protection and also putting aside system level fraud and other security related checks) perform almost any action possible in the virtual distribution environment without being subject to intended electronic controls. Especially likely attacks may range from straightforward changes to protected data (for example, adding budget, billing for nothing instead of the desired amount, etc.) to wholesale compromise (for example, using a load module to expose a protected processing environment's cryptographic keys). For at least these reasons, the methods for validating the origin and soundness of a load module are critically important. The Ginter et al. Therefore, even a very secure system such as that disclosed in Ginter et al. In one particular preferred embodiment, these techniques build upon, enhance and/or extend in certain respects, the load module security techniques, arrangements and systems provided in the Ginter et al.
A verifying authority digitally . Tamper resistant barriers may be used to protect this programming or other conditioning. The assurance levels described below are a measure or assessment of the effectiveness with which this programming or other conditioning is protected. A web of trust may stand behind a verifying authority.
For example, a verifying authority may be an independent organization that can be trusted by all electronic value chain participants not to collaborate with any particular participant to the disadvantage of other participants. A given load module or other executable may be independently certified by any number of authorized verifying authority participants. If a load module or other executable is signed, for example, by five different verifying authority participants, a user will have (potentially) a higher likelihood of finding one that they trust.
General commercial users may insist on several different certifiers, and government users, large corporations, and international trading partners may each have their own unique . Such specifications could be represented by any combination of specifications, formal mathematical descriptions that can be verified in an automated or other well- defined manner, or any other forms of description that can be processed, verified, and/or tested in an automated or other well- defined manner. The load module or other executable is preferably constructed using a programming language (e. Java and Python) and/or design/implementation methodology (e. Gypsy, FDM) that can facilitate automated analysis, validation, verification, inspection, and/or testing. A verifying authority analyzes, validates, verifies, inspects, and/or tests the load module or other executable, and compares its results with the specifications associated with the load module or other executable.
A verifying authority may digitally sign or certify only those load modules or other executables having proper specifications. Such a specification could be reviewed by the load module's originator and/or any potential users of the load module.
A verifying authority may selectively be given the authority to generate an additional specification for the load module, for example by translating a formal mathematical specification to other kinds of specifications. This authority could be granted, for example, by a load module originator wishing to have a more accessible, but verified (certified), description of the load module for purposes of informing other potential users of the load module. Additionally, a verifying authority may selectively be empowered to modify the specifications to make it accurate. The specifications may in some instances be viewable by ultimate users or other value chain participants. A digital signature allows the execution environment to test both the authenticity and the integrity of the load module or other executables, as well permitting a user of such executables to determine their correctness with respect to their associated specifications or other description of their behavior, if such descriptions are included in the verification process. A hierarchy of assurance levels may be provided for different protected processing environment security levels. Load modules or other executables can be provided with digital signatures associated with particular assurance levels.
Appliances assigned to particular assurance levels can protect themselves from executing load modules or other executables associated with different assurance levels.