(19)
(11)EP 3 113 406 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
29.04.2020 Bulletin 2020/18

(21)Application number: 14884251.1

(22)Date of filing:  27.08.2014
(51)International Patent Classification (IPC): 
H04L 9/32(2006.01)
H04L 9/08(2006.01)
G06F 9/46(2006.01)
H04L 9/30(2006.01)
H04L 9/00(2006.01)
G06F 12/0806(2016.01)
H04L 9/14(2006.01)
(86)International application number:
PCT/CN2014/085236
(87)International publication number:
WO 2015/127772 (03.09.2015 Gazette  2015/35)

(54)

KEY PROTECTING METHOD AND APPARATUS

SCHLÜSSELSCHUTZVERFAHREN UND -VORRICHTUNG

PROCÉDÉ ET APPAREIL DE PROTECTION DE CLÉ


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 27.02.2014 CN 201410068010

(43)Date of publication of application:
04.01.2017 Bulletin 2017/01

(73)Proprietor: Data Assurance and Communication Security Research Center, Chinese Academy of Sciences
Haidian District Beijing 100093 (CN)

(72)Inventors:
  • LIN, Jingqiang
    Beijing 100093 (CN)
  • GUAN, Le
    Beijing 100093 (CN)
  • WANG, Qiongxiao
    Beijing 100093 (CN)
  • WANG, Jing
    Beijing 100093 (CN)
  • JING, Jiwu
    Beijing 100093 (CN)

(74)Representative: Gunzelmann, Rainer 
Wuesthoff & Wuesthoff Patentanwälte PartG mbB Schweigerstraße 2
81541 München
81541 München (DE)


(56)References cited: : 
WO-A1-2014/004222
CN-A- 102 355 350
US-A1- 2014 040 554
CN-A- 1 822 217
CN-A- 103 607 279
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    FIELD



    [0001] The present disclosure relates to a computer security field, and more particularly to a key protecting method and apparatus.

    BACKGROUND



    [0002] In a computer system, private data are protected with cryptography. In a public-key cryptographic algorithm, keys are generated in pairs. Each pair of keys consist of a private key and a public key. The private key is kept only by the owner. The premise for protecting private data with a public-key cryptographic algorithm is ensuring confidentiality of the private key.

    [0003] Normally, in the computer system, the private key is stored and operated in a memory. However, system intrusions and physical attacks severely threaten the security of the computer system. The system intrusions utilize a software bug of the system and directly obtain the private key via memory access instructions. The physical attacks, such as a cold boot attack, may obtain an image of the whole Random-Access Memory (RAM) chip while there is a physical access with a target computer. In order to prevent the cold boot attack, a general practice is storing the key with resources in the CPU, rather than resources in the RAM. These schemes may be classified into two categories. One kind of scheme is utilizing a register. Since the capacity of the register is limited, this scheme may only support a symmetric cryptographic algorithm and a simple asymmetric cryptographic algorithm, in which length of the key is limited. The other kind of scheme is applicable to a multi-core processor and stores the key and intermediate variables in an on-chip cache of the CPU. This kind of scheme utilizes a write back mode of the cache to clear up contents, which are newly written into the memory, before the contents are synchronized to the RAM chip and only computation results are reserved. Meanwhile, in order to eliminate influence of cache sharing, when the cryptographic computation is performed, all cores, which share the cache with the cryptographic computation core, need to be configured as a no-fill mode. In the no-fill mode, a memory access operation, which is a read miss or a write miss, does not incur replacement of the cache. It can be seen that in a situation that an L3 cache is shared by all cores of the multi-core processor, this kind of scheme supports only one core in performing the cryptographic operation at the same time. Further, when one core performs the cryptographic operation, other cores are configured as the no-fill mode, so that the processor is inefficient. Besides, as for this kind of configuration, if the Operating System (OS) has a bug, malicious processes still may directly read the keys stored in the memory via the bug, resulting in invalidity of the protection mechanism.

    D1 (CN103607279A) discloses a multi-core processor based key protection method and system.

    D2 (WO2014004222) discloses novel instructions, logic, methods and apparatus to test transactional execution status.

    D3 (US2014/040554) discloses an improved system and method for protecting large regions within a hardware transactional memory without operating system support.


    SUMMARY



    [0004] As for the above problems in the prior art, embodiments of the present disclosure provide a key protection method and device to resist system intrusions and physical attacks on the memory to ensure security of the implementation of public-key cryptographic algorithm in the computer system and enhance efficiency of the processor.

    [0005] In order to achieve the above objectives, an embodiment of the present disclosure provides a key protection method, including:

    step A, setting a symmetric master key in each core of a multi-core processor;

    step B, taking any core of the multi-core processor configured to contain the symmetric master key as an operation core, performing a decryption operation to obtain a plaintext private key using the symmetric master key, performing a public-key cryptographic operation using the plaintext private key; the plaintext private key and intermediate variables used in the public-key cryptographic operation being stored in a cache occupied by the operation core; and

    step C, clearing up the plaintext private key and the intermediate variable used in the public-key cryptographic operation in the cache occupied by the operation core;



    [0006] in a process of executing the step B and step C, when another core and the operation core of the multi-core processor try to access a same memory address and at least one write operation is executed, or when the cache is replaced due to insufficiency of space of the cache, all operations executed by the operation core are aborted and the step B and step C are re-executed.

    [0007] The method further includes:

    recording all memory accesses dynamically in the process for executing the step B and step C when the step B and step C are executed;

    determining whether another core and the operation core of the multi-core processor simultaneously access the same memory address and at least one write operation is executed according to all the recorded memory accesses; or

    determining whether the space of the cache is sufficient according to all the recorded memory accesses.



    [0008] The method further includes:
    specifying codes corresponding to the step B and step C as a transactional region via a transactional memory mechanism, so that the multi-core processor dynamically records all the memory accesses in the process for executing the step B and step C, aborts all the operations executed by the operation core and re-executes the step B and step C when another core and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or when the cache is replaced due to insufficiency of the space of the cache occupied by the operation core.

    [0009] The method further includes:
    specifying codes corresponding to the step B and step C as a transactional region via Intel Transactional Synchronization Extensions (TSX), so that the multi-core processor dynamically records all the memory access in the process for executing the step B and step C, aborts all the operations executed by the operation core and re-executes the step B and step C when another core and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or when the cache is replaced due to insufficiency of the space of the cache occupied by the operation core.

    [0010] The method further includes:
    aborting all the operations executed by the operation core and re-executing the step B and step C via a Restricted Transactional Memory (RTM) mechanism of the Intel TSX when another core and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or when the cache is replaced due to insufficiency of the space of the cache occupied by the operation core.

    [0011] The method further includes:
    entering the transactional region via begin instructions (such as xbegin instruction) in a Restricted Transactional Memory (RTM) mechanism and specifying beginning of the step B as a feedback address when another core and the operation core of the multi-core processor try to access the same access memory address and at least one write operation is executed or specifying the beginning of the step B as the fallback address when the cache is replaced due to insufficiency of the cache occupied by the operation core, and existing the transactional region via end instructions (such as xend instruction) when execution of the step C is finished.

    [0012] The method for setting the symmetric master key in each core of the multi-core processor in the step A includes:

    popping up, by an Operating System (OS), a prompt interface and receiving a password input by a user in the prompt interface;

    converting, by the OS, the password into the symmetric master key adopting a key generation algorithm; and

    copying the symmetric master key to specified registers in each core of the multi-core processor for storage.



    [0013] Further, the specified registers of the multi-core processor for storing the symmetric master key include a debug register and Performance Monitor Counter (PMC) register.

    [0014] The public-key cryptographic operation includes: a plaintext private key obtaining operation and a private-key computation operation.

    [0015] The plaintext private key obtaining operation includes: reading, by the operation core, a private key encrypted with the symmetric master key from a hard disk, and copying the private key to a memory, decrypting, by the operation core, the private key encrypted by the symmetric master key in the specified register in the multi-core processor to obtain the plaintext private key and storing the plaintext private key in the cache occupied by the operation core;
    the private-key computation operation comprises: a digital signature and/or decryption step, wherein the digital signature and/or decryption operation is executed with the plaintext private key, the method further includes: storing the intermediate variables private-key computation and a computation result generated in the private-key computation operation in the cache occupied by the operation core.

    [0016] The plaintext private key obtaining operation decrypts the private key encrypted with the symmetric master key using a Streaming Single Instruction Multiple Data (SIMD) Extension (SSE) register via calling Advanced Encryption Standard-New Instruction (AES-NI) instructions and copies the plaintext private key to the cache.

    [0017] The step C further includes: clearing up data in the SSE register and a general-purpose register.

    [0018] Before the step B, the method further includes: prohibiting OS process scheduling and disabling local interrupts.

    [0019] After the step C, the method further includes: restoring the OS process scheduling and enabling the local interrupt.

    [0020] Further, the OS process scheduling is prohibited and the local interrupts are disabled via clearing up an Interrupt Flag (IF) bit of the EFLAGS register of the multi-core processor and the OS process scheduling and local interrupt is enabled via setting the IF bit of the EFLAGS register of the multi-core processor.

    [0021] Before the step B is executed, the method further includes: reserving a memory region accessed by the step B and step C for each core of the multi-core processor.

    [0022] Embodiments of the present disclosure further provide a key protection device for implementing the above methods.

    [0023] The key protection method provided by embodiments of the present disclosure may resist physical attacks and system intrusions. Via setting that each core of the multi-core processor may have one symmetric master key, dynamically obtaining the plaintext private key of the asymmetric algorithm via a decryption operation and using the Intel TSX, it may be ensured that the private key and the intermediate variables used in the computation process may be stored in the cache occupied by the operation core only in terms of the hardware level, which may prevent the attackers from stealing the private key from the physical memory and ensure the security of the implementation of public-key cryptographic algorithm in the computer system. Further, even the OS is compromised and the attacker may directly read the memory space storing the key, since the Intel TSX mechanism may ensure the atomicity of the submission of the memory, the attacker cannot obtain the plaintext private key. Further, in this scheme, the other cores of the multi-core processor may perform the cryptographic operation, which may enhance the operation efficiency.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0024] 

    Figure 1 is a flow chart illustrating a key protection method in accordance with an example of the present disclosure;

    Figure 2 is a flow chart illustrating another key protection method in accordance with an example of the present disclosure;

    Figure 3 is a flow chart illustrating a method for setting a transactional region and actions when memory access conflict occurs in accordance with an example of the present disclosure;

    Figure 4 is a flow chart illustrating setting a symmetric master key in each core and a public-key cryptographic operation in accordance with an example of the present disclosure;

    Figure 5 is a flow chart illustrating a plaintext private key obtaining operation in accordance with an example of the present disclosure;

    Figure 6 is a flow chart illustrating a private-key computation operation in accordance with an example of the present disclosure;

    Figure 7 is a flow chart illustrating clearing up the plaintext private key and intermediate variables in a cache in accordance with an example of the present disclosure;

    Figure 8 is a schematic diagram illustrating a key protection device in accordance with an example of the present disclosure;

    Figure 9 is a schematic diagram illustrating a setting module in the key protection device in accordance with an example of the present disclosure; and

    Figure 10 is a schematic diagram illustrating another key protection device in accordance with another example of the present disclosure.


    DETAILED DESCRIPTION



    [0025] The present disclosure is further described in detail hereinafter with reference to the accompanying drawings to make the objective, technical solution and merits thereof more apparent.

    [0026] The present disclosure may be implemented based on following considerations:
    There may be various system level attacks on the memory. At present, the OS may provide some protection measures on sensitive memory space. However, if an attacker bypasses these protection measures with some bugs, the attacker may directly access the sensitive memory space and sensitive data may leak out. The present disclosure may dynamically monitor the sensitive data region via a hardware mechanism so that any direct access to the sensitive data region may be able to obtain a non-sensitive cipher text version only before sensitive data are written into the sensitive data region, which may greatly enhance the difficulty of the attacks on the memory system.

    [0027] The cold boot attack, as a physical attack, may attack a physical memory module. Since the on-chip cache is generally integrated into the Central Processing Unit (CPU), a key protection process for storing the plaintext private key and intermediate variables in the CPU on-chip cache proposed in the prior art is very effective. In the structure of the computer memory hierarchy, the cache is a small-capacity storage at a high speed between the CPU and a main memory. The physical cores of the CPU and caches which are occupied by the physical cores of the CPU may constitute a relatively independent environment. The storage capacity of the cache is much larger than that of the register of the CPU, may be enough to store the keys of the public-key cryptographic algorithm and to provide various algorithms of security enhancement and arithmetic acceleration. Existing literatures may implement a 4096-bit Rivest-Shamir-Adleman (RSA) operation supporting a Chinese Remainder Theorem (CRT) with this method.

    [0028] However, in order to implement the above process, additional software protection mechanisms may need to be set up. If there is a bug in the OS, a malicious process may lead to invalidation of the software protection mechanism through the bug. The number of cores, which may simultaneously perform the cryptographic operation, may be influenced by the hierarchical structure of the cache. For instance, the existing CPU architecture may have a shared cache (such as L3 cache register), and this scheme may support only one core performing the cryptographic operation at the same time. Further, due to the additional software protection mechanisms, such as configuring other cores into the no-fill mode with software, which may affect the processing speed of the CPU since the other cores cannot simultaneously perform other cryptographic operation in the multi-core processor system. Another objective of the present disclosure may be preventing the cold boot attack via storing the plaintext private key and intermediate variables in the CPU on-chip cache and preventing slowdown of the processing speed of the CPU.

    [0029] In order to improve the efficiency of the CPU, parallel tasks should be adopted. If the parallel tasks are adopted, thread synchronization must be ensured. Transactional memory is a technology put forwarded in the prior art for solving the problem of thread synchronization. Transactional memory may allow one thread to independently finish modification of the shared memory and may neglect that there may be other threads. However, the thread may record each read and write operation on shared memory in a log. If there may be concurrent operations on the shared memory, the thread may abort all the previous operations and fall back to the beginning state of the transaction.

    [0030] One representative technology of transactional memory technology may be Intel Transactional Synchronization Extensions (TSX), which may be first shipped in Intel's fourth-generation Core CPUs (i.e., Haswell architecture) to implement hardware transactional memory. The programing interface of Intel TSX may be used to enhance utilization of existing CPU multi-core in multi-threading applications.

    [0031] In the conventional multi-threading programming, generally, potential data sharing may be implemented via a locking mechanism. The result is that these operations may be serialized whether the two threads simultaneously operate a same data variable or not. Fine-grain locks may have less impact on the performance. However, it may be prone to error and difficult to program. Coarse-grain locks may be easy to be implemented. However, the coarse-grain locks cannot fully utilize advantages of multi-threading, resulting in low efficiency.

    [0032] The core of the Intel TSX technology is transactional memory. The procedure may take a code segment as a transactional region and all memory accesses made by the code segment may be recorded. If there is memory access conflict, abort may occur to abort all previous operations and the state of the CPU may be restored to that before entering the transactional region. Then, as for Restricted Transactional Memory (RTM), aborted operations may directly jump to a specified code area. Alternatively, as for Hardware Lock Elision (HLE), the above operations may be re-executed after locking. If there is no memory access conflict, all updates on the memory and registers may be atomically submitted. Therefore, before the update is finished, other cores may read old data only while accessing this segment of the memory. The access conflict may refer to that an external thread may read a memory address, which may have been written before in the transactional region or an external thread may write a memory address, which may have been read or written before in the transactional region. If there is memory access conflict, transaction abort may occur.

    [0033] The basis for implementing transactional memory may be the cache-coherence protocol of the CPU. All memory accesses in the transactional region may occur in the cache of the operation core. If another core accesses a memory address recorded in the transactional region or the cache of the operation core should synchronize data in the cache to the memory due to insufficiency of space, the above operations may be detected by the cache-coherence protocol and aborts may occur based on the policy.

    [0034] The present disclosure may ensure that the sensitive data stored in the cache, such as the plaintext private key may not be synchronized to the memory with the transactional region of the above Intel TSX technology. Since the TSX may ensure the atomicity of the memory submission, the malware attacks of the system level may be prevented.

    [0035] An example of the present disclosure may provide a key protection method, which may be executed by a multi-core processor, as shown in figure 1.

    [0036] At block A, a symmetric master key may be set in each core of a multi-core processor.

    [0037] At block B, any core of the multi-core processor may be taken as an operation core. The plaintext private key may be decrypted from the symmetric master key to execute a public-key cryptographic operation. Intermediate variables used in the public-key cryptographic operation and the plaintext private key may be stored in the cache occupied by the operation core.

    [0038] At block C, the plaintext private key and the intermediate variables used in the operation process in the cache occupied by the operation core may be cleared up.

    [0039] In the process of executing the block B and block C, when other cores of the multi-core processor and the operation core try to access a same memory address (i.e., the address of the cache occupied by the operation core) and at least one write operation needs to be executed or when the space of the cache is insufficient and the cache is replaced, all operations, which have been executed by the operation core, may be aborted and block B and block C may be re-executed.

    [0040] With the above scheme, storing the plaintext private key and intermediate variables in the cache may prevent physical attacks, such as the cold boot attacks. When multiple cores simultaneously access a same memory address, the operation core may execute an abort operation. That is, the operation core may abort all previous operations and re-execute all operations, which may have been executed. Therefore, the other cores need not to be configured as the no-fill mode, so that multiple cores may simultaneously execute the cryptographic operation to improve the efficiency of the multi-core processor and prevent the system attacks.

    [0041] For instance, when the block B and block C are executed, the multi-core processor may dynamically record all memory accesses in the execution process of the block B and block C. A determination as to whether other threads of the multi-core processor and the operation core simultaneously access a same memory address and at least one write operation is executed may be made according to all the memory accesses recorded. Alternatively, a determination as to whether the space of the cache is enough may be made according to the record of all the memory accesses.

    [0042] Specifically, an embodiment of the present disclosure provides a key protection method, which may effectively resist physical attacks and system intrusions, shown in figure 2 and figure 3. The method may include following blocks.

    [0043] At block A, each core of the multi-core processor may be configured to contain a symmetric master key (i.e., the symmetric master key may be set in each core of the multi-core processor).

    [0044] At block B, any core of the multi-core processor may be taken as an operation core. An decryption operation may be performed to obtain a plaintext private key using the symmetric master key. The public-key cryptographic operation may be performed using the plaintext private key. The plaintext private key and intermediate variables used in the operation process may be stored in the cache occupied by the operation core.

    [0045] At block C, the plaintext private key and the intermediate variables used in the operation process in the cache occupied by the operation core may be cleared up.

    [0046] When the block B and block C are executed, the multi-core processor may dynamically record all memory accesses in the execution processes of the block B and block C.

    [0047] When the other threads of the multi-core processor and the operation core (or operation thread) try to simultaneously access the same memory address and at least one write operation is executed, or the cache is replaced due to insufficiency of the space of the cache occupied by the operation core, the operation core may abort all executed operations of the block B and block C (i.e., the operation core may abort all executed operations) and block B and block C may be re-executed until the block B and block C are finished. An operation may be performed to exit from the transactional region and submit the memory.

    [0048] In order to better describe the present disclosure, an example that the Intel Haswell processor performs the RSA public-key cryptographic operation may be given hereinafter. In this example, the processor may be a four-core Intel Core i7 4770S. The used RSA algorithm may be implemented with Chinese Remainder Theorem (CRT) acceleration, Montgomery mode multiply acceleration and sliding window. Size of the sliding window may be 32 and the maximum memory used in the RSA computation may be 4708 bytes.

    [0049] First, block A may be executed to make each core of the multi-core processor contain the symmetric master key. Block A may include following blocks.

    [0050] As shown in figure 4, at block A1, when the OS boots, a prompt interface may pop up and a user may input a password. The OS may convert the password into the symmetric master key via a key generation algorithm.

    [0051] At block A2, the symmetric master key may be copied to the specified registers of the multi-core processor, which may facilitate the public-key cryptographic operation. The specified registers may be debug registers or Performance Monitor Counter (PMC) registers.

    [0052] Then, block B may be performed. Any core may be taken as the operation core to execute the public-key cryptographic operation. The plaintext private key and the intermediate variables in the operation process may be stored in the cache occupied by the operation core. The public-key cryptographic operation may include: a plaintext private key obtaining operation and a private-key computation operation.

    [0053] When the plaintext private key obtaining operation is performed, referring to figure 4, at block B1, the operation core may read the private key encrypted with the symmetric master key from the hard disk and copy the private key to the memory. The operation core may decrypt the private key, which is encrypted with the symmetric master key with the symmetric master key stored in the specified registers of the multi-core process to obtain the plaintext private key and store the plaintext private key in the cache occupied by the operation core. In the above process, in this example, as shown in figure 5, at block B2, the symmetric master key in the debug register or the PMC register may be written into the cache. The private key encrypted with the symmetric master key may be decrypted using the SSE register via calling Advanced Encryption Standard-New Instruction (AES-NI) instructions and the plaintext private key may be copied to the cache.

    [0054] When the private-key computation operation is performed, as shown in figure 6, at block 1, the operation core may perform digital signature and/or decryption operation with the plaintext private key. At block 2, intermediate variables generated in the computation process may be stored in the cache occupied by the operation core. At block 3, the computation result may be stored in the cache occupied by a running core.

    [0055] Finally, block C may be executed. Referring to figure 7, the plaintext private key and the intermediate variables used in the operation process in the cache occupied by the operation core may be cleared up and only the operation result may be kept.

    [0056] When the block B and block C are executed, the multi-core processor may dynamically record all memory accesses in the execution process of the block B and block C.

    [0057] When other threads and the operation core of the multi-core processor try to simultaneously access a same memory address and at least one write operation is executed, or the cache is replaced due to insufficiency of the space of the cache occupied by the operation core, the operation core may abort all executed operations of the block B and block C and block B and block C may be re-executed.

    [0058] Codes corresponding to the block B and block C may be specified as the transactional region via transactional memory mechanism, such as Intel TSX mechanism. After entering the transactional region, the multi-core processor may dynamically record all memory accesses of the codes in the transactional region. In other words, all memory accesses in the execution process of the block B and block C may be recorded. Specifically, with the RTM of the Intel TSX mechanism, when there may be memory access conflict between the other threads of the multi-core processor and all memory accesses dynamically recorded by the multi-core processor or when the data may need to be synchronized to the memory due to the insufficiency of the cache occupied by the operation core, the operation core may abort all executed operations of the block B and block C and re-execute the block B and block C.

    [0059] It can be seen that when the memory access conflict occurs or the space of the cache is insufficient, the operation core may abort the operations and jump to a specified code region. Therefore, all memory write operations in the cryptographic operation process may occur in the cache only, which may prevent synchronization of the data from the cache to the memory and prevent the cold boot attacks. Further, when the other cores read the private key, re-execution may occur and the key information cannot be obtained. The present disclosure may not limit other processes in the multi-core processor to use the cache and may support that each core in the multi-core processor may use a different cryptographic operation to enhance efficiency of the multi-core processor.

    [0060] Further, in order to increase a success rate of the public-key cryptographic operation as much as possible, before performing block B, i.e., before entering into the transactional region, this example may further include prohibiting OS process scheduling and disabling local interrupts. After clearing up the data in the cache occupied by the operation core, i.e., after exiting from the transactional region, the OS process scheduling and the local interrupts may be enabled. The OS process scheduling may be prohibited and the local interrupts may be disabled via clearing up an Interrupt Flag (IF) bit of the EFLAGS register of the multi-core processor and the OS process scheduling and the local interrupt may be enabled by setting the IF bit of the EFLAGS register of the multi-core processor.

    [0061] Since the setting of the transactional region and subsequent processing utilize the Intel TSX technology, all memory accesses of the codes (i.e., the codes corresponding to the plaintext private key obtaining operation and private-key computation operation) in the transactional region may be recorded. If memory accesses of other non-operation cores conflict with the memory access recorded in the transactional region, abort may occur. The operation core may abort the previous operations. The state of the operation core may be restored to that before entering into the transactional region. The operation core may jump to the specified code region (when the RTM is used). Therefore, after entering into the transactional region, i.e., starting to execute the block B and block C, all memory write operations of the operation core occur in the cache of the operation core, so that the plaintext private key used in the whole key protection process and the intermediate variables generated in the operation process will not be synchronized to the memory from the cache occupied by the operation core. Further, the running speed of the non-operation cores may not be affected with the Intel TSX mechanism.

    [0062] Further, since the operation core may use the SSE register and the general-purpose register in the operation process, when the plaintext private key and the intermediate variables used in the operation process in the cache occupied by the operation core are cleared up, data in the SSE register and general-purpose register may also be cleared up. In this example, the data in the cache occupied by the operation core may be cleared up with the memset function and the data in the SSE register and general-purpose register may be cleared up with the XOR instruction.

    [0063] Further, in order to avoid that the processes of the non-operation core may frequently access the memory addresses accessed by the transactional region, which may lead to frequent aborts in the transactional region codes, the present disclosure may preferably reserve a memory region accessed by the block B and block C for each core in the multi-core processor before executing the block B, i.e., before entering the transactional region. So that each core of the multi-core processor may access a fixed memory region via reserving the memory region, the conflict between the memory accesses of the other cores and the operation core transactional region may be avoided and the plaintext private key obtaining operation and private-key computation operation may be successfully carried out.

    [0064] In conclusion, with the key protection method provided in the present disclosure, the symmetric private key in plain text may be decrypted dynamically via making each core of the multi-core processor contain one symmetric master key. Further, in terms of the hardware, it may be ensured that the private key and the intermediate variables used in the computation process may be stored in the cache occupied by the core only via the Intel TSX. It may be prevented that the attacker may directly steal the private-key information from the physical memory or read the private-key information via malwares, so that the security of the implementation of public-key cryptographic algorithm in the computer system may be ensured. Further, the other cores of the multi-core processor may perform the cryptographic operations with the Intel TSX mechanism to improve the operation efficiency.

    [0065] Figure 8 is a schematic diagram illustrating the structure of a key protection device in accordance with an example of the present disclosure. The key protection device 800 may include: a setting module 801, an operation module 802 and an execution-abort module 803.

    [0066] The setting module 801 may be to execute step A of setting a symmetric master key in each core of the multi-core processor.

    [0067] The operation module 802 may be to execute step B of taking any core of the multi-core processor as the operation core, performing a public-key cryptographic operation according to the symmetric master key set by the setting module 801. The plaintext private key and the intermediate variables used in the public-key cryptographic operation may be stored in the cache occupied by the operation core. The operation module 802 may further execute step C of clearing up the plaintext private key and the intermediate variables in the cache occupied by the operation core.

    [0068] The execution-abort module 803 may be to enable, in the process of executing the step B and step C, the operation module 802 to abort all executed operations and to re-execute the step B and step C when another core and the operation core of the multi-core processor try to access a same memory address and at least one write operation is executed, or when the cache is replaced due to insufficiency of space of the cache.

    [0069] The key protection device 800 may execute the steps in the method examples shown in figure 1 to figure 7, which will not be described here in detail to avoid repetition.

    [0070] As an example, the multi-core processor 800 may further include a recording module 804. The recording module 804 may be to record all memory accesses dynamically in the process of executing the step B and step C when the operation module 802 executes the step B and step C. The operation module 802 may be further to determine whether another core and the operation core of the multi-core processor may simultaneously access the same memory address and at least one write operation may be executed according to all the memory accesses recorded by the recording module 804; or determine whether the space of the cache may be sufficient according to all the memory accesses recorded by the recording module 804.

    [0071] Further, the execution-abort module 803 may be to enable the operation module 802 to abort all the executed operations and to enable the operation module 802 to re-execute the step B and step C via transactional memory mechanism (such as the Intel TSX) when another thread and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or when the cache is replaced due to insufficiency of the space of the cache. Further, the execution-abort module 803 may be to enter a transactional region via begin instructions (such as xbegin instruction) in the Restricted Transactional Memory (RTM) mechanism of the Intel TSX and specify beginning of the step B executed by the operation module 802 as a fallback address when threads of other cores and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or specify the beginning of the step B executed by the operation module 802 as the fallback address when the cache is replaced due to insufficiency of the space of the cache occupied by the operation core and exist the transactional region via end instructions (such as xend instruction) when execution of the step C is finished by the operation module 802.

    [0072] With the above scheme, when the memory access conflict occurs or the space of the cache is insufficient, the operation core may abort the operations and jump to a specified code region. Therefore, all memory write operations in the cryptographic operation process may occur in the cache only, which may prevent synchronization of the data from the cache to the memory and prevent the cold boot attacks. Further, when the other cores read the private key, re-execution may occur and the key information cannot be obtained. The present disclosure does not limit the threads of other cores of the multi-core processor to use the cache and each core in the multi-core processor may use a different cryptographic operation to enhance efficiency of the multi-core processor.

    [0073] As another example, as shown in figure 9, the setting module 801 may include: a popping up unit 901, a receiving unit 902, a conversion unit 903 and a copying unit 904.

    [0074] The popping up unit 901 may be to pop up a prompt interface when an OS boots.

    [0075] The receiving unit 902 may be to receive a password input by a user in the prompt interface popped up by the popping up unit 901.

    [0076] The conversion unit 903 may be to convert the password received by the receiving unit 902 into the symmetric master key via the OS adopting a key generation algorithm.

    [0077] The copying unit 904 may be to copy the symmetric master key converted by the conversion unit 903 to the specified registers in the multi-core processor for storage.

    [0078] Refer to the description regarding to the above methods for specific examples, which may not be repeated here.

    [0079] As another example, the setting module 801 may be further to prohibit OS process scheduling and disable local interrupts before the operation module 802 executes the step B and enable the OS process scheduling and the local interrupts after the operation module 802 executes the step C. Therefore, the success rate of the public-key cryptographic operation may be improved.

    [0080] Further, the setting module 801 may be further to prohibit the OS process scheduling and disable the local interrupts via clearing up the Interrupt Flag (IF) bit of the EFLAGS register of the multi-core processor and enable the OS process scheduling and local interrupts via setting the IF bit of the EFLAGS register of the multi-core processor.

    [0081] Preferably, in order to avoid that processes of the non-operation cores may frequently access the memory addresses accessed by the transactional region, which may occur frequent aborts in the transactional region codes, the setting module 801 may be further to reserve a memory region accessed when the operation module 802 executes the step B and step C for each core in the multi-core processor. Via the reservation operation of the setting module 801, each core of the multi-core process may access a fixed memory region, so that the conflict between the memory accesses of other cores and the transactional region of the operation core may be avoided and the plaintext private key obtaining operation and private-key computation operation may be successfully executed.

    [0082] This example may provide a device for executing the blocks in the above method.

    [0083] Figure 10 is a schematic diagram illustrating a key protection device. In this example, the key protection device 1000 may include a multi-core processor 1001 and a storage 1002. The multi-core processor 1001 may further be called a Central Processing Unit (CPU). The storage 1002 may include: a Read-Only Memory (ROM) and a Random Access Memory (RAM) and provide the multi-core processor 1001 with instructions and data. The storage 1002 may include a Non-Volatile Random Access Memory (NVRAM). The processor 1001 may couple with the storage 1002 with a bus system 1010. The bus system 1010 may include: a power bus, a control bus and a state signal bus besides data bus. For clarity, various buses in the figure may be labeled as the bus system 1010.

    [0084] The methods in the above examples may be applied to the above key protection device 1000. The multi-core processor 1001 may be an integrated circuit chip with the signal processing ability. In the implementation process, each block of the above methods may be implemented via an integrated logic circuit of the hardware or instructions in software format in the multi-core processor 1001.

    [0085] The multi-core processor 1001 may support Intel TSX and connect with a cache 1003. Sensitive information in the computation process may be stored in the device 1003.

    [0086] When the system boots, a user interface may be popped up and a password may need to be input into the user interface. These operations may be implemented via a keyboard 1005 and display 1006 connected with a bridge device 1004, The bridge device may be a high-speed Northbridge, which may be used to connect with a graphic display card or may be used to connect with a peripheral, such as a keyboard by a Southbridge.

    [0087] What has been described and illustrated herein are examples of the disclosure along with some variations. The terms, descriptions and figures used herein are set forth by way of illustration only and are not meant as limitations. Many variations are possible within the scope of the disclosure, which is intended to be defined by the following claims -- and their equivalents -- in which all terms are meant in their broadest reasonable sense unless otherwise indicated.


    Claims

    1. A key protection method, which is applied to a multi-core processor, comprising:

    step A, setting a symmetric master key in each core of the multi-core processor (A);

    step B, taking any core of the multi-core processor configured to contain the symmetric master key as an operation core, performing a decryption operation to obtain a plaintext private key using the symmetric master key, performing a public-key cryptographic operation using the plaintext private key; the plaintext private key and the intermediate variables used in the public-key cryptographic operation being stored in a cache occupied by the operation core (B); and

    step C, clearing up the plaintext private key and the intermediate variables used in the public-key cryptographic operation in the cache occupied by the operation core (C);

    wherein in a process of executing the step B and step C, when another core and the operation core of the multi-core processor try to access a same memory address and at least one write operation is executed, or when the cache occupied by the operation core is replaced due to insufficiency of space of the cache occupied by the operation core, all operations executed by the operation core are aborted and the step B and step C are re-executed.
     
    2. The method according to claim 1, further comprising:

    recording all memory accesses dynamically in the process for executing the step B and step C when the step B and step C are executed;

    determining whether another core and the operation core of the multi-core processor simultaneously access the same memory address and at least one write operation is executed according to all the recorded memory accesses; or

    determining whether the space of the cache occupied by the operation core is sufficient according to all the recorded memory accesses.


     
    3. The method according to claim 2, further comprising:
    specifying codes corresponding to the step B and step C as a transactional region via a transactional memory mechanism, so that the multi-core processor dynamically records all the memory accesses in the process for executing the step B and step C, aborts all the operations executed by the operation core and re-executes the step B and step C when another core and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or when the cache occupied by the operation core is replaced due to insufficiency of the space of the cache occupied by the operation core.
     
    4. The method according to claim 3, wherein the transactional memory mechanism comprises: Intel Transactional Synchronization Extensions (TSX); the method further comprises:
    entering the transactional region via begin instructions in a Restricted Transactional Memory (RTM) mechanism and specifying beginning of the step B as a fallback address when another core and the operation core of the multi-core processor try to access the same access memory address and at least one write operation is executed or specifying the beginning of the step B as the fallback address when the cache occupied by the operation core is replaced due to insufficiency of the cache occupied by the operation core, and exiting the transactional region via end instructions when execution of the step C is finished.
     
    5. The method according to claim 1, wherein setting the symmetric master key in the each core of the multi-core processor in the step A comprises:

    popping up, by an Operating System (OS), a prompt interface and receiving a password input by a user in the prompt interface;

    converting, by the OS, the password into the symmetric master key adopting a key generation algorithm; and

    copying the symmetric master key to specified registers in the multi-core processor for storage.


     
    6. The method according to claim 5, wherein the public-key cryptographic operation comprises: a plaintext private key obtaining operation and a private-key computation operation;
    the plaintext private key obtaining operation comprises: reading, by the operation core, a private key encrypted with the symmetric master key from a hard disk, copying the private key to a memory, decrypting, by the operation core, the private key encrypted by the symmetric master key in the specified registers in the multi-core processor to obtain the plaintext private key and storing the plaintext private key in the cache occupied by the operation core;
    the private-key computation operation comprises: a digital signature and/or decryption step, wherein the digital signature and/or decryption operation is executed with the plaintext private key, the method further comprises: storing intermediate variables generated in the private-key computation operation and a computation result in the cache occupied by the operation core.
     
    7. The method according to claim 1, wherein
    before the step B, the method further comprises: prohibiting OS process scheduling and disabling local interrupt;
    after the step C, the method further comprises: enabling the OS process scheduling and enabling the local interrupt.
     
    8. A key protection device, comprising a setting module (801), an operation module (802) and an execution-abort module (803); wherein
    the setting module (801) is operable to execute step A of setting a symmetric master key in each core of the multi-core processor; and
    the operation module (802) is operable to execute step B of taking any core of the multi-core processor configured to contain the symmetric master key as an operation core, performing a decryption operation to obtain a plaintext private key using the symmetric master key, performing a public-key cryptographic operation using the plaintext private key; the plaintext private key and the intermediate variables used in the public-key cryptographic operation being stored in a cache occupied by the operation core and further execute step C of clearing up the plaintext private key and the intermediate variables in the cache occupied by the operation core;
    the execution-abort module (803) is operable to enable, in a process of executing the step B and step C, the operation module (802) to abort all executed operations and to re-execute the step B and step C when another core and the operation core of the multi-core processor try to access a same memory address and at least one write operation is executed, or when the cache occupied by the operation core is replaced due to insufficiency of space of the cache occupied by the operation core.
     
    9. The device according to claim 8, wherein the multi-core processor further comprises: a recording module (804);
    the recording module (804) is to record all memory accesses dynamically in the process for executing the step B and step C when the operation module (802) executes the step B and step C;
    the operation module (802) is further to determine whether another core and the operation core of the multi-core processor simultaneously access the same memory address and at least one write operation is executed according to all the memory accesses recorded by the recording module (804); or determine whether the space of the cache occupied by the operation core is sufficient according to all the memory accesses recorded by the recording module (804).
     
    10. The device according to claim 9, wherein the execution-abort module (803) is to enable the operation module (802) to abort all the executed operations and to enable the operation module (802) to re-execute the step B and step C via a Transactional memory mechanism when another core and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or when the cache occupied by the operation core is replaced due to insufficiency of the space of the cache occupied by the operation core.
     
    11. The device according to claim 10, wherein the transactional memory mechanism comprises: an Intel Transactional Synchronization Extensions (TSX);
    the execution-abort module (803) is to enter the transactional region via begin instructions in a Restricted Transactional Memory (RTM) mechanism of the Intel TSX and specify beginning of the step B executed by the operation module (802) as a fallback address when another core and the operation core of the multi-core processor try to access the same memory address and at least one write operation is executed or specify the beginning of the step B executed by the operation module (802) as the fallback address when the cache occupied by the operation core is replaced due to insufficiency of the cache occupied by the operation core, and exit the transactional region via end instructions when execution of the step C is finished by the operation module (802).
     


    Ansprüche

    1. Schlüsselschutzverfahren, das in einem Mehrkernprozessor angewendet wird, umfassend:

    Schritt A, Stellen eines symmetrischen Master-Schlüssels in jedem Kern des Mehrkernprozessors (A);

    Schritt B, Hernehmen von irgendeinem Kern des Mehrkernprozessors, der konfiguriert ist, um den symmetrischen Master-Schlüssel zu enthalten, als einen Betriebskern, Durchführen eines Entschlüsselungsvorgangs, um einen privaten Schlüssel im Klartext unter Verwendung des symmetrischen Master-Schlüssels zu erlangen, Durchführen eines kryptographischen Vorgangs mit öffentlichem Schlüssel unter Verwendung des privaten Schlüssels im Klartext; wobei der private Schlüssel im Klartext und die Zwischenvariablen, die in dem kryptographischen Vorgang mit öffentlichen Schlüssels verwendet werden, in einem Cache gespeichert werden, der durch dem Betriebskern belegt ist (B); und

    Schritt C, Löschen des privaten Schlüssels im Klartext und der Zwischenvariablen, die in dem kryptographischen Vorgang mit öffentlichen Schlüssels verwendet werden, in dem Cache, der durch den Betriebskern belegt ist (C);

    wobei ein Prozess zum Ausführen des Schritts B und des Schritts C, wenn ein anderer Kern und der Betriebskern des Mehrkernprozessors versuchen, auf dieselbe Speicheradresse zuzugreifen und zumindest ein Schreibvorgang ausgeführt wird, oder wenn der durch den Betriebskern belegte Cache auf Grund des unzureichenden Speicherplatzes des durch den Betriebskern belegten Cache ersetzt wird, alle durch den Betriebskern ausgeführten Vorgänge abgebrochen werden und der Schritt B und Schritt C neu ausgeführt werden.
     
    2. Verfahren gemäß Anspruch 1, weiterhin umfassend:

    dynamisches Aufzeichnen von allen Speicherzugriffen in dem Prozess zum Ausführen des Schritts B und des Schritts C, wenn Schritt B und Schritt C ausgeführt werden;

    Bestimmen, ob ein anderer Kern und der Betriebskern des Mehrkernprozessors gleichzeitig auf dieselbe Speicheradresse zugreifen und zumindest ein Schreibvorgang ausgeführt wird gemäß allen aufgezeichneten Speicherzugriffen; oder

    Bestimmen, ob der Speicherplatz des Cache, der durch den Betriebskern belegt ist, gemäß allen aufgezeichneten Speicherzugriffen hinreichend ist.


     
    3. Verfahren gemäß Anspruch 2, weiterhin umfassend:
    Spezifizieren von Codes entsprechend dem Schritt B und dem Schritt C als ein Transaktionsbereich über eine Transaktionsspeichereinrichtung, so dass der Mehrkernprozessor alle Speicherzugriffe in dem Prozess zum Ausführen des Schritts B und Schritts C dynamisch aufzeichnet, alle durch den Betriebskern ausgeführten Vorgänge abbricht und den Schritt B und Schritt C neu ausführt, wenn ein anderer Kern und der Betriebskern des Mehrkernprozessors versuchen, auf dieselbe Speicheradresse zuzugreifen und zumindest ein Schreibvorgang ausgeführt wird, oder wenn der durch den Betriebskern belegte Cache aufgrund des unzureichenden Speicherplatzes des durch den Betriebskern belegten Cache ersetzt wird.
     
    4. Verfahren gemäß Anspruch 3, wobei bei die Transaktionsspeichereinrichtung umfasst: Intel Transactional Synchronization Extensions (TSX); wobei das Verfahren weiterhin umfasst:
    Eingeben des Transaktionsbereichs über Beginnanweisungen in eine Restricted Transactional Memory- (RTM) -Einrichtung und Spezifizieren des Beginns des Schritts B als eine Rückfalladresse, wenn ein anderer Kern und der Betriebskern des Mehrkernprozessors versuchen, auf dieselbe Speicheradresse zuzugreifen und zumindest ein Schreibvorgang ausgeführt wird, oder Spezifizieren des Beginns des Schritts B als die Rückfalladresse, wenn der durch den Betriebskern belegte Cache aufgrund des unzureichenden Speicherplatzes des durch den Betriebskern belegten Cache ersetzt wird, und Verlassen des Transaktionsbereichs über Endanweisungen, wenn die Ausführung des Schritts C beendet ist.
     
    5. Verfahren gemäß Anspruch 1, wobei das Stellen des symmetrischen Master-Schlüssels in jedem Kern des Mehrkernprozessors in Schritt A umfasst:

    Anzeigen, durch ein Betriebssystem (OS), einer Eingabeschnittstelle als Popupmenü und Empfangen einer Passworteingabe durch einen Benutzer in der Eingabeschnittstelle;

    Umwandeln, durch das OS, des Passwortes in den symmetrischen Master-Schlüssel, der einen Schlüsselerzeugungsalgorithmus einsetzt; und

    Kopieren des symmetrischen Master-Schlüssels in spezifische Register in dem Mehrkernprozessor zur Speicherung.


     
    6. Verfahren gemäß Anspruch 5, wobei der kryptographische Vorgang mit öffentlichem Schlüssel umfasst: einen Erlangungsvorgang für den privaten Schlüssel im Klartext und einen Berechnungsvorgang für den privaten Schlüssel;

    wobei der Erlangungsvorgang für den privaten Schlüssel im Klartext umfasst: Lesen, durch den Betriebskern, eines privaten Schlüssels, der mit dem symmetrischen Master-Schlüssel verschlüsselt ist, von einer Festplatte, Kopieren des privaten Schlüssels in einen Speicher, Entschlüsseln, durch den Betriebskern, des durch den symmetrischen Master-Schlüssel verschlüsselten privaten Schlüssels in den spezifizierten Registern in dem Mehrkernprozessor, um den privaten Schlüssel im Klartext zu erlangen und Speichern des privaten Schlüssels im Klartext in dem durch den Betriebskern belegten Cache;

    wobei der Berechnungsvorgang für den privaten Schlüssel umfasst: einen digitalen Signatur- und/oder einen Entschlüsselungsschritt, wobei der digitale Signatur- und/oder Entschlüsselungsvorgang mit dem privaten Schlüssel im Klartext ausgeführt wird, wobei das Verfahren weiterhin umfasst: Speichern von Zwischenvariablen, die durch den Berechnungsvorgang für den privaten Schlüssel erzeugt wurden, und eines Berechnungsergebnisses in dem durch den Betriebskern belegten Cache.


     
    7. Verfahren gemäß Anspruch 1, wobei

    vor dem Schritt B das Verfahren weiterhin umfasst: Untersagen der OS-Prozessplanung und Außerkraftsetzen der lokalen Unterbrechung;

    nach dem Schritt C, das Verfahren weiterhin umfasst: Inkraftsetzen der OS-Prozessplanung und Inkraftsetzen der lokalen Unterbrechung.


     
    8. Schlüsselschutzvorrichtung, die ein Stellmodul (801), ein Betriebsmodul (802) und ein Ausführungsabbruchmodul (803) umfasst; wobei

    das Stellmodul (801) betriebsfähig ist, um einen Schritt A zum Stellen eines symmetrischen Master-Schlüssels in jedem Kern des Mehrkernprozessors auszuführen; und

    das Betriebsmodul (802) betriebsfähig ist, um einen Schritt B zum Hernehmen irgendeines Kerns des Mehrkernprozessors, der konfiguriert ist, um den symmetrischen Master-Schlüssel zu enthalten, als einen Betriebskern auszuführen, Durchführen eines Entschlüsselungsvorgangs, um einen privaten Schlüssel im Klartext unter Verwendung des symmetrischen Master-Schlüssels zu erlangen, Durchführen eines kryptographischen Vorgangs mit öffentlichem Schlüssel unter Verwendung des privaten Schlüssels im Klartext; wobei der private Schlüssel im Klartext und die Zwischenvariablen, die in dem kryptographischen Vorgang mit öffentlichem Schlüssel verwendet werden, in einem Cache gespeichert werden, der durch den Betriebskern belegt ist, und weiterhin Ausführen von Schritt C des Löschens des privaten Schlüssels im Klartext und der Zwischenvariablen in dem durch den Betriebskern belegten Cache;

    das Ausführungsabbruchmodul (803) betriebsfähig ist, um in einem Prozess des Ausführens des Schritts B und Schritts C das Betriebsmodul (802) zu befähigen, um alle ausgeführten Vorgänge abzubrechen und den Schritt B und den Schritt C neu auszuführen, wenn ein anderer Kern und der Betriebskern des Mehrkernprozessors versuchen, auf dieselbe Speicheradresse zuzugreifen und zumindest ein Schreibvorgang ausgeführt wird, oder wenn der durch den Betriebskern belegte Cache aufgrund des unzureichenden Speicherplatzes des durch den Betriebskern belegten Cache ersetzt wird.


     
    9. Vorrichtung gemäß Anspruch 8, wobei der Mehrkernprozessor weiterhin umfasst: ein Aufzeichnungsmodul (804);

    wobei das Aufzeichnungsmodul (804) alle Speicherzugriffe dynamisch in dem Prozess zum Ausführend des Schritts B und Schritts C zu speichern hat, wenn das Betriebsmodul (802) den Schritt B und Schritt C ausführt;

    das Betriebsmodul (802) weiterhin zu bestimmen hat, ob ein anderer Kern und der Betriebskern des Mehrkernprozessors gleichzeitig auf dieselbe Speicheradresse zuzugreifen und zumindest ein Schreibvorgang ausgeführt wird gemäß allen durch das Aufzeichnungsmodul (804) aufgezeichneten Speicherzugriffen; oder zu bestimmen hat, ob der Speicherplatz des durch den Betriebskern belegten Cache hinreichend ist gemäß allen durch das Aufzeichnungsmodul (804) aufgezeichneten Speicherzugriffen.


     
    10. Vorrichtung gemäß Anspruch 9, wobei das Ausführungsabbruchmodul (803) das Betriebsmodul (802) zu befähigen hat, alle ausgeführten Vorgänge abzubrechen, und das Betriebsmodul (802) zu befähigen hat, den Schritt B und den Schritt C über eine Transaktionsspeichereinrichtung neu auszuführen, wenn ein weiterer Kern und der Betriebskern des Mehrkernprozessors versuchen, auf dieselbe Speicheradresse zuzugreifen und zumindest ein Schreibvorgang ausgeführt wird, oder wenn der durch den Betriebskern belegte Cache aufgrund des unzureichenden Speicherplatzes des durch den Betriebskern belegten Cache ersetzt wird.
     
    11. Vorrichtung gemäß Anspruch 10, wobei die Transaktionsspeichereinrichtung umfasst: Intel Transactional Synchronization Extensions (TSX);
    das Ausführungsabbruchmodul (803) in den Transaktionsbereich über Beginnanweisungen in eine Restricted Transactional Memory- (RTM) -Einrichtung der Intel-TSX einzutreten hat und den Beginn des Schritts B, der durch das Betriebsmodul (802) ausgeführt wird, als eine Rückfalladresse zu spezifizieren hat, wenn ein anderer Kern und der Betriebskern des Mehrkernprozessors versuchen, auf dieselbe Speicheradresse zuzugreifen und zumindest ein Schreibvorgang ausgeführt wird, oder den Beginn des Schritts B, der durch das Betriebsmodul (802) ausgeführt wird, als die Rückfalladresse zu spezifizieren hat, wenn der durch den Betriebskern belegte Cache aufgrund des unzureichenden Speicherplatzes des durch den Betriebskern belegten Cache ersetzt wird, und den Transaktionsbereich über Endanweisungen zu verlassen hat, wenn die Ausführung des Schritts C durch das Betriebsmodul (802) beendet ist.
     


    Revendications

    1. Procédé de protection de clé, qui est appliqué à un processeur multicœur, comprenant :

    étape A, établir une clé principale symétrique dans chaque coeur du processeur multicœur (A) ;

    étape B, prendre n'importe quel cœur du processeur multicœur configuré pour contenir la clé principale symétrique en tant que coeur d'opération, effectuer une opération de déchiffrement pour obtenir une clé privée en texte en clair en utilisant la clé principale symétrique, effectuer une opération cryptographique à clé publique en utilisant la clé privée en texte en clair ; la clé privée en texte en clair et les variables intermédiaires utilisées dans l'opération cryptographique à clé publique étant stockées dans un cache occupé par le cœur d'opération (B) ; et

    étape C, effacer la clé privée en texte en clair et les variables intermédiaires utilisées dans l'opération cryptographique à clé publique dans le cache occupé par le coeur d'opération (C) ;

    dans lequel dans un processus d'exécution de l'étape B et de l'étape C, lorsqu'un autre cœur et le coeur d'opération du processeur multicœur tentent d'accéder à une même adresse mémoire et qu'au moins une opération d'écriture est exécutée, ou lorsque le cache occupé par le cœur d'opération est remplacé en raison de l'insuffisance d'espace du cache occupé par le cœur d'opération, toutes les opérations exécutées par le cœur d'opération sont abandonnées et l'étape B et l'étape C sont ré-exécutées.
     
    2. Procédé selon la revendication 1, comprenant en outre :

    enregistrer tous les accès à la mémoire de manière dynamique dans le processus d'exécution de l'étape B et de l'étape C lorsque l'étape B et l'étape C sont exécutées ;

    déterminer si un autre cœur et le coeur d'opération du processeur multicœur accèdent simultanément à la même adresse mémoire et qu'au moins une opération d'écriture est exécutée en fonction de tous les accès à la mémoire enregistrés ; ou

    déterminer si l'espace du cache occupé par le cœur d'opération est suffisant en fonction de tous les accès à la mémoire enregistrés.


     
    3. Procédé selon la revendication 2, comprenant en outre :
    spécifier des codes correspondant à l'étape B et à l'étape C en tant que région transactionnelle via un mécanisme de mémoire transactionnelle, de sorte que le processeur multicœur enregistre de manière dynamique tous les accès à la mémoire dans le processus d'exécution de l'étape B et de l'étape C, abandonne toutes les opérations exécutées par le cœur d'opération et ré-exécute l'étape B et l'étape C lorsqu'un autre coeur et le cœur d'opération du processeur multicœur tentent d'accéder à la même adresse mémoire et qu'au moins une opération d'écriture est exécutée ou lorsque le cache occupé par le cœur d'opération est remplacé en raison de l'insuffisance de l'espace du cache occupé par le cœur d'opération.
     
    4. Procédé selon la revendication 3, dans lequel le mécanisme de mémoire transactionnelle comprend : des extensions de synchronisation transactionnelle (TSX) d'Intel ; le procédé comprend en outre :
    entrer dans la région transactionnelle via des instructions de début dans un mécanisme de mémoire transactionnelle restreinte (RTM) et spécifier le début de l'étape B comme adresse de repli lorsqu'un autre cœur et le coeur d'opération du processeur multicœur tentent d'accéder à la même adresse mémoire d'accès et qu'au moins une opération d'écriture est exécutée, ou spécifier le début de l'étape B comme adresse de repli lorsque le cache occupé par le cœur d'opération est remplacé en raison de l'insuffisance du cache occupé par le coeur d'opération, et sortir de la région transactionnelle via des instructions de fin lorsque l'exécution de l'étape C est terminée.
     
    5. Procédé selon la revendication 1, dans lequel l'établissement de la clé principale symétrique dans chaque cœur du processeur multicœur à l'étape A comprend :

    faire apparaître, par un système d'exploitation (OS), une interface d'invite et recevoir un mot de passe entré par un utilisateur dans l'interface d'invite ;

    convertir, par l'OS, le mot de passe en clé principale symétrique en adoptant un algorithme de génération de clé ; et

    copier la clé principale symétrique dans des registres spécifiés dans le processeur multicœur pour le stockage.


     
    6. Procédé selon la revendication 5, dans lequel l'opération cryptographique à clé publique comprend : une opération d'obtention de clé privée en texte en clair et une opération de calcul de clé privée ;
    l'opération d'obtention de clé privée en texte en clair comprend : la lecture, par le cœur d'opération, d'une clé privée chiffrée avec la clé principale symétrique depuis un disque dur, la copie de la clé privée dans une mémoire, le déchiffrement, par le coeur d'opération, de la clé privée chiffrée par la clé principale symétrique dans les registres spécifiés dans le processeur multicœur pour obtenir la clé privée en texte en clair et le stockage de la clé privée en texte en clair dans le cache occupé par le coeur d'opération ;
    l'opération de calcul de clé privée comprend : une étape de signature numérique et/ou de déchiffrement, dans laquelle l'opération de signature numérique et/ou de déchiffrement est exécutée avec la clé privée en texte en clair, le procédé comprend en outre : le stockage de variables intermédiaires générées dans l'opération de calcul de clé privée et d'un résultat de calcul dans le cache occupé par le cœur d'opération.
     
    7. Procédé selon la revendication 1, dans lequel
    avant l'étape B, le procédé comprend en outre : l'interdiction de la planification des processus OS et la désactivation d'une interruption locale ;
    après l'étape C, le procédé comprend en outre : l'activation de la planification des processus OS et l'activation de l'interruption locale.
     
    8. Dispositif de protection de clé, comprenant un module de paramétrage (801), un module d'opération (802) et un module d'abandon d'exécution (803) ; dans lequel
    le module de paramétrage (801) peut fonctionner pour exécuter l'étape A d'établissement d'une clé principale symétrique dans chaque coeur du processeur multicœur ; et
    le module d'opération (802) peut fonctionner pour exécuter l'étape B consistant à prendre n'importe quel cœur du processeur multicœur configuré pour contenir la clé principale symétrique en tant que cœur d'opération, effectuer une opération de déchiffrement pour obtenir une clé privée en texte en clair en utilisant la clé principale symétrique, effectuer une opération cryptographique à clé publique en utilisant la clé privée en texte en clair ; la clé privée en texte en clair et les variables intermédiaires utilisées dans l'opération cryptographique à clé publique étant stockées dans un cache occupé par le cœur d'opération, et exécuter en outre l'étape C consistant à effacer la clé privée en texte en clair et les variables intermédiaires dans le cache occupé par le cœur d'opération ;
    le module d'abandon d'exécution (803) peut fonctionner pour permettre, dans un processus d'exécution de l'étape B et de l'étape C, au module d'opération (802) d'abandonner toutes les opérations exécutées et de ré-exécuter l'étape B et l'étape C lorsqu'un autre cœur et le cœur d'opération du processeur multicœur tentent d'accéder à une même adresse mémoire et qu'au moins une opération d'écriture est exécutée, ou lorsque le cache occupé par le cœur d'opération est remplacé en raison de l'insuffisance d'espace du cache occupé par le coeur d'opération.
     
    9. Dispositif selon la revendication 8, dans lequel le processeur multicœur comprend en outre : un module d'enregistrement (804) ;
    le module d'enregistrement (804) sert à enregistrer de manière dynamique tous les accès à la mémoire dans le processus d'exécution de l'étape B et de l'étape C lorsque le module d'opération (802) exécute l'étape B et l'étape C ;
    le module d'opération (802) sert en outre à déterminer si un autre cœur et le cœur d'exploitation du processeur multicœur accèdent simultanément à la même adresse mémoire et qu'au moins une opération d'écriture est exécutée en fonction de tous les accès à la mémoire enregistrés par le module d'enregistrement (804) ; ou à déterminer si l'espace du cache occupé par le cœur d'opération est suffisant en fonction de tous les accès à la mémoire enregistrés par le module d'enregistrement (804).
     
    10. Dispositif selon la revendication 9, dans lequel le module d'abandon d'exécution (803) doit permettre au module d'opération (802) d'abandonner toutes les opérations exécutées et permettre au module d'opération (802) de ré-exécuter l'étape B et étape C via un mécanisme de mémoire transactionnelle lorsqu'un autre cœur et le cœur d'opération du processeur multicœur tentent d'accéder à la même adresse mémoire et qu'au moins une opération d'écriture est exécutée ou lorsque le cache occupé par le cœur d'opération est remplacé en raison de l'insuffisance de l'espace du cache occupé par le cœur d'opération.
     
    11. Dispositif selon la revendication 10, dans lequel le mécanisme de mémoire transactionnelle comprend : des extensions de synchronisation transactionnelle (TSX) d'Intel ;
    le module d'abandon d'exécution (803) doit entrer dans la région transactionnelle via des instructions de début dans un mécanisme de mémoire transactionnelle restreinte (RTM) de la TSX d'Intel et spécifier le début de l'étape B exécutée par le module d'opération (802) comme adresse de repli lorsqu'un autre coeur et le cœur d'opération du processeur multicœur tentent d'accéder à la même adresse mémoire et qu'au moins une opération d'écriture est exécutée, ou spécifier le début de l'étape B exécutée par le module d'opération (802) comme adresse de repli lorsque le cache occupé par le cœur d'opération est remplacé du fait de l'insuffisance du cache occupé par le cœur d'opération, et sortir de la région transactionnelle via des instructions de fin lorsque l'exécution de l'étape C est terminée par le module d'opération (802).
     




    Drawing




















    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description